Nobody can find a seat, the room is so packed. The boisterous audience, undeterred, crowds against the walls and lies down on the floor at every edge of the room to catch the action. A line of people stretches out the front door.
This is the 2014 Def Con hacker conference at the Rio Casino in Las Vegas. The people are in one of the tiniest rooms in the casino to see the Super Bowl of lying.
The Social Engineering Capture The Flag contest was launched by Christopher Hadnagy in 2009. This year, nine teams of two players each are given a long list of goals that can only be accomplished through skillful lying and manipulation. The contest has been going on for five years, but most of the crowd, listening in rapt attention, is experiencing it for the very first time.
Hadnagy has another name for social engineering: “The art of human hacking.” While almost all of Def Con is dedicated to the art of computer hacking, this event targeted the mind.
If the game is complicated, the rules are fairly simple. Before the big day, each team was given a target Fortune 500 company and a list of dozens of pieces of sensitive information that they had to find out on a live phone call in front of this big crowd with high expectations.
The pieces of information, called “flags,” are each worth a certain number of points. The more sensitive and, ostensibly, difficult to obtain, the more points the flag is worth.
When a team gets a target CVS employee to quickly say that their store was using Windows XP, Internet Explorer 8, and no antivirus on all of their computers, the team is instantly rewarded with 15 points.
There are 514 possible points to win if a team gets a target to spill every bit of information on the list. Only one contestant has ever captured all the flags: Security researcher Shane McDougall, whose perfect 2012 win ended up on CNN, no longer competes.
To earn the most valuable flag, contestants must convince a target employee to visit a URL of their choosing. That’s worth 26 points.
If you don’t understand why all those pieces of information and actions are dangerous for hackers to know, then you are the perfect target for these talented liars.
The targeted CVS is not only protecting customer information with software that is grossly out of date, unprotected, and officially unsupported, but they’re also not doing a very good job of keeping it a secret.
And if an employee is willing to visit a URL given to them by a stranger on the phone right after giving up specific information about their out-of-date computer systems, they’ve opened up their store—and their entire company—to a possible cyberattack.
Teams spent five weeks preparing false backstories—this year, most claimed to be corporate security auditors who needed detailed information from unsuspecting employees in order to “protect” them—and putting together a list of phone numbers to call, whether it be a target company’s retail stores or even personal cell phone numbers of employees.
In the past, contestants have claimed to be real estate agents, contractors, students, academics, and more.
Several of the competitors—who are forbidden, by rule, from asking for extremely sensitive data like passwords or social security numbers—had been there before as solo acts, but a new rule this year established two-person tag teams in which players gained 10 points for transferring the call, mid-lie, to their teammates. It was meant to add a new wrinkle to the game. What happens when two people work together in a lie instead of just one? Is it easier or harder to manipulate the target?
The rules also forbid fear-based tactics—so teams can’t threaten a target, for instance—but that rule almost glosses over the fact that the many teams who pretend to be calling from corporate headquarters inevitably lead targets to want to help a workplace superior, if only out of worry about what might otherwise happen to their job.
Fear, if used in that sort of subtle way, is an allowed weapon. Hadnagy agreed with that but stressed an important distinction.
“We very much want the target to feel better after having interacted with us,” he said. “No one will feel victimized or worse after we call. The worst that happens is that an employee is a little annoyed. No one feels bad afterwards.”
Last year, a competitor brazenly broke that rule. Posing as the vice president of a target company, he twice threatened to fire employees if they didn’t give him all the information he demanded. The contestant was quickly disqualified by Hadnagy.
The ultimate target, however, is not the unfortunate employee who picks up the phone when the social engineers call. Instead, the goal is to expose the fact that many of these big companies have failed to properly educate employees about how to protect sensitive data from skilled social engineers.
Las Vegas is a city of liars, from the poker tables to the strip clubs, so it makes perfect sense to go big and make dishonesty a spectacle and sport in Sin City.
• • •
“It was tiny, the floor was sticky, and it smelled like piss.”
That’s how Hadnagy describes the first-ever Social Engineering Capture the Flag competition, held at Def Con five years ago. Despite the lingering essence of human waste, word of the event spread so quickly that the Department of Justice was called when the targeted companies grew concerned over the contest.
“I had to go to D.C. to talk about the contest with the F.B.I.,” Hadnagy told the Daily Dot.
Two years later, as Capture the Flag’s audience grew, Hadnagy found himself in the capital once again. This time, he was called to the Pentagon to debrief over 30 high-ranking military officers and officials—from decorated generals on down—about the potency of social engineering attacks.
“They wanted to know how social engineering affects the American public,” Hadnagy said, “how it affects corporations, and to see how the government could possibly help.”
By last year, following the American government’s lead, the corporate world had done a complete 180 on how it views the social engineering competition. Nine out of 10 targeted companies requested post-contest reports from Hadnagy and utilized a free seminar to learn more about how to fix the vast social engineering problems they face.
Retired General Keith Alexander, former head of the National Security Agency, sat in the Capture the Flag audience in 2012 to watch the contestants go at it.
“Thank you for teaching America’s youth how to use skills like social engineering for the better,” Alexander told Hadnagy, while shaking his hand in front of a cheering crowd.
The competition, for all its bells and whistles, is far more about education than winning. The prize is relatively small—a coveted “black badge,” a lifetime free pass to Def Con, is awarded with some schwag but no big money goes to the winner—and half of this year’s competitors have never even done social engineering before.
“The moral lesson is that anyone can do it,” says Michelle Fincher, who helps to run the competition and works with Hadnagy as a security consultant at Social-Engineer.org. “You don’t need to be cool or have experience. People who are new come in and do extremely well.”
Fincher and Hadnagy both say the Capture the Flag competition is proof positive that social engineering is the most dangerous attack vector anyone faces—from moms and pops to Fortune 500 companies and nation-states—and that transparency and education is likely the only way to even begin fixing the vulnerabilities.
“A computer virus could affect ten million people until it’s patched,” Hadnagy argued. “There is no patch for humans.”
• • •
The third team of the first day of competition is called the “Schmooze Operators.” Their target, Home Depot, is an $80 billion company and the largest home improvement retailer in the United States. The team poses as auditors from corporate headquarters.
“I’m not sure I’m supposed to be doing this,” an obviously irritated Home Depot employee named Sharon says when one of the teams asks for yet another piece of sensitive information about that company’s security procedures.
Even the best liars run into a brick wall eventually.
Within the 30-minute time limit, the Schmoozers quickly eke out important technical details about how Home Depot’s computer systems work as well as a load of other security information—like when employees go on break, if keys or cards are used to open locked doors, and how often people get paid—that leaves Home Depot vulnerable to a wide range of attacks in both cyberspace and the real world.
For ten minutes, the Schmoozers sweet talk Sharon and use her as a tool to learn more and more about Home Depot’s security or, in this case, the lack thereof.
The Schmoozers, a team who hadn’t even met prior to competing, are polite but forceful. They never ask if it’s okay to take up Sharon’s time. They just do it, projecting an air of authority that carries them very far, very fast.
Sharon, whose name we’ve changed to protect her from the potential wrath of embarrassed Home Depot superiors, gives up a slew of information: the exact computer models Home Depot uses, the software they run, and the fact that they have virtually no malware protection.
When Sharon starts talking about the complete lack of security in the store itself—“The doors here are never locked,” she tells the supposed auditors—the audience erupts in laughter before quieting down at Hadnagy’s insistence. The Schmoozers are in a mostly-soundproof booth, but there’s no use in risking errant sounds ruining the call.
Sharon, who works sales and registers for a Home Depot store in the U.S., eventually sees customers lining up at the register. She grows impatient but is implored by the liars to keep going despite being about ten minutes into the call.
