The week of August 2, 2015

The art of hacking humans

By Patrick Howell O'Neill

The room was so packed, nobody could find a seat. The boisterous audience, undeterred, crowded against the walls and sat down on the floor at every edge of the room to catch the action. A line of people stretched out the front door.

This was the 2014 Def Con hacker conference at the Rio Hotel & Casino in Las Vegas. The attendees were in one of the tiniest rooms in the casino to see the Super Bowl of lying.

The Social Engineering Capture the Flag contest was launched by Christopher Hadnagy in 2009. This past year, nine teams of two players each were given a long list of goals that could only be accomplished through skillful lying and manipulation. The contest had been going on at that point for five years, but most of the crowd, listening in rapt attention, was experiencing it for the very first time.

Hadnagy has another name for social engineering: “The art of human hacking.” While almost all of Def Con is dedicated to the art of computer hacking, this event targets the mind.

If the game is complicated, the rules are fairly simple. Before the big day, each team is given a target Fortune 500 company and a list of dozens of pieces of sensitive information that they have to extract on a live phone call, in front of a large crowd with high expectations. The pieces of information, called “flags,” are each worth a certain number of points. The more sensitive and, ostensibly, difficult to obtain, the more points the flag is worth.

For instance, when a team gets a target CVS employee to quickly answer that their store is using Windows XP, Internet Explorer 8, and no antivirus on all of their computers, the team is instantly rewarded with 15 points. There are 514 possible points to win if a team gets a target to spill every bit of information on the list. Only one contestant has ever captured all the flags: Security researcher Shane McDougall, whose perfect 2012 win ended up on CNN, no longer competes. To earn the most valuable flag, contestants must convince a target employee to visit a URL of their choosing. That’s worth 26 points.

If you don’t understand why all those pieces of information and actions are dangerous for hackers to know and to take, then you are the perfect target for these talented liars.

Consider the previous example: the targeted CVS is not only attempting to protect customer information with software that is grossly out of date, unprotected, and officially unsupported, but it is also not doing a very good job of keeping those inadequacies a secret. And if an employee is willing to visit a URL given to them by a stranger on the phone, right after giving up specific information about their out-of-date computer systems, they’ve opened up their store—and their entire company—to a possible cyberattack.

• • •

Teams spent five weeks preparing false backstories. This past year, most claimed to be corporate security auditors who needed detailed information from unsuspecting employees in order to “protect” them—and put together a list of phone numbers to call, including a target company’s retail stores and even personal cellphone numbers of employees. Previously, contestants have claimed to be real estate agents, contractors, students, academics, and more.

Several of the competitors—who are forbidden, by rule, from asking for extremely sensitive data like passwords or social security numbers—had been there before as solo acts, but a new rule last year established two-person tag teams, in which players gained 10 points for transferring the call, mid-lie, to their teammates. It was meant to add a new wrinkle to the game. What happens when two people work together in a lie instead of just one? Is it easier or harder to manipulate the target?

The rules also forbid fear-based tactics—so teams can’t threaten a target, for instance—but that rule almost glosses over the fact that the many teams who pretend to be calling from corporate headquarters inevitably lead targets to want to help a workplace superior.

Fear, if used in that sort of subtle way, is an allowed weapon. Hadnagy agreed with that but stressed an important distinction.

“We very much want the target to feel better after having interacted with us,” he said. “No one will feel victimized or worse after we call. The worst that happens is that an employee is a little annoyed. No one feels bad afterward.”

Last year, a competitor brazenly broke that rule. Posing as the vice president of a target company, he twice threatened to fire employees if they didn’t give him all the information he demanded. The contestant was quickly disqualified by Hadnagy.

The ultimate target, however, is not the unfortunate employee who picks up the phone when the social engineers call. Instead, the goal is to expose the fact that many of these big companies have failed to properly educate employees about how to protect sensitive data from skilled social engineers.

Las Vegas is a city of liars, from the poker tables to the strip clubs, so it makes perfect sense to go big and make dishonesty a spectacle and sport in Sin City.

