The SEVillage Wrap-up from DEF CON 27

by SEORG on August 26, 2019

If you’ve been asking yourself, “Was DEF CON just a crazy dream?” “Why does it feel like I was hit by a train?” “Are things really back to everyday life without 25,000 friends to hang out with?” Just know that we feel the same way.

Even before we ran the SEVillage at DEF CON 27 from August 8-11, we had some of the team in Las Vegas for our Advanced Practical Social Engineering (APSE) training at Black Hat. With 23 students along for the APSE ride, there was a myriad of both fun and inspiring events, including an unintentional elicitation of a “service woman…of the night,” talks of Lady Gaga’s meat dress, and some awesome conversations with targets that made them feel better for having met us. So, with another successful APSE completed, we continued the sprinting marathon that is DEF CON…

This year was our 10th anniversary of the SEVillage at DEF CON, and wow, it really was one for the books! We were generously provided the entire 3rd floor in the Jubilee Tower of Bally’s and ended up using every bit of space (and more.) A whopping 11,000 (eleven thousand – not a typo) square feet of ballroom space awaited us. Here’s how it all went down:

This wasn’t even the whole room, it was RIDICULOUS!

Wednesday: Set-Up / Pre-Death

Finally, relieved of storing the entire contents of SEVillage in his house yet again, Billy Boatright and the crew unloaded all sorts of boxes, bins, and a literal ton (yes, 2,000 pounds … ish) of Amazon packages.

The sound booth was set up, merchandise was displayed, Evan and Paul set up our magic mics, and 3,000 badges were assembled. Our fingers are still bleeding. You’re welcome.

Resurrecting the booth of terrors fun.

Schwag set-up. Next time, we’ll bring more books and size large T-shirts! #Scarcity

Badge life is the real life. We weren’t kidding when we said 3,000 badges… that was 1,000 more than DC26 and we STILL ran out. We love you guys.

DEF CON is about hacking, but it’s also about friends and family. There were many hugs to be had (awkward hugs too!) in-between the unpacking, sorting, assembling, and general craziness!

OK, so Thursday was INSANE because the SEVillage was (one of) the only villages open on day one of DEF CON 27. Linecon was STRONG; we were backed up for two entire floors, lining both sides of the hallway. Thank goodness most people followed the 3-2-1 rule.

This was like 0.0000000000001% of our Linecon. Luckily, these folks were on our village floor so we could document their beautiful palette of tan shorts.

Anyway, we kicked off with a uniquely-entertaining-yet-somehow-still-family-friendly welcome introduction from the one and only Chris. You could feel the air buzz with energy (or was it our tasers? hehehe) as we started your favorite village competition, the Social Engineering Capture the Flag (SECTF). That’s right—we moved the SECTF to Thursday + Friday!

This year’s theme was ATF: Alcohol, Tobacco, and Firearms. On the list of targeted companies (in no particular order): Brown-Forman, Skoal, Smith & Wesson, Ruger Firearms, Busch Beer, MillerCoors a Molson Coors Brewing Co., R. J. Reynolds Tobacco Company, Republic National Distributing Co., Marlboro, Remington Outdoor Company, E&J Gallo Winery, Constellation Brands Headquarters, Campari America, and Glock.

Contestants were HUNGRY this year, and we were really blown away by the hours and HOURS of preparation each did in anticipation of their 20 minutes in the booth. Many contestants spent 100+ hours on the OSINT-gathering and reporting portions – which equates to THREE HUNDRED minutes of prep per ONE minute of booth time!!! They. Did. Not. Come. To. Play.

All 700 seats plus every square inch of open floorspace were jam-packed! It was a full house to watch seven contestants over a four-hour span followed by our first keynote, Robin Dreeke, and several great speeches.

You could hear a googly eye being placed on a statue; it was so quiet.

OK, well, it was serious until Evan, the MEME MASTER, would distract us with awesome m—squirrel!

