Doing The Right Thing
Staying within ethical boundaries is a top concern of SEC. As such, we have created a Code of Ethics that anyone who places a phone call from our booth must agree to. We also ask that all staff and volunteers agree to the Code of Ethics.
SEC Code of Ethics
Ethics is a core component of the information security industry, and especially so when dealing with Social Engineering. The goal of this section is to define the SEC's ethics so that contestants can compete in our Vishing Contest in a way that is acceptable throughout our industry to the contestant, the recipient of the call, and the target company.
These ethics were written with the understanding that this competition is designed to meet three primary objectives. We believe the ethics below strike the best balance between an acceptable, approachable way to conduct the competition and preventing harm to any party.
- Showcase live Social Engineering techniques from a variety of individuals which gather non-sensitive but important information.
- Demonstrate the effectiveness of these techniques so that audience members can see in real-time how they work.
- Identify and celebrate the individuals, and the companies that employ them, whose proper security awareness practices prevent the Social Engineering techniques from working.
Should a caller have questions about whether something meets our ethics, they may submit the question before the event or on-site before their call. Callers should not make calls using pretexts or other dialog they are unsure meets the ethics below.
If, during a call, the judges or other SEC staff determine that the caller's pretext or dialog is unethical, they may intervene as they see fit, including terminating the call and disqualifying the caller from any event on the spot.
Finally, the Social Engineering Community reserves the right to update or otherwise change these ethics without notice.
Any individual conducting a live call at the SEC event at DEF CON must agree to and abide by these ethics.
I will only call employees from the provided company.
- Calls should be made only to employees of the organization. The caller will refrain from calling an employee's family or friends, or the organization's contractors or vendors.
- Any direct-dial number must be supported by verifiable evidence in the OSINT report that it is a corporate-owned phone number and not a personal cell phone.
I will refrain from using pretexts or narratives which utilize fear.
- No pretext should make the receiver of the call fearful or feel threatened. For example, any pretext that uses explicit or implicit repercussions for not complying with requests or following instructions is disallowed.
I will maintain professionalism at all times during the call.
- The call’s content should remain professional and appropriate for all ages. The caller guarantees they will refrain from using vulgar language or otherwise offensive content.
I will not impersonate an external authority figure.
- Your pretexts should not explicitly or implicitly imply that you hold an external position of authority. Disallowed impersonation includes, but is not limited to, roles such as police, lawyers, doctors, and city officials.
I will refrain from collecting sensitive information such as personally identifiable information (PII), credentials, etc.
- At no time should the caller ask, explicitly or implicitly, for sensitive information. If the receiver begins to provide information the caller judges may be sensitive, the caller must immediately attempt to stop the receiver from divulging further.
- During the OSINT phase, sensitive information should not be sought or collected.
My focus will be on the company and the individual from their position as an employee, not the personal individual.
- While you are expected to interact with an individual, the focus of pretexts must be to elicit information about the company via the individual's role with the company. This is different from eliciting personal information about the individual. Small talk is acceptable; however, refrain from focusing heavily on the personal life and traits of the individual.
- After the event, callers are not expected or otherwise required to maintain or keep the information or other documentation about the interaction, including the OSINT report and notes.
- You are expected to ensure the information you have discovered is used for the competition only and won’t be sold, shared, or otherwise disseminated to any other party or used for other purposes.
- It is important to note that this guideline's intention is not to limit your freedom of speech. However, we believe it is in the best interest of the Social Engineering Community, targets, and individuals to receive narratives of the event that focus on both strengths and weaknesses without shaming anyone.
- As an example, rather than saying “So’n’So was stupid for thinking I was actually a department manager and really screwed Acme Co. for giving me all that information over the phone.” Consider framing the situation like this “My pretext leveraged implied trust when pretending to be a manager, resulting in the receiver complying with my request without question. The organization should consider implementing a policy to pass information via another method such as emails, or have a method of verification to confirm employees.”
- OSINT, pretexts, and target phone numbers will be proactively investigated for signs of cheating, including manufacturing OSINT data, falsifying phone numbers, or staging plants. Corroborated evidence of cheating by a contestant will result in disqualification.
- We wrote these ethics as guidelines that capture the effects of social engineering against companies while minimizing the impact on all parties as much as possible. They were not designed to enable someone to find loopholes, contradictions, or other inconsistencies in order to accomplish something the Social Engineering Community staff would construe as unethical. You agree to follow these guidelines and may at any time request assistance from the Social Engineering Community staff in determining whether something meets our ethical guidelines.
Code of Conduct
SEC abides by and enforces DEF CON’s Code of Conduct (CoC).
Hacking conference villages and contests always dance across ethical lines, but we would argue that ethics are not top of mind for most people simply because they don't see the end risk to a person. The same argument applies here: activities that push the boundaries of security typically do not have the approval of the stakeholder and always have a human impact component. Consider the medical devices, ICS equipment, voting machines, cars, and similar hardware brought in for testing; most of the vendors did not give permission to test these devices, yet a successful compromise can immediately impact the human who is the end user. The ethical line is much easier to see in social engineering, especially vishing, because there is no technical intermediary between the caller and the human on the other end. The trifecta of doing the right thing is a focal point of the competition and the community itself: legality, ethics, and morals must all be considered.
- MC announcements – Throughout the entire event, we plan to have the MC raise "legal, moral, and ethical" discussion points.
- Agreements – Callers must agree not to cross specific boundaries. These cover information that would be illegal to collect, but also areas counterproductive to the intention of the contest, which is to raise awareness of how social engineering is both exploited and defended against.
- Ethics Panel – On Friday or Saturday evening, we plan to have a panel of experts hold an open discussion of ethics, laws, and morals and their intersection with Social Engineering.