Recently, I was in Las Vegas, Nevada. I know what you’re thinking – what a lucky guy to be spending time gambling in Sin City. Actually, I was there to attend and participate in two well-known security events, Black Hat and DefCon, which are two of the largest cyber security conferences in the world.
From an attendee perspective, Black Hat starts with about 7,000 people attending four days of intense training led by leading cyber security experts, and by the end of Black Hat attendance grows to about 15,000. DefCon had approximately 22,000 attendees.
The difference between Black Hat and DefCon can be described this way: at Black Hat you meet people who hand out business cards and go by a first and last name. At DefCon, those same people don’t carry business cards, and the names they go by are Deviant, ReL1K and Dark Tangent.
While at DefCon, I competed in the Social Engineering Capture the Flag (SECTF) contest. Just recently, this event was featured in an article published in USA Today. SECTF contestants are given a “target” company five weeks before the start of DefCon but have only three weeks to investigate the target and write their report, using only information that is available in the public domain and from open source information (OSI). This includes, but is not limited to, Google, LinkedIn, Facebook, Twitter, etc. Contestants are prohibited from calling, emailing or making any other contact with the target before the DefCon event.
We are given a list of “flags” that we need to obtain to receive points for our report. These flags are data points such as the target user’s operating system, the browser they use, when they get paid, how long they have been with the company, and other details that are very useful for social engineering. Why is this information helpful, you ask? To most people it seems innocuous, but to a cyber criminal IT’S A GOLD MINE. Using this information, a cyber criminal can build a profile of the target and craft different pretexts to extract further information, which can then lead to unauthorized system access, data exfiltration, ransomware, and so on.
When the competition starts at DefCon, contestants are given 25 minutes to “capture these flags” by calling their targets from a small, sound-proof booth. The contestants then try to elicit information from the people who answer. We seek to validate the OSI information we found in the weeks prior, as well as to obtain information we were not able to get through OSI sources. Contestants earn really big points if they can get a person to visit the test web site (seorg.org) during the call. During my session, I successfully convinced my target to visit that site not once, but twice!
I think I performed well, since I was able to obtain many OSI points on my target and I also accumulated points during my call. Although I have worked in the IT security space for over twenty years, I learn something on every engagement. One of the things I learned very quickly as a social engineer is that people are the weakest link in an organization’s security posture. An organization can have the best security technology installed, yet it is typically circumvented by an unsuspecting person acting under the direction of a social engineer. Numerous breaches support this point. To help mitigate social engineering, people need to be critical thinkers, question unusual requests, and verify them before acting.
In conclusion, I truly enjoyed my time in Las Vegas. I was able to spend time with great people who share my passion for security, learn the new techniques cyber attackers are using, and bring that knowledge back to help our customers stop or mitigate those techniques. Look for my next post about what else I learned while at Black Hat and DefCon.
-Peter Fellini, Senior Security Engineer – Integration Partners