Slashdot Mirror
How To Sneak In To a Security Conference
jfruh writes "You'd think that, of all events, security conferences would have tight security. But one anonymous human pen tester managed to sneak into the RSA conference without credentials, using tried and true techniques like waving a badge from another conference at security guards and slipping in through exits."
It's easy to avoid notice if you act like you know what you're doing, where you're going and that you belong where you are. Never stand still or look around.
Bingo. Simple tactics and social engineering are usually all you need if you really want to get at something.
The weakest link in any security chain is always the people, and people are easy to deceive.
You'd think that, of all events, security conferences would have tight security.
No, I wouldn't think that. I'd think that a bank, or an event involving a US President would have tight security. Security is about what you're protecting, not who's involved in it. For the most part "stealing" admission to a conference is harmless, as long as a few people do it. The security only has to be good enough to make it so only a few people sneak in.
Security conferences aren't exactly a high profile event like, that appeals to millions (like say a Rock Concert), so people sneaking in is really not a big problem. If you didn't think you could sneak in to a conference before, you obviously haven't been paying attention.
You'd think that, of all events, security conferences would have tight security.
Why?
I suspect the cost/hassle of doing more than basic security outweighs the benefit of catching a few people who didn't want to pay the $100 conference fee. I doubt the information being presented is secret and needs protecting. And I imagine of all conference organizers, the organizers of a security conference would have best grasp on this security cost/benefit.
RSA 2012 is basically a big sales presentation.
To suggest sneaking in is a big achievement is like saying you got into BestBuy a few minutes early one day to shop for TVs.
Carrying things is also good.
I worked at a vending company, and let me say, if you're carrying a box of sodas with both hands while standing helplessly by the door, all you need to say is "I'm here for the vending machines" and someone will let you in for most places.
Now, federal sites that doesn't work so well. At a delivery company I worked with, if you're going to a federal site (post office, airport, etc) if you're not wearing the right clothes, have the right badge, and come in the right vehicle, you're not getting in.
Default passwords remaining at default is caused by people.
"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." Feynman
Never stand still or look around.
I find this, in general, to be a good guideline in life. If you stop to look around at the beauty and wonder of life people think there is something wrong with you.
Yes! I've been asked if I'm alright, and know where I'm at. To the latter, I respond: "Yes. I'm right here!"
Tell me about it. I used to work in a hospital (not as a member of the medical staff). I had a labcoat that I kept mostly to keep warm when the air conditioning got too cold. If I put it on and wandered the halls, there was pretty much nowhere I couldn't go. I'll bet if I hung a stethoscope around my neck, I could have walked into the OR and nobody would have said "boo".
Adjust the costume to fit the venue. Hardhat at a construction site. Trial case in a courthouse. If you saw a guy with a pitchfork and covered in manure walking through a stable, would you stop him and demand to see his ID?
Find a pack of people smoking. They always know the easiest way to get out and back in quickly.
None of us know everything. Therefore we're all naïve.