This is what laser-focused destruction and pure determination looks like.

Laughing that we might have unlocked the secret to SE: having an Australian accent…

Genuine or fear-induced smile…?!

A sub-contest within the SECTF of who can raise their hand the longest. Is that a joke? You’ll never know.

We saw a fair share of memorable techniques, outcomes, mishaps, learning experiences, and funny things with this year’s SECTF. Contestants were utilizing maternity and/or paternity leave as a rapport builder, targets were exclaiming “You’re a dang liar!”, and plenty of flags were gathered.

Before we knew it, the SECTF was finished for Thursday. It was time to eat some PLAIN TURKEY sandwiches (sorry, that was an inside joke, just go with it) and buckle up for some serious knowledge-dropping by our very good friend, author, CEO of People Formula, and former Chief of the FBI’s Behavioral Analysis Program, Robin Dreeke.

Robin Dreeke’s keynote and sneak peek into his latest book, “Sizing People Up,” on how to quickly and easily determine who you can trust and who you can’t; who is likely to deliver on promises and who will disappoint; and when a person is vested in your success vs when they are actively plotting your demise.

After Robin’s discussion and Q&A we had several great Human Track speeches including:

    • Marcus Liotta, “Leveraging the Insider Threat, Oh, and How to be Awesome”
    • Edward Miro, “Rideshare OSINT: Car-Based SE For Fun & Profit”
    • Chris Pritchard, “The Basics of Social Engineering AKA How I Break into Casinos, Airports and CNI”
    • Andrew Nicholson, “Hacking Hollywood”

These and all of the talks given in the SEVillage were recorded by DEF CON and will be made available by their team, likely via YouTube, in the near-ish future. Keep an eye on our Twitter. We will be sharing the videos as soon as they become available!

Sooooo, because weird things happen in the SEVillage, like having your famous friend from the UK being in Las Vegas the same days you’re there for his own show and actually being available to do a live demo for your village, we were fortunate to have R Paul Wilson join us at the end of the day! Take his workshop at SEVillage Orlando 2020 if you’re into sleight-of-hand and magic and deception. Because how much more amazing could you be if you could learn how to palm a rubber ducky, right?

R Paul Wilson probably shuffled a deck of cards and bent and un-bent every card’s corner in the time it took to take this photo.

Friday: SECTF4Kids, SECTF, Keynote Chris Hadnagy, Human Track Speeches

At the crack of dawn on Friday (okay, 9am), we met with the kids, ages 6-12, of DEF CON for the SECTF4Kids. This year, we sent them “Back to the Future” on a competition that taught them how to crack safes, solve ciphers, tape together a bag full of shred, and even compete in a custom-made Minecraft puzzle using an Oculus Go (which was also the prize for our 1st place winner!) As usual, the kids dominated the competition and amazed us with their problem-solving skills. Congratulations to our 2nd place winners, Jennicka and Athena, and our 1st place winners, Tobin and Jayden!


A bit later in the morning, day two of the SECTF kicked off with a vengeance. With a mixture of seasoned SECTF veterans and some fresh faces, we were excited to see what was in store. Our contestants were up to some new tricks! One directed their target to go to a known unreachable site before directing them to the flag site—brilliant! Another contestant actually dressed up to get in character. And the SECTF narrowly avoided almost becoming the next dating platform. Yes, really.

Want all the juicy details, stats, and more? Look out for the SECTF Report and accompanying webinar in the coming months!

We really needed more like 800 or 900 seats, TBH.

These competitors are BRAVE. A live vishing call in front of 700-1,000 people is NO joke.

All smiles after a great experience!

With our veins pumping adrenaline from the SECTF calls, we thought it would be a good idea to get a little nostalgic with a lookback at the SEVillage’s 10 years at DEF CON with our Friday keynote by Chris.

Chris, @humanhacker, recalling all the “good decisions” he’s made over the years of creating SEVillage, like Nerf-ing small children.

