Interview: Slick social engineers to test their schmooze power at Defcon 19

Defcon 19 is right around the corner, in August, which means so is the social engineering contest that tends to freak out companies and alarm the feds. Why? Because when asked, humans want to help other humans, and they can often be tricked into giving away critical company details; social engineering has proven it can be lethal to corporate America.


For this second year of Social-Engineer.Org's CTF at Defcon, the Schmooze Strikes Back contest is bigger and better, to test the power of social engineers' schmooze. There will be premium targets (companies that actually volunteered to be targets) as well as a public ranking of companies according to a new SEORG rating index. The index is meant to work like a Gartner Research rating: corporations can use it to get better, become more aware, and perhaps get tricked out of vital info less often.

I recently talked with Chris Hadnagy, aka loganWHD, who focuses on the "human" aspect of technology such as social engineering and physical security. Hadnagy, @humanhacker, is the operations manager of Offensive Security and a lead developer at He also authored a fascinating book titled, "Social Engineering: The Art of Human Hacking."

How will the "SEORG rating index" publicly rank companies this year?

Hadnagy: The full extent of the ranking system is not public yet, but we will be giving each company a score based on a combination of their online SE-based security, i.e. how easy it was to find info on them and develop attack vectors, and how they fared on the phone part of the CTF. These scores will be listed in the SE CTF report. This will be only for companies we call at the CTF.

When do you expect to go LIVE with the SEORG rating index? How many companies will be ranked?

Hadnagy: For now we have 15-18 companies on the list and it will be public after Defcon.

Say a company ranks poorly, was easily social engineered, but objects to making that knowledge public. Will it be too bad, so sad, wake up company and learn from your mistakes?

Hadnagy: Well, our goal is the same as last year, which is to not open any companies up to outside attacks or thoroughly embarrass companies. With that being said, we are not going to release what vectors companies fell for or how they answered specific questions; instead we are going to release the overall ranking score, and we will list public criteria for that score. Our hope is that companies will raise awareness and, the same as last year, those serious about security will call us and ask how they can improve.

Do you have a list of what companies are premium targets? If not, what are the specifications for how a company can volunteer to be a SE target?

Hadnagy: I cannot list the names of the premier targets at this point. But if any company is interested in becoming a premier target, there are some definite benefits for them. They are given freedom to screen what flags we can use and what areas we can call. In addition, we will be giving those companies the option of having their calls recorded for training purposes, and they will receive a special report that will more closely mirror a social engineering pentest or risk assessment report.

Has there been any interference yet this year from the FBI or from companies who tend to freak out over the lethal social engineering contest at DefCon?

Hadnagy: Last year the FBI was willing to work with us, in that they reviewed our flags and were willing to give us some advice that kept us on the straight and narrow. We haven't heard much from the FS-ISAC list we did last year, except I have been told from some insiders that there is some internal fear-mongering beginning about our CTF again.

Do you have any advice for social engineers who entered the contest this year at DefCon?

Hadnagy: I have 3 pointers that I think people will do well to remember:

1) The more information the better. Do not pass up your info gathering stage. Do not get so excited if you find a few good hits and then stop gathering info.

2) Remember the importance of the report. The report is a large portion of the score; the better, the more professional, the more complete... the more points.

3) Our goal is to raise awareness and have fun... we are not there to attack or to embarrass anyone. Come to have fun, try your hardest and do not bring an ego, and you will succeed.

Each SE contestant will receive a dossier on their target company and will then get busy doing Internet reconnaissance on their targets. It will be interesting to see how much social engineers can trick company employees into disclosing this year. Have companies become more aware about the dangers of being social engineered? Or will the SE contestants show once again that the old saying is true, that there is no patch for human stupidity?

Copyright © 2011 IDG Communications, Inc.
