Wesley McGrew has been posting recently about a capture-the-flag event he is organizing for his students. I am currently gathering my notes to teach an introductory computer security class in Fall, and I am also considering a similar event at the end of the semester. Not only is capture the flag fun to play, it is also a very eye-opening experience when you are able to truly hack into your first box.

One of the most important lessons that an information security professional must learn is that users are the weakest link in the defense of your organization's information assets. No matter how good your technical controls are, if you have users who are uninformed (or outright malicious), your protections will fail.


Some of McGrew's students seem to have understood that lesson very well. Rather than trying to go the route of technically attacking the targets in the game, they did their homework and went after the professor instead. (Un)fortunately, McGrew realized that something was out of the ordinary, and did not reveal any sensitive information.

However, this social engineering attack illustrates clearly that even an experienced professional is not invulnerable. This time, the students failed, but who knows: someone else might easily have taken the bait, and they would have pulled off an award-winning victory in capture the flag.

Compliments to McGrew's students.

And to my students: if you do your research properly, and you actually find this post when it comes time for your capture-the-flag event; please realize that I am now a warned man and ready for you. It had better be good :-)