Slashdot Mirror
How To Sneak Into the Super Bowl With Social Engineering
danielkennedy74 links to an instructive story captured on video introduced with these words: "Sneaking in near press/employee access points without going thru them, zigzagging through corridors, and once carrying a box so someone opens a door for them, two jokers from Savannah State University social engineer their way into Super Bowl XLVII for the most part simply by looking like they belong."
USA Today has a slightly longer article.
Maybe they can use their social engineering to get out of Gitmo after this video gets labeled by people with no sense of humor as terrorist training material.
How many hundreds of millions did Homeland spend to "secure" the super bowl again? Of all the things they've been accused of, fewest of the charges have been competence. When a couple college kids carrying a box can sneak past every security check point, without either them or their box being inspected, it becomes painfully obvious that the security provided is just a show... not unlike the one they're "protecting".
#fuckbeta #iamslashdot #dicemustdie
You just ensured DHS VIPR teams will harass, molest and radiate every person that gets within a block of every Superbowl venue from here on.
Unfortunately the weakest link is always going to be found in the form of huge sacks of protoplasm known as "people".
This is why, no matter how well trained you get security, social engineering attempts like this will succeed more often than not.
People are pretty much indoctrinated since birth to try to get along. So if someone looks authoritative, there's a default reaction to simply go with it.
There's only so many things a person can pay strict attention to at a time. Eventually they're going to reach the limit of things they can keep straight in their heads. And openings in their awareness will occur.
There's only so long that people can keep up such vigilance before they start relaxing. It's not laziness so much as stimulus saturation.
I don't care how much money "security" firms and agencies throw at the situation. The only way to avoid it is to not have such events in the first place.
Chas - The one, the only.
THANK GOD!!!
Zug.com snuck into the super bowl using social engineering as well.
Details here
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
Wow seriously. Try this one: http://www.youtube.com/watch?v=N3zKuLgH_l8
If you''re going to sneak into some place inconspicuously, the LEAST you can is bring along a complete camera crew.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
After doing some security work at events, there's some easy tips on what todo/not todo.
/might/ work.
1) have some good lucking women with you. Chances are you'll have a guard somewhere that can be distracted by cleavage.
2) if there's 2+ of people trying to blag their way in, A) only let 1 person talk B) if you're both talking, have the same script "My boyfriend went to the room to get the tickets and they were gone" from the girl, as the guy's saying "I left the tickets in the car, I think the valet took them" WILL get you turned away.
3) turn up when there's a line, before the event starts of course, but not too early, if you make a scene, it might be easier to just let you in.
4) if you get turned away by one guard, ask who you need to see to sort this out, go to them, be nice, wave back at the first person who sent you over, if they wave, say 'he took the ticket and said it was ok'
5) never say 'do you know who I am', and if you do, don't claim to be the person stood behind the guard. (that cracked me up)
6) if there's a list with names on, you might be able to peek and claim a name.
7) "where'd you get this obviously fake ticket?" "there's a guy in the foyer selling them, he said it was legit" "it's not, you need to see that person and get your money back" "but I have a ticket!" "it's fake" "but it's for this event" "yeah, no." is the wrong way. Playing the sob story that this was what you bought online, give as much info as you can. If an event has 5k tickets printed, it's not unknown for the printer/promoter to not only keep some tix behind, but to run dupes. This isn't the punters fault, dropping hints that the promoter/printer is dodgy is all too believable and may help you get in if they think you've done the right thing, not got a cheap tix from a dodgy guy out front.
for an event that's 'no re-admittance', the old 'I have explosive poop' will get you out, but might not get you back in, still, worth a try.
I get how social engineering works. Work a door for a few nights, manage an event, you'll hear all sorts of things and very quickly learn what'll never work, what
Waiting for an amusing sig.
Social engineering is social engineering. Penetrating a security system is penetrating a security system.
Bet this wouldn't work if you looked like a muslim.
It would in the Middle East.
I guess I fail to see how this is new.
Because the story isn't that people use social engineering. It's that these particular people used social engineering to sneak into the Superbowl, a high-profile, suppoedly high-security event, which just happened. Hence, "news."
systemd is Roko's Basilisk.
I guess I fail to see how this is new
Who said it was new? What is great about it is that the superbowl was classified as a "Level I National Security Event" - the very tippy-top of Homeland Security's classification system. These are the events they spend beaucoup (but not published) dollars on "securing" from oogy-boogy terrorists.
