Staying within ethical boundaries is a top concern of SEC. As such, we have created a Code of Ethics, which anyone who places a phone call from our booth must agree to. Additionally, we ask that all staff and volunteers agree to the Code of Ethics as well.
Ethics is a core component of the information security industry, and especially so when dealing with Social Engineering. The goal of this section is to define the SEC’s ethics so that contestants can compete in our Vishing Contest in a way that is acceptable throughout our industry to the contestant, the recipient of the call, and the target company.
Our ethics were written to provide an understanding that this competition is designed to meet three primary objectives. We believe the ethics below best balance an acceptable and approachable method to conduct this competition to prevent harm to any party.
1. Showcase live Social Engineering techniques from a variety of individuals which gather non-sensitive but important information.
2. Demonstrate the effectiveness of these techniques so that audience members can see in real-time how they work.
3. Identify and celebrate individuals and the companies which employ proper security awareness practices which prevent the Social Engineering techniques from working.
Should a caller have questions about whether something meets or does not meet our ethics above, they may submit the question before the event and on-site before their call. Callers should not make calls using pretexts or other dialogue they are unsure meet the ethics below.
If, during the call, the judges or other members of SEC staff determine that the caller’s pretext or dialogue is unethical, they may intervene as they see fit, including terminating the call and disqualifying the caller from any event on the spot.
Finally, the Social Engineering Community reserves the right to update or otherwise change these ethics without notice.
Any individual conducting a live call at the SEC event at DEF CON must agree to and abide by these ethics.
I will only call employees from the provided company.
– Calls should be made only to employees of the organization. The caller will refrain from calling family or friends of an employee, contractors, or vendors of the organization.
– Any direct-dial number must have verifiable evidence within the OSINT report that it is a corporate-owned phone number and not a personal cell phone.
I will refrain from using pretexts or narratives which utilize fear.
– Pretexts must never make the receiver of the call fearful or feel threatened. For example, this includes any pretext that uses explicit or implicit repercussions for not complying with requests or following instructions.
I will maintain professionalism at all times during the call.
– The call’s content should remain professional and appropriate for all ages. The caller guarantees they will refrain from using vulgar language or otherwise offensive content.
I will not impersonate an external authority figure.
– Your pretexts should not explicitly state or implicitly imply that you hold an external position of authority. Disallowed impersonation includes, but is not limited to, roles such as police, lawyers, doctors, city officials, etc.
I will refrain from collecting sensitive information such as personally identifiable information (PII), credentials, etc.
– At no time should the caller explicitly or implicitly ask for sensitive information. If the receiver attempts to provide information that the caller determines may be sensitive, the caller must immediately attempt to stop the receiver from divulging further.
– During the OSINT phase, sensitive information should not be sought or collected.
My focus will be on the company and on the individual in their role as an employee, not on the individual personally.
– While you are expected to interact with an individual, the focus of pretexts must be to elicit information about the company via that person’s role with the company. This is different from eliciting personal information about the individual. Small talk is acceptable; however, refrain from focusing heavily on the personal life and traits of the individual.
SEC follows DEF CON’s Code of Conduct (CoC), which can be found at https://defcon.org/html/links/dc-code-of-conduct.html
Hacking conference villages and contests always dance across ethical lines, but we would argue that ethics are not top of mind for most people simply because they don’t see the end risk to a person. However, the same argument applies: the activities that push the boundaries of security typically never have the approval of the stakeholder and always have a human impact component. For instance, consider bringing in medical devices, ICS equipment, voting machines, cars, etc. Most of these vendors did not give permission to test their devices, yet a successful compromise can immediately impact the human who is the end user. It’s a lot easier to quickly see the proverbial ethical line in social engineering, especially with vishing, where there is no technical intermediary between the caller and the human on the other end. The trifecta of doing the right thing is a focal point of the competition and the community itself: legality, ethics, and morals must all be considered.