Slashdot Mirror

← Back to Stories (view on slashdot.org)

How To Sneak Into the Super Bowl With Social Engineering

Posted by timothy on from the appropriate-authorities dept.

danielkennedy74 links to an instructive story captured on video introduced with these words: "Sneaking in near press/employee access points without going thru them, zigzagging through corridors, and once carrying a box so someone opens a door for them, two jokers from Savannah State University social engineer their way into Super Bowl XLVII for the most part simply by looking like they belong." USA Today has a slightly longer article.

18 of 164 comments (clear)

  1. Gitmo by stormpunk · · Score: 5, Funny

    Maybe they can use their social engineering to get out of Gitmo after this video gets labeled by people with no sense of humor as terrorist training material.

    1. Re:Gitmo by Anonymous Coward · · Score: 4, Funny

      Yes, I do indeed like owls. How'd you guess?

  2. "by holding a box" by girlintraining · · Score: 5, Insightful

    How many hundreds of millions did Homeland spend to "secure" the super bowl again? Of all the things they've been accused of, fewest of the charges have been competence. When a couple college kids carrying a box can sneak past every security check point, without either them or their box being inspected, it becomes painfully obvious that the security provided is just a show... not unlike the one they're "protecting".

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:"by holding a box" by Pubstar · · Score: 5, Interesting

      This whole thing reminds me of the oldest trick in the book to get into night clubs: Have an extension cord/Power strip/DMX cable over your shoulder and just book it past the bouncer saying they need it on the stage NOW or the DJ is going to flip out. Works 99% of the time without you being so much as questioned.

    2. Re:"by holding a box" by guttentag · · Score: 4, Funny

      Actually, carrying a box that looks burdensome implies you are doing work, so people assume you belong there. I once walked into the courtyard of a large "fruit company" by helping a vendor carry in a box. He assumed I worked there, and they assumed I was with him. I even got a name tag at the door.

  3. Re:congrats! by Anonymous Coward · · Score: 5, Insightful

    I find it funny how You somehow make it their fault and not DHS'

  4. Security is only as good as its weakest link. by Chas · · Score: 4, Insightful

    Unfortunately the weakest link is always going to be found in the form of huge sacks of protoplasm known as "people".

    This is why, no matter how well trained you get security, social engineering attempts like this will succeed more often than not.

    People are pretty much indoctrinated since birth to try to get along. So if someone looks authoritative, there's a default reaction to simply go with it.

    There's only so many things a person can pay strict attention to at a time. Eventually they're going to reach the limit of things they can keep straight in their heads. And openings in their awareness will occur.

    There's only so long that people can keep up such vigilance before they start relaxing. It's not laziness so much as stimulus saturation.

    I don't care how much money "security" firms and agencies throw at the situation. The only way to avoid it is to not have such events in the first place.

    --


    Chas - The one, the only.
    THANK GOD!!!
    1. Re:Security is only as good as its weakest link. by Anonymous Coward · · Score: 4, Interesting

      Pay one person who knows what he's doing per hour to try to sneak in. Track performance and give bonuses to the people who manage to stop the intruders. The job of security is now suddenly a lot more interesting and challenging. Of course, actual productive work that spans the security area will grind to a halt due to security delays. In the military, newbies get told to guard something and then everyone else is supposed to try to get in. You don't have security if you don't test it.

    2. Re:Security is only as good as its weakest link. by Dr.+Evil · · Score: 4, Insightful

      "Track performance and give bonuses to the people who manage to stop the intruders."

      Ensure the bonus even goes to the average schmo hot-dog vendor who challenges somebody who doesn't have their ID showing. It's not a new strategy, but turning it into a game like this shifts cultures. Suddenly all the con-man defenses of "seriously, don't you know me?", "man, you're uptight, chill." or "Bob says it's okay" fall out the window to your "hey, I get $50 if you don't have a badge".

      Not to pick on hot-dog vendors. They're probably more people savvy than most of your security team.

  5. This was done 6 years ago by mentil · · Score: 4, Interesting

    Zug.com snuck into the super bowl using social engineering as well.
    Details here

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    1. Re:This was done 6 years ago by girlinatrainingbra · · Score: 4, Interesting
      Very nice linked article about the Zug.com prank team. I particularly like that they did it just a few days after the Boston LED Art prank that everyone thought was part of a bomb, and that they were still able to get away with it. They fucking moved two pallets of shrink-wrapped necklace LED lights that weighed a quarter-ton through security and into the stadium. Astounding that anyone can sneak in if they can pass the cardinal 5 rules listed! Lost in this spectacle, it was easy for me to slip past the security station by just pretending I belonged. I make this sound easy, but in fact I was just following the five magic rules for getting into any event in the world: 1. Wear a suit. 2. Wear a Bluetooth headset. 3. Pretend to be talking loudly to someone on the other line. 4. Carry a clipboard. 5. Be white.

