As Defcon came rolling around we knew that this year would be different. Being the second year of the SE CTF as well as the first ever Defcon Kids event with a special Social Engineering CTF for Kids, this year was bound to be special.
We wanted to take a minute to recap some of the events and lessons learned from Defcon 19 and talk about our plans for next year.
Defcon 19’s new venue really was a few dozen steps above the Riv. Our room setup and everything else went ultra smooth. Pyr0, Grifter and the crew did an amazing job with the organization as well as the layout of the events. These guys know how to make stuff happen, and it did. When we got to the room we had no walls, chairs or tables, and within an hour we were set up. Really an amazing job. The fact that our feet didn’t stick to the floor when we walked down the hallway or into the bathrooms was an added bonus. 🙂
The room that they gave us this year was easily 5-10 times bigger than last year. Our first concern was of course keeping it interesting enough to keep the room packed. The first day we had to announce that our premier target for the CTF couldn’t participate this year, so Kevin Mitnick and Chris, who planned on making that call, couldn’t do it. Kevin came in and did a nice 30-40 minute speech on SE and answered some Q&A. It was an excellent speech and a good way to kick off the event.
The callers this year were excellent and really made a great effort to do a highly professional job, following all the rules. Unfortunately on Friday we had quite a few people cancel by not even showing up. So we put a call out to the public to see if anyone wanted to step up and make a call. We had quite a few respond to that call.
Mark stepped up and did his first ever social engineering call and really did an amazing job. Next we had a guy step up who called himself “mud”. He was an interesting guy and a tad bit sure of himself, but he was promising a good call – and he delivered. Energetic and lively and often more funny than anything else, he got the company to hand over a ton of information. We later found out that “mud” is really the well-known hubris from Backtrace Security.
Saturday opened up with Johnny Long giving a Q&A session about SE and his work. That was really lively and got the crowd stirred up. Johnny stayed and heard one of our newer contestants on the phone, was inspired by his work, and asked to come back in the afternoon and do a call of his own. The rest of Saturday went without a hitch and was amazing. The ending of the day was Johnny Long doing one of his first public SE calls – and wow, was that amazing. He hit it out of the park and showed that all his time in Africa did not affect his amazing SE skills. Great job, Johnny!
Sunday came and it was time to have our live podcast. As the room filled up we had some people in there from the Anonymous group who asked some very intelligent and conversation-sparking questions. The line for audience questions filled up and 2 hours shot by quickly.
Lessons Learned
There are a few take-away lessons that we will use to improve the experience next year.
Firstly, this year we had our room open to anyone, including press. Because of that, some of the comments we made were misused in some very prominent articles. This caused some problems for us and our sponsors. Remember, although we are “hackers”, our job is to help secure and educate companies. We thrive when companies succeed. We rejoice when they fight SE and malicious hacking. So although we are happy to see the competition do well, we are careful not to publicly release info that could damage or embarrass a company, but sensational headlines sell. Stating that a certain company was “hacked” or totally “wiped” is damaging to the work we are doing, to the company and to the caller. I would say our first lesson is probably to close the doors to press for the competition next year. This will ensure that they cannot misquote, or use a comment made from excitement, in a way that damages someone in the competition.
Secondly, we had a lot of cancellations this year, and we still haven’t decided how to handle this. But when people cancel last minute it skews our results and can be frustrating. We thought about making a REFUNDABLE deposit for all contestants, like $20, that they get back when they show up for their call along with a tee and some other schwag. We feel something like this would help ensure that if a contestant signs up they will show. Of course it is not about cash, so we are not looking to get paid, but something like this would make them more prone to show and not “forget”.
I think another lesson is that not even the house sound is safe. 🙂 Mid-CTF someone hacked the sound system and nearly wrecked a good call; if it wasn’t for the cool calmness of the contestant, that call would have been wrecked. So I think next year we keep to our own sound.
The kids… how can we forget the kids. The first ever Defcon Kids went off amazingly. The group here at Social-Engineer.Org put on the first ever Kids Social Engineering CTF. A mixture of ciphers, lock picking, elicitation, facial expressions and more was taught and used to race the clock and be the first to finish. What did we learn? The kids in this community are smart, amazing and entertaining. They love life, they learn fast and they have an amazing ability to hack. Most importantly, they have AWESOME parents. These kids are lucky to have parents who care so much, support them and show them a good, clean and fun way to manage and practice these skills.
Congrats to Edward and Tim – Team FlimFlam – for taking first place and Jack and Max – Team Python – for taking second place. Really, congratulations to all the kids who completed this year’s event and tried harder!
Finally, on the data itself, we are working on the report as we speak. It seems from an initial overview that security has not increased in this country in the last year. As a matter of fact, it may be worse.
The results are scary, and the ease with which info was gathered and compliance was obtained really scared us. Especially after seeing so many high profile targets fall this year we expected to see a heightened level of security and awareness, but yet again it is proven that humans are the biggest weakness in any network.
We also were awarded another black badge for the winner of this year’s CTF. Congrats to Shane for taking 1st place and Chris for taking 2nd.
Next Year?
We already have been asked back for the Defcon Kids SE CTF as well as the Social-Engineering CTF for Defcon 20. We are going to be planning and working on these events now so we can make them even better for next year.
We already are working on next year’s Kids CTF to make it bigger, better and yes, a little harder. (So get your game on, kids.)
The SE CTF will have some changes too. We were contacted by a few companies saying they may be up for being a willing target in next year’s CTF. Please, if you are a company and want information on how you can show that you are truly concerned about security, contact us at [email protected].
There is going to be a lot going on between now and next year, and we will be releasing information as we can during the year. Feel free to send us your ideas or suggestions, and thank you all for your support and a great year!
Till next year!