I have had a few people mention to me in person, and via email and Twitter, the social engineering competition that took place at DEFCON 18, and ask whether I think it was right or not, as many people seem to have mixed feelings about what went on.
So I am going to take the opportunity this week to speak briefly about my thoughts. However, I will make it clear that I was not at DEFCON, and I don't have any insider knowledge on the event (although I do know the winner), so any information I mention about the event is just my understanding; don't take it as gospel.
If you are not familiar with the Social Engineering CTF – How Strong is Your Schmooze, then check out this link for the rules and guidelines that were published online.
So, do I think social engineering competitions are good? YES. However, I would caveat that answer with the following: I agree that social engineering competitions are a good idea if they are run responsibly, with the right intent, in an ethical and somewhat controlled environment. I think the DEFCON SE CTF was carried out in this manner.
Why do I think it's a good idea? Well, you have probably all seen it, and I even have the T-shirt: "There is no patch for human stupidity." I believe this isn't the case; however, the reality is that people are lazy, lack understanding, and would rather stick their head in the sand than try to understand the problem and fix it. People are complicated.
Social engineering engagements of any type help to identify the gaps in the human element (wetware), and let's face it, there are a lot of crap social engineers around who don't really know what they are doing but are still pretty successful, because the controls are non-existent or ineffective. Don't get me wrong, I think it's a good thing to find this out, because let's face it, if someone with not a lot of skill can get in, you're more than just screwed, as someone who takes a proper interest and knows what they are doing is going to cause some real damage.
So what does a social engineering competition achieve? I think it does a few things, and if done properly everyone benefits. First of all, anyone who participates as an SE gets to experience some elements of social engineering, can test their theories, see what happens and learn. People outside of the event learn something; perhaps the penny will drop that this stuff is real and has been going on since humans walked the earth, and perhaps they will try to be more mindful as a result of what they hear, even if it's not entirely factual. Then the companies who have been selected also get something out of it: they get a free remote assessment. I am not sure what information the organisers share with the companies involved (perhaps there are legal implications, based on permission), but regardless, they know they have been targeted and in all likelihood have had data extracted. This can then prompt some internal movement to up the priority on awareness, and they have a real-world example to draw on.
Criminals don't care about the people or companies they are attacking; they just do what they need to do to succeed. As social engineers, we can replicate this attack in a controlled and ethical way, and this is a big benefit. Companies need to look at the bigger picture, the full scope. Get your head out of the sand: great, you have got a firewall and it's all locked down, bully for you, but don't think an attacker isn't going to use another vector.
So just to conclude, I think everyone involved can benefit from a social engineering competition. I guess the only grey area (and again, I don't know the details) is if the companies that have been targeted have not given consent. However, I think this is covered to some extent by the rules of engagement, what information is allowed to be extracted, and how it is handled after the event. I think anyone would be naive to think that nobody other than criminals is calling companies and extracting information to benefit themselves in one way or another; context is a crazy thing. Intent and responsibility are, to me, what really is the deciding factor when it comes to ethics.
It's my understanding the SE CTF guys had various discussions with the EFF to ensure they were going about things in the right manner, and I believe there were also some discussions with the FBI, who may or may not have given the companies selected a heads-up. Regardless, the event was allowed to continue and was highly publicised in the media.
I can understand why some people may be a bit dubious about these events, and I think that's only natural, as good people will often consider possible ramifications, but I hope that over time we can see more events similar to this, and educate everyone in the process. Together we can make people more informed and help them operate in a more mindful manner.
There is no silver bullet, but we can apply a patch to human stupidity to reduce the risks and exposure.