On the Road: OSINT CTF at NolaCon
A thousand thanks to our sponsors — IntelTechniques, Hak5, and Ace Hackware — as well as the Nola Con organizers and volunteers, our CTF targets, and our contestants, for making the OSINT CTF such a success. And additional thanks to Taylor Banks for presenting "On the Hunt: Hacking the Hunt Group" with me, and to every NolaCon attendee who participated in our helium challenge.
All I can say after the NolaCon OSINT CTF is WOW! Again, our teams blew us away with their investigative skills. We really upped the difficulty this time, and our teams rose to the challenge.
At the end of the contest, with 40 teams creeping on 3 targets for 36 flags worth more than 2,000 possible points, we had our winners:
The top three teams walked away with some incredible prizes, including a WiFi Pineapple NANO, Bash Bunnies, a voucher for IntelTechniques online training, Ace Hackware lockpick sets, and waterproof Bluetooth speakers, among other equally awesome gadgets and tools. Not to mention way more candy than anyone should consume in a day.
But enough of that. The OSINT CTF isn't just about prizes and competition. It's also about education — about the information that's out there, how easy or difficult it is to find, and how potentially harmful it can be for those with malicious intent and an internet connection to find it. (For more about the OSINT CTF, including rules and philosophy behind it, head on over here.)
So let's dig into the results of this year's NolaCon OSINT CTF to see what the results can tell us. Middle Names The flag captured by the most teams (12 out of 23 teams that got on the scoreboard, or about 57% of actively participating teams) was the middle name of a target's spouse. And in fact, the second-most captured flag was also about middle names — the same target's middle name was discovered by 48% of actively participating teams.
Not only does knowing your middle name make you easier to research down online or impersonate to close family, friends, and colleagues, middle and maiden names are consistently implemented as security questions. By now the "mother's maiden name" security question has become a running joke inside and outside the security community. But you'd be surprised just how many platforms still ask. Family As we saw in the BSidesATL OSINT CTF, family was often our contestants' doorway into the targets' sensitive information. One of our flags asked for the name of a target's oldest child. Guess where 2 of our teams found the name? The target's wife's Facebook page. The kicker? The target doesn't even have a Facebook page. Bosses We asked for 2 of our targets' current boss' first names. No teams were able to find this flag for either target.
While it might seem like an odd flag to ask for, this information can prove immensely useful to an attacker. Think about the people you would be most likely to answer an angry or otherwise emotional call, text, or email from. Your direct boss is definitely somewhere toward the top of that list. Any information about a direct supervisor will make a social engineering attack more believable and effective.
Like what you read? Want to get notified when I post? Subscribe to the email list.