• • •

“It was tiny, the floor was sticky, and it smelled like piss.”

That’s how Hadnagy described the first-ever Social Engineering Capture the Flag competition, held at Def Con 2010. Despite the lingering essence of human waste, word of the event spread so quickly that the Department of Justice was called when the targeted companies grew concerned over the contest.

“I had to go to DC to talk about the contest with the FBI,” Hadnagy told the Kernel.

Two years later, as Capture the Flag’s audience grew, Hadnagy found himself in the nation’s capital once again. That time, he was called to the Pentagon to debrief more than 30 high-ranking military officers—from decorated generals on down—and officials about the potency of social engineering attacks.

“They wanted to know how social engineering affects the American public,” Hadnagy said, “how it affects corporations, and to see how the government could possibly help.”

Retired Gen. Keith Alexander, former head of the National Security Agency, sat in the Capture the Flag audience in 2012 to watch the contestants go at it. “Thank you for teaching America’s youth how to use skills like social engineering for the better,” Alexander told Hadnagy, while shaking his hand in front of a cheering crowd.

By 2013, following the American government’s lead, the corporate world had made a complete turnaround on its view of the social engineering competition. Nine out of 10 targeted companies requested post-contest reports from Hadnagy and utilized a free seminar to learn more about how to fix the vast array of social engineering problems they face.

The competition, for all its bells and whistles, is far more about education than winning. The prize is relatively small—a coveted “black badge,” a lifetime free pass to Def Con, is awarded with some schwag, but no big money goes to the winner—and half of 2014’s competitors had never even tried social engineering before.

“The moral lesson is that anyone can do it,” said Michele Fincher, who helped run the competition and worked with Hadnagy as a security consultant at Social-Engineer.org. “You don’t need to be cool or have experience. People who are new come in and do extremely well.”

Fincher and Hadnagy both said the Capture the Flag competition is proof positive that social engineering is the most dangerous attack vector anyone faces—from mom and pop businesses to Fortune 500 companies and nation-states—and that transparency and education are likely the only way to even begin fixing the vulnerabilities.

“A computer virus could affect 10 million people until it’s patched,” Hadnagy argued. “There is no patch for humans.”

• • •

Last year, the third team of the first day of competition was called the “Schmooze Operators.” Their target, Home Depot, was an $80 billion company and the largest home improvement retailer in the United States. The team posed as auditors from corporate headquarters.

“I’m not sure I’m supposed to be doing this,” an obviously irritated Home Depot employee (whom we’ll call Sharon, to protect her from the potential wrath of embarrassed Home Depot superiors) said when the team asked for yet another piece of sensitive information about the company’s security procedures. Even the best liars run into a brick wall eventually.

Within the 30-minute time limit, the Schmoozers quickly teased out important technical details about how Home Depot’s computer systems work, as well as loads of other security information—when employees go on break, whether keys or cards are used to open locked doors, and how often people get paid—that leave Home Depot vulnerable to a wide range of attacks in both cyberspace and the real world. For 10 minutes, they sweet-talked Sharon and used her as a lever to learn more about Home Depot’s security, or in this case, the lack thereof.

The Schmoozers, a team who hadn’t even met prior to competing, were polite but forceful. They never asked if it was OK to take up Sharon’s time, but just did it, projecting an air of authority that carried them very far, very fast.

Sharon gave up a slew of information: the exact computer models Home Depot used, the software run on them, and the fact that the computers have virtually no malware protection.

When Sharon started talking about the complete lack of security in the store itself—“The doors here are never locked,” she told the supposed auditors—the audience erupted in laughter before quieting down at Hadnagy’s insistence. The Schmoozers were in a mostly soundproof booth, but there was no use in risking errant sounds ruining the call.

Sharon, who was working sales and registers for a Home Depot store in the U.S., eventually mentioned there were customers lining up at the register. She grew impatient but was implored by the liars to keep going.

The callers asked Sharon what kind of email software the Home Depot computers used.