      Also another killer quote from the fifth page when they ask the bomb squad to be allowed to borrow a small flatbed truck: http://www.zug.com/pranks/super/index05.html :

      The psychology of cat and mouse is that the mouse will never walk up to the cat and ask if he can borrow a forklift. Mice just don't do that.

      Now of course, they never show the message, and I don't see proof that they plled it off, so is the prank on us? ;>)

    2. Re:This was done 6 years ago by MichaelSmith · · Score: 4, Informative

      Yeah like the Chaser APEC prank

      --
      http://michaelsmith.id.au
  6. Re:hmmmm by ireallyhateslashdot · · Score: 4, Insightful

    Social engineering is social engineering. Penetrating a security system is penetrating a security system.

  7. Re:congrats! - This isn't news by wonkey_monkey · · Score: 4

    I guess I fail to see how this is new.

    Because the story isn't that people use social engineering. It's that these particular people used social engineering to sneak into the Superbowl, a high-profile, suppoedly high-security event, which just happened. Hence, "news."

    --
    systemd is Roko's Basilisk.
  8. The best I've seen yet... by Anachragnome · · Score: 5, Interesting

    The best I've seen yet was a kid (I'm guessing around 16 yrs old) I watched in action at a concert at the Cow Palace in San Francisco many years ago.

    A friend and I were waiting in line at a Judas Priest concert when I noticed this guy, wearing a light-blue button-up shirt and slacks, using one of them sweeper things--you know, the little broom and a pivot mounted dustpan thing on a long handle that is used to sweep trash into. He was working his way along the line, sweeping up all the crap the people in line were dropping. I watched as he filled the dustpan with trash, walked over to a trashcan near the door, emptied it and went back to work around the entrance--he swept the place clean, then started working his way around the inside of the front door area, even asking one of the security personnel to step aside so he could get to a soda can just behind him. I remember telling myself "What a lame job".

    45 mins later, he was standing next to me about 10 feet from the stage, smoking a joint and obviously enjoying himself. After asking him if he minded passing that thing, I asked him where his broom was. He said with a big, stoned grin on his face that he usually leaves it in the bathroom until after the show. Sure enough, when I went to the bathroom between acts, his sweeper and broom were sitting in the corner.

  9. Look like you belong... by LoRdTAW · · Score: 4, Interesting

    is one of the oldest tricks in the books. I used to work for an entertainment company lugging around equipment. I have been to many venues and big hotels in Manhattan and some are pretty secure, requiring you to sign in and have your picture taken. But there are plenty where all you do is is walk in there like you own the place and no one says anything. As long as you are carrying something then they assume you are part of some staff and just let you walk right in. Even the secure places just require you to say you are from company X for party Y and they let you in without any scrutiny. The parties are planned by a planner who is not part of the venue. So security has no way to easily contact the planner to verify if vendor x is legit or not. They just do their job which is to get a signature and hand out a flimsy sticker pass. If you use a little creative social engineering and figure out what party is happening where you could easily gain access. Even carrying around some legit looking paper work is enough to get you into a venue.

    Once we did a party in the museum of natural history, they have a private room in the back (I hear it was $20,000+ just to rent the room, rich kids, you should see some of the parties I have seen, amazing. Once I setup a million dollar bar mitzvah on the intrepid). Me and the guy I did the delivery with setup all the equipment and then walked down the hallway, jumped a set of ropes into the museum and went to the planetarium. No one stopped us or asked us what we were doing.

    Across the street where I live is a house which the owner defaulted on his loan. Well he also had a loan through two other banks so the house sits there as the banks cant agree on a decent price which would let it sell. So one day I hear the house was robbed of all its copper pipe, electrical wiring along with the boiler and hot water heater. One neighbour said he saw a van parked outside with some men working in the house. They weren't working but robbing the place. All they needed to do was look legit and no one would question them. Essentially its more difficult to gain access if you look suspicious or try to hide what you are doing.

  10. Re:hmmmm by tehcyder · · Score: 5, Interesting

    Not necessarily. Sometimes social engineering takes advantage of people's assumptions. If you wear a printer servicing uniform and people assume that you're there to fix a printer, are you lying or deceiving them? I'd posit that their assumptions are incorrect and you're not deceiving them unless you're challenged and you start lying.

    Bullshit, of course you're deceiving them. You cannot expect normal human beings to question all their assumptions 24/7. Every time you blinked you'd have to prove to yourself that the whole universe hadn't just been switched off and then instantaneously recreated itself.

    --
    To have a right to do a thing is not at all the same as to be right in doing it
  11. Re:hmmmm by hawkinspeter · · Score: 4, Insightful

    You should however expect normal humans to question assumptions when it comes to letting random people through security doors. Would you be happy if a bank got robbed and the bank staff turned round with "he was wearing a plumber's outfit, so we just assumed he was looking at the plumbing although we were a bit puzzled as to what plumbing was in the vault".

    --
    You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe