Vulnerabilities / Threats
6/12/2014
06:15 PM

Kids To Hack Corporate Crime Caper Case At DEF CON

The Social Engineering Capture the Flag contest for kids is now an official DEF CON contest.

Call it a life-sized DEF CON version of the game Clue.

That's how Christopher Hadnagy, the mastermind behind the fourth annual Social Engineering Capture the Flag Contest for DEF CON Kids and chief human hacker at Social-Engineer.org, describes this year's contest, which will be held during the famed adult DEF CON hacker conference in Las Vegas.

This year's "Who Dunnit? A Social Engineering Corporate Crime!" is part and parcel of the official DEF CON conference's competitions. It previously piggybacked off DEF CON Kids, now known as R00tz. The premise of the contest is that a corporate crime has been committed, and the 5- to 12-year-old contestants must use a mix of social skills, password and cipher cracking, lock picking, and a little social engineering to get to the bottom of the caper.

"They interview people, crack ciphers, codes, and puzzles to remove clues from their docket to figure out who committed the crime and what the crime is," Hadnagy says.

Unlike the grown-ups' version of the Social Engineering CTF that Hadnagy and his team have run at DEF CON the past five years -- where contestants try to schmooze as much potentially sensitive information as possible from high-profile corporate targets via some open source intelligence gathering and live cold telephone calls -- the kid-friendly version is all about critical thinking skills.

[The fifth annual DEF CON Social Engineering Capture the Flag Contest kicks off today with new "tag team" rules to reflect realities of the threat. Read Social Engineering Grows Up.]

The mini-social engineers will be assigned to two-person teams that combine a younger and an older contestant who are given a series of challenges that provide them with clues.

"The original concept was to help with critical thinking skills. Part of critical thinking is being able to work with a person you don't know and to be able to work as a team and plan," Hadnagy says. "This is a way to introduce our kids to some level of the security industry, the human side of the security industry, and showing them skillsets they can work on and use. They can own and use these skills... Our goal is to encourage them to think about security as a future" profession.

One alumna of the contest who has competed each year and is now a college student will return as a homecoming of sorts at this year's CTF. Ashley Wong will assist Hadnagy's CTF team of Amanda White and Tamara Kaufman. "She is helping us organize and run it. It's really cool because she played every year" of the contest, Hadnagy says.

Wong, who is now studying robotics in college, attributes much of the necessary critical thinking skills for that field to the social engineering CTF, Hadnagy says. "A lot of the critical thinking skills have helped her. She's a success story."

As in past years, various security experts, DEF CON organizers, and DEF CON "goons" will play roles in the contest. Many of the contestants traditionally have been the kids of hackers or DEF CON attendees, but Hadnagy says there are several new contestants this year whose names he can't match to security industry regulars.

Each year, one team has finished far ahead of the others, but tradition has been that the other teams have continued on. "One team spent an hour trying to pick a lock and wouldn't accept help from Deviant" Ollam, says Hadnagy, referring to the lockpick master of DEF CON who also helps with the kids event.

"It's not a linear thing," so there's no official order to the flag capture. A team can be interviewing someone about the crime, picking a lock, or solving a cipher, in no particular order. "They have to solve the crime -- who did it, how they did it, and where they did it. But they have to complete every task."

The kids social engineering contest will be held on Saturday, Aug. 9, beginning at 9:30 a.m. Registration is under way for the event, which will include a chance to meet the famed social engineer-turned security expert Kevin Mitnick.

"They can meet someone who did it the wrong way but is now doing it the right way," Hadnagy says.

Rules and a registration form are available here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Marilyn Cohodas,
User Rank: Strategist
6/13/2014 | 4:16:24 PM
Re: Kudos to DEF CON
Scary thought but true...
Robert McDougal,
User Rank: Ninja
6/13/2014 | 4:14:22 PM
Re: Kudos to DEF CON
I'm not sure how many five-year-olds actually participated, but I bet they will be our bosses in ~15 years...
Marilyn Cohodas,
User Rank: Strategist
6/13/2014 | 4:07:59 PM
Re: Kudos to DEF CON
I love hearing about these kid capers. How many five-year-olds actually participate? Amazing!
Kelly Jackson Higgins,
User Rank: Strategist
6/13/2014 | 8:00:42 AM
Re: Kudos to DEF CON
My son participated a couple of years ago, but he was one of the older kids. He enjoyed it and still wears his social-engineer.org t-shirt. :-) His favorite part of DEF CON was Lockpick Village, which has come in handy around the house when someone gets locked out.
Christian Bryant,
User Rank: Ninja
6/13/2014 | 1:14:14 AM
Kudos to DEF CON
I hope this sticks so I can bring my girls in a couple years. I don't want either of them going the route of our Canadian friend Mr. Ben-Itzhak. That said, I'd be interested to see the format and how age agnostic it is. Regardless, there's nothing more exciting than watching kids burning with inspiration and seeing what young human brains are really capable of.