We reminisced about our beginnings and the various, REALLY GREAT (…) themes throughout the decade. Chris highlighted facts about the contest, our competitors, and most importantly—that none of this would have been possible without our guiding principles, ethics, and code: “Leave people feeling better for having met you.”

Speaking of making the world a better place…some of you may know that a few years ago, Chris founded a 501(c)(3) called the Innocent Lives Foundation (ILF). This highly talented nonprofit group of technical volunteers unmasks anonymous child predators and works with law enforcement to bring justice around the world. At the end of 2018, which was an amazing year of growth, ILF hired its first full-time employee—a Chief Operating Officer. This vital role was needed to refine, build, and foster the nonprofit towards a truly sustainable path. Shane McCombs has done a terrific job of just that in his time so far as ILF’s COO.

Shane, the ILF staff, and many of the ILF volunteers were present throughout the days at DEF CON, bringing awareness to the issue at large and to the work they do on behalf of society. We’re humbled to report total fundraising for the week exceeded $6,000 thanks to many generous friends and donors!

We were lucky to have Shane speak in the SEVillage on “Why Vigilantism Doesn’t Work.” Other awesome speeches from Friday included:

  • Ryan MacDougall, “OSINT in the Real World”
  • Billy Boatright, “Swing Away: How to Conquer Impostor Syndrome”
  • Micah Zenko, “Red Teaming Insights and Examples from Beyond the Infosec Community”

Those speeches wrapped up our second day! Though the SECTF had finished, we had so much more to keep us in out of trouble for the next couple days…

Saturday: SECTF4Teens, Mission SE Impossible, Keynote Jayson Street, Human Track Speeches

For the 3rd year in a row, we kicked off Saturday with our SECTF4Teens competition. The teens, ages 13-17, had no idea what they were in for when they met with the team that morning. We joined forces with an amazing friend, volunteer, and long-time supporter: Chris Silvers of C G Silvers Consulting. He helped us design one of the most challenging competitions we have EVER done for teens. Including ACTUAL phishing, vishing and impersonation, the teens spent an entire day involved in a simulated social engineering engagement.

Congratulations to our 1st place winner, Donna! Donna is an OSINT superstar! She blew away the recon portion of the competition and even nailed most of the bonus questions, ending up with an almost 200-point lead. For a first-time competitor, Donna impressed us all with the way she picked up new skills so quickly.

And congratulations to our 2nd place winner, Flipbit! Flipbit is one smart cookie! She was one of the first contestants to make it through most of the challenges. Flipbit knows how to use her resources, both human and OSINT, and showed some serious SE skills.

Our Mission SE Impossible (MSI) was back and as heart-pounding as ever. In this contest, you were captured in an attempt to break into Chris’ office building. You were handcuffed AND leg-cuffed in a jail cell, and to escape you had to shim your handcuffs, pick a lock, successfully identify facial expressions from Dr. Paul Ekman’s micro-expressions training, and traverse a laser grid with SHARKS with LASERS on their HEADS. The fastest time won!

Colin gave some great hands-on practice and demos beforehand for everyone to pick up a new skill, and to give the contestants a fighting chance.

MSI included both younger and older contestants. One contestant was repeatedly a “life-line” for many other contestants on the lock picking portion. She eventually ran the course and won! We also found out that Jay is a really bad security guard, and that SEVillage is the only place where parents encourage their kids to get handcuffed, and film the experience.

Our Saturday and final keynote was by our very good friend Jayson Street, “I PWN thee, I PWN thee not!” He hosted a frank discussion of what control failures an attacker looks for when attempting to breach an enterprise, as well as how an effective control can help prevent an attacker from being successful. And, he gave lots of awkward hugs!!

Jayson keeping DEF CON weird <3 Thanks to the lovely April Wright for this photo!

