Men may dominate the ranks of vulnerability researchers and hackers. But could women be the superior social engineers? It’s a question that the organizers of the annual Social Engineering Capture the Flag (CTF) contest at DEFCON will try to answer.

In a break from recent years, the third annual DEFCON Social Engineering CTF will pit ten men against ten women in a battle of the sexes to see who can better weasel, cajole and worm their way into obtaining sensitive information from some of the U.S.’s leading corporations. And, according to one of the contest’s organizers, the smart money is on the women.

“Unfortunately, there’s a chauvinist consensus that females don’t get security,” said Chris Hadnagy of Social-Engineer.org, which sponsors the annual Capture the Flag contest. “The truth is that, as social engineers, women do better. We’ve seen hacktivists like Anonymous and LulzSec use females as part of their attacks.”

There’s no hard research on the relative abilities of men and women to social engineer – or “con,” using the term most familiar to past generations. But there is reason to believe that women might have an edge in gaining the trust of potential targets – a key objective of any social engineer. Scientific studies have found that our tendency to find women’s voices comforting may be deeply wired in our brains, and stem from our experience, before birth, hearing the sound of our own mother’s voice.

But Hadnagy said that there are also important differences in the “pretexts” – or ruses that men and women use to trick strangers into surrendering the bits of sensitive information that count as “flags” in the Capture the Flag competition.

“The guys come in with a lot of knowledge,” he said. “The pretexts they choose give them the upper hand – they’re an angry customer, or they ‘work for the boss’ and need answers,” said Hadnagy, who is the co-founder of Social-Engineer.org.

In contrast, Hadnagy said he typically sees women in the CTF contests use pretexts that make the target seem powerful. “They put themselves in a humble position. They’re a woman in distress. Can you help me?” Very often, he said, that approach bears fruit. “‘Can you help me?’ are the four most powerful words in social engineering,” Hadnagy said. “We’ve been trained that way. When you see someone in need, you want to go help, even if it means betraying your employer.”

Women are by no means the only social engineers to have stumbled on the utility of appearing vulnerable. Hadnagy said that men, too, have used such pretexts in previous years, including some contest winners. “Last year we had a guy who called and said he was in an airport and he needed help – needed to get a quote in at the last minute.”

Now in its third year, the social engineering CTF contest at DEFCON is modelled on the team hacking Capture the Flag tournaments that have long characterized DEFCON and other hacker gatherings. In the social engineering CTF, contestants are given a list of target firms weeks ahead of the conference and are allowed to research those companies and their employees. They are then given a set amount of time (20 minutes, this year) to pick up the phone and try to convince employees of the firms to divulge the information they’re seeking.

Past social engineering CTF competitions have targeted iconic firms like McDonald’s, Wal-Mart, Microsoft, Google, Ford and Pepsi. The results of the contest have shown that even wealthy, sophisticated companies are ill-equipped to fend off sophisticated social engineering attacks.

However, female employees are less likely to fall for such a ruse. “Every time we get a woman on the phone as a target, she does better than the guys,” Hadnagy told Threatpost. “She’s more paranoid, and answers fewer questions. Her ‘phish’ meter goes up quicker and she hangs up.”

This year’s contest will again target prominent firms, but Hadnagy said the organizers wanted to target industries and companies that might be lower profile, but whose importance to the U.S. economy is large. “We wanted to switch it up and target companies that reflect what American business is all about,” he said.

The organizers had hundreds of people sign up for the CTF competition and closed registration. They then whittled the list down to 20 contestants: 10 men and 10 women. Hadnagy said he was pleasantly surprised by the number of women who volunteered to participate in the CTF contest.

The organizers will also host the second annual social engineering capture the flag contest for children. That contest, which is part of the DEFCON Kids conference, is a treasure hunt, with kids needing to retrieve clues from “targets” at the conference. Those clues include ciphers which the contestants need to assemble and decode to solve a puzzle and win.

