Slashdot Mirror
How To Sneak Into the Super Bowl With Social Engineering
danielkennedy74 links to an instructive story captured on video introduced with these words: "Sneaking in near press/employee access points without going thru them, zigzagging through corridors, and once carrying a box so someone opens a door for them, two jokers from Savannah State University social engineer their way into Super Bowl XLVII for the most part simply by looking like they belong."
USA Today has a slightly longer article.
Maybe they can use their social engineering to get out of Gitmo after this video gets labeled by people with no sense of humor as terrorist training material.
So if I've got this right: you can lie and otherwise deceive people in order to access computer systems. So that makes it geeky , which means its also geeky to lie or otherwise deceive people in other contexts. Is that about it?
Justice works slowly, but finally it will get one.
How many hundreds of millions did Homeland spend to "secure" the super bowl again? Of all the things they've been accused of, fewest of the charges have been competence. When a couple college kids carrying a box can sneak past every security check point, without either them or their box being inspected, it becomes painfully obvious that the security provided is just a show... not unlike the one they're "protecting".
#fuckbeta #iamslashdot #dicemustdie
You just ensured DHS VIPR teams will harass, molest and radiate every person that gets within a block of every Superbowl venue from here on.
This assumes you WANT to goto the superbowl...
I'd pay money not to hear about it ever again. Billions wasted every year on grown men playing 'ball'.
Superbowl: A giant toilet we flush cash down every year for no gain.
Social engineering is used all the time. This is like saying people are sheeple. some form of social engineering is used in a lot of ploys.
Social Hacking
Smishing is social engineering.
I guess I fail to see how this is new. I understand some of the best old school hacks; call the company and talk to the receptionist. If your good you can get information about employees, or other things to start on.
Memory is deceptive because it is colored by today's events. - Albert Einstein
Unfortunately the weakest link is always going to be found in the form of huge sacks of protoplasm known as "people".
This is why, no matter how well trained you get security, social engineering attempts like this will succeed more often than not.
People are pretty much indoctrinated since birth to try to get along. So if someone looks authoritative, there's a default reaction to simply go with it.
There's only so many things a person can pay strict attention to at a time. Eventually they're going to reach the limit of things they can keep straight in their heads. And openings in their awareness will occur.
There's only so long that people can keep up such vigilance before they start relaxing. It's not laziness so much as stimulus saturation.
I don't care how much money "security" firms and agencies throw at the situation. The only way to avoid it is to not have such events in the first place.
Chas - The one, the only.
THANK GOD!!!
Zug.com snuck into the super bowl using social engineering as well.
Details here
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
http://www.youtube.com/watch?v=TdnAaQ0n5-8
Is it too much to ask for steadycam?
I like the fact that some of the party were seriously worried. They had gone way further than they expected and were now fully in sniper range.
I wish I could see the look on that officers face when he says "... Chaser"!
After doing some security work at events, there's some easy tips on what todo/not todo.
/might/ work.
1) have some good lucking women with you. Chances are you'll have a guard somewhere that can be distracted by cleavage.
2) if there's 2+ of people trying to blag their way in, A) only let 1 person talk B) if you're both talking, have the same script "My boyfriend went to the room to get the tickets and they were gone" from the girl, as the guy's saying "I left the tickets in the car, I think the valet took them" WILL get you turned away.
3) turn up when there's a line, before the event starts of course, but not too early, if you make a scene, it might be easier to just let you in.
4) if you get turned away by one guard, ask who you need to see to sort this out, go to them, be nice, wave back at the first person who sent you over, if they wave, say 'he took the ticket and said it was ok'
5) never say 'do you know who I am', and if you do, don't claim to be the person stood behind the guard. (that cracked me up)
6) if there's a list with names on, you might be able to peek and claim a name.
7) "where'd you get this obviously fake ticket?" "there's a guy in the foyer selling them, he said it was legit" "it's not, you need to see that person and get your money back" "but I have a ticket!" "it's fake" "but it's for this event" "yeah, no." is the wrong way. Playing the sob story that this was what you bought online, give as much info as you can. If an event has 5k tickets printed, it's not unknown for the printer/promoter to not only keep some tix behind, but to run dupes. This isn't the punters fault, dropping hints that the promoter/printer is dodgy is all too believable and may help you get in if they think you've done the right thing, not got a cheap tix from a dodgy guy out front.
for an event that's 'no re-admittance', the old 'I have explosive poop' will get you out, but might not get you back in, still, worth a try.
I get how social engineering works. Work a door for a few nights, manage an event, you'll hear all sorts of things and very quickly learn what'll never work, what
Waiting for an amusing sig.
Somebody here called for an electrician. Can you tell me what the fault is?
Shit man, it's dark in here!
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Bet this wouldn't work if you looked like a muslim.
It would in the Middle East.
I've done this by accident a number of times at both the Asia Series and World Baseball Classic at Tokyo Dome. Thinking back, all I did was have a general admission ticket on a pass carrier around my neck and just walk into the press area while nodding to the guard at the entrance. I was supposed to meet some friends there once, but they got stopped by security. "What? This is a restricted zone?" I had no idea before then that anyone wasn't allowed in there.
I guess it goes to show that if you really believe you belong somewhere and look the part that few will challenge you.
The best I've seen yet was a kid (I'm guessing around 16 yrs old) I watched in action at a concert at the Cow Palace in San Francisco many years ago.
A friend and I were waiting in line at a Judas Priest concert when I noticed this guy, wearing a light-blue button-up shirt and slacks, using one of them sweeper things--you know, the little broom and a pivot mounted dustpan thing on a long handle that is used to sweep trash into. He was working his way along the line, sweeping up all the crap the people in line were dropping. I watched as he filled the dustpan with trash, walked over to a trashcan near the door, emptied it and went back to work around the entrance--he swept the place clean, then started working his way around the inside of the front door area, even asking one of the security personnel to step aside so he could get to a soda can just behind him. I remember telling myself "What a lame job".
45 mins later, he was standing next to me about 10 feet from the stage, smoking a joint and obviously enjoying himself. After asking him if he minded passing that thing, I asked him where his broom was. He said with a big, stoned grin on his face that he usually leaves it in the bathroom until after the show. Sure enough, when I went to the bathroom between acts, his sweeper and broom were sitting in the corner.
So why is this on Slashdot?
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
Because of the immense blowback that's about to happen.
If this was told as a "college beer frat party" story even if it was all the same, we would all have "lol okay back to work". Instead there's *video footage of people and "stuff" (places, unmanned areas, etc.)
So we have a real problem coming up: Youtube is already ahead of us wondering if this is just a "footage hoax" ... or the big mean Security Theater Beast will be really PISSED and then we'll see more rounds of lockdown.
Bruce Schneier himself said a ways back that he is shifting focus slightly away from ever more ultra algorithmic breaks to stuff like just calling "Mr./Mrs. X" in some company and getting an insecurely defended password that someone mistakenly gave too many privileges.
Chris Chase from USA Today expressed a similar note of caution with the *CLEARLY INCOMPLETE* story he'd been handed and wondered what's the next step to (maybe/maybe not) punking the security force of the biggest football game of the year. (Does hit the Libel/Slander rules if it is in fact a hoax but makes them look bad?)
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
It's not so hard to get from A to B in any public show: The trick is just to act like you belong there, just like everyone else who also belongs there. Blend in.
My own favorite was at a show at the Detroit State Theater. We had assigned seats in the balcony, but the sound really was very bad up there. So we left, wandered, and came up to the entrance for the general-admittance floor area.
There were two security guards looking at tickets before people were allowed into this space, with a small line formed before each of them. We walked right between them as if we owned the venue ourselves, and didn't encounter any trouble. (The sound at front, stage-left was excellent. Kudos to the boardmonkey, and meh to whoever it was that specified the line arrays for that show.)
And for other intermittently-crowded places, carrying a Motorola 2-way portable radio helps. You can direct traffic and behave authoritatively in almost any capacity, even with long hair, regular clothes, and a beard, as long as you have a radio and the gumption to make it look like you belong there. Do that for a little bit, and nobody around will think twice when you slip in through a side door. And after that, just blend in differently: At that level, people aren't paying much attention to security.
(And no, it doesn't matter if the radio works or can talk to anyone.)
So: Social engineering one's way into the Superbowl? Nice feat, but not very surprising.
Kid-proof tablet..
This is also a very real possibility, in this crispy new age of "sensational story - haha, it's just a joke, so long and thanks for all the ad clicks."
My big response is below. I'll end here by just saying that there is something seriously wrong with this story, so I'm not going to sit on pins and needles for 2-4 days for it to pan out as a joke if it is. Because if it's not, we're all busy going "haha cool joke man" when the 100 people pictured in this video are going to lose their jobs.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
http://www.zug.com/pranks/super/index01.html
Well, assuming the "prank" actually happened.
This method has been used by about a gazillion people in so many places, so many times, it just doesn't seem like news. Perhaps the only reason it is "news" is because these guys filmed it? I don't know.
I've done the same thing plenty of times to get in place I shouldn't be; all it takes is a pair of cohunas and a bit of front to just go right in where you want to, without stopping once to check you are in without being noticed.
Dan. -- So what if it's spelt wrong, nobody's perfect
You could dress like a camel, shut out the lights in the stadium and sneak in unnoticed , like I did...
*Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
Hmmm Superbowl in Dubai...
I bet they would, NFL'd eat a dead rat sandwich if they thought it would profit them.
*Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
And they got thrown in "Superbowl Jail" too.
is one of the oldest tricks in the books. I used to work for an entertainment company lugging around equipment. I have been to many venues and big hotels in Manhattan and some are pretty secure, requiring you to sign in and have your picture taken. But there are plenty where all you do is is walk in there like you own the place and no one says anything. As long as you are carrying something then they assume you are part of some staff and just let you walk right in. Even the secure places just require you to say you are from company X for party Y and they let you in without any scrutiny. The parties are planned by a planner who is not part of the venue. So security has no way to easily contact the planner to verify if vendor x is legit or not. They just do their job which is to get a signature and hand out a flimsy sticker pass. If you use a little creative social engineering and figure out what party is happening where you could easily gain access. Even carrying around some legit looking paper work is enough to get you into a venue.
Once we did a party in the museum of natural history, they have a private room in the back (I hear it was $20,000+ just to rent the room, rich kids, you should see some of the parties I have seen, amazing. Once I setup a million dollar bar mitzvah on the intrepid). Me and the guy I did the delivery with setup all the equipment and then walked down the hallway, jumped a set of ropes into the museum and went to the planetarium. No one stopped us or asked us what we were doing.
Across the street where I live is a house which the owner defaulted on his loan. Well he also had a loan through two other banks so the house sits there as the banks cant agree on a decent price which would let it sell. So one day I hear the house was robbed of all its copper pipe, electrical wiring along with the boiler and hot water heater. One neighbour said he saw a van parked outside with some men working in the house. They weren't working but robbing the place. All they needed to do was look legit and no one would question them. Essentially its more difficult to gain access if you look suspicious or try to hide what you are doing.
Easy there... this is Slashdot and generally folks here who exploit weaknesses in security systems without regard for personal gain are on the white hat side of the field. Here's what should happen: these two will make their 15 minutes complete with a round of guest appearances on the morning show circuit, and if the story really catches on, maybe even culminating with a nighttime appearance on Letterman. If any lesson is to be learned from this breach by security forces, it is probably one they already suspect: their job is a hoax. It is impossible to keep an event like this secure and they are there to perpetrate the illusion of security. The Superbowl sites are picked years in advance. There are years for 'neer-do-wells to access the structures.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
The high use of subcontractors and contractors makes it even easier as you can say stuff like my firm does not give us ID's or just show some thing that looks like a work order.
I remember this was called a con job. You con someone into believing you are someone else, just like conmen have been doing for thousands of years. There's nothing really new about it.
http://github.com/gbook/nidb
It would in the Middle East.
Or even Australia.
Have you read my blog lately?
That is all.
Is it just my observation, or are there way too many stupid people in the world?
Why would I be silly enough, after weasling my way in, subject myself to $7.00 hotdogs and $10.00 beers and 30 minute restroom line to dispose of said comestibles by physically attending a game? (captcha: molests)
In a discussion about shoulder mount ENG cameras (are we getting to a point if it's shoulder mount, is it regarded as old technology including new $40K Panasonic HD with P2?). Someone said he attends lots of concerts for free. He stops by the news station, gets a non-working camera and gains access as media (does not show a badge but it's the impressive camera that does it). And if his girlfriend wants to join, he gets a microphone for her. He said at one concert the security guard wanted to be interviewed. So they did a interview of him with a dead mic and camera. After that had the best "seats" at the concert.
mfwright@batnet.com
It's just a more specific term. Social engineering is a particular type of deception, just like a salmon is a particular kind of fish.
Weaselmancer
rediculous.
Thanks for the link about the Chaser APEC Prank. It is closer in that they were surprised by how far they got: Morrow pointed out that while they did extensive planning for the stunt, the one thing they "didn't plan for was success"; the participants were confused by the unexpected permission to enter the area, and unsure how to proceed; they clearly sensed danger, but the atmosphere was actually very quiet and subdued.
Simply because the internal controller buffers of these storage devices are generally a power of 2 (typically 512 bytes), and certainly not a multiple of 10.
Any advertisement mentionning a "MB, GB, etc" which is actually powers of 10 is misleading at best, if not a lie.
My boss wrote the software that controls the process of scanning tickets at the gate for another major company that puts on sporting events. By chance, he happened to mention that he built a backdoor into the software which will always cause the software to allow access when it scans a certain barcode, so basically if you have that barcode you can get an unlimited number of people into any event this company puts on (as long as the ticket looks legit enough to pass a visual inspection).
Just goes to show that IT guys rule the world.
Hmmm Superbowl in Dubai...
I bet they would, NFL'd eat a dead rat sandwich if they thought it would profit them.
The clientele of the Super Bowl tends to be wealthy, repeat customers so the long flight may not be an issue. If this venue expanded their viewership too, why the hell not?
"Like con-men, spies know that in the work place, a clipboard is as good as a skeleton key."
- Burn Notice
Given typical shitty stadium food, it's safe to say this has already been done for years.