The callers ask Sharon what kind of email software the Home Depot computers use.
“You should know this,” she says, wondering why someone from corporate headquarters would know so little about her store. With a little more sweet talking, she gives up that info too: Her Home Depot uses Outlook Express, an out-of-date email client that’s trivial to attack.
When the Schmoozers begin asking her about her previous security training—another four-point flag is to get details about how companies train their employees—a light bulb finally goes off in her head.
“I’m not sure I’m supposed to be doing this,” she says. After all, if the callers were from corporate headquarters, why didn’t they have an internal Home Depot phone number? And why didn’t she get a preliminary email before the phone call, a standard operating procedure at the company?
When targets have too much time to think about what’s really happening, social engineering fails. The whole art of it relies on hiding in plain sight and never triggering any suspicions. Sharon has been triggered. She is asking too many questions now, so the call is obviously coming to an end.
When the Schmoozers hang up, the crowd bursts out into applause. Despite the failure, it is the best performance of the day by far.
The team still has twenty minutes on the clock, so the crowd quiets down again, waiting for the next call, the next lie, and the next target to fall.
• • •
Lying can go wrong in the strangest ways.
Last year, a contestant named Milkman Dan was tasked with capturing flags from AT&T. In order to do so, he set up a fake backstory using the name of a real employee: Josh Lackey, a hacker working in security for the company.
“He called and claimed he was Josh and needed a ton of information,” Hadnagy says. “But the people he called all knew who Josh was.”
Oops. The targeted employees sent text messages to Lackey asking him why he was on the phone asking them such strange questions for sensitive data. Lackey answered back that he had no idea what they were talking about. Then, the truth dawned on him.
Lackey, it turned out, was a Def Con attendee. He was sitting three rooms over from the 2013 Social Engineering Capture the Flag contest when he was inundated with confused text messages from employees. When he realized what was happening, he walked over to the competition and introduced himself.
The contestant, who could hardly believe what was happening, immediately lined up for a smiling picture with the real Josh Lackey.
• • •
Capture the Flag teams attack some of the biggest companies in the world but, in the end, no one uses the information gained maliciously.
“We started it up to raise awareness for social engineering and give a venue to learn what makes a good social engineer,” Hadnagy told Computer World in 2010. “The easiest route into a company is still people.”
Real bad guys could easily use the kind of information Sharon freely gave away to launch a campaign specifically targeted against the vulnerabilities in Home Depot’s security. Thieves could even use the information—like the lack of keys and cards in certain areas, the knowledge of an employee’s break and shift time, and the exact contractors the stores use for pest control or garbage, for instance—to gain access to the store itself.
That’s what makes social engineering so potent, and that’s what makes having a fully transparent competition about it so important—and wonderful to watch. Instead of security through obscurity—the futile act of hiding critical vulnerabilities rather than fixing them—the Social Engineering Capture the Flag event highlights important problems and demands improvement.
Security personnel at many of the targeted companies have learned to appreciate that the Capture the Flag competition is actually providing a service in the form of a free penetration test, something for which major firms pay big money.
It’s easy to imagine Capture the Flag getting a bad rap. When I tell Hadnagy and Fincher that I think of the event as the “Super Bowl of lying,” they take issue with the nickname and say they were wary of negative press coverage. A 2012 CNN article that deemed the social engineers liars and characterized the calls as cons struck Hadnagy as particularly wrongheaded.
What about the Super Bowl of manipulation?
“I prefer the Super Bowl of influence,” Fincher offered, saying that “human hacking” is about influencing the decisions of others.
Social engineering, which undeniably involves lying and manipulation, can nevertheless be put to positive use. Don’t let a few naughty words scare you off.
The Social Engineering Capture the Flag competition is a perfect example of how deceit—because, yes, that is what’s happening when unsuspecting Sharon gets hoodwinked in front of hundreds of people—can be used for the greater good. And it’s a hell of a spectator sport, too.