11/8/2016 Proprietary information. Please contact [email protected] 1 The DEF CON 24 Social Engineering Capture the Flag Report PO Box 62, Brooklyn, PA 18813 | 800.956.6065 | www.social-engineer.org Social-Engineer, LLC © All rights reserved to Social-Engineer, LLC, 2016. No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner, including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast for distance learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior written permission from the author(s).


Page 1: The DEF CON 24 Social Engineering Capture the Flag Report

11/8/2016 [email protected] 1

Table of Contents

Executive Summary 3
Overview of the SECTF 4
  Background and Description 4
  2016 Parameters 6
  Target Companies 7
  Competitors 7
  Flags 8
  Scoring 10
  Rules of Engagement 11
Results and Analysis 12
  Open Source Intelligence 12
  Pretexting 16
  Live Call Performance 17
  Competitor Summary 19
  Final Contest Results 20
  Discussion 23
About the Social-Engineer Village 27
Conclusion 28
About Social-Engineer, LLC 29
Sponsors 30


Executive Summary

Social-Engineer.org (SEORG) hosted the Social Engineering Capture the Flag (SECTF) contest at DEF CON 24 in Las Vegas, Nevada for the seventh year in a row in August of 2016. This year's competition targeted information security companies.

From over 150 entries, we selected 14 competitors from diverse backgrounds and experience levels to test their social engineering abilities. Below is a table highlighting some basic statistics from this year's competition:

Target companies: 14
Competitors: 14
Completed calls: 160
Total points scored on reports: 1698
Total points scored on calls: 4352

Table 1: SECTF general summary

As in years past, the overall goals of this contest were to raise awareness of the ongoing threat posed by social engineering and to provide a live demonstration of the techniques and tactics used by the potential malicious attacker. There were very strict rules of engagement in place to ensure no sensitive information on companies or individuals was disclosed. To further protect employees of target companies from potential negative repercussions, the identities of those contacted are neither recorded nor retained.

It is important to note that the reporting of a target company's overall performance is a combination of points scored by their assigned contestant in both the Open Source Intelligence (OSINT) gathering and live call phases of the contest. The scoring alone contained within this report does not necessarily indicate that one company is less secure than another company. However, it is an indicator of the potential vulnerabilities that exist and demonstrates that despite training, warnings and education, social engineering is still a very serious and viable threat to corporations.


Overview of the SECTF

The Social Engineering Capture the Flag (SECTF) is an annual event held within the Social-Engineer Village at the DEF CON Hacking Conference in Las Vegas, NV. The SECTF is organized and hosted by Social-Engineer.Org (SEORG), the noncommercial, educational division of Social-Engineer, LLC.

The competition was formed to demonstrate how serious social engineering threats are to companies and how even novice individuals could use these skills to obtain important information. The contest is divided into two parts: the information-gathering phase that takes place prior to DEF CON, followed by the live call phase that occurs at the DEF CON conference.

Background and Description

The SECTF is a contest in which participants attempt to obtain specific pieces of information, called flags, from select private-sector companies. The purpose of the contest is to demonstrate how much information can be freely obtained either through online sources or via telephone elicitation.

Months prior to the DEF CON event, we solicited for individuals who wished to compete via our social media outlets and the www.social-engineer.org website. We also asked participants to submit a 90-second video outlining why they should be included in the contest. Our panel made selections based on a number of factors, including desire to learn as well as our perception of the contestant's intent. As this is an educational event, we wish our participants to have a very strong emphasis on ultimately helping the status of corporate security as opposed to the singular goal of "winning" an engagement. From over 150 applicants, we selected 14 contestants and randomly assigned them to a company.

Contestants were not made aware of any other competitors or target companies other than their own prior to their call time at the live event. The target companies were not informed of their inclusion in the SECTF, nor was the industry announced prior to our contest. For this year, we selected information security as the target industry. These are brands that businesses rely on to assist their populations in the defense of confidentiality, integrity, and availability of information.

Contestants were given 3 weeks to gather as much information about their target company as possible and generate a formal report. They were allowed to use only Open Source Intelligence (OSINT) that could be obtained through search engines or tools such as Google, FOCA, Maltego, etc. During this information-gathering phase, contestants could attempt to capture as many of the pre-defined flags as possible. The information gathered was to be assembled into a professional looking report. Contestants were provided with a sample report to assist them, but were not required to use this template. In addition to the flags, points were also awarded based on the professionalism and quality of the report, with 10 bonus points awarded for reports submitted early.

Contestants were then assigned a time slot to perform their live calls on either Friday or Saturday during DEF CON 24 in Las Vegas, NV.

Great care was taken in the development of the contest to ensure maximum success for the contestants. Since the contest was held on the West Coast, companies whose headquarters were located on the East Coast were assigned earlier time slots. Furthermore, companies who were more easily accessible during non-standard business hours were assigned Saturday time slots.

Contestants were placed in a soundproof booth and required to provide a list of phone numbers (obtained during the information-gathering stage) at the target company to call, along with the phone numbers they wished us to spoof. Caller ID spoofing is a method through which one's incoming phone number can be forged, or "spoofed". This is a tactic commonly used by social engineers to increase their credibility with recipients.

Each contestant was free to use their entire allotted 25-minute time slot to perform as many or as few calls as they wished. Although United States federal law requires the consent of only one party to the recording of a telephone call, many states (Nevada included) have created additional laws requiring both parties to consent. Since we could not obtain the consent of target companies without jeopardizing the integrity of the contest, no recording of any type was permitted (including that by the audience). Photographs were allowed with permission of the contestant.

Scoring was accomplished during each call by three judges. Based on very positive feedback from previous years, we again took opportunities after each call to discuss the call with the audience. During that time, we analyzed the success of the techniques used, and answered as many questions directed to either the judging panel or the contestant as time allowed. Subsequent to the contest, scoring and comments were reviewed along with the reports submitted prior to DEF CON to determine the winners.

It should be noted that all 14 contestants were required to place a $20 USD fully refundable deposit to reserve their spot at the contest. All contestants were refunded this deposit immediately after completing their call at the DEF CON portion of the contest.


2016 Parameters

Overall, we attempt to keep the major parameters of the competition as consistent as possible from year to year. However, we do make changes to ensure that the contest continues to be challenging and educational for both contestants and audience. Primary changes:

- The ability to spoof was allowed for all contestants
- The target companies were all information security companies


Target Companies

The Social-Engineer staff selected the targets through an open nomination and voting process. We made every attempt to ensure that no bias was introduced through attitudes or preconceived notions regarding any particular company. In general, we attempted to select Fortune 500 or larger companies from the information security industry. As businesses must focus on their core competencies, many do not have the internal resources for in-house information security teams. They must rely on the expertise of external service providers, and as companies responsible for the protection of client information, these providers must themselves be extremely cognizant of their own information security. As in previous years, we made the call for companies to be willing participants in the SECTF. No companies volunteered; therefore, none of the companies chosen were aware of their selection prior to the DEF CON conference. The target list (in alphabetical order):

1. Akamai Technologies
2. Cisco Systems
3. Comcast Xfinity
4. Dell SecureWorks
5. Deloitte Touche Tohmatsu Limited
6. EMC Corporation
7. Fortinet
8. International Business Machines Corporation (IBM)
9. Oracle Corporation
10. Palo Alto Networks
11. RSA Security
12. Sophos Group
13. Symantec Corporation
14. SYNNEX Corporation

Competitors

As in all previous years, one of our core rules is that no one is victimized. This includes those who choose to participate, those who are called, and the companies they work for. Our contestants' personal information is never revealed and they are only photographed if they provide explicit verbal permission prior to their live call segment at DEF CON. No video recording of contestants during their calls is ever permitted due to two-party consent laws in the state of Nevada.

There were 14 competitors selected from an original pool of over 150 applicants. Not all were skilled callers or experienced social engineers. For many, this was their first attempt at ever placing a deliberate social engineering-based call. Some of the contestants were red team or security specialists, but many were from other fields not related to social engineering or information security.

Flags

A "flag" is a specific piece of information that the contestants attempted to obtain in both the OSINT and live call portions of this competition.

Every year, we send an overview of flags, rules, targets and other pertinent information to our legal counsel. We do this to ensure we are staying within the legal boundaries we set for ourselves when we started this competition.

Table 2 outlines the list of specific flags, their categories, and point values for 2016:


Table 2: Flag list for SECTF at DEF CON 24 in 2016

DEF CON 24 SECTF Flag List (report points / call points)

Logistics
- Is IT Support handled in house or outsourced? 3 / 6
- Who do they use for delivering packages? 3 / 6
- Do you have a cafeteria? 4 / 8
- Who does the food service? 4 / 8

Other Tech
- Is there a company VPN? 4 / 8
- Do you block websites? 2 / 4
- If website block = yes, which ones? (Facebook, eBay, etc.) 3 / 6
- Is wireless in use on site? (yes/no) 2 / 4
- If yes, ESSID name? 4 / 8
- What make and model of computer do they use? 3 / 6
- What anti-virus system is used? 5 / 10

Can Be Used for Onsite Pretext
- What is the name of the cleaning/janitorial service? 4 / 8
- Who does your bug/pest extermination? 4 / 8
- What is the name of the company responsible for the vending machines on site? 4 / 8
- Who handles their trash/dumpster disposal? 4 / 8
- Name of their 3rd party or in house security guard company? 5 / 10
- What types of badges do you use for company access? (RFID, HID, None) 8 / 16

Company Wide Tech
- What operating system is in use? 5 / 10
- What service pack/version? 8 / 16
- What program do they use to open PDF documents and what version? 5 / 10
- What browser do they use? 5 / 10
- What version of that browser? 8 / 16
- What mail client is used? 5 / 10
- Do you use disk encryption, if so what type? 5 / 10
- Fake URL (getting the target to go to a URL) www.seorg.org: N/A / 26

Employee Specific Info
- How long have they worked for the company? 3 / 6
- What days of the month do they get paid? 3 / 6
- Employee schedule information (start/end times, breaks, lunches) 3 / 6
- What is the name of the phone/PBX system? 4 / 8
- When was the last time they had awareness training? 5 / 10


Scoring

Social-Engineer had a proprietary application developed for the purpose of scoring both the OSINT and live call portions of the competition. Flags obtained during the OSINT phase of the contest were worth half-points (please see Table 2). OSINT reports were scored prior to the live call event. Scoring during the telephone calls was accomplished live using the same proprietary application mentioned above. Judges were able to input scores into a database for the flags as they were obtained. Flags captured during this portion of the event were awarded full points (please see Table 2). The same flag could be captured multiple times by the contestant, either by contacting different targets on the same call (e.g., through being transferred) or on subsequent calls within the allotted 25 minutes. For example, if the contestant reached three different people and convinced all three to navigate to the website of the contestant's choosing (a flag worth 26 points), they would have received seventy-eight points.

Every attempt was made to ensure consistency in scoring for all contestants, regardless of the judge, although our scoring process does provide some subjectivity through the ability to include notes and comments by each judge for each contestant. At the end of the competition the scores were totaled by the application to determine the winning score.

In addition to determining the SECTF winner based on point totals, we also conducted an analysis of how the target companies fared in response to a social engineering attack. It follows that the interpersonal skills and overall preparation of the contestant were highly predictive of the outcomes indicated by both scores and subjective assessments of performance by the judges. Unfortunately, a company cannot rely on the hope that a malicious social engineer will be inexperienced, unskilled, or unprepared upon which to base their sense of corporate security.


Rules of Engagement

Contestants are held to very strict rules to ensure the protection of target companies as well as their employees. The core rules remained the same as in previous years. We did not allow the collection of sensitive data such as credit card information, social security numbers, and passwords. Only Open Source Intelligence (OSINT) was allowed. We did not allow physical (i.e., facility) or technical (i.e., network) penetration into companies. In addition, we did not allow the contestant to visit any location of their target for information gathering purposes or interact with any person from the target before the calls at DEF CON. We also specifically avoided sensitive industries such as government, education, healthcare, and finance.

The most important rule stressed to all contestants is that there was to be absolutely no victimization of any individuals or target companies. For more specific information on the ROE, please see our rules and regulations: http://www.social-engineer.org/ctf/def-con-sectf-rules-registration/.


Results and Analysis

High profile events as a result of malicious social engineering are illustrative of the fact that corporations continue to be poor at protecting critical information. Unfortunately, this year's SECTF supported this trend, as our contestants, both experienced and newcomers, were able to obtain flags both through OSINT and the live calls. Our findings are detailed in the sections that follow. It should be noted that any comparisons to previous years' performance are for subjective trend analysis only. Since populations and sample sizes are not equivalent across years, statistical analysis is not appropriate and was not performed.

Open Source Intelligence

Preparation prior to any social engineering engagement is critical. This phase is the most time-consuming and laborious, but can most often determine the success or failure of the engagement. The professional social engineer must be aware of all of the information-gathering tools freely available as well as the many accessible locations online that house valuable pieces of data.

The following table is a list of tools commonly used by professional social engineers as well as our contestants during the OSINT phase of the SECTF:

Google

Maltego

LexisNexis

FOCA

Twitter

Pipl

Reddit

Facebook

Plaxo

Google Maps

Shodan

Picasa Web

WHOIS

wget

Vimeo

TinEye

Wayback Machine

LinkedIn

Monster

Glassdoor

Yelp!

Craigslist

Spokeo

YouTube

FourSquare

Friendster

theHarvester

Google Images

Telnet

EchoSec

DuckDuckGo

Pinterest

Jigsaw

Table 3: Commonly used OSINT tools and websites
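Several of the tools above (FOCA in particular) work by pulling metadata out of documents a company has published on its own website, which is where flags such as the PDF reader and version, the operating system, and employee usernames often come from during the OSINT phase. The following Python script is an added example written for this page, not code from the report or from FOCA: it shows the technique on two constructed PDFs embedded inline (invented product strings, author name and date) by locating the trailer's /Info reference, decoding the literal strings (including escaped parentheses and octal escapes), deriving the flag-relevant facts, and aggregating them across a document set the way a whole-domain harvest would. Real PDFs may keep this dictionary in compressed object streams or as hex strings, which this parser does not handle.

```python
from __future__ import annotations

import re
from collections import Counter

# Two constructed PDFs used only as sample input (invented values; not documents
# from any target company). Real files carry the same trailer /Info reference.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Producer (Acrobat Distiller 9.0.0 \\(Windows\\))\n"
    b"   /Creator (Microsoft\\256 Word 2010)\n"
    b"   /Author (jsmith)\n"
    b"   /CreationDate (D:20160711142355-04'00') >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)
NO_INFO_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

INFO_REF_RE = re.compile(rb"/Info\s+(\d+)\s+(\d+)\s+R")
# /Key (literal string); the alternation steps over escaped characters so an
# escaped ")" does not end the string early.
STRING_FIELD_RE = re.compile(rb"/(\w+)\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# "<product name> <version>" as most office and PDF tools write it.
VERSION_RE = re.compile(r"([^\d()]+?)\s+(\d+(?:\.\d+)*)")
DATE_RE = re.compile(r"D:(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})")


def _unescape(raw: bytes) -> str:
    # Decode literal-string escapes: \n \r \t, escaped parens/backslash, octal \ddd.
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c != 0x5C or i + 1 >= len(raw):  # not a backslash (or a trailing one)
            out.append(c)
            i += 1
            continue
        nxt = raw[i + 1]
        if 0x30 <= nxt <= 0x37:  # \ddd: one to three octal digits
            j = i + 1
            while j < len(raw) and j < i + 4 and 0x30 <= raw[j] <= 0x37:
                j += 1
            out.append(int(raw[i + 1:j], 8) & 0xFF)
            i = j
        else:  # \n \r \t map to controls; anything else is the character itself
            out.append({0x6E: 0x0A, 0x72: 0x0D, 0x74: 0x09}.get(nxt, nxt))
            i += 2
    # PDFDocEncoding matches Latin-1 for the printable range used in metadata.
    return out.decode("latin-1")


def _object_body(pdf: bytes, num: int, gen: int) -> bytes | None:
    m = re.search(rb"(?<!\d)%d\s+%d\s+obj(.*?)endobj" % (num, gen), pdf, re.DOTALL)
    return m.group(1) if m else None


def extract_info(pdf: bytes) -> dict[str, str]:
    """Return the literal-string fields of the /Info dictionary, or {} if absent."""
    ref = INFO_REF_RE.search(pdf)
    if ref is None:
        return {}
    body = _object_body(pdf, int(ref.group(1)), int(ref.group(2)))
    if body is None:
        return {}
    return {key.decode("ascii"): _unescape(val) for key, val in STRING_FIELD_RE.findall(body)}


def fingerprint(info: dict[str, str]) -> dict[str, str]:
    """Reduce raw metadata to the facts an attacker would record against the flag list."""
    facts = {}
    for key in ("Producer", "Creator"):
        m = VERSION_RE.search(info.get(key, ""))
        if m:
            facts[key.lower() + "_software"] = m.group(1).strip()
            facts[key.lower() + "_version"] = m.group(2)
    platform_text = info.get("Producer", "") + " " + info.get("Creator", "")
    for os_name in ("Windows", "Macintosh", "Linux"):
        if os_name in platform_text:
            facts["os_hint"] = os_name
    if info.get("Author"):
        facts["username"] = info["Author"]  # often a login name rather than a display name
    m = DATE_RE.match(info.get("CreationDate", ""))
    if m:
        facts["created"] = "{}-{}-{} {}:{}".format(*m.groups())
    return facts


def summarize(pdfs) -> dict[str, Counter]:
    """Aggregate fingerprints over a document set: the repeated values are the standard build."""
    summary = {}
    for pdf in pdfs:
        for fact, value in fingerprint(extract_info(pdf)).items():
            summary.setdefault(fact, Counter())[value] += 1
    return summary


if __name__ == "__main__":
    for fact, counts in summarize([SAMPLE_PDF, SAMPLE_PDF, NO_INFO_PDF]).items():
        print(fact, dict(counts))
```

The aggregation step is the point: one document's /Producer is an anecdote, but the same Acrobat and Office versions across fifty public documents from one domain answer the "what program do they use to open PDF documents and what version" and "what operating system" flags without a single phone call.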


The quality and research dedicated to the reports continues to be impressive. However, continuing the trend from the previous two years, the scores for calls outperformed those for the reports. This reverses the trend set in the earliest years of the competition. Figure 1 shows a similar point distribution to last year's competition. It should again be noted that points awarded for flags captured during OSINT are worth half the value of those awarded during live calling.

Figure 1: Comparison of OSINT/Calls Points Awarded 2015-2016

The following small list of this year's findings demonstrates that the danger posed by social engineering information gathering is extremely prevalent. Any of the following pieces of information could be used by a malicious attacker to further develop vishing, phishing, or onsite impersonation attacks. Major categories are as follows:

Employee Information

- Key personnel were discovered to be sharing personal information via social media: activities, interests, purchasing habits, home location, relationship status and friends/family members.

- Several contestants were able to find employees posting pictures from their desks on social media. These contained views of the computers used by the employees, and in some cases views of the employee's computer screen with sensitive information displayed on it.


- Employees listed very detailed information on their experience and background on social media.

- Some contestants were able to find several posts from target employees discussing work schedule.

Technologies

- Information on operating systems as well as hardware was discovered by several contestants during the OSINT portion. This would allow an attacker to select exploits specifically targeted at a company's infrastructure.

- Information on system architecture, operating systems, and hardware devices used by several targets was found by looking at job postings.

- Multiple contestants were able to locate a full map of their target company's VPN. This would expose the VPN portal to potential attacks.

- Several pictures disclosed the make and model of the WiFi access points used by the target companies.

- One target displayed the make and model for their routers, firewall, and several other pieces of hardware used to secure enterprise data.

Physical Plant

- The onsite cafeteria was discovered to be open to the public, making both facilities and employees vulnerable.

- Information regarding office spaces was readily available (e.g., building owners, office managers, vacant offices, other tenants).

- Several images from inside the offices of target companies were displayed via social media.

- Many details about the physical space were located using tools such as Google Maps (e.g., location of ATMs, security, etc.).

Contractor/Vendor/Other Companies

- A vendor listed a target as their customer for cafeterias.


- Many companies employ contractors, many of whom are supplied through well-known contracting companies.

- A Google Street View image discovered by a contestant displayed the name of the trash pickup company used by a target company.

- One target company received a reward for recycling/compost from their trash pickup company.

- A janitorial service listed a target company as a client on their website.

Special Notes

- Social media accounts of numerous target employees were located. Employees often disclosed information including details regarding technology, systems, and infrastructure employed at their companies, as well as other pertinent details such as pay schedule and specific job functions. Many employees (particularly executive level individuals) possess LinkedIn accounts that are not private, providing significant information to attackers.

- Security badges were prominently displayed in several pictures discovered. This would allow an attacker to create a very realistic copy to use in an impersonation attempt.

- One contestant was able to discover a lease agreement between the target company and the landlord available online.

- The ESSID and password for onsite wireless were made public via a tweet by an employee of one target.

- A contestant was able to use knowledge gained from observing Google Earth images of a target location in his call to obtain several flags.

We recognize that much of the information listed above is beyond the control of the organizations and individuals concerned. However, it is important to be aware of information freely available in order to mitigate possible exploitation by malicious attackers.
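The findings above are the kind of leakage a security team can look for in its own organization's public footprint before a contestant, or a real attacker, does. The following Python scanner is an added example written for this page, not part of the report: it runs a set of heuristic patterns, grouped under the SECTF flag categories, over a handful of constructed social-media posts and job-posting snippets (all invented, with example.com as the hostname) and returns one finding per flag per post, keeping the most specific match. Mirroring the rules of engagement, secrets such as the Wi-Fi password in the first post are reported as present but never stored. The patterns are heuristics and will produce false positives; the output is a triage list for an analyst, not a verdict.

```python
from __future__ import annotations

import re
from collections import Counter
from typing import NamedTuple


class Finding(NamedTuple):
    source: str
    category: str
    flag: str
    evidence: str


# (category, flag, pattern). Categories and flag wording follow the SECTF flag
# list; the regexes are this example's own heuristics, not a complete taxonomy.
FLAG_PATTERNS = [
    ("Other Tech", "ESSID name",
     re.compile(r"\bSSID\b\s*[:=]?\s*([A-Za-z0-9_-]+)", re.I)),
    ("Other Tech", "Company VPN",
     re.compile(r"\b(vpn[\w-]*\.[a-z][\w.-]*|vpn)\b", re.I)),
    ("Other Tech", "Computer make/model",
     re.compile(r"\b(ThinkPad \w+|Latitude \w+|MacBook (?:Pro|Air)|Surface Pro \d)\b")),
    ("Company Wide Tech", "Operating system",
     re.compile(r"\b(Windows (?:XP|Vista|7|8(?:\.1)?|10|Server \d{4})|OS X \d+(?:\.\d+)+|Ubuntu \d+\.\d+)\b")),
    ("Company Wide Tech", "Service pack/version",
     re.compile(r"\b(SP ?\d|Service Pack \d)\b", re.I)),
    ("Company Wide Tech", "PDF reader and version",
     re.compile(r"\b((?:Adobe |Acrobat |Foxit )+Reader(?: (?:DC|XI|\d+(?:\.\d+)*))?)")),
    ("Company Wide Tech", "Mail client",
     re.compile(r"\b(Outlook(?: \d{4})?|Thunderbird|Lotus Notes)\b")),
    ("Onsite Pretext", "Badge type",
     re.compile(r"\b(RFID|HID|[Pp]rox(?:imity)?)\b[^.\n]{0,20}?\bbadge")),
    ("Employee Info", "Pay schedule",
     re.compile(r"\bpay\s?day\b[^.\n]{0,60}", re.I)),
    ("Employee Info", "Awareness training",
     re.compile(r"\b(?:security )?awareness training\b", re.I)),
]

# Values matched here are never stored. The SECTF rules of engagement forbid
# collecting passwords, so the scanner records only that one was present.
SENSITIVE_PATTERNS = [
    ("Password", re.compile(r"\b(?:pw|pwd|password|passphrase)\b\s*[:=]?\s*\S+", re.I)),
]

# Constructed posts (invented people, text and hostname), not real OSINT.
SAMPLE_POSTS = [
    ("twitter/@employee1", "Office wifi finally up! SSID: CorpGuest pw: summer2016 lol"),
    ("jobs/helpdesk-tech", "Support desktops running Windows 7 SP1; troubleshoot Adobe Reader 11.0 and Outlook 2013 issues."),
    ("linkedin/employee2", "Day 1 with my shiny new HID badge at the new office!"),
    ("linkedin/employee3", "Working remote this week, the VPN portal vpn.example.com makes it painless."),
    ("forum/thread-42", "Payday is the 15th and the last day of the month, plan accordingly."),
    ("reddit/r/sysadmin", "Just finished our annual security awareness training. Same slides as 2014."),
    ("instagram/employee4", "New desk setup: ThinkPad T460 and two monitors #worklife"),
    ("twitter/@employee5", "Great coffee at the cafe downstairs today."),
]


def scan_post(source: str, text: str) -> list[Finding]:
    """Return one finding per flag that the post exposes, plus redacted sensitive hits."""
    findings = []
    for category, flag, pattern in FLAG_PATTERNS:
        hits = [m.group(1) if m.lastindex else m.group(0) for m in pattern.finditer(text)]
        if hits:
            # Keep the most specific hit, e.g. a VPN hostname over the bare word "VPN".
            findings.append(Finding(source, category, flag, max(hits, key=len).strip()))
    for label, pattern in SENSITIVE_PATTERNS:
        if pattern.search(text):
            findings.append(Finding(source, "Out of scope", label, "[REDACTED]"))
    return findings


def scan_posts(posts) -> list[Finding]:
    return [f for source, text in posts for f in scan_post(source, text)]


def flags_by_category(findings) -> Counter:
    """How many flags leaked per category, the shape of the report's own summary."""
    return Counter(f.category for f in findings)


if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"{f.source:22} {f.category:18} {f.flag:24} {f.evidence}")
```

Run against a real export of a company's public posts and job listings, the same loop gives a defender the list of flags that would be surrendered before anyone picks up a phone, which is the cheapest place to fix them.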

Figure 2 provides a side-by-side comparison of points scored by competitors against their assigned company during the OSINT portion of the contest, out of a possible 225 points. The X-axis represents the competitors, and the Y-axis the point values for total points awarded for this phase of the competition.


Figure 2: OSINT Scores by Competitor

The OSINT portion of our competition stresses a few key points. First, it emphasizes the overall importance of the information-gathering phase of any social engineering engagement. A thorough online investigation can provide an individual with a very good understanding of when, where, and how companies conduct business as well as the online activities of their employees through vectors such as social media. Second, any images found can be extremely useful for malicious attackers. For instance, if an attacker knows what buildings look like, the location of entrances and break areas, and perhaps even finds pictures of corporate badges, these are all potential vulnerabilities. Finally, our OSINT exercise stresses the issue of online data leakage by organizations. Network penetration was not allowed; the flags during the OSINT phase were obtained through information freely found online without any live interaction with individuals at the target companies.

Pretexting

Selecting a proper pretext is a key component to the success of a vishing campaign. This year there were a variety of pretexts used with varying degrees of success. Newcomers predictably struggled the most with both believable pretexts as well as with maintaining the pretext for the duration of the call.

Some contestants attempted to use accents which were not natural to them and found very little success. An important thing to remember when selecting a pretext is to select one which is the most believable. Several of the younger sounding contestants were able to obtain good results using intern/college student pretexts, where these would be inappropriate for older sounding contestants. Several newcomers demonstrated an ability to use the inherent nervousness present when competing as part of their pretext.

One of the most important rules for the SECTF is that contestants are not allowed to use negative pretexting. This includes threatening disciplinary action, and/or using extreme fear or anger towards a target. This rule is in place to keep targets from being left in fear for their employment as well as to provide a challenge to the contestants to formulate a pretext that is more creative. This year, one contestant did attempt a pretext which the judging panel felt incited extreme fear in a target. His call was interrupted and he was instructed to re-call the target to rectify the situation.

Live Call Performance

The live call portion of the SECTF is an interesting trial for the contestant. It is not only a test of mental agility and the ability to influence a person in real-time, but also a task that must be accomplished in front of a live audience. The luxury of time and true anonymity enjoyed in the OSINT phase are not applicable. It is for that reason we congratulate all of our contestants on completing this phase of the competition. Figure 3 quantifies point values scored by the contestants against their assigned company during the live call portion of the contest. The X-axis represents the contestants and the Y-axis the point values awarded. It should be noted that some contestants found difficulty reaching companies towards the end of the business day, while others were ill prepared with very few phone numbers discovered during the OSINT portion of the competition.


Figure 3: Live Call Scores by Competitor

The following are observations made during calls.

- Competitors who were the most successful:

  o Were very well prepared. They had conducted thorough OSINT and possessed more than enough possible targets/phone numbers to call. They were also familiar with internal terminology, systems, processes, and in one notable case, very recent corporate news.

  o Developed good rapport with the target. In one case, the contestant established a pretext which allowed him to 'assist' a target with figuring out why a fake link wasn't working, which led to achieving a high number of flags.

  o Dealt well with an unpredictable environment. This contest illustrates the difficulty of live calling. Our best competitors thought quickly on their feet and were able to adjust pretexts and questions even when the call appeared to be going poorly.

  o Carefully planned the order of their questions. The most experienced contestants tended to start with non-threatening questions and gradually pressed the targets into disclosing more sensitive information.

  o Were persistent. In one case, a competitor was unable to reach his targets and walked the telephone numbers he called up by one digit in an attempt to reach people. In a number of cases, competitors re-called individuals when unable to reach other targets.

- Competitors who had the most difficulty:

  o Were not able to make their pretexts immediately clear to their targets. Without being able to establish who, what, and why immediately, these competitors often rambled and were unable to develop proper rapport.

  o Were quick to abandon a call if they met even the slightest resistance.

  o Did not properly research the company before the live calling phase.

- Techniques:

  o A number of successful competitors escalated their requests from small to large.

  o One competitor added an incentive to his pretext by offering a gift card for completing a survey. Upon completion of a brief survey the competitor was able to obtain several more flags by assisting the target with receiving the gift card.

  o A number of successful competitors phrased their elicitations as confirmation of information they already knew (collected in the OSINT phase).

  o Successful competitors also used deliberate false statements to have the target correct them with the correct flag.

  o A number of competitors used a "rapid fire" style of questioning, essentially overwhelming their targets. Depending on the amount of rapport established, this was a successful technique.

- Additional Observations:

  o One competitor noticed during the OSINT phase that there was a dumpster next to the smoking area for a company and used this to obtain the trash pickup company flag during the calls.

  o Two of our competitors were unable to obtain flags due to personnel not answering calls. This mirrors actual social engineering engagements and demonstrates the lack of predictability and control inherent in vishing calls.

  o In more than one case, a company's corporate directory provided the full names of individuals, providing multiple target opportunities with a single call.

CompetitorSummary

This year we had our typical range of novice social engineers to professional penetration testers. Average OSINT performance for this year remained identical compared to last year, as demonstrated in Figure 4. However, since we make changes to the conditions, number of competitors, and scoring each year (e.g., extra points for "tag-outs" in 2014), these averages are only valuable in terms of identifying large trends such as the data reversal we saw in 2014. Call score appears to have fallen this year, which may be attributed to the difficulty some competitors had in reaching employees at the target companies. The mathematical average is also impacted by outlying scores (either very high or very low), so it is relatively limited in the information it conveys. One can surmise that perhaps competitors this year continued to emphasize call phase preparation and performance over the OSINT phase.

Figure 4: Mean Performance for SECTF 2013-2016

Final Contest Results

At the conclusion of the live call portion of the contest, the judging panel met and reviewed all scores. Figure 5 is a tally of OSINT scores, call scores, and grand total by company. A higher score denotes that a higher number or value of flags were surrendered, and is indicative of poorer performance on the part of the company.


Figure 5: Company Ranking

Keeping with the trend from last year, contestants relied heavily on the call portion for their score. Unfortunately, it should also be noted that there were several targets this year completely untested during the call portion due to personnel simply not answering telephone calls at all. Finally, every target company disclosed at least some information (either discovered during OSINT or during live calls) which could be used as a possible attack vector for malicious actors. The ranking of companies from best performance (lowest score) to worst performance (highest score) is as follows:

1. Symantec
2. IBM
3. Oracle
4. EMC
5. SYNNEX
6. Palo Alto
7. Fortinet
8. SecureWorks
9. Sophos
10. Akamai
11. CISCO
12. RSA
13. Deloitte
14. Comcast Xfinity

We do not release information on specific vulnerabilities of the companies to the general public. NOTE – We do provide this information directly to the involved companies upon request.

One positive aspect of the live call portion of the SECTF each year is to see when a company shuts down the contestant. That is, the person from the target company follows appropriate security protocol and does not answer any questions or hangs up on the call. Each year when a person from a target company stops a contestant, the room breaks out into applause. This year we did have calls during which:

- The target attempted to verify the contestant and refused to disclose any information when the contestant could not be located in the employee directory.

- The target looked up the domain and company from the contestant's pretext and refused to have further conversation when these turned out to be fake.

- The target politely shut down the contestant, insisting that any requests for a survey should go to the target's manager.

- A target company sent a bulletin company-wide that the firm was under attack from DEF CON.

Despite these positive notes, overall, this year's contest proved once again that potentially damaging information on organizations is still either easily accessible online or discovered via telephone calls by even the most novice competitor. Figure 6 illustrates the number of times each flag was obtained during both OSINT and live call phases. While not all flags were requested the same number of times, this is at least an indicator of likely vectors into an organization. Inspection will reveal that the most commonly obtained flag this year was the amount of time the target had worked for the company, followed by whether or not there was an onsite cafeteria, then employee schedule. The first flag could be used by a malicious attacker in determining how difficult it might be to escalate an attack using this individual, as well as the value of the information they may hold. A newcomer to an organization may be an easier target, but may also provide less valuable information, depending on their job function. The other flags could be used to perpetrate believable attacks via onsite impersonation attempts. The take-away here is that social engineering is not the end game, but is used as the entry point to perpetrate theft of identity or resources. The motivated individual will compile information from a number of different sources and create believable attacks that are difficult to recognize and resist.


It is interesting to note that EVERY applicable flag was surrendered at least once by the target companies.

Figure 6: Frequency of Flags

Discussion

This was, once again, an interesting and informative year. Based on all of the data and our own observations, we can conclude a few points. First and foremost, social engineering continues to be a security risk for organizations. This was our seventh consecutive year hosting this event; in that time, and despite numerous high-profile security breaches that occurred this year, we have not seen consistent improvements that directly address the human element in organizational security. Even as companies are reportedly investing more in security awareness training and policy development, the results again this year support our belief that overall, companies are still doing a relatively poor job. Not all of our competitors were experienced information security professionals; however, all were able to obtain flags. It does not appear that employees are being educated to understand the value of the information they hold or how to appropriately protect it. Rather than accept a request at face value, employees need to be trained and encouraged to question, challenge, and make good decisions. If the training task is too difficult to overcome immediately, then at minimum, employees need to have proper protocols in place that allow them to question callers. For example, if all employees were required to verify themselves with an employee ID or other daily code, this could greatly reduce the risk of telephone-based attacks and the need for employees to decide for themselves the correct course of action. If an organization creates an ambiguous situation, either through unclear policies or inadequate training, employees will make choices that are easier and less uncomfortable (e.g., disclosing information as opposed to politely declining to answer).

Our second conclusion is that companies are still allowing sensitive data to be posted online. In direct opposition to security is the basic nature of conducting modern business. Clear communication with, and accessibility of information by, clients and partners is mandatory. This places companies in a position where they need to make their resources highly available, and perhaps vulnerable. In addition to monitoring corporate information, another challenge for all organizations is the inability to completely control the social media and other postings of current and past employees. Our competitors clearly found valuable information through these sources, and they are certainly used by professional social engineers to craft phishing, vishing, and onsite impersonation attempts. Although it is unlikely that this vulnerability can ever be completely mitigated, clear policies and training can assist in making employees aware of the risk in which they place both themselves and their companies by oversharing information. We sincerely hope our findings are useful in making the information security industry safer, and a secure place in which to conduct business.

Mitigation

The ongoing goal of the SECTF is to raise awareness of the threat that social engineering presents to both organizations and individuals. The crux of this report is to inform companies of the dangers associated with malicious social engineers as well as how they can mitigate vulnerabilities and protect against these attacks. Based on our practice and in reviewing the trends over the past several years, we would expect the use of social engineering to continue to be a significant threat to organizations. Technical controls are only part of a solution that should include ongoing education and auditing as a standard practice to defeat malicious attackers. Below are a few suggestions for potential mitigation of this threat.

Page 25: The DEF CON 24 Social Engineering Capture the Flag Report · Engineer Village at the DEF CON Hacking Conference in Las Vegas, NV. The SECTF is organized The SECTF is organized and

11/8/2016 [email protected] 25

1. Defensive actions

The OSINT phase of the contest revealed how much data on a target company can be gathered through the simplest online searches. Companies must balance the business requirements of managing their brands with the risks associated with having open and approachable communications with their employees and the world. To further complicate the issue, corporate policies on information handling as well as employee social media use can often be either vague or unrealistic. Companies need to set clear definitions of what is and is not allowed with regard to the handling and posting of information, particularly with respect to social media. Individuals will often not make the connection that personal life being discussed in an open social forum can be leveraged to breach their employers. In addition, clearly defined policies on how, where, and what kind of information can be uploaded to unsecured areas of the Internet can go a long way toward safeguarding companies. Finally, companies MUST help their employees understand what information is valuable and how to think critically about its protection. Guidelines, policies, and education can help the employees understand the risks associated with information exchange in both their personal and professional lives, creating a security-focused culture.

2. Realistic testing

One of the most necessary aspects of security is the social engineering risk assessment and penetration test. When a proper risk assessment is conducted by professionals who truly understand social engineering, real-world vulnerabilities are identified. Leaked information, social media accounts, and other vulnerable aspects of the company are discovered, cataloged, and reported. Potential attack vectors are presented and mitigations are discussed. A social engineering penetration test increases the intensity and scrutiny; attack vectors are not simply reported, but executed to test a company's defenses. The results are then used to develop awareness training and can truly enhance a company's ability to be prepared for these types of attacks. We conclude that if the companies targeted in this year's competition possessed regular social engineering risk assessments and penetration testing, they might have been more aware of possible attack vectors and been able to implement education and other mitigation to avoid these potential threats.

3. Security awareness education

One of the areas that appears to be lacking across the board is quality, meaningful security awareness education. Educating the population to meet compliance requirements is not sufficient. In our experience, there is a definite relationship between companies that provide frequent and relevant awareness training and the amount of information that company surrenders. An organization that places a priority on education and critical thinking is sure to possess a workforce that is far more prepared to deal with malicious intrusions, regardless of the attack vector. Security awareness training needs to be practical, interactive, and applicable. It also needs to be conducted on a consistent basis. It doesn't require that a company plan large events each month, but regular security reminders should be sent out to keep the topic fresh in the employees' minds. In addition, we have found through our practice that companies who employ ongoing phishing and vishing awareness campaigns through real-world testing often fare better against these threats than those that do not. Many times, the difficulty lies in businesses making training and education a priority to the extent that appropriate resources are allocated to ensure quality and relevance. Security education really cannot come from a canned, pre-made solution. Education needs to be specific to each company and, in many cases, even specific to each department within the company. Companies who truly understand the challenges and rewards associated with high quality training and education will find themselves most prepared for the inevitable.

These are just three of the many strategies that can be utilized to improve and maintain security and prepare for the attacks being launched on companies every day. Our hope is that this report helps shed light on the threats presented by social engineering and opens the eyes of corporations to how vulnerable they really are.


About the Social-Engineer Village

DEF CON 24 brought back the Social-Engineer Village by popular demand. In addition to hosting the SECTF, we created a four-day event to entertain and educate DEF CON attendees on all things social engineering. This year we offered a reboot of last year's "Mission SE Impossible" challenge that simulated an office break-in and emphasized the critical thinking skills necessary to perpetrate successful corporate espionage. We also hosted a number of presentations by well-known social engineers to provide our audience with their unique perspectives in the field, the Social Engineering CTF for Kids, as well as our own live SEORG podcast. Based on an overwhelmingly positive response, the Social-Engineer Village will return in 2017 and will once again host the Human Track at DEF CON 25. We will be releasing a Call for Papers along with our call for 2017 SECTF contestants in coordination with DEF CON announcements. Please watch our website www.social-engineer.org and our social media accounts @HumanHacker, @SocEngineerInc, and https://www.facebook.com/seorg.org for the most current information.


Conclusion

This was another fantastic year for the SECTF. There were many first-time contestants as well as some returning from past years. With some of the novice competitors outperforming experienced security professionals, the competition continues to demonstrate that social engineering can be a powerful skill for people at any level. Unfortunately, as in years past, our limited findings show that companies are still vulnerable to social engineering attacks. It is our hope that this will change as we continue to expand our event and stress ongoing preparation, not just the attention garnered at DEF CON.

If you, or your organization, have any questions regarding any aspect of this report please contact us at: [email protected].


About Social-Engineer, LLC

Social-Engineer, LLC is the premier consulting and training company specializing in the art and science of social engineering (SE). Social tactics are an established and quickly growing trend in information security in the forms of phishing, phone elicitation (vishing), and impersonation.

With more than three decades of combined experience, Social-Engineer, LLC assists organizations in government, law enforcement, and the private sector in detection and mitigation of the devastating effects of both physical and information breaches. Social-Engineer, LLC focuses on the abilities of a hostile attacker to exploit the human element of businesses to gain access to corporate assets. Through assessment, education, and training, Social-Engineer, LLC helps organizations protect themselves and their trade secrets. To learn more about professional social engineering services, please visit: http://www.social-engineer.com/social-engineering-services/.


Sponsors

The 2016 Social Engineering Capture the Flag contest and the Social-Engineering Village would not have been possible without the generous support of the following organizations:

www.social-engineer.com

www.trustedsec.com

http://www.phishline.com/

www.pindropsecurity.com

http://www.asgent.com