Once again, the Social Engineering Village at DEF CON 27 exceeded all of our expectations. Interesting speakers, enthusiastic participants, and more games, talks, and panels than one person can possibly take in over the course of 3 days. Mad props to Chris Hadnagy and his team for pulling it off year after year.
2019's DEF CON theme, “Technology’s Promise,” asked attendees to reflect on what the world looks like when technology lives up to our expectations, and how we, as its custodians, can help it live up to them. One way to help technology live up to its promise of a better tomorrow is to teach young people how to use technology safely, securely, and ethically today. Social Engineering Capture the Flag (SECTF) events aimed specifically at kids and teens can help support this goal.
The 2019 SECTF4Teens Took No Prisoners
The SECTF4Teens challenge designed by CG Silvers Consulting and friends at DEF CON 27 attempted to authentically simulate the experience of being a social engineer and inspire young people to become interested in the industry. SECTF4Teens at DEF CON was introduced three years ago, when children who had been competing in the SECTF4Kids event became teenagers and demanded a CTF more fitting to their age and experience. (They grow so fast, these young-ins.)
Each year, these aspiring security experts clamor for more challenging tasks and more complicated social engineering problems. This year, we thought to ourselves, “Alright, kiddos. You asked for it!” We designed our most ambitious and demanding CTF yet. To connect with the larger conference theme of “Technology’s Promise,” we chose to use the film Back to the Future to setup our SECTF4Teens challenge. From assembling shredded clues and decoding encrypted messages to scouring social media and coming up with reasonable pretexts to gain access to information, these teens did what they needed to do to defeat the evil BiffCorp.
Why encourage kids to understand internet security and learn social engineering strategies through CTF events?
Well, first, it’s a good idea for all of us — adults and kids alike — to recognize that the information we put on the internet is valuable and vulnerable. But also, these types of challenges strengthen problem-solving skills, encourage outside-the-box thinking, build communication skills (with human beings! IRL!), and teach tenacity. In short, they help young people develop “the hacker mindset.”
We want to highlight two teens competing in the SECTF4Teens this year who embraced the hacker mindset.
Hacker Heidi: The Newbie
Hacker Heidi* signed up for SECTF4Teens at the last minute. This was her first time competing in a CTF event, and at first, she was a little lost in the game. An hour into the competition, a staff member answering the vishing calls reported that Heidi had called multiple times, and though she was trying hard and had done the research, she just didn’t understand what she was trying to accomplish or how to get there. Her frustration was obvious.
However, after this bumpy start, Heidi was able to shift her perspective to a hacker mindset. Later, that same concerned staff member declared that in her final call, Heidi’s pretext and her delivery of it had “knocked it out of the park.”
From that point on, Heidi began to dominate the competition. She never gave up and impressed everyone involved in the SECTF4Teens. In the end, this CTF newbie won the challenge by more than 200 points.
Hacker Harold: The Polyglot
Hacker Harold* had his own obstacles to overcome. Harold had traveled from Mexico to attend DEF CON 27. Because English is not Harold’s first language, it was difficult for him to understand some of the American terms in the clues. Even a simple reference to “high school,” which would be a non-issue for a native speaker, created extra work and research for Harold.
At first, he was disheartened to see other competitors breezing through the challenges, but luckily, Harold is persistent and creative. Like Heidi, he was able to flip the switch and turn on the hacker mindset. He started to ask himself, “How can I turn this language barrier into a bridge?” In addition to Spanish and English, Harold speaks French and Mandarin. He started to use his language skills (and charm) to make connections with other people and earn clues. At one point, he had the merchandise targets laughing so hard they turned heads!
Harold was able to turn his disadvantage to an advantage. While Harold may not have won the competition, his father reported after the event that SECTF4Teens had helped Harold come out of his shell and had ignited an interest in social engineering as a career. That’s a victory in our book!
Congratulations to Heidi and Harold for their success in SECTF4Teens. We’re proud of all of the young hackers who entered the contest and exercised their hacking muscles. We keep raising the bar on the challenges, and these kids keep leaping over it!
*Names have been changed to protect the privacy of the individuals involved.