DefCon Contest Rattles FBI's Nerves

snydeq writes "A DefCon contest that invites contestants to trick employees at 30 US corporations into revealing not-so-sensitive data has rattled nerves at the FBI. Chris Hadnagy, who is organizing the contest, also noted concerns from the financial industry, which fears hackers will target personal information. The contest will run for three days, with participants attempting to unearth data from an undisclosed list of about 30 US companies. The contest will take place in a room in the Riviera hotel in Las Vegas furnished with a soundproof booth and a speaker, so an audience can hear the contestants call companies and try to weasel out what data they can get from unwitting employees." The group organizing the contest has established a strict set of rules to ensure participants don't violate any laws. Update: 07/31 04:45 GMT by S: PCWorld has coverage of one of the day's more successful attacks.

  • by Zerth ( 26112 ) on Friday July 30, 2010 @07:52PM (#33091374)

    The CTF Rules

    Each Social Engineer is sent via email a dossier with the name and URL of their target company chosen from the pool of submitted names.

    Pre-Defcon you are allowed to gather any type of information you can glean from the WWW, their websites, Google searches and by using other passive information gathering techniques. You are prohibited from calling, emailing or contacting the company in any way before the Defcon event. We will be monitoring this and points will be deducted for "cheating".

    The goal is to gather points for the information obtained and plan a realistic and appropriate attack vector. The point system will be revealed during the Defcon event. All information should be stored in a professional looking report. 1 week prior to Defcon you will submit your dossiers for review to the judging panel.

    They will be sent their time slot (day/time) to perform their attack vector at Defcon. At Defcon each social engineer will be given 5 minutes to explain to the crowd what they did and what their attack vector is.

    They are then given 20 minutes to perform their attack vector and points are awarded for information gathered as well as goals successfully accomplished during the process.
    A scoreboard will be kept and at the end some excellent prizes will be awarded.

    The Flag

    The "flag" is a custom list of specific bits of information, which you will have to discover during your 20-minute phone call. The judging panel created the list, and points will be awarded for each item present on the list. This list will be presented to you on the day of the event.

    THE DO NOT LIST:

    The underlying idea of this contest is: no one gets victimized for the duration of this contest. Social engineering skills can be demonstrated without engaging in unethical activities. The contest focuses on the skills of the contestant, not who does the most damage.

    Items that are not allowed to be targeted at any point of the contest:

    1) No going after very confidential data. (i.e. SS#, Credit Card Numbers, etc). No Illegal Data
    2) Nothing that can get Social-Engineer.org, Defcon, or the participants in the contest sued
    3) No porn
    4) At no point are any techniques allowed to be used that would make a target feel as if they are "at risk" in any manner. (i.e. "We have reason to believe that your account has been compromised.")
    5) No targeting information such as passwords.
    6) No pretexts that would appear to be any manner of government agency, law enforcement, or legally liable entity.
    7) The social engineer must only call the target company, not relatives or family of any employee.
    8) Use common sense, if something seems unethical - don't do it. If you have questions, ask a judge
    If at any point in the contest it appears that contestants are targeting anything on the "No" list, they will receive one warning. After the one warning they are disqualified from the contest.

  • I can verify this (Score:5, Informative)

    by Anonymous Coward on Friday July 30, 2010 @08:35PM (#33091710)

    Posting as AC for obvious reasons, and I can't offer anything in the way of proof (again, for obvious reasons) but I do work for the US Navy in a division that deals with intelligence. We've been getting floods of emails from up on high warning us about Defcon "threats" and that we shouldn't answer any questions from people who call us that we don't know, etc etc.

  • by KlaymenDK ( 713149 ) on Friday July 30, 2010 @09:24PM (#33092054) Journal

    http://xkcd.com/538/

    That is all.

  • by radish ( 98371 ) on Friday July 30, 2010 @10:15PM (#33092318) Homepage

    The usual approach is to call someone pretty much at random, and ask to be transferred to the real target. That person then sees an internal number (typically of someone they don't know) calling them and to some degree lets their guard down.

  • by JWSmythe ( 446288 ) on Friday July 30, 2010 @11:04PM (#33092644) Homepage Journal

    Usually it's not that tough to get info. I always maintained an East Coast US phone number, regardless of where I was working. I was always doing work things from my cell phone, like dealing with datacenter folks.

    Sometimes in the course of normal work, I'd need to acquire access for a coworker to a site. My name was usually listed as a person authorized to make account changes. If it wasn't, I knew the people who would be. A few times, I called as the owner of the company, added myself to the list of people with site access and then scheduled myself to show up and get an access badge. It didn't matter that I was calling from a cell phone from the wrong side of the country. If those failed, the good old "I just started work here yesterday, I was told to do this..." got it done. A few places wanted emails from authorized individuals to make changes. Oohh, spoofing an email, that's real tough to do.

        From: William Gates
        To: HR
        Subject: JW Smythe

        JW Smythe has been hired to work in the IT department. Provide him all the required credentials so he can begin work on August 2, 2010.

        BG

    It was easier where I knew all the right addresses, and the writing styles of the authorized folks. That, and I wouldn't get in trouble, since they actually did tell me to do it, even though the third party didn't know.
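The spoofed "BG" e-mail in the comment above works because HR trusts whatever the From: line says. A border mail server that verifies SPF, DKIM and DMARC records its verdict in an Authentication-Results header (RFC 8601), and a request to provision credentials can be gated on that verdict rather than on the display name. The script below is an added example, not code from the thread or from any of the commenters; the MTA name mx.example.com, the internal domain example.com and the four sample messages are constructed for illustration.

```python
"""Refuse to act on "authorization" mail unless our own MTA recorded dmarc=pass.

Added example (not from the Slashdot thread or any project). The MTA name,
the internal domain and the sample messages below are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical authserv-id of our border mail server. Only the
# Authentication-Results header that it wrote is trusted; RFC 8601 expects
# the border MTA to strip any pre-existing header with that name on ingress.
TRUSTED_AUTHSERV_ID = "mx.example.com"

# Hypothetical domains whose mail must pass DMARC before it counts as an
# authorized request from an employee.
INTERNAL_DOMAINS = {"example.com"}

# Matches "spf=pass", "dkim=none", "dmarc=fail" etc.; leaves "smtp.mailfrom="
# and "header.from=" property names alone.
_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*(\w+)", re.IGNORECASE)


def _auth_results(msg):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from the header written by
    our trusted MTA, or {} when no such header is present."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        parts = str(hdr).split(";", 1)[0].split()
        if not parts or parts[0].lower() != TRUSTED_AUTHSERV_ID:
            continue  # written by someone else, possibly by the sender
        for method, verdict in _RESULT_RE.findall(str(hdr)):
            results[method.lower()] = verdict.lower()
    return results


def verdicts(raw_message):
    """Trusted authentication verdicts for a raw RFC 5322 message string."""
    return _auth_results(email.message_from_string(raw_message, policy=policy.default))


def is_authorized_request(raw_message):
    """True only if From: is an internal domain and our MTA saw dmarc=pass."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if domain not in INTERNAL_DOMAINS:
        return False
    return _auth_results(msg).get("dmarc") == "pass"


# Constructed sample: genuine internal mail, verified by our MTA.
LEGIT_MSG = """\
Return-Path: <bgates@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: William Gates <bgates@example.com>
To: HR <hr@example.com>
Subject: JW Smythe

JW Smythe has been hired to work in the IT department.
"""

# Constructed sample: the spoof from the comment above, as our MTA would see it.
SPOOFED_MSG = """\
Return-Path: <anyone@attacker.example>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker.example;
 dkim=none; dmarc=fail header.from=example.com
From: William Gates <bgates@example.com>
To: HR <hr@example.com>
Subject: JW Smythe

Provide him all the required credentials so he can begin work on August 2, 2010.
"""

# Constructed sample: the sender supplied a flattering header of their own.
FORGED_HEADER_MSG = """\
Authentication-Results: attacker.example; dmarc=pass header.from=example.com
From: William Gates <bgates@example.com>
To: HR <hr@example.com>
Subject: JW Smythe

Please add JW Smythe to the access list.
"""

# Constructed sample: authenticated, but not from an internal domain.
EXTERNAL_MSG = """\
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=webmail.example
From: William Gates <bgates@webmail.example>
To: HR <hr@example.com>
Subject: JW Smythe

Please add JW Smythe to the access list.
"""

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT_MSG), ("spoofed", SPOOFED_MSG),
                      ("forged header", FORGED_HEADER_MSG), ("external", EXTERNAL_MSG)]:
        print(f"{name:14s} trusted={is_authorized_request(raw)} verdicts={verdicts(raw)}")
```

The check only means something if the border MTA really does remove or rename any Authentication-Results header that arrives with its own authserv-id, otherwise an attacker simply writes mx.example.com into the header instead of attacker.example. It also only covers the e-mail vector; the phone pretexts described elsewhere in the thread need a separate out-of-band confirmation step.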
