Slashdot Mirror

← Back to Stories (view on slashdot.org)

DefCon Contest Rattles FBI's Nerves

Posted by Soulskill on from the par-for-the-course dept.

snydeq writes "A DefCon contest that invites contestants to trick employees at 30 US corporations into revealing not-so-sensitive data has rattled nerves at the FBI. Chris Hadnagy, who is organizing the contest, also noted concerns from the financial industry, which fears hackers will target personal information. The contest will run for three days, with participants attempting to unearth data from an undisclosed list of about 30 US companies. The contest will take place in a room in the Riviera hotel in Las Vegas furnished with a soundproof booth and a speaker, so an audience can hear the contestants call companies and try to weasel out what data they can get from unwitting employees." The group organizing the contest has established a strict set of rules to ensure participants don't violate any laws. Update: 07/31 04:45 GMT by S : PCWorld has coverage of one of the day's more successful attacks.

11 of 136 comments (clear)

  1. Re:Dumbasses @ FBI by msauve · · Score: 4, Funny

    Well, that leaves retail.

    "Do you have Prince Albert in a can?"

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  2. This is refreshing by Majik+Sheff · · Score: 4, Insightful

    It's nice to see the hacker community making a move to acknowledge its roots. Social engineering is the oldest and easily the most challenging/rewarding form of real hacking.

    What's more gratifying, beating the password out of a hash after weeks of brute force or having the mark just tell you in a five-minute phone call?

    --
    Women are like electronics: you don't know how damaged they are until you try to turn them on.
    1. Re:This is refreshing by Hatta · · Score: 5, Funny

      I prefer to beat the password out of the mark after 5 minutes of brute force.

      --
      Give me Classic Slashdot or give me death!
  3. Okay, be honest. by peacefinder · · Score: 4, Funny

    Who here clicked the link to www.social-engineer.org before thinking about the potential consequences?

    Have you just been had? :-)

    --
    With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
  4. Rules and Do-Not-Do list by Zerth · · Score: 5, Informative

    The CTF Rules

    Each Social Engineer is sent via email a dossier with the name and URL of their target company chosen from the pool of submitted names.

    Pre-Defcon you are allowed to gather any type of information you can glean from the WWW, their websites, Google searches and by using other passive information gathering techniques. You are prohibited from calling, emailing or contacting the company in any way before the Defcon event. We will be monitoring this and points will be deducted for "cheating".

    The goal is to gather points for the information obtained and plan a realistic and appropriate attack vector. The point system will be revealed during the Defcon event. All information should be stored in a professional looking report. 1 week prior to Defcon you will submit your dossiers for review to the judging panel.

    They will be sent their time slot (day/time) to perform their attack vector at Defcon. At Defcon each social engineer will be given 5 minutes to explain to the crowd what they did and what their attack vector is.

    They are then given 20 minutes to perform their attack vector and points are awarded for information gathered as well as goals successfully accomplished during the process.
    A scoreboard will be kept and at the end some excellent prizes will be awarded.

    The Flag

    The "flag" is custom list of specific bits of information, which you will have to discover during your 20-minute phone call.The judging panel created the list, and points will be awarded for each item present on the list. This list will be presented to you on the day of the event

    THE DO NOT LIST:

    Underlying idea of this contest is: No one gets victimized in the duration of this contest. Social Engineering skills can be demonstrated without engaging in unethical activities. The contest focuses on the skills of the contestant, not who does the most damage.

    Items that are not allowed to be targeted at any point of the contest:

    1) No going after very confidential data. (i.e. SS#, Credit Card Numbers, etc). No Illegal Data
    2) Nothing that can get Social-Engineer.org, Defcon, or the participants in the contest sued
    3) No porn
    4) At no point are any techniques allowed to be used that would make a target feel as if they are "at risk" in any manner. (ie. "We have reason to believe that your account has been compromised.")
    5) No targeting information such as passwords.
    6) No pretexts that would appear to be any manner of government agency, law enforcement, or legally liable entity.
    7) The social engineer must only call the target company, not relatives or family of any employee
    8) Use common sense, if something seems unethical - don't do it. If you have questions, ask a judge
    If at any point in the contest it appears that contestants are targeting anything on the "No" list, they will receive one warning. After the one warning they are disqualified from the contest.

    1. Re:Rules and Do-Not-Do list by rotide · · Score: 5, Insightful

      Not everything needs to be about obtaining damaging information. Imagine talking to a random stranger and trying to solicit information from them. It's not as easy as it sounds.

      Seriously, try this some time, just go up to a stranger and get their middle name. It will be harder than you think in most cases, if not impossible.

      Social Engineering is a skill. You have to be very good to go under the "what the fuck does this guy want" radar. You have to be able to read people without seeing them and be able to think very quickly in a very dynamic situation. Again, all while staying under their radar.

      Getting confidential, personally sensitive, or business critical information isn't the point nor appears to be the goal. Merely being good with your social skills (and we're talking a special breed of nerds here, no offense to them though), no great with them, is the point. Having a laundry list of weird and/or "not normally given out" information and trying to gain it, that's going to be hard.

    2. Re:Rules and Do-Not-Do list by garompeta · · Score: 4, Interesting

      There are very cool pranks done at HOPE, which was enlightening. Emmanuel Goldstein called to BP and ended up convincing an employee to leave open the office door, and telling him that because it was too late he wouldn't be appearing with the company van. He didn't get any confidential information regarding to the store (surprisingly, some of the employees seemed to be trained and others seemed to be very stupid to understand the questions) but if wanted he could have gone to the gas station with a free pass to the office, from an unmarked unbranded van. That is social engineering.

  5. Not-so-sensitive?! by zyxwvutsr · · Score: 4, Funny

    What participants can do is collect data on less sensitive subjects such as, "who does your dumpster removal; who takes care of your paper shredding," Hadnagy said.

    "If you don't tell me, I'll look at the dumpster behind your building and read the name on it!"

  6. I feel sorry by blantonl · · Score: 5, Insightful

    I feel sorry for the poor fish in the barrel that gets shot on this one.

    Unwittingly, right now, some guy/gal is sitting in their cubical and is on the cusp of getting the phone call that thrusts them into the international spotlight when the tape of the winning team's efforts is played. They might even lose their job for doing nothing more than, well, doing their job, or answering a harmless set of questions.

    --
    Lindsay Blanton
    RadioReference.com
  7. I can verify this by Anonymous Coward · · Score: 5, Informative

    Posting as AC for obvious reasons, and I can't offer anything in the way of proof (again, for obvious reasons) but I do work for the US Navy in a division that deals with intelligence. We've been getting floods of emails from up on high warning us about Defcon "threats" and that we shouldn't answer any questions from people who call us that we don't know, etc etc.

    1. Re:I can verify this by Dhalka226 · · Score: 4, Insightful

      That doesn't mean it's not worth occasionally reiterating, especially when there's a specific reason to believe there may be an increased chance of something happening.

      It's not like they're spending millions of dollars to defend it or something, just sending a few emails.