Vulnerabilities / Threats
6/12/2014
06:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Kids To Hack Corporate Crime Caper Case At DEF CON

The Social Engineering Capture the Flag contest for kids is now an official DEF CON contest.

Call it a life-sized DEF CON version of the game Clue.

That's how Christopher Hadnagy, the mastermind behind the fourth annual Social Engineering Capture the Flag Contest for DEF CON Kids and chief human hacker at Social-Engineer.org, describes this year's contest, which will be held during the famed adult DEF CON hacker conference in Las Vegas.

This year's "Who Dunnit? A Social Engineering Corporate Crime!" is part and parcel of the official DEF CON conference's competitions. It previously piggybacked off DEF CON Kids, now known as R00tz. The premise of the contest is that a corporate crime has been committed, and the 5- to 12-year-old contestants must use a mix of social skills, password and cipher cracking, lock picking, and a little social engineering to get to the bottom of the caper.

"They interview people, crack ciphers, codes, and puzzles to remove clues from their docket to figure out who committed the crime and what the crime is," Hadnagy says.

Unlike the grown-ups' version of the Social Engineering CTF that Hadnagy and his team have run at DEF CON the past five years -- where contestants try to schmooze as much potentially sensitive information as possible from high-profile corporate targets via some open source intelligence gathering and live cold telephone calls -- the kid-friendly version is all about critical thinking skills.

[The fifth annual DEF CON Social Engineering Capture the Flag Contest kicks off today with new "tag team" rules to reflect realities of the threat. Read Social Engineering Grows Up.]

The mini-social engineers will be assigned to two-person teams that combine a younger and an older contestant who are given a series of challenges that provide them with clues.

"The original concept was to help with critical thinking skills. Part of critical thinking is being able to work with a person you don't know and to be able to work as a team and plan," Hadnagy says. "This is a way to introduce our kids to some level of the security industry, the human side of the security industry, and showing them skillsets they can work on and use. They can own and use these skills... Our goal is to encourage them to think about security as a future" profession.

One alumna of the contest who has competed each year and is now a college student will return as a homecoming of sorts at this year's CTF. Ashley Wong will assist Hadnagy's CTF team of Amanda White and Tamara Kaufman. "She is helping us organize and run it. It's really cool because she played every year" of the contest, Hadnagy says.

Wong, who is now studying robotics in college, attributes much of the necessary critical thinking skills for that field to the social engineering CTF, Hadnagy says. "A lot of the critical thinking skills have helped her. She's a success story."

As in past years, various security experts, DEF CON organizers, and DEF CON "goons" will play roles in the contest. Many of the contestants traditionally have been the kids of hackers or DEF CON attendees, but Hadnagy says there are several new contestants this year whose names he can't match to security industry regulars.

Each year, one team has finished far ahead of the others, but tradition has been that the other teams have continued on. "One team spent an hour trying to pick a lock and wouldn't accept help from Deviant" Ollam, says Hadnagy, referring to the lockpick master of DEF CON who also helps with the kids event.

"It's not a linear thing," so there's no official order to the flag capture. A team can be interviewing someone about the crime, picking a lock, or solving a cipher, in no particular order. "They have to solve the crime -- who did it, how they did it, and where they did it. But they have to complete every task."

The kids social engineering contest will be held on Saturday, Aug. 9, beginning at 9:30 a.m. Registration is under way for the event, which will include a chance to meet the famed social engineer-turned security expert Kevin Mitnick.

"They can meet someone who did it the wrong way but is now doing it the right way," Hadnagy says.

Rules and a registration form are available here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/13/2014 | 4:16:24 PM
Re: Kudos to DEF CON
Scary thought but true..
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
6/13/2014 | 4:14:22 PM
Re: Kudos to DEF CON
I'm not sure how many five year olds actually participated, but I bet they will be our bosses in ~15 years....
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/13/2014 | 4:07:59 PM
Re: Kudos to DEF CON
I love hearing about these kid capers. How many five-year old actually participate? Amazing!
Kelly Jackson Higgins
100%
0%
Kelly Jackson Higgins,
User Rank: Strategist
6/13/2014 | 8:00:42 AM
Re: Kudos to DEF CON
My son participated a couple of years ago, but he was one of the older kids. He enjoyed it and still wears his social-engineer.org t-shirt. :-) His favorite part of DEF CON was Lockpick Village, which has come in handy around the house when someone gets locked out.
Christian Bryant
100%
0%
Christian Bryant,
User Rank: Ninja
6/13/2014 | 1:14:14 AM
Kudos to DEF CON
I hope this sticks so I can bring my girls in a couple years.  I don't want either of them going the route of our Canadian friend Mr. Ben-Itzhak.  That said, I'd be interested to see the format and how age agnostic it is.  Regardless, there's nothing more exciting than watching kids burning with inspiration and seeing what young human brains are really capable of.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2413
Published: 2014-10-20
Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/modules.php.

CVE-2012-5244
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to functions/widgets.php, (6) the category parameter to...

CVE-2012-5694
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allow remote attackers to execute arbitrary SQL commands via the (1) agentPhNo, (2) controlPhNo, (3) agentURLPath, (4) agentControlKey, or (5) platformDD1 parameter to frameworkgui/attach2Agents.p...

CVE-2012-5695
Published: 2014-10-20
Multiple cross-site request forgery (CSRF) vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allow remote attackers to hijack the authentication of administrators for requests that conduct (1) shell metacharacter or (2) SQL injection attacks or (3) send an SMS m...

CVE-2012-5696
Published: 2014-10-20
Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 does not properly restrict access to frameworkgui/config, which allows remote attackers to obtain the plaintext database password via a direct request.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.