Social Engineering Capture The Flag Contest Returns To DefCon

Published: 22/11/2024   Category: security



Changes to this year's contest include some volunteer, high-profile target companies



The first-ever social engineering contest at DefCon in Las Vegas last year went way too well: each contestant was able to successfully social-engineer some piece of information, or flag, out of their targeted company.
Chris Hadnagy, founder of social-engineer.org, which sponsors the Social Engineering Capture The Flag contest, says this year's competition will target more industries including manufacturing, technology, and education, and will include some high-profile companies with aggressive internal security awareness programs that have volunteered as targets.
"We have two premiere targets [thus far] that have agreed to work with us and allow [contestants] to call them and social-engineer them," Hadnagy says. They are willing to put their security awareness programs up to the challenge publicly, he says.
Hadnagy says he can't release the names of the companies, but that people will be shocked to learn in which sectors these companies reside. The goal is for half of the contest's targets to be volunteer, high-profile companies and the other half to be selected by the contest organizers.
"We didn't make that offer to last year's target companies," he says. Unless they made dramatic changes in the last twelve months, they wouldn't want to agree to voluntarily be part of the contest, he says.
Another new feature of this year's contest will be a template for contestants to submit their audit reports on their preliminary reconnaissance. That's the phase prior to DefCon where they gather any information on their assigned target company online or via other passive data-gathering methods (no phone calls, email, or direct contact with the targeted firms). They score points for the reconnaissance information gathered as well as for the plan of attack, all of which must be submitted prior to DefCon.
The live portion of the contest at DefCon is a 20-minute window where the contestants phone their target and attempt to capture designated flags, everything from finding out who supplies the company's in-house cafeteria food to the type of antivirus program they are running. In last year's contest, the flag that brought home the highest number of points was getting the employee on the other end of the line to visit a URL.
The final list of flags for this year is still in the works, Hadnagy says. Like last year, contestants are forbidden from getting credit card numbers, social security numbers, passwords, or making the target feel at risk. They can't use government agencies, law enforcement, or legal entities as a ruse to get inside, nor can they contact relatives or family of the targeted firms' employees.
Last year's final field of 17 contestants posed as journalists, IT survey-takers, and businessmen, for instance. The list of companies targeted in the contest included Google, BP, McAfee, Symantec, Shell, Microsoft, Oracle, Cisco, Apple, and Walmart.
Another new feature of this year's contest is a target ranking system. The targeted firms will get a final tally of how they fared in the contest, and companies will be compared with others in their industry.
"We will not release what information was obtained from the target companies," Hadnagy says. The goal is to help companies improve their security awareness programs, he says.
The contest will run from Friday, August 5 to Saturday, August 6. Registration is here.