So, despite all this focus on security and crap, these kids just waltzed on in. Yet more proof of how much of a waste of money DHS's 43 billion dollar budget really is.
When information is power, privacy is freedom.
The best I've seen yet was a kid (I'm guessing around 16 yrs old) I watched in action at a concert at the Cow Palace in San Francisco many years ago.
A friend and I were waiting in line at a Judas Priest concert when I noticed this guy, wearing a light-blue button-up shirt and slacks, using one of them sweeper things--you know, the little broom and a pivot mounted dustpan thing on a long handle that is used to sweep trash into. He was working his way along the line, sweeping up all the crap the people in line were dropping. I watched as he filled the dustpan with trash, walked over to a trashcan near the door, emptied it and went back to work around the entrance--he swept the place clean, then started working his way around the inside of the front door area, even asking one of the security personnel to step aside so he could get to a soda can just behind him. I remember telling myself "What a lame job".
45 mins later, he was standing next to me about 10 feet from the stage, smoking a joint and obviously enjoying himself. After asking him if he minded passing that thing, I asked him where his broom was. He said with a big, stoned grin on his face that he usually leaves it in the bathroom until after the show. Sure enough, when I went to the bathroom between acts, his sweeper and broom were sitting in the corner.
Social engineering is social engineering.
"Social engineering" is lying or otherwise deceiving people. As euphemisms go, it's a pretty pathetic one.
It's not so hard to get from A to B in any public show: The trick is just to act like you belong there, just like everyone else who also belongs there. Blend in.
My own favorite was at a show at the Detroit State Theater. We had assigned seats in the balcony, but the sound really was very bad up there. So we left, wandered, and came up to the entrance for the general-admittance floor area.
There were two security guards looking at tickets before people were allowed into this space, with a small line formed before each of them. We walked right between them as if we owned the venue ourselves, and didn't encounter any trouble. (The sound at front, stage-left was excellent. Kudos to the boardmonkey, and meh to whoever it was that specified the line arrays for that show.)
And for other intermittently-crowded places, carrying a Motorola 2-way portable radio helps. You can direct traffic and behave authoritatively in almost any capacity, even with long hair, regular clothes, and a beard, as long as you have a radio and the gumption to make it look like you belong there. Do that for a little bit, and nobody around will think twice when you slip in through a side door. And after that, just blend in differently: At that level, people aren't paying much attention to security.
(And no, it doesn't matter if the radio works or can talk to anyone.)
So: Social engineering one's way into the Superbowl? Nice feat, but not very surprising.
Kid-proof tablet..
"Social engineering" is getting people to do exactly what you want them to do, that they normally wouldn't do, without them realizing that anything's amiss. But yeah, while that inevitably necessitates deception, I wouldn't say it's defined as deception.
Not necessarily. Sometimes social engineering takes advantage of people's assumptions. If you wear a printer servicing uniform and people assume that you're there to fix a printer, are you lying or deceiving them? I'd posit that their assumptions are incorrect and you're not deceiving them unless you're challenged and you start lying.
You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
You could dress like a camel, shut out the lights in the stadium and sneak in unnoticed , like I did...
*Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
Hmmm Superbowl in Dubai...
I bet they would, NFL'd eat a dead rat sandwich if they thought it would profit them.
*Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
is one of the oldest tricks in the books. I used to work for an entertainment company lugging around equipment. I have been to many venues and big hotels in Manhattan and some are pretty secure, requiring you to sign in and have your picture taken. But there are plenty where all you do is is walk in there like you own the place and no one says anything. As long as you are carrying something then they assume you are part of some staff and just let you walk right in. Even the secure places just require you to say you are from company X for party Y and they let you in without any scrutiny. The parties are planned by a planner who is not part of the venue. So security has no way to easily contact the planner to verify if vendor x is legit or not. They just do their job which is to get a signature and hand out a flimsy sticker pass. If you use a little creative social engineering and figure out what party is happening where you could easily gain access. Even carrying around some legit looking paper work is enough to get you into a venue.
Once we did a party in the museum of natural history, they have a private room in the back (I hear it was $20,000+ just to rent the room, rich kids, you should see some of the parties I have seen, amazing. Once I setup a million dollar bar mitzvah on the intrepid). Me and the guy I did the delivery with setup all the equipment and then walked down the hallway, jumped a set of ropes into the museum and went to the planetarium. No one stopped us or asked us what we were doing.
Across the street where I live is a house which the owner defaulted on his loan. Well he also had a loan through two other banks so the house sits there as the banks cant agree on a decent price which would let it sell. So one day I hear the house was robbed of all its copper pipe, electrical wiring along with the boiler and hot water heater. One neighbour said he saw a van parked outside with some men working in the house. They weren't working but robbing the place. All they needed to do was look legit and no one would question them. Essentially its more difficult to gain access if you look suspicious or try to hide what you are doing.
Not necessarily. Sometimes social engineering takes advantage of people's assumptions. If you wear a printer servicing uniform and people assume that you're there to fix a printer, are you lying or deceiving them? I'd posit that their assumptions are incorrect and you're not deceiving them unless you're challenged and you start lying.
Bullshit, of course you're deceiving them. You cannot expect normal human beings to question all their assumptions 24/7. Every time you blinked you'd have to prove to yourself that the whole universe hadn't just been switched off and then instantaneously recreated itself.
To have a right to do a thing is not at all the same as to be right in doing it
You should however expect normal humans to question assumptions when it comes to letting random people through security doors. Would you be happy if a bank got robbed and the bank staff turned round with "he was wearing a plumber's outfit, so we just assumed he was looking at the plumbing although we were a bit puzzled as to what plumbing was in the vault".
You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
This reminds me of someone who was planting lots of garlic around his house too keep the vampires away. No vampires around, so his solution worked.
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
You may have the intent of letting people deceive themselves, but I consider that different to actively deceiving/lying to people.
Here's a car analogy - a car advert might specify "does not contain carcinogenic seat material" with the intent that people will question other makes that don't have that disclaimer. Now, they are not actually deceiving people as they are making a true claim and advertising standards would have no problem with it.
If I go for a job interview wearing clothes that I normally wouldn't wear (suit, tie etc), am I deceiving the interviewers that I usually dress like that?
You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
Not necessarily. Sometimes social engineering takes advantage of people's assumptions. If you wear a printer servicing uniform and people assume that you're there to fix a printer, are you lying or deceiving them? I'd posit that their assumptions are incorrect and you're not deceiving them unless you're challenged and you start lying.
Bullshit, of course you're deceiving them. You cannot expect normal human beings to question all their assumptions 24/7. Every time you blinked you'd have to prove to yourself that the whole universe hadn't just been switched off and then instantaneously recreated itself.
True story, I once walked into an Apple store wearing a blue shirt.
As luck would have it - it looked pretty damn close to the blue shirts that all the "Geniuses" were wearing that day.
Once inside the store, I was bombarded by a constant stream of people asking me technical questions - which it just so happens that I'm good at answering! ^_^
I didn't deliberately choose to wear a blue shirt that day - it was just the luck of the draw.
Did I deceive anyone in this case??
Social engineering can take on many forms.
Superbowl: A giant toilet we flush cash down every year for no gain.
Thus the name I've used for quite a while to describe it when asked "are you gonna watch the super-bowl?".. I reply "oh you mean the toilet-bowl"
THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
Bullshit, of course you're deceiving them. You cannot expect normal human beings to question all their assumptions 24/7.
In some circumstances you ARE supposed to question them. And that is the whole point. Its one thing when the secretary assumes the printer guy is the printer guy, its another when its the guard at the front door.
The untruth is in the person's incorrect assumption that someone wearing a particular uniform must necessarily be performing that function (or that someone who is in a particular area is supposed to be in that area). Without the observer, there is no deception, it's just someone wearing a particular set of clothing.
I don't believe that I'm responsible for other people's beliefs. If other people choose to believe something, then that is their concern. If I wear a Superman outfit, I don't feel that it's my responsibility to inform everyone that I'm not in fact the actual Superman - people are responsible for their own beliefs/misconceptions/thoughts etc.
You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
Alright, Mr Smarty Pants. Was there a major terrorist spectacular at the Super Bowl?
Exactly, so the security worked.
(1) There were no arrests for attempted terrorism at the superbowl
(2) There were no terrorist attacks anywhere else in the weeks before or after
So, no, the security didn't "work" - there was nothing to stop. In the absence of a real threat, the security should have stopped anybody like these kids.
When information is power, privacy is freedom.