By Kelly Jackson Higgins
Jun 04, 2010

In a twist to the popular "capture the flag" game played by hacking
teams every year at Defcon, the hacker conference is hosting a contest
that aims to test participants' social engineering skills -- without
anyone getting hurt.

The Social Engineering CTF will provide contestants beforehand with the
name and URL of their "target" company, and they then must gather any
information they can online or via other passive data-gathering methods
(no phone calls, email, or direct contact with the targeted firms). They
score points for the reconnaissance information gathered as well as for
the plan of attack, all of which must be submitted one week prior to
Defcon in a dossier format.

Each contestant gets a 20-minute window to perform the attack live at
Defcon -- in a phone call to the targeted firm -- plus five minutes to
explain to attendees their technique and strategy. They score points
based on the designated "flags" they capture and the information they
gather from the target.

Hacking contests are all the rage at Defcon every year, and social
engineering has been among the games in past years. This year's contest
is different in that there are specific ground rules -- participants
must legally socially engineer their way into the company, and they are
not allowed to get credit card numbers, Social Security numbers, or
passwords, involve porn, or make the target feel "at risk." They can't
use government agencies, law enforcement, or legal entities as a ruse to
get inside, nor can they contact relatives or family of the targeted