Organizers will issue a report following the conclusion of the contest. But Hadnagy said that most companies still woefully under-invest in employee training on social engineering, and that he expects contestants will have little trouble collecting flags from target firms.

“I don’t see it getting any better,” he told Threatpost.

Correction: An earlier version of this story listed Chris Hadnagy as a principal at Offensive Security. Mr. Hadnagy is no longer employed by that firm. 

Categories: Data Breaches, Hacks, Social Engineering

Comments (11)

  1. Anonymous
    2

    Political Correctness at its finest. The fact that this is on ThreatPost is sad.
  2. Anonymous
    3

    Hadnagy is one of those guys who doesn’t realize he’s being sexist or discriminating, because it’s so ingrained in him.  Listen to the podcast where he’s interviewing Jasmine St. John. He’s condescending to her from the get-go, commenting on her tiny, childlike voice, etc.

    It’s not just him, tho. It seems that the infosec groups that are all-male boys’ clubs, who have no women in their leadership (or, for that matter, no women participating at all), have the same problem.

  3. Paul W.
    4

    whew – I got a great laugh from that poster a few lines up…. He obviously doesn’t know Chris or anyone on the podcast. I am sure his new Female Podcast Panelist wouldn’t put up with him if he was sexist… and Jasmine actually stated how much fun she had on the podcast. But I guess that is why lamers will hide behind Anon in order to bring in doubt.

    Thanks for the laugh though.

    Chris and crew if you are reading these comments – keep going. What you are doing is a great work and people like that guy probably can’t do anything, that’s why they just sit and insult.

  4. Anonymous
    5

    NO WOMEN IN THEIR GROUP

    LOL

    Talk about misinformed posters… SEORG has had a female on the panel for months now, they have interviewed many leading Females in their fields… sexist? wow. That poster obviously was just trying to get people going.

    I agree with above, if you are reading Chris… keep going.  Good work.

  5. Paul Roberts
    6

    Not sure how this is evidence of ‘political correctness’? I’m confused. 

  6. Leo
    7

    I see that everyone that knows Chris has already covered the fact that Chis is not “being sexist or discriminating…”

    I will add my voice as someone that has listened from the first podcast and had the pleasure of meeting Chris.  

  7. Chris Rattis
    8

    I’ve listened to all but the latest episode of The Social Engineer Podcast. I don’t think that Chris has been condescending at all. As for the Jasmine St. John interview, I’m sure there was some rapport between the two of them before what we heard that was edited out. I also think that Chris got schooled by Jasmine over all, if you really listen to the episode, she was the one in complete control.

    As for the comment about more women in podcasting and roles of leadership, it’s not easy. Not because there is an old boys network trying to keep them out, but because they don’t have time. I have a podcast, and we did a panel on gender. The panelists said they didn’t have time to run one. I left an open invite to all the panelists, to be on our show whenever they wanted. None of them have taken us up on it yet. Well, one kind of did, but that was as an interview for her talk at a Bsides conference.

  8. Brent E
    9

    It’s been well researched that in every culture people in general tend to be more sympathetic to a woman’s voice rather than a man’s. Women, in general, and I am not being sexist here, are also “trained” or for the most part tutored to use soft influence just as most young men or boys have been taught to take charge or take control (command) of a situation. For the most part it’s how we’ve been raised since early childhood as to how to behave.

    It would be interesting to see this CTF flag experiment include more non-technical folks at, say, a college level experiment. Might find that pre-law students might do very well or art types or whatever rather than more security orientated folks. I suspect we’re really not as good as the general population without the onus to do so. Logic can so get in the way of creative thinking.

  9. Anonymous
    10

    I actually listen to all the social engineer podcasts, and I have never once felt anyone in that group is sexist or discriminating. It is true that security seems to be a male boys club… but as a woman, I am happy he is doing this. But I guess if you are gonna hate… you are gonna hate.

  10. Anonymous
    11

    There are plenty of women who feel threatened by a man’s voice, and probably even more that simply feel more comfortable with a female’s voice. Sex appeal isn’t the only thing going for ’em really…