The Art of Human Hacking

Filed under: Culture Jamming and Reality Hacking, Fraud and Deception

Patrick Howell O’Neill reports from Def Con 2014 in Las Vegas, where he witnesses an odd sort of game: Social Engineering Capture the Flag.

Inside the Super Bowl of Lying
by Patrick Howell O’Neill
The Daily Dot
September 2, 2014

Nobody can find a seat, the room is so packed. The boisterous audience, undeterred, crowds against the walls and lies down on the floor at every edge of the room to catch the action. A line of people stretches out the front door.

Social engineering capture the flag


This is the 2014 Def Con hacker conference at the Rio Casino in Las Vegas. The people are in one of the tiniest rooms in the casino to see the Super Bowl of lying.

The Social Engineering Capture The Flag contest was launched by Christopher Hadnagy in 2009. This year, nine teams of two players each are given a long list of goals that can only be accomplished through skillful lying and manipulation. The contest has been going on for five years, but most of the crowd, listening in rapt attention, is experiencing it for the very first time.

Hadnagy has another name for social engineering: “The art of human hacking.” While almost all of Def Con is dedicated to the art of computer hacking, this event targeted the mind.

If the game is complicated, the rules are fairly simple. Before the big day, each team was given a target Fortune 500 company and a list of dozens of pieces of sensitive information that they had to find out on a live phone call in front of this big crowd with high expectations.

The pieces of information, called “flags,” are each worth a certain number of points. The more sensitive and, ostensibly, difficult to obtain, the more points the flag is worth.

When a team gets a target CVS employee to quickly say they their store was using Windows XP, Internet Explorer 8, and no antivirus on all of their computers, the team is instantly rewarded with 15 points.

There are 514 possible points to win if a team gets a target to spill every bit of information on the list. Only one contestant has ever captured all the flags: Security researcher Shane McDougall, whose perfect 2012 win ended up on CNN, no longer competes.

To earn the most valuable flag, contestants must convince a target employee to visit a URL of their choosing. That”™s worth 26 points.

If you don”™t understand why all those pieces of information and actions are dangerous for hackers to know, then you are the perfect target for these talented liars.

The targeted CVS is not only protecting customer information with software that is grossly out of date, unprotected, and officially unsupported, but they”™re also not doing a very good job of keeping it a secret.

And if an employee is willing to visit a URL given to them by a stranger on the phone right after giving up specific information about their out-of-date computer systems, they”™ve opened up their store””and their entire company””to a possible cyberattack. Read the rest of this article here.