Vulnerabilities / Threats

6/12/2014
06:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Kids To Hack Corporate Crime Caper Case At DEF CON

The Social Engineering Capture the Flag contest for kids is now an official DEF CON contest.

Call it a life-sized DEF CON version of the game Clue.

That's how Christopher Hadnagy, the mastermind behind the fourth annual Social Engineering Capture the Flag Contest for DEF CON Kids and chief human hacker at Social-Engineer.org, describes this year's contest, which will be held during the famed adult DEF CON hacker conference in Las Vegas.

This year's "Who Dunnit? A Social Engineering Corporate Crime!" is part and parcel of the official DEF CON conference's competitions. It previously piggybacked off DEF CON Kids, now known as R00tz. The premise of the contest is that a corporate crime has been committed, and the 5- to 12-year-old contestants must use a mix of social skills, password and cipher cracking, lock picking, and a little social engineering to get to the bottom of the caper.

"They interview people, crack ciphers, codes, and puzzles to remove clues from their docket to figure out who committed the crime and what the crime is," Hadnagy says.

Unlike the grown-ups' version of the Social Engineering CTF that Hadnagy and his team have run at DEF CON the past five years -- where contestants try to schmooze as much potentially sensitive information as possible from high-profile corporate targets via some open source intelligence gathering and live cold telephone calls -- the kid-friendly version is all about critical thinking skills.

[The fifth annual DEF CON Social Engineering Capture the Flag Contest kicks off today with new "tag team" rules to reflect realities of the threat. Read Social Engineering Grows Up.]

The mini-social engineers will be assigned to two-person teams that combine a younger and an older contestant who are given a series of challenges that provide them with clues.

"The original concept was to help with critical thinking skills. Part of critical thinking is being able to work with a person you don't know and to be able to work as a team and plan," Hadnagy says. "This is a way to introduce our kids to some level of the security industry, the human side of the security industry, and showing them skillsets they can work on and use. They can own and use these skills... Our goal is to encourage them to think about security as a future" profession.

One alumna of the contest who has competed each year and is now a college student will return as a homecoming of sorts at this year's CTF. Ashley Wong will assist Hadnagy's CTF team of Amanda White and Tamara Kaufman. "She is helping us organize and run it. It's really cool because she played every year" of the contest, Hadnagy says.

Wong, who is now studying robotics in college, attributes much of the necessary critical thinking skills for that field to the social engineering CTF, Hadnagy says. "A lot of the critical thinking skills have helped her. She's a success story."

As in past years, various security experts, DEF CON organizers, and DEF CON "goons" will play roles in the contest. Many of the contestants traditionally have been the kids of hackers or DEF CON attendees, but Hadnagy says there are several new contestants this year whose names he can't match to security industry regulars.

Each year, one team has finished far ahead of the others, but tradition has been that the other teams have continued on. "One team spent an hour trying to pick a lock and wouldn't accept help from Deviant" Ollam, says Hadnagy, referring to the lockpick master of DEF CON who also helps with the kids event.

"It's not a linear thing," so there's no official order to the flag capture. A team can be interviewing someone about the crime, picking a lock, or solving a cipher, in no particular order. "They have to solve the crime -- who did it, how they did it, and where they did it. But they have to complete every task."

The kids social engineering contest will be held on Saturday, Aug. 9, beginning at 9:30 a.m. Registration is under way for the event, which will include a chance to meet the famed social engineer-turned security expert Kevin Mitnick.

"They can meet someone who did it the wrong way but is now doing it the right way," Hadnagy says.

Rules and a registration form are available here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/13/2014 | 4:16:24 PM
Re: Kudos to DEF CON
Scary thought but true..
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
6/13/2014 | 4:14:22 PM
Re: Kudos to DEF CON
I'm not sure how many five year olds actually participated, but I bet they will be our bosses in ~15 years....
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/13/2014 | 4:07:59 PM
Re: Kudos to DEF CON
I love hearing about these kid capers. How many five-year old actually participate? Amazing!
Kelly Jackson Higgins
100%
0%
Kelly Jackson Higgins,
User Rank: Strategist
6/13/2014 | 8:00:42 AM
Re: Kudos to DEF CON
My son participated a couple of years ago, but he was one of the older kids. He enjoyed it and still wears his social-engineer.org t-shirt. :-) His favorite part of DEF CON was Lockpick Village, which has come in handy around the house when someone gets locked out.
No SOPA
100%
0%
No SOPA,
User Rank: Ninja
6/13/2014 | 1:14:14 AM
Kudos to DEF CON
I hope this sticks so I can bring my girls in a couple years.  I don't want either of them going the route of our Canadian friend Mr. Ben-Itzhak.  That said, I'd be interested to see the format and how age agnostic it is.  Regardless, there's nothing more exciting than watching kids burning with inspiration and seeing what young human brains are really capable of.
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11378
PUBLISHED: 2019-04-20
An issue was discovered in ProjectSend r1053. upload-process-form.php allows finished_files[]=../ directory traversal. It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run arbitrary code.
CVE-2019-11372
PUBLISHED: 2019-04-20
An out-of-bounds read in MediaInfoLib::File__Tags_Helper::Synched_Test in Tag/File__Tags.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11373
PUBLISHED: 2019-04-20
An out-of-bounds read in File__Analyze::Get_L8 in File__Analyze_Buffer.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11374
PUBLISHED: 2019-04-20
74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the index.php?m=Admin&c=admin&a=add URI.
CVE-2019-11375
PUBLISHED: 2019-04-20
Msvod v10 has a CSRF vulnerability to change user information via the admin/member/edit.html URI.