Men may dominate the ranks of vulnerability researchers and hackers. But could women be the superior social engineers? It's a question that the organizers of the annual Social Engineering Capture the Flag (CTF) contest at DEFCON will try to answer.
In a break from recent years, the third annual DEFCON Social Engineering CTF will pit ten men against ten women in a battle of the sexes to see who can better weasel, cajole and worm their way into obtaining sensitive information from some of the U.S.’s leading corporations. And, according to one of the contest’s organizers, the smart money is on the women.
“Unfortunately, there’s a chauvinist consensus that females don’t get security,” said Chris Hadnagy of Social-Engineer.org, which sponsors the annual Capture the Flag contest. “The truth is that, as social engineers, women do better. We’ve seen hacktivists like Anonymous and LulzSec use females as part of their attacks.”
There’s no hard research on the relative abilities of men and women to social engineer – or “con,” using the term most familiar to past generations. But there is reason to believe that women might have an edge in gaining the trust of potential targets – a key objective of any social engineer. Scientific studies have found that our tendency to find women’s voices comforting may be deeply wired in our brains, and stem from our experience, before birth, hearing the sound of our own mother’s voice.
But Hadnagy said that there are also important differences in the “pretexts” – or ruses that men and women use to trick strangers into surrendering the bits of sensitive information that count as “flags” in the Capture the Flag competition.
“The guys come in with a lot of knowledge,” he said. “The pretexts they choose give them the upper hand – they’re an angry customer, or they ‘work for the boss’ and need answers,” said Hadnagy, who is the co-founder of Social-Engineer.org.
In contrast, Hadnagy said he typically sees women in the CTF contests use pretexts that make the target seem powerful. “They put themselves in a humble position. They’re a woman in distress. Can you help me?” Very often, he said, that approach bears fruit. “‘Can you help me?’ are the four most powerful words in social engineering,” Hadnagy said. “We’ve been trained that way. When you see someone in need, you want to go help, even if it means betraying your employer.”
Women are by no means the only social engineers to have stumbled on the utility of appearing vulnerable. Hadnagy said that men have also used such pretexts in previous years, including some contest winners. “Last year we had a guy who called and said he was in an airport and he needed help – needed to get a quote in at the last minute.”
Now in its third year, the social engineering CTF contest at DEFCON is modelled on the team hacking Capture the Flag tournaments that have long characterized DEFCON and other hacker gatherings. In the social engineering CTF, contestants are given a list of target firms weeks ahead of the conference and are allowed to research those companies and their employees. They are then given a set amount of time (20 minutes, this year) to pick up the phone and try to convince employees of the firms to divulge the information they’re seeking.
Past social engineering CTF competitions have targeted iconic firms like McDonald’s, Wal-Mart, Microsoft, Google, Ford and Pepsi. The results of the contest have shown that even wealthy, sophisticated companies are ill-equipped to fend off sophisticated social engineering attacks.
However, female employees are less likely to fall for such a ruse. “Every time we get a woman on the phone as a target, she does better than the guys,” Hadnagy told Threatpost. “She’s more paranoid, and answers fewer questions. Her ‘phish’ meter goes up quicker and she hangs up.”
This year’s contest will again target prominent firms, but Hadnagy said the organizers wanted to target industries and companies that might be lower profile, but whose importance to the U.S. economy is large. “We wanted to switch it up and target companies that reflect what American business is all about,” he said.
The organizers had hundreds of people sign up for the CTF competition and closed registration. They then whittled the list down to 20 contestants: 10 men and 10 women. Hadnagy said he was pleasantly surprised by the number of women who volunteered to participate in the CTF contest.
The organizers will also host the second annual social engineering capture the flag contest for children. That contest, which is part of the DEFCON Kids conference, is a treasure hunt, with kids needing to retrieve clues from “targets” at the conference. Those clues include ciphers which the contestants need to assemble and decode to solve a puzzle and win.
Organizers will issue a report following the conclusion of the contest. But Hadnagy said that most companies still woefully under-invest in employee training on social engineering, and that he expects contestants will have little trouble collecting flags from target firms.
“I don’t see it getting any better,” he told Threatpost.
Correction: An earlier version of this story listed Chris Hadnagy as a principal at Offensive Security. Mr. Hadnagy is no longer employed by that firm.