Slashdot Mirror


How To Sneak Into the Super Bowl With Social Engineering

danielkennedy74 links to an instructive story captured on video introduced with these words: "Sneaking in near press/employee access points without going thru them, zigzagging through corridors, and once carrying a box so someone opens a door for them, two jokers from Savannah State University social engineer their way into Super Bowl XLVII for the most part simply by looking like they belong." USA Today has a slightly longer article.

29 of 164 comments

  1. Gitmo by stormpunk · · Score: 5, Funny

    Maybe they can use their social engineering to get out of Gitmo after this video gets labeled by people with no sense of humor as terrorist training material.

    1. Re:Gitmo by Anonymous Coward · · Score: 4, Funny

      Yes, I do indeed like owls. How'd you guess?

  2. "by holding a box" by girlintraining · · Score: 5, Insightful

    How many hundreds of millions did Homeland spend to "secure" the super bowl again? Of all the things they've been accused of, fewest of the charges have been competence. When a couple college kids carrying a box can sneak past every security check point, without either them or their box being inspected, it becomes painfully obvious that the security provided is just a show... not unlike the one they're "protecting".

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:"by holding a box" by Pubstar · · Score: 5, Interesting

      This whole thing reminds me of the oldest trick in the book to get into night clubs: Have an extension cord/Power strip/DMX cable over your shoulder and just book it past the bouncer saying they need it on the stage NOW or the DJ is going to flip out. Works 99% of the time without you being so much as questioned.

    2. Re:"by holding a box" by guttentag · · Score: 4, Funny

      Actually, carrying a box that looks burdensome implies you are doing work, so people assume you belong there. I once walked into the courtyard of a large "fruit company" by helping a vendor carry in a box. He assumed I worked there, and they assumed I was with him. I even got a name tag at the door.

  3. congrats! by sdnoob · · Score: 3, Insightful

    You just ensured DHS VIPR teams will harass, molest and radiate every person that gets within a block of every Superbowl venue from here on.

    1. Re:congrats! by Anonymous Coward · · Score: 5, Insightful

      I find it funny how you somehow make it their fault and not DHS'.

    2. Re:congrats! by tehcyder · · Score: 3, Insightful

      Screw that. If I get stopped by them and they identify themselves, I will tell them they are not police officers, drive away, and call the real police. Then I will take it as far as possible in court on the 4th amendment, hopefully reaching SCOTUS and putting an end to the insanity.

      No, you won't. There's a slight difference between talking tough as an AC on an internet forum and actually doing something about it in real life.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  4. Security is only as good as its weakest link. by Chas · · Score: 4, Insightful

    Unfortunately the weakest link is always going to be found in the form of huge sacks of protoplasm known as "people".

    This is why, no matter how well trained you get security, social engineering attempts like this will succeed more often than not.

    People are pretty much indoctrinated since birth to try to get along. So if someone looks authoritative, there's a default reaction to simply go with it.

    There's only so many things a person can pay strict attention to at a time. Eventually they're going to reach the limit of things they can keep straight in their heads. And openings in their awareness will occur.

    There's only so long that people can keep up such vigilance before they start relaxing. It's not laziness so much as stimulus saturation.

    I don't care how much money "security" firms and agencies throw at the situation. The only way to avoid it is to not have such events in the first place.

    --
    Chas - The one, the only.
    THANK GOD!!!
    1. Re:Security is only as good as its weakest link. by Anonymous Coward · · Score: 4, Interesting

      Pay one person who knows what he's doing per hour to try to sneak in. Track performance and give bonuses to the people who manage to stop the intruders. The job of security is now suddenly a lot more interesting and challenging. Of course, actual productive work that spans the security area will grind to a halt due to security delays. In the military, newbies get told to guard something and then everyone else is supposed to try to get in. You don't have security if you don't test it.

    2. Re:Security is only as good as its weakest link. by thegarbz · · Score: 3, Funny

      Unfortunately the weakest link is always going to be found in the form of huge sacks of protoplasm known as "people".

      I've heard the TSA called a lot of things, but never "people".

    3. Re:Security is only as good as its weakest link. by Dr.+Evil · · Score: 4, Insightful

      "Track performance and give bonuses to the people who manage to stop the intruders."

      Ensure the bonus even goes to the average schmo hot-dog vendor who challenges somebody who doesn't have their ID showing. It's not a new strategy, but turning it into a game like this shifts cultures. Suddenly all the con-man defenses of "seriously, don't you know me?", "man, you're uptight, chill." or "Bob says it's okay" fall out the window to your "hey, I get $50 if you don't have a badge".

      Not to pick on hot-dog vendors. They're probably more people savvy than most of your security team.

