Social engineering (SE) is a technique used by cybercriminals to psychologically manipulate individuals into disclosing sensitive information (e.g., passwords) or granting unauthorized access (e.g., by downloading and executing malware).
Penetration testers are tasked with simulating targeted attacks on a company’s systems to identify weaknesses in its environment.
Practicing social engineering pen tests against real people or organizations is difficult because it raises ethical and legal issues. The SE Pen Test Competition allows students to experience pen testing in a safe and ethical way.
Your team will be “hired” to conduct a social engineering penetration test on the CARE Lab and its (current) employees! Your pen test will include each of the three areas below. A strong pen test will demonstrate the effective connection of these three areas. Teams will submit a formal report of their findings and make security recommendations.
1. Open Source Intelligence (OSINT)
Open Source Intelligence (OSINT) involves gathering information that can be “obtained legally and ethically from public sources” [1].
Research our Lab and our employees. You can use the CARE Lab site, of course, but you are encouraged to use external sources as in regular OSINT (social media, news, etc.).
2. Vishing
The word ‘vishing’ is a combination of ‘voice’ and ‘phishing.’ Phishing is the practice of using deception to get you to reveal personal, sensitive, or confidential information [2]. However, instead of using email or fake websites as phishers do, vishers use voice calls, typically placed over an internet telephone service (VoIP) [2], which makes it cheap to place many calls and to spoof the caller ID the target sees. Impersonating a person or legitimate business to scam people isn’t new [2]; vishing is simply a new twist on an old routine. In fact, vishing has been around almost as long as internet phone service [2].
Try to get us to do something (extract information, send you a file/dataset, etc.) through your vish call. The only caveat is that you have to vish current employees about the work we do at our Lab! Anything else falls outside the vishing scope and will result in automatic disqualification.
3. Phishing
Phishing occurs when a target is contacted via email by “someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords” [3].
Try to get us to do something (extract information, send you a file/dataset, etc.) through your phishing emails. The only caveat is that you cannot include malicious links for us to click on (we will NOT click on these); you must instead persuade us to act. Anything else falls outside the phishing scope and will result in automatic disqualification.
4. SE Pen Test Report
All pen testing teams will submit a formal report based on their findings. Teams will be provided with a template of the report that they should use.
Any full-time high school (ages 14-18), undergraduate (ages 18-45), or graduate (ages 18-45) student is eligible. Teams must be composed of members from the same academic level.
Please note that we are aligning ourselves with NSF’s commitment to broadening participation, which is embedded in its Strategic Plan through a variety of investment priorities related to the Learning and Stewardship strategic outcome goals. Specifically, we are expanding efforts to broaden participation from underrepresented groups and diverse institutions across all geographical regions.
Have the following information ready for the online registration form:
- Team name
- Institution name
- Team member details: size (2-4 members), full names, email addresses, headshots and short bios (100 words per member)
- Faculty advisor (with institution-affiliated email address). The advisor can be full-time faculty, full-time staff or full-time graduate student. Advisors who have part-time status (adjuncts, etc.) are not permitted. If you are a graduate student team, your advisor must be faculty or staff.
- If any member of the team is under 18 years of age, this consent form must be completed by each member as part of the application.
- A 100-250 word text entry for why you want to be considered!
Applications are due by April 30, 2021 6pm ET. Register your team.
All teams will be notified about the selection decision by May 10, 2021.
Orientation will be the week of May 24th. This orientation will cover ethics, report writing, and other relevant topics. All selected teams are required to attend orientation.
All pen testing activities will be scheduled on Fridays in the summer (June 4-Aug 13) unless otherwise specified.
If your team is selected:
- OSINT: You can start conducting your OSINT as soon as you know you’ve been selected (or hey, start earlier and impress us with what you find in your application!).
- Vishing: Your team will be given a specific date, time, and link (provided later) to call in to a zoom meeting. You must “dial in” only at this time (not before or after). This will be your ‘vish’ call. Your entire group will have a total of 15 minutes to vish the CARE Lab employees and pursue the objectives. Only ONE student can engage with ONE CARE Lab employee at any given time.
- Phishing: Your team can phish the CARE Lab employees all day on the day of your assigned vish day (not before or after that day).
Participation will require parental permission (if under age 18) and all participants must sign two waivers. The first waiver ensures that students do not cheat or use external/professional assistance.
Vish calls will be recorded, and those that are excellent will be shared on our website and/or at conference presentations! Each member of selected teams must also complete a second waiver which includes an audio-visual release to compete. This allows organizers to use images, audio, text, and video generated during the competition for event promotion and dissemination via conferences, publications, and podcasts.
Each member of selected teams will be required to complete a pre-event and post-event survey.
This event and evaluation are considered research and are part of the education and outreach efforts of NSF Award # 2032292.
When will the winners be announced?
Winners will be announced at the end of August 2021.
What do we win?
1st place: $300
2nd place: $200
3rd place: $100
But most importantly, you win by experiencing what it is like to conduct a SE Pen Test!
Do we have to be in the United States to compete?
No! You can be anywhere in the world. Unfortunately, you would not be eligible for the prize money. But you still get to be in our Hall of Fame and gain the pen testing experience.
Do we have to be university students?
No! Students from high schools, 2-year, and 4-year institutions (undergraduate and graduate) can compete! However, team members must be at the same level. For instance, a team cannot have a mix of undergraduate and graduate students; it must be composed strictly of undergraduates only, graduates only, or high school students only.
Can my school submit more than one team?
Yes! While multiple teams from the same institution can apply, only one will be selected per institution to compete.
Can we create teams where members are from different schools?
Yes! However, one person can only be on one application (the same person cannot be part of multiple teams at the time of application). Also, teams from different institutions must still be at the same level (purely high school students or purely undergrad students or purely graduate students).
I’m not a computer science/engineering student and don’t know how to code or hack. Can my non-technical classmates and I still compete?
Yes! This experience is not structured as a technical event. So please do not hesitate – do apply! Remember that this is about learning in a fun and safe environment, and that is the experience we are trying to provide students with!
What is the expected time commitment required by a team?
Once a team is selected, all members will be required to attend a 2-3 hour (might fluctuate a bit) training session. Each team will then be assigned a date (one of 10 Fridays). The team can work on OSINT until that date, but the other two components take place on that specific Friday; they will have that entire day to phish and a specific assigned time window to vish. Teams will have the weekend to write up their report, which will be due by the following Sunday (11:59pm ET), after which they are done.
How can I prepare?
Great question! Feel free to check out YouTube for some examples. You can also hear some of the 2020 Collegiate SECTF winning teams in their vish attempts via the CARE POD podcast. And of course, you are encouraged to listen to Alethe Denis’ amazing vishing workshop that she delivered at the 2020 Collegiate SECTF event. You can also check out the How to OSINT and How to Phish webinars by Chris Kirsch, which were also delivered at the 2020 Collegiate SECTF event.
[1] R. D. Steele, “The importance of open source intelligence to the military,” International Journal of Intelligence and Counter Intelligence, vol. 8, no. 4, pp. 457-470, 1995.
[2] Fraud Watch International (2020). “What is Vishing?”. Retrieved July 15, 2020. Online at https://fraudwatchinternational.com/vishing/what-is-vishing/
[3] Phishing.org (2020). “What is phishing?”. Retrieved January 16, 2021. Online at phishing.org/what-is-phishing