“You should know this,” she said, wondering why someone from corporate headquarters would know so little about her store. With a little more sweet-talking, she gave up that info too: Her Home Depot used Outlook Express, an out-of-date email client that’s trivial to attack.

When the Schmoozers began asking her about her previous security training—another four-point flag is to get details of how companies train their employees—a lightbulb finally went off for her.

“I’m not sure I’m supposed to be doing this,” she said. After all, if the callers were from corporate headquarters, why didn’t they have an internal Home Depot phone number? And why didn’t she get a preliminary email before the phone call, a standard operating procedure at the company?

When targets have too much time to think about what’s really happening, social engineering fails. The whole art of SE relies on hiding in plain sight and never triggering any suspicions. Sharon had been triggered and had begun to ask too many questions, so the call was obviously coming to an end.

When the Schmoozers hung up, the crowd burst out into applause. Despite the failure, it was the best performance of that day by far.

The team still had 20 minutes on the clock, so the crowd quieted down again, waiting for the next call, the next lie, and the next target to fall.

• • •

Lying can go wrong in the strangest ways.

In 2013, a contestant named Milkman Dan was tasked with capturing flags from AT&T. In order to do so, he set up a fake backstory using the name of a real employee: Josh Lackey, a hacker working in security for the company.

“He called and claimed he was Josh and needed a ton of information,” Hadnagy says. “But the people he called all knew who Josh was.”

Oops. The targeted employees sent text messages to Lackey asking him why he was on the phone asking them such strange questions for sensitive data. Lackey answered back that he had no idea what they were talking about. Then, the truth dawned on him.

Lackey, it turned out, was a Def Con attendee. He had been sitting three rooms over from the 2013 Social Engineering Capture the Flag contest when he was inundated with confused text messages from his co-workers. When he realized what was happening, he walked over to the competition and introduced himself.

The contestant, who could hardly believe what was happening, immediately stood up for a smiling picture with the real Josh Lackey.


Photo via Social-Engineer.org

• • •

Capture the Flag teams attack some of the biggest companies in the world but, in the end, no one uses the information gained maliciously.

“We started it up to raise awareness for social engineering and give a venue to learn what makes a good social engineer,” Hadnagy told Computer World in 2010. “The easiest route into a company is still people.”

Real bad guys could easily use the kind of information Sharon had so freely given away to launch a campaign specifically targeted against the vulnerabilities in Home Depot’s security. Thieves could even use the information—like the lack of keys and cards in certain areas, the knowledge of employees’ break and shift times, and the exact contractors the stores use for pest control or garbage, for instance—to gain access to the store itself.

That’s what makes social engineering so potent, and that’s what makes having a fully transparent competition about it so important—and wonderful to watch. Instead of security through obscurity—the futile act of hiding critical vulnerabilities rather than fixing them—the Social Engineering Capture the Flag event highlights important problems and demands improvement.

Security personnel at many of the targeted companies have learned to appreciate that the Capture the Flag competition actually provides a service to them in the form of a free penetration test, something for which major firms usually pay big money.

It’s easy to imagine Capture the Flag getting a bad rap. When I tell Hadnagy and Fincher that I think of the event as the “Super Bowl of lying,” they take issue with the nickname, and say they are weary of negative press coverage. A 2012 CNN article that deemed the social engineers liars and characterized the calls as cons struck Hadnagy as particularly wrongheaded.

What about the Super Bowl of manipulation?

“I prefer the Super Bowl of influence,” Fincher offered, saying that “human hacking” is about influencing the decisions of others.

Social engineering, which undeniably involves lying and manipulation, can nevertheless be put to positive use. Don’t let a few naughty words scare you off.

The Social Engineering Capture the Flag competition is a perfect example of how deceit—because, yes, that is what’s happening when unsuspecting Sharon gets hoodwinked in front of hundreds of people—can be used for the greater good. And it’s a hell of a spectator sport, too.


A version of this story was originally published by the Daily Dot on Sept. 2, 2014.

Photo via Bernard Pollack/Flickr (CC BY 2.0) | Remix by Jason Reed