  5. This was done 6 years ago by mentil · · Score: 4, Interesting

    Zug.com snuck into the super bowl using social engineering as well.
    Details here

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    1. Re:This was done 6 years ago by girlinatrainingbra · · Score: 4, Interesting
      Very nice linked article about the Zug.com prank team. I particularly like that they did it just a few days after the Boston LED Art prank that everyone thought was part of a bomb, and that they were still able to get away with it. They fucking moved two pallets of shrink-wrapped necklace LED lights that weighed a quarter-ton through security and into the stadium. Astounding that anyone can sneak in if they can pass the cardinal 5 rules listed!

      Lost in this spectacle, it was easy for me to slip past the security station by just pretending I belonged. I make this sound easy, but in fact I was just following the five magic rules for getting into any event in the world: 1. Wear a suit. 2. Wear a Bluetooth headset. 3. Pretend to be talking loudly to someone on the other line. 4. Carry a clipboard. 5. Be white.

      Also another killer quote from the fifth page when they ask the bomb squad to be allowed to borrow a small flatbed truck: http://www.zug.com/pranks/super/index05.html :

      The psychology of cat and mouse is that the mouse will never walk up to the cat and ask if he can borrow a forklift. Mice just don't do that.

      Now of course, they never show the message, and I don't see proof that they pulled it off, so is the prank on us? ;>)

    2. Re:This was done 6 years ago by MichaelSmith · · Score: 4, Informative

      Yeah like the Chaser APEC prank

  6. Re:Wobble Wobble Wobble... by mwvdlee · · Score: 3, Funny

    If you're going to sneak into some place inconspicuously, the LEAST you can do is bring along a complete camera crew.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  7. Re:hmmmm by ireallyhateslashdot · · Score: 4, Insightful

    Social engineering is social engineering. Penetrating a security system is penetrating a security system.

  8. Re:Who Belongs... by nukenerd · · Score: 3, Insightful

    Bet this wouldn't work if you looked like a muslim.

    It would in the Middle East.

  9. Re:congrats! - This isn't news by wonkey_monkey · · Score: 4

    I guess I fail to see how this is new.

    Because the story isn't that people use social engineering. It's that these particular people used social engineering to sneak into the Superbowl, a high-profile, supposedly high-security event, which just happened. Hence, "news."

    --
    systemd is Roko's Basilisk.
  10. Re:congrats! - This isn't news by Jah-Wren+Ryel · · Score: 3, Interesting

    I guess I fail to see how this is new

    Who said it was new? What is great about it is that the superbowl was classified as a "Level I National Security Event" - the very tippy-top of Homeland Security's classification system. These are the events they spend beaucoup (but not published) dollars on "securing" from oogy-boogy terrorists.

    So, despite all this focus on security and crap, these kids just waltzed on in. Yet more proof of how much of a waste of money DHS's 43 billion dollar budget really is.

    --
    When information is power, privacy is freedom.
  11. The best I've seen yet... by Anachragnome · · Score: 5, Interesting

    The best I've seen yet was a kid (I'm guessing around 16 yrs old) I watched in action at a concert at the Cow Palace in San Francisco many years ago.

    A friend and I were waiting in line at a Judas Priest concert when I noticed this guy, wearing a light-blue button-up shirt and slacks, using one of them sweeper things--you know, the little broom and a pivot mounted dustpan thing on a long handle that is used to sweep trash into. He was working his way along the line, sweeping up all the crap the people in line were dropping. I watched as he filled the dustpan with trash, walked over to a trashcan near the door, emptied it and went back to work around the entrance--he swept the place clean, then started working his way around the inside of the front door area, even asking one of the security personnel to step aside so he could get to a soda can just behind him. I remember telling myself "What a lame job".

    45 mins later, he was standing next to me about 10 feet from the stage, smoking a joint and obviously enjoying himself. After asking him if he minded passing that thing, I asked him where his broom was. He said with a big, stoned grin on his face that he usually leaves it in the bathroom until after the show. Sure enough, when I went to the bathroom between acts, his sweeper and broom were sitting in the corner.

  12. Public shows by adolf · · Score: 3, Interesting

    It's not so hard to get from A to B in any public show: The trick is just to act like you belong there, just like everyone else who also belongs there. Blend in.

    My own favorite was at a show at the Detroit State Theater. We had assigned seats in the balcony, but the sound really was very bad up there. So we left, wandered, and came up to the entrance for the general-admittance floor area.

    There were two security guards looking at tickets before people were allowed into this space, with a small line formed before each of them. We walked right between them as if we owned the venue ourselves, and didn't encounter any trouble. (The sound at front, stage-left was excellent. Kudos to the boardmonkey, and meh to whoever it was that specified the line arrays for that show.)

