Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/12/2014
06:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Kids To Hack Corporate Crime Caper Case At DEF CON

The Social Engineering Capture the Flag contest for kids is now an official DEF CON contest.

Call it a life-sized DEF CON version of the game Clue.

That's how Christopher Hadnagy, the mastermind behind the fourth annual Social Engineering Capture the Flag Contest for DEF CON Kids and chief human hacker at Social-Engineer.org, describes this year's contest, which will be held during the famed adult DEF CON hacker conference in Las Vegas.

This year's "Who Dunnit? A Social Engineering Corporate Crime!" is part and parcel of the official DEF CON conference's competitions. It previously piggybacked off DEF CON Kids, now known as R00tz. The premise of the contest is that a corporate crime has been committed, and the 5- to 12-year-old contestants must use a mix of social skills, password and cipher cracking, lock picking, and a little social engineering to get to the bottom of the caper.

"They interview people, crack ciphers, codes, and puzzles to remove clues from their docket to figure out who committed the crime and what the crime is," Hadnagy says.

Unlike the grown-ups' version of the Social Engineering CTF that Hadnagy and his team have run at DEF CON the past five years -- where contestants try to schmooze as much potentially sensitive information as possible from high-profile corporate targets via some open source intelligence gathering and live cold telephone calls -- the kid-friendly version is all about critical thinking skills.

[The fifth annual DEF CON Social Engineering Capture the Flag Contest kicks off today with new "tag team" rules to reflect realities of the threat. Read Social Engineering Grows Up.]

The mini-social engineers will be assigned to two-person teams that combine a younger and an older contestant who are given a series of challenges that provide them with clues.

"The original concept was to help with critical thinking skills. Part of critical thinking is being able to work with a person you don't know and to be able to work as a team and plan," Hadnagy says. "This is a way to introduce our kids to some level of the security industry, the human side of the security industry, and showing them skillsets they can work on and use. They can own and use these skills... Our goal is to encourage them to think about security as a future" profession.

One alumna of the contest who has competed each year and is now a college student will return as a homecoming of sorts at this year's CTF. Ashley Wong will assist Hadnagy's CTF team of Amanda White and Tamara Kaufman. "She is helping us organize and run it. It's really cool because she played every year" of the contest, Hadnagy says.

Wong, who is now studying robotics in college, attributes much of the necessary critical thinking skills for that field to the social engineering CTF, Hadnagy says. "A lot of the critical thinking skills have helped her. She's a success story."

As in past years, various security experts, DEF CON organizers, and DEF CON "goons" will play roles in the contest. Many of the contestants traditionally have been the kids of hackers or DEF CON attendees, but Hadnagy says there are several new contestants this year whose names he can't match to security industry regulars.

Each year, one team has finished far ahead of the others, but tradition has been that the other teams have continued on. "One team spent an hour trying to pick a lock and wouldn't accept help from Deviant" Ollam, says Hadnagy, referring to the lockpick master of DEF CON who also helps with the kids event.

"It's not a linear thing," so there's no official order to the flag capture. A team can be interviewing someone about the crime, picking a lock, or solving a cipher, in no particular order. "They have to solve the crime -- who did it, how they did it, and where they did it. But they have to complete every task."

The kids social engineering contest will be held on Saturday, Aug. 9, beginning at 9:30 a.m. Registration is under way for the event, which will include a chance to meet the famed social engineer-turned security expert Kevin Mitnick.

"They can meet someone who did it the wrong way but is now doing it the right way," Hadnagy says.

Rules and a registration form are available here.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
RetiredUser
100%
0%
RetiredUser,
User Rank: Ninja
6/13/2014 | 1:14:14 AM
Kudos to DEF CON
I hope this sticks so I can bring my girls in a couple years.  I don't want either of them going the route of our Canadian friend Mr. Ben-Itzhak.  That said, I'd be interested to see the format and how age agnostic it is.  Regardless, there's nothing more exciting than watching kids burning with inspiration and seeing what young human brains are really capable of.
Kelly Jackson Higgins
100%
0%
Kelly Jackson Higgins,
User Rank: Strategist
6/13/2014 | 8:00:42 AM
Re: Kudos to DEF CON
My son participated a couple of years ago, but he was one of the older kids. He enjoyed it and still wears his social-engineer.org t-shirt. :-) His favorite part of DEF CON was Lockpick Village, which has come in handy around the house when someone gets locked out.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/13/2014 | 4:07:59 PM
Re: Kudos to DEF CON
I love hearing about these kid capers. How many five-year old actually participate? Amazing!
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
6/13/2014 | 4:14:22 PM
Re: Kudos to DEF CON
I'm not sure how many five year olds actually participated, but I bet they will be our bosses in ~15 years....
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/13/2014 | 4:16:24 PM
Re: Kudos to DEF CON
Scary thought but true..
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16029
PUBLISHED: 2020-01-26
A vulnerability in the application programming interface (API) of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to change user account information which can prevent users from logging in, resulting in a denial of service (DoS) condition of the web interface. Th...
CVE-2020-3115
PUBLISHED: 2020-01-26
A vulnerability in the CLI of the Cisco SD-WAN Solution vManage software could allow an authenticated, local attacker to elevate privileges to root-level privileges on the underlying operating system. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerabi...
CVE-2020-3121
PUBLISHED: 2020-01-26
A vulnerability in the web-based management interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability is due to insufficient validation of user-supplie...
CVE-2020-3129
PUBLISHED: 2020-01-26
A vulnerability in the web-based management interface of Cisco Unity Connection Software could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. The vulnerability is due to insufficient input validation by the web-based management interface. An attacker c...
CVE-2020-3131
PUBLISHED: 2020-01-26
[CVE-2020-3131_su] A vulnerability in the Cisco Webex Teams client for Windows could allow an authenticated, remote attacker to cause the client to crash, resulting in a denial of service (DoS) condition. The attacker needs a valid developer account to exploit this vulnerability. The vulnerability i...