Vulnerabilities / Threats
6/12/2014
06:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Kids To Hack Corporate Crime Caper Case At DEF CON

The Social Engineering Capture the Flag contest for kids is now an official DEF CON contest.

Call it a life-sized DEF CON version of the game Clue.

That's how Christopher Hadnagy, the mastermind behind the fourth annual Social Engineering Capture the Flag Contest for DEF CON Kids and chief human hacker at Social-Engineer.org, describes this year's contest, which will be held during the famed adult DEF CON hacker conference in Las Vegas.

This year's "Who Dunnit? A Social Engineering Corporate Crime!" is part and parcel of the official DEF CON conference's competitions. It previously piggybacked off DEF CON Kids, now known as R00tz. The premise of the contest is that a corporate crime has been committed, and the 5- to 12-year-old contestants must use a mix of social skills, password and cipher cracking, lock picking, and a little social engineering to get to the bottom of the caper.

"They interview people, crack ciphers, codes, and puzzles to remove clues from their docket to figure out who committed the crime and what the crime is," Hadnagy says.

Unlike the grown-ups' version of the Social Engineering CTF that Hadnagy and his team have run at DEF CON the past five years -- where contestants try to schmooze as much potentially sensitive information as possible from high-profile corporate targets via some open source intelligence gathering and live cold telephone calls -- the kid-friendly version is all about critical thinking skills.

[The fifth annual DEF CON Social Engineering Capture the Flag Contest kicks off today with new "tag team" rules to reflect realities of the threat. Read Social Engineering Grows Up.]

The mini-social engineers will be assigned to two-person teams that combine a younger and an older contestant who are given a series of challenges that provide them with clues.

"The original concept was to help with critical thinking skills. Part of critical thinking is being able to work with a person you don't know and to be able to work as a team and plan," Hadnagy says. "This is a way to introduce our kids to some level of the security industry, the human side of the security industry, and showing them skillsets they can work on and use. They can own and use these skills... Our goal is to encourage them to think about security as a future" profession.

One alumna of the contest who has competed each year and is now a college student will return as a homecoming of sorts at this year's CTF. Ashley Wong will assist Hadnagy's CTF team of Amanda White and Tamara Kaufman. "She is helping us organize and run it. It's really cool because she played every year" of the contest, Hadnagy says.

Wong, who is now studying robotics in college, attributes much of the necessary critical thinking skills for that field to the social engineering CTF, Hadnagy says. "A lot of the critical thinking skills have helped her. She's a success story."

As in past years, various security experts, DEF CON organizers, and DEF CON "goons" will play roles in the contest. Many of the contestants traditionally have been the kids of hackers or DEF CON attendees, but Hadnagy says there are several new contestants this year whose names he can't match to security industry regulars.

Each year, one team has finished far ahead of the others, but tradition has been that the other teams have continued on. "One team spent an hour trying to pick a lock and wouldn't accept help from Deviant" Ollam, says Hadnagy, referring to the lockpick master of DEF CON who also helps with the kids event.

"It's not a linear thing," so there's no official order to the flag capture. A team can be interviewing someone about the crime, picking a lock, or solving a cipher, in no particular order. "They have to solve the crime -- who did it, how they did it, and where they did it. But they have to complete every task."

The kids social engineering contest will be held on Saturday, Aug. 9, beginning at 9:30 a.m. Registration is under way for the event, which will include a chance to meet the famed social engineer-turned security expert Kevin Mitnick.

"They can meet someone who did it the wrong way but is now doing it the right way," Hadnagy says.

Rules and a registration form are available here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/13/2014 | 4:16:24 PM
Re: Kudos to DEF CON
Scary thought but true..
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
6/13/2014 | 4:14:22 PM
Re: Kudos to DEF CON
I'm not sure how many five year olds actually participated, but I bet they will be our bosses in ~15 years....
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/13/2014 | 4:07:59 PM
Re: Kudos to DEF CON
I love hearing about these kid capers. How many five-year old actually participate? Amazing!
Kelly Jackson Higgins
100%
0%
Kelly Jackson Higgins,
User Rank: Strategist
6/13/2014 | 8:00:42 AM
Re: Kudos to DEF CON
My son participated a couple of years ago, but he was one of the older kids. He enjoyed it and still wears his social-engineer.org t-shirt. :-) His favorite part of DEF CON was Lockpick Village, which has come in handy around the house when someone gets locked out.
Christian Bryant
100%
0%
Christian Bryant,
User Rank: Ninja
6/13/2014 | 1:14:14 AM
Kudos to DEF CON
I hope this sticks so I can bring my girls in a couple years.  I don't want either of them going the route of our Canadian friend Mr. Ben-Itzhak.  That said, I'd be interested to see the format and how age agnostic it is.  Regardless, there's nothing more exciting than watching kids burning with inspiration and seeing what young human brains are really capable of.
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] Assessing Cybersecurity Risk
[Strategic Security Report] Assessing Cybersecurity Risk
As cyber attackers become more sophisticated and enterprise defenses become more complex, many enterprises are faced with a complicated question: what is the risk of an IT security breach? This report delivers insight on how today's enterprises evaluate the risks they face. This report also offers a look at security professionals' concerns about a wide variety of threats, including cloud security, mobile security, and the Internet of Things.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.