    And for other intermittently-crowded places, carrying a Motorola 2-way portable radio helps. You can direct traffic and behave authoritatively in almost any capacity, even with long hair, regular clothes, and a beard, as long as you have a radio and the gumption to make it look like you belong there. Do that for a little bit, and nobody around will think twice when you slip in through a side door. And after that, just blend in differently: At that level, people aren't paying much attention to security.

    (And no, it doesn't matter if the radio works or can talk to anyone.)

    So: Social engineering one's way into the Superbowl? Nice feat, but not very surprising.

  13. Re:hmmmm by White+Flame · · Score: 3, Informative

    "Social engineering" is getting people to do exactly what you want them to do, that they normally wouldn't do, without them realizing that anything's amiss. But yeah, while that inevitably necessitates deception, I wouldn't say it's defined as deception.

  14. Re:Who Belongs... by flyneye · · Score: 3, Informative

    Hmmm Superbowl in Dubai...
    I bet they would, NFL'd eat a dead rat sandwich if they thought it would profit them.

    --
    *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
  15. Look like you belong... by LoRdTAW · · Score: 4, Interesting

    is one of the oldest tricks in the books. I used to work for an entertainment company lugging around equipment. I have been to many venues and big hotels in Manhattan and some are pretty secure, requiring you to sign in and have your picture taken. But there are plenty where all you do is walk in there like you own the place and no one says anything. As long as you are carrying something then they assume you are part of some staff and just let you walk right in. Even the secure places just require you to say you are from company X for party Y and they let you in without any scrutiny. The parties are planned by a planner who is not part of the venue. So security has no way to easily contact the planner to verify if vendor x is legit or not. They just do their job which is to get a signature and hand out a flimsy sticker pass. If you use a little creative social engineering and figure out what party is happening where you could easily gain access. Even carrying around some legit looking paper work is enough to get you into a venue.

    Once we did a party in the museum of natural history, they have a private room in the back (I hear it was $20,000+ just to rent the room, rich kids, you should see some of the parties I have seen, amazing. Once I set up a million dollar bar mitzvah on the intrepid). Me and the guy I did the delivery with set up all the equipment and then walked down the hallway, jumped a set of ropes into the museum and went to the planetarium. No one stopped us or asked us what we were doing.

    Across the street where I live is a house which the owner defaulted on his loan. Well he also had a loan through two other banks so the house sits there as the banks can't agree on a decent price which would let it sell. So one day I hear the house was robbed of all its copper pipe, electrical wiring along with the boiler and hot water heater. One neighbour said he saw a van parked outside with some men working in the house. They weren't working but robbing the place. All they needed to do was look legit and no one would question them. Essentially it's more difficult to gain access if you look suspicious or try to hide what you are doing.

  16. Re:hmmmm by tehcyder · · Score: 5, Interesting

    Not necessarily. Sometimes social engineering takes advantage of people's assumptions. If you wear a printer servicing uniform and people assume that you're there to fix a printer, are you lying or deceiving them? I'd posit that their assumptions are incorrect and you're not deceiving them unless you're challenged and you start lying.

    Bullshit, of course you're deceiving them. You cannot expect normal human beings to question all their assumptions 24/7. Every time you blinked you'd have to prove to yourself that the whole universe hadn't just been switched off and then instantaneously recreated itself.

    --
    To have a right to do a thing is not at all the same as to be right in doing it
  17. Re:hmmmm by hawkinspeter · · Score: 4, Insightful

    You should however expect normal humans to question assumptions when it comes to letting random people through security doors. Would you be happy if a bank got robbed and the bank staff turned round with "he was wearing a plumber's outfit, so we just assumed he was looking at the plumbing although we were a bit puzzled as to what plumbing was in the vault".

    --
    You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
  18. Re:congrats! - This isn't news by war4peace · · Score: 3, Funny

    This reminds me of someone who was planting lots of garlic around his house to keep the vampires away. No vampires around, so his solution worked.

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  19. Re:hmmmm by hawkinspeter · · Score: 3, Insightful

    You may have the intent of letting people deceive themselves, but I consider that different to actively deceiving/lying to people.

    Here's a car analogy - a car advert might specify "does not contain carcinogenic seat material" with the intent that people will question other makes that don't have that disclaimer. Now, they are not actually deceiving people as they are making a true claim and advertising standards would have no problem with it.

    If I go for a job interview wearing clothes that I normally wouldn't wear (suit, tie etc), am I deceiving the interviewers that I usually dress like that?

    --
    You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe