How To Sneak In To a Security Conference

jfruh writes "You'd think that, of all events, security conferences would have tight security. But one anonymous human pen tester managed to sneak into the RSA conference without credentials, using tried and true techniques like waving a badge from another conference at security guards and slipping in through exits."
  • by vinehair ( 1937606 ) on Tuesday February 28, 2012 @06:56PM (#39190863)

    It's easy to avoid notice if you act like you know what you're doing, where you're going and that you belong where you are. Never stand still or look around.

    Bingo. Simple tactics and social engineering are usually all you need if you really want to get at something.

    The weakest link in any security chain is always the people, and people are easy to deceive.

  • by Anonymous Coward on Tuesday February 28, 2012 @06:58PM (#39190887)


    You'd think that, of all events, security conferences would have tight security.

    No, I wouldn't think that. I'd think that a bank, or an event involving a US President would have tight security. Security is about what you're protecting, not who's involved in it. For the most part "stealing" admission to a conference is harmless, as long as a few people do it. The security only has to be good enough to make it so only a few people sneak in.

    Security conferences aren't exactly a high-profile event that appeals to millions (like, say, a rock concert), so people sneaking in is really not a big problem. If you didn't think you could sneak in to a conference before, you obviously haven't been paying attention.

  • Why? (Score:5, Insightful)

    by hipp5 ( 1635263 ) on Tuesday February 28, 2012 @06:59PM (#39190901)

    You'd think that, of all events, security conferences would have tight security.

    Why?

    I suspect the cost/hassle of doing more than basic security outweighs the benefit of catching a few people who didn't want to pay the $100 conference fee. I doubt the information being presented is secret and needs protecting. And I imagine of all conference organizers, the organizers of a security conference would have the best grasp on this security cost/benefit.

  • by Ruke ( 857276 ) on Tuesday February 28, 2012 @07:12PM (#39191033)
    Absolutely. There's no reason to have a conference be that secure. Spending an extra five-to-ten seconds per attendee checking badges would be a major disruption in crowd flow. The primary benefit of security at this event was to make the attendees feel special, and the secondary benefit was preventing overwhelming crowds. There's basically no reason to keep out any one person who's not supposed to be there; the panels are advertisements, and the information is as good as public. Security is in place to keep out crowds of people who aren't supposed to be there, and they seemed to do well enough at that.
  • by mindcandy ( 1252124 ) on Tuesday February 28, 2012 @07:21PM (#39191123)
    RSA 2012 is basically a big sales presentation.
    To suggest sneaking in is a big achievement is like saying you got into BestBuy a few minutes early one day to shop for TVs.
  • by Anonymous Coward on Tuesday February 28, 2012 @07:39PM (#39191329)

    Carrying things is also good.

    I worked at a vending company, and let me say, if you're carrying a box of sodas with both hands while standing helplessly by the door, all you need to say is "I'm here for the vending machines" and someone will let you in for most places.

    Now, at federal sites that doesn't work so well. At a delivery company I worked with, if you're going to a federal site (post office, airport, etc.) and you're not wearing the right clothes, don't have the right badge, and don't come in the right vehicle, you're not getting in.

  • by The Mister Purple ( 2525152 ) on Tuesday February 28, 2012 @08:02PM (#39191601) Homepage

    Default passwords remaining at default is caused by people.

  • by Anonymous Coward on Tuesday February 28, 2012 @08:46PM (#39192011)

    Never stand still or look around.

    I find this, in general, to be a good guideline in life. If you stop to look around at the beauty and wonder of life people think there is something wrong with you.

    Yes! I've been asked if I'm alright, and know where I'm at. To the latter, I respond: "Yes. I'm right here!"

  • by Mr. Freeman ( 933986 ) on Tuesday February 28, 2012 @08:54PM (#39192069)
    Exactly, the entire point of a conference is to make things public, not exactly a security issue.

    And the author mentions something about "I could have installed keylogging software on a demo computer". Who cares? I guess he could have stolen the generic "admin/admin" and "tester/tester" accounts from all the machines. Unless someone is stupid enough to hook their demo computer into a real set of confidential data, this isn't a problem. And if that is, in fact, the case then it's the company's issue, not the conference's.
  • by minkie ( 814488 ) on Tuesday February 28, 2012 @10:29PM (#39192893)

    Tell me about it. I used to work in a hospital (not as a member of the medical staff). I had a labcoat that I kept mostly to keep warm when the air conditioning got too cold. If I put it on and wandered the halls, there was pretty much nowhere I couldn't go. I'll bet if I hung a stethoscope around my neck, I could have walked into the OR and nobody would have said "boo".

    Adjust the costume to fit the venue. Hardhat at a construction site. Trial case in a courthouse. If you saw a guy with a pitchfork and covered in manure walking through a stable, would you stop him and demand to see his ID?

  • by krept ( 697623 ) on Wednesday February 29, 2012 @12:02AM (#39193583)
    Find a pack of people smoking. They always know the easiest way to get out and back in quickly.
