Security Awareness Blog

Exploiting The Human - CTF Style

Traditionally one of my favorite resources on social engineering (a common methods for exploiting the human) has been Kevin Mitnick's book The Art of Deception. In this book Kevin describes in detail many of the social engineering attacks he used in the past. While most of the attacks he describes do not use today's technology (he simply used a phone as opposed to today's Twitter, Facebook or Smartphone apps), he does a great job explaining how the attacks worked, especially his more sophisticated ones. Specifically he explains how he progressively built the trust of people within an organization with a series of short phone calls, and building on those calls was able to access an amazing amount of information. What I liked best is he explains why these attacks worked, he demonstrates how the trust is being built step by step. If social engineering is something you are interested in, this book is a must read.

Recently the guys at are taking this idea to the next level. At Defcon this year they will be hosting a Capture The Flag (CTF) event for Social Engineering. CTF is traditionally a technical event where attendees attempt to hack each other's networks. The more computers a team hacks (and the better they defend their own computers) the more points they earn. The team with the most points at the end wins the event. This has been going on for many years now at Defcon and is one of Defcon's most popular events. However, the CTF sponsored by Social Engineer is different, it is one of the first that focuses on the human issues. Specifically, participants are challenged to see how much information they can recover using social engineering techniques. It will be interesting to see what techniques prove to be the most successfull and why. Also, this has the potential to provide some very good metrics for the security community. However, it will also be interesting to see how the Security Engineer team construct the rules of the event to ensure things don't get out of hand, especially ethical issues.