Lying is one of those skills that our culture paradoxically both admires and reviles. There’s a reason we lionize TV characters like Frank Underwood and Walter White, who manipulate the truth effortlessly with almost every sentence that slips from between their lips: Lying is cool. Sure, the consequences of the act can be terrible, but there’s something fascinating about a person able to deftly manipulate the truth to their own ends. That’s what makes this Daily Dot piece focused on the annual Social Engineering Capture The Flag event at Las Vegas’ Def Con hacker conference so fascinating.
The article, by Patrick Howell O’Neill, is an in-depth exploration of the origins and culture of the event, which gives competitors 30 minutes to lie, cajole, charm, and bluff as much sensitive information as they can over the phone from employees at pre-selected businesses, in imitation of real social engineers who “hack” people using deception and manipulation in order to steal valuable security information. The goal is to increase awareness of how vulnerable businesses are to these social engineering techniques, and how poorly trained their employees are to counter them. Along the way, the article illustrates which bits of information are of most use to social hackers—you should never, ever tell people what operating system your store’s computers use, apparently—and includes stories like this one, about a contestant who chose the wrong security expert to imitate:
Last year, a contestant named Milkman Dan was tasked with capturing flags from I.B.M. In order to do so, he set up a fake backstory using the name of a real employee: Josh Lackey, a hacker working in security for the company.
“He called and claimed he was Josh and needed a ton of information,” Hadnagy says. “But the people he called all knew who Josh was.”
Oops. The targeted employees sent text messages to Lackey asking him why he was on the phone asking them such strange questions for sensitive data. Lackey answered back that he had no idea what they were talking about. Then, the truth dawned on him.
Lackey, it turned out, was a Def Con attendee. He was sitting three rooms over from the 2013 Social Engineering Capture the Flag contest when he was inundated with confused text messages from employees. When he realized what was happening, he walked over to the competition and introduced himself.
You can read the rest of the article over at The Daily Dot.