Another batch of terrific talks was out of the oven for our last full day of activities. On stage to close Saturday out were:

  • Chris Kirsch, “Getting Psychic: Cold Reading Techniques for Fortune Tellers and Social Engineers”
  • Rebecca Long, “Hacking Your Career Through Social Engineering”
  • Wayne Ronaldson, “Executives Seeing Red”
  • Daniel Isler, “The Voice Told Me to Do It”
  • Perry Carpenter, “The Aspie’s Guide to Social Engineering Your Way Through Life”

On Saturday, we welcomed our friends at Security Weekly to set up shop for conducting interviews on our village floor. You can watch all the sit-downs with many of our SEVillage speakers here.

Sunday: SEPodcast, Breakdown, Closing Ceremonies

Whoa. Sunday already. Even though each day felt like 2.78 weeks, we finally made it! Everyone was MOSTLY still alive, so we decided to change that. Our in-village recording of the Social-Engineer Podcast got underway with guests Robin Dreeke and Perry Carpenter from our long-time supporter, KnowBe4.

Check out the show and give it a listen!

Luckily for our remaining brain cells and working limbs, all we had to do was clean-up, pack everything, and have a little fun at Closing Ceremonies 😊

Ah, Closing Ceremonies… The place where everyone’s running on fumes and there are babies casually chilling on stage like it’s NBD. OK, so if you haven’t noticed, the ladies have really been cleaning up lately (read: dominating) – and we were insanely excited that Jo Zhou won 2nd place in our SECTF.

Don’t let her adorable-ness fool you; she’s one mean very nice, green, SE-ing machine.

And for the 10th year running, the SEVillage was awarded a DEF CON black badge for its 1st place competitor. We could not have been happier to award it to the AMAZING ALETHE DENIS!!! She was able to get flag after flag after establishing an incredibly strong rapport with a new dad (being a new mother herself!) Alethe spent SO many hours preparing for her calls, and it clearly paid off. A past contestant, Alethe really showed us all that she was ready to dominate this year!!

Photos thanks to Alethe herself. Congratulations, you powerhouse!!!

Soooo, Now What?

With all our 25,000 friends back home (and other places by now,) we want to thank you for your support. Yeah, yeah, yeah, a lot of mushy stuff was said this go ‘round, but come on, 10 years of SEVillage at DEF CON was a pretty big deal. And we couldn’t have done it without your friendship, laughs, and whisk(e)y throughout the years. So, THANK YOU.

And if you can’t wait to see us before the next HSC (only like ~50 weeks!), we’ll be at DerbyCon with a wicked OSINT CTF. And come visit Orlando in February (hello, gorgeous temperatures) for our inaugural training conference aptly named SEVillage Orlando 2020. It’s for the SE who’s looking to REALLY level-up and get serious about learning from some of the foremost experts in the world on all things SE-related: body language, cold reading, behavior, physiology, sleight-of-hand, acting, OSINT, and so much more. And yes, we’ll likely be hosting our flagship SECTF, so stay tuned for more info on that!

Thanks again for leaving us feeling better for having met YOU. Here’s to the next 10!

And here are some more pics we think you’ll enjoy 😊

SO MUCH CUTENESS IN ONE SMOL BUNDLE. Do those pineapple pants come in our size?!

There is no better way to be surrounded by soft comfort AND kick major butt at the same time than by wearing one of these ILF T-shirts.

Before.

After.

Thanks again for this photo, Alethe! One of the most friendly-looking (and sounding) groups of people you’ll ever meet. But that’s the whole point, isn’t it? Heh heh

Thanks for all the photos, Amaya! We <3 you.

Billy is our HERO and that’s not an overstatement.

Amazing volunteer and past-contestant Hannah touching lives – and badges.

Reason #745,920,163 why we love Kaz.

The post The SEVillage Wrap-up from DEF CON 27 appeared first on Security Through Education.



*** This is a Security Bloggers Network syndicated blog from Security Through Education authored by SEORG. Read the original post at: https://www.social-engineer.org/social-engineering/the-sevillage-wrap-up-from-def-con-27/
