How To Sneak Into the Super Bowl With Social Engineering

danielkennedy74 links to an instructive story captured on video introduced with these words: "Sneaking in near press/employee access points without going thru them, zigzagging through corridors, and once carrying a box so someone opens a door for them, two jokers from Savannah State University social engineer their way into Super Bowl XLVII for the most part simply by looking like they belong." USA Today has a slightly longer article.

"by holding a box"

[girlintraining]

How many hundreds of millions did Homeland spend to "secure" the super bowl again? Of all the things they've been accused of, fewest of the charges have been competence. When a couple college kids carrying a box can sneak past every security check point, without either them or their box being inspected, it becomes painfully obvious that the security provided is just a show... not unlike the one they're "protecting".

Re:congrats!

I find it funny how You somehow make it their fault and not DHS'

Security is only as good as its weakest link.

[Chas]

Unfortunately the weakest link is always going to be found in the form of huge sacks of protoplasm known as "people".

This is why, no matter how well trained you get security, social engineering attempts like this will succeed more often than not.

People are pretty much indoctrinated since birth to try to get along. So if someone looks authoritative, there's a default reaction to simply go with it.

There's only so many things a person can pay strict attention to at a time. Eventually they're going to reach the limit of things they can keep straight in their heads. And openings in their awareness will occur.

There's only so long that people can keep up such vigilance before they start relaxing. It's not laziness so much as stimulus saturation.

I don't care how much money "security" firms and agencies throw at the situation. The only way to avoid it is to not have such events in the first place.

Re:Security is only as good as its weakest link.

[Dr.+Evil]

"Track performance and give bonuses to the people who manage to stop the intruders."

Ensure the bonus even goes to the average schmo hot-dog vendor who challenges somebody who doesn't have their ID showing. It's not a new strategy, but turning it into a game like this shifts cultures. Suddenly all the con-man defenses of "seriously, don't you know me?", "man, you're uptight, chill." or "Bob says it's okay" fall out the window to your "hey, I get $50 if you don't have a badge".

Not to pick on hot-dog vendors. They're probably more people savvy than most of your security team.

Re:hmmmm

[ireallyhateslashdot]

Social engineering is social engineering. Penetrating a security system is penetrating a security system.

Re:hmmmm

[hawkinspeter]

You should however expect normal humans to question assumptions when it comes to letting random people through security doors. Would you be happy if a bank got robbed and the bank staff turned round with "he was wearing a plumber's outfit, so we just assumed he was looking at the plumbing although we were a bit puzzled as to what plumbing was in the vault".