LAS VEGAS–The man sits on the edge of a chair in a tiny, soundproof plexiglass booth. Overhead lights give his face a harsh white-yellow cast and illuminate the sweat popping out on his close-shaved head. The walls of the booth press in as he glances down at a small notebook and nods to a man on the other side of the glass. He’s already failed once and the clock is running, always running. He needs a win.
It’s a Friday morning, the second day of the DEF CON hacking conference here, and hundreds of people have crowded into a room at Caesars Palace to watch this man squirm. And not just him. Over the course of the next two days, more than a dozen people will take a seat in the booth and try their hand at convincing someone on the other end of a phone line to give up personal and corporate information. It’s the culmination of the social engineering capture the flag contest, a fascinating test of nerve, creativity, and guile that shows how human weakness can be an organization’s most dangerous vulnerability.
The contestants have been chosen from a pool of hopefuls who had to submit videos explaining why they should make the cut. Organized by the staff of Social Engineer Inc., the SE CTF contest is devilishly simple: Gather information about your target organization, then slide into the booth and start calling and see how much information you can get. The contestants are given a list of data points, or flags, that they need to squeeze out of their targets and had three weeks before DEF CON to find as much data online about their targets as they can. They can’t use threats or intimidation in their phone calls and they can’t use profanity, but otherwise the contestants are mostly free to play it as they see fit.
“I got lucky and got a kid who just wanted to keep talking.”
“We’re not trying to hack them but we do want things that would make great vectors for social engineering hacks, like who provides your security guards or your dumpsters,” Chris Hadnagy, chief human hacker at Social Engineer, said as the contest was beginning.
This year’s contest had people targeting companies in the gaming industry, and the first contestant to step into the booth was Vince, who quickly ran into a wall.
The first number he had the organizers dial for him went nowhere. He hit an endless voicemail/main menu loop and then moved to the next one on the list. During his pre-conference research, Vince had compiled a dossier of numbers, employee names and roles for his target organization and also developed a list of stories and identities he could use as he tried to glean information from the people he talked to. In the social engineering world, those backstories are known as pretexts, and when Vince reached a live person on his next call, he slid into his first one, saying he was calling from the company’s Vancouver office and needed help planning an event. He quickly asked to be transferred to a higher-level employee, but was shut down. He did get an email address for the woman he was trying to reach, but realized the call was going nowhere and hung up.
On the next call, Vince decided to change directions mid-course. Rather than using the even planning ruse, he would take on the identity of a tech reporter writing a story about gamers and social media. And that’s when the fun began. Vince got an employee in the company’s PR department on the line and began feeding him the spiel about his article, saying he’d like to get some quotes for it. The PR rep was friendly and helpful, but demurred on answering any questions on the record. That would have to come from his director, who wasn’t in the office that day. Oh, could I get his name and email address, Vince asked. No problem.
“I scrapped all my original pretexts, so I just revamped everything at the last minute,” Vince said after his 20-minute session in the booth was over. Wearing a Golden State Warriors jersey and a headband, a towel draped over his shoulder, he looked as if he’d just finished a surprise conditioning session the day after his team gave a weak effort.
Happy with some success at last, Vince kept chatting with the target and asked about his social media use, what networks he likes to use, and got him to divulge his Instagram and Twitter handles. The target said maybe some of Vince’s questions were better for the social media team, giving Vince a nice opening. What’s the name of social media lead again, he asked, and quickly got the man’s phone number and some details about his corporate travel plans. He then offered to send over some gifts from he magazine and got the mailing address. All of this is valuable data for an attacker trying to gather information on a corporate target.
“I got lucky and got a kid who just wanted to keep talking,” Vince said.
As the call was winding down, Vince still needed some more information, so he said he was having trouble sending an email to the target’s director and began complaining about Windows and Outlook. They don’t have you on Windows 10 over there do they, Vince asked. Nah, we use Macs, the target said. Gotcha.
After some more small talk, Vince thanked the man for all of his help, hung up, and stepped out of the booth to raucous cheers and whistles from the crowd. Looking happy but somewhat dazed, Vince smiled.
“It’s kind of nerve-wracking. It seemed like he was willing to give me anything I wanted,” Vince said, “except a quote for my article.”