Sogeti Social Engineering Challenge #SSEC2013
for Hack-in-the-Box 2013 #HITBAMS2013
At this year's Hack-in-the-Box ('HitB') conference, too, Sogeti Nederland B.V. ('Sogeti') will host a challenge unprecedented in HitB history, testing your social engineering hacking skills! As you all know, humans are often referred to as the weakest link in infosec defenses; let's prove this empirically once again and create some awareness at the same time :)
The challenge is to social engineer one of the top 100 Dutch companies.
In order to participate and avoid any legal consequences, the contestant must strictly obey all the rules outlined below. The decisions of the CTF jury, should any ambiguity arise, are final; any violation of the rules below may lead to disqualification.
During the HitB conference, on the 10th and 11th of April 2013, from 10am until 5pm.
Slots for the challenge will be communicated in advance. We understand that you are at HitB primarily for the interesting presentations, so all our challenges are time-boxed, which also ensures that every contestant has an equal chance of winning. Notify us of any presentation you absolutely don't want to miss, or of one you are presenting yourself, and we will try to provide you with appropriate slots.
Interested in how your company would respond to social engineering? You can register your company as a target on our Sogeti Event site.
- In order to participate, the contestant must register for this Eventbrite event. By registering, the contestant acknowledges and agrees unconditionally to all the rules (including Dutch law) described hereunder. The contestant will be contacted prior to HitB and will receive one target company name, chosen randomly by us, the CTF organization, from a previously compiled list.
- In order to build the report, the contestant may not use any direct or indirect invasive techniques; all information obtained must verifiably be public information only. This means the contestant is not allowed to call, e-mail, or contact the target in any way before the HitB conference. The report compiled on the target should greatly help during the social engineering challenge to find a working attack vector. At the conference, contestants will receive a description of the flags, together with their point values, that they need to obtain from the target. Examples of such flags are information on the target's caterer, or persuading the target to visit a website of our choice.
- During the social engineering challenge, the contestant will be able to call the target company on any of the Dutch phone numbers listed in their report that are linked to the target and verified by us. You will have a maximum of 30 minutes to call. In these challenges, telephony is the only invasive medium used (but it is sufficient :)
- The idea is that this contest shows your skills as a hacker and social engineer. It is not allowed in any way that anyone (the target and/or employees of the target) gets annoyed, offended, harassed, etc. during the challenge. During these phone calls you are furthermore not allowed to try to extract sensitive or illegal information from the target, such as passwords, credit card numbers, etc. You are also not allowed to pose as a government agency, law enforcement, or any other legally liable entity such as an employee of the target company, or to use any other fake identity. Also, no techniques may be used that will make the target feel "at risk" in any manner (like "we have reason to believe that your account has been compromised"). Basically, you are not allowed to do anything that would compromise Sogeti, HitB, or any other contestant in any way.
- The phone call at the HitB conference will take place in a separate conference room under our supervision and will be streamed with a delay to another conference room where others can listen in. In both rooms there is a strict no-recording policy.
- All findings of the contestants may be used in a report that will be compiled by Sogeti after the event. The contestants' details will not be disclosed in this report. Contestants will not publish any findings from the challenge in any media, including the names of the targets and the flags found.
- Sogeti employees are encouraged to participate, but in order to avoid any conflict of interest, no prizes will be awarded to Sogeti contestants.
So let's raise some security awareness in the Netherlands and test your skills!