New Defcon contest tests hackers' social-engineering skills

Kooky capture-the-flag-style contest gives participants 20 minutes to cajole information from target companies' employees

Social engineering has evidently earned a new level of respect from the hacker community: For the first time, this year's Defcon gathering in Las Vegas will feature a contest in which participants compete to gather nuggets of information from unsuspecting target companies -- over the telephone instead of the Internet.

Social engineering has played an increasingly prominent role in effective online attacks. The term itself is a broad one, encompassing everything from the targeted surveillance and information-gathering techniques that early hacking stars such as Kevin Mitnick mastered (and went on to write about) down to the ubiquitous phishing and spam email message.


These days, we hear a lot about the centrality of social engineering in advanced attacks by what we at The 451 Group call "adaptive persistent adversaries." These were the kinds of attacks used against more than 100 Western firms in the so-called Aurora attacks. Much of the press coverage of Aurora focused on the IE vulnerability used to gain access to systems at Google, Adobe, and other companies, as well as on the Hydraq Trojan that siphoned data from them. However, social engineering was a critical -- but overlooked -- component of those attacks: Attackers targeted high-level employees with malicious Web links, and those links provided the entry point for the attackers' malware and remote administration tools.

The potency of social engineering has garnered new respect in the hacker world. Witness: a partner organization is working with Defcon to spotlight social-engineering techniques in the form of a new capture-the-flag (CTF)-style contest.

CTF hacking tournaments have long been a staple at Defcon, with teams working against each other both to protect their systems from attack and to penetrate the systems of opposing teams. They're raw tests of caffeine-induced brilliance against formidable foes, and they take days to complete and win.

The social-engineering contest borrows elements from the convention's traditional computer-based CTF tournaments, with a few variations. Prior to the conference, participants receive an email with the name and URL of a target company. They are permitted to gather preliminary information about the company from the Web, using Google searches and other passive techniques. During this phase, contestants are barred from contacting the target directly by email or phone; they score points for the information they gather.

Competitors then use that data during the actual tournament to fuel their social engineering attack: They have 20 minutes to call unsuspecting employees at their target companies and wheedle out of them specific bits of (nonsensitive) information about the business for additional points. Participants aren't allowed to make the target company feel at risk by pretending to represent a law-enforcement agency (view the rules in their entirety).

It's all very cool, and it's probably legal. More important, the contest could raise awareness of the vulnerability that companies face in the form of gullible, overly eager-to-please employees.

Paul F. Roberts is a senior analyst at The 451 Group.

This story, "New Defcon contest tests hackers' social-engineering skills," was originally published by InfoWorld.


Copyright © 2010 IDG Communications, Inc.