How To Sneak In To a Security Conference 189
jfruh writes "You'd think that, of all events, security conferences would have tight security. But one anonymous human pen tester managed to sneak into the RSA conference without credentials, using tried and true techniques like waving a badge from another conference at security guards and slipping in through exits."
Body language is an effective tool (Score:5, Interesting)
It's easy to avoid notice if you act like you know what you're doing, where you're going and that you belong where you are. Never stand still or look around.
Large Concerts (Score:5, Interesting)
You can easily sneak into large concerts, gigs, expos, whatever if you have a cap with a TV station logo, dress shabby and carry a large video camera. If you don't have a camera, a set of cables or a tripod would do just fine. Badges? No need.
I used to work for a local branch of a known TV station, I had access to an old training video camera at all times. Every time there was a gig I wanted to attend to, I went to my workplace, grabbed that camera, went to the gig, got in, left the camera in one of the the tech rooms, achievement unlocked. Sometimes I brought my girlfriend in by letting her carry a microphone. We even interviewed a security dude just for the kicks.
So yeah, it's easier than expected.
Re:Body language is an effective tool (Score:5, Interesting)
Exactly! As a hobby photographer it often amazed me how a decent camera and lens, plus the attitude you described, makes other people react sometimes or what it lets one get away with. Like stumbling into and through an area full of cops and only later finding out that civilians aren't allowed in there. Just act like you're on the way to something important, don't be a tourist, be light-hearted and content and focused. That is, even if you're just checking everything out, act like you're focusing on a task (it can even be just getting from A to B while checking your equipment (which in the case of this topic would be your mobile devices I guess :P)). Maybe even give a professional nod here and there haha. If nothing else, it's hilarious!
Re:Body language is an effective tool (Score:5, Interesting)
When I was doing gig work, I learned the easiest way to get backstage at a show is to appear on the loading dock a few hours before the event, wearing all black, and start helping the crew do their load-in (industry term for "take the shit off the trucks and set it up on stage"). Once load in is complete just hang around the backstage area until the show.
The downside is, since you're dressed like a stagehand, you'll probably be treated like one, so don't expect to spend the whole show standing around with your thumb up your ass.
Re:even the subway may not check that close with b (Score:5, Interesting)
I was on the commuter train in San Diego. It was run mostly on the honor system but you can get a ticket if you can't show you have paid. It was packed and there was bairly room to stand
Two police officers jumped on and about 1/2 of the people (most looked like students) suddenly remembered it was their stop. Suddenly you could even sit down,
Sometimes just just suck you in. . . (Score:3, Interesting)
It gets worse.
You don't even have to voluntarily sneak into a conference
Some of these conference security folks are such a joke and hotel layouts are messed up that you can end up in a conference even if you never intended to go to that conference.
I booked a night at a hotel in San Francisco once. I arrive on my bicycle after a long trip. I just wanted to check in, go to my room, and shower and *crash*.
Well, I ended up at this stoopid keynote reception with a bunch of suits. I was in lycra shorts and tee shirt.
***No one*** challenged me nor asked me if they could help me. I looked **utterly lost, tired, and miserable**.
After about 1/2 hour, I finally found the darn reception desk and checked in.
After a shower and a 6 hour nap, I got up to get something to eat.
And ended up in their stupid **banquet reception**.
I gave up and found a restaurant outside and ate
Sometimes I wonder if these conferences actually want to suck you in and get lost.
Just a tired bicyclist after 50 miles of 95 degree dusty heat wanting a little cool rest.
Re:Body language is an effective tool (Score:5, Interesting)
Yup.
I've only circumvented security in places where I was allowed to be, but the people who were my innocent victims had no clue who I was. Much of the time, it's more bother than it's worth to get your badge.
A lot of it depends on the type of event you're crashing. For something like this, being a member of the media is amazingly useful. I *do* run a news site. We never bothered with "legitimate" press passes. That is, there is no such thing. A stack of business cards is handy, but not required. Something printed on card stock with the name of your publication, laminated, and in a clip on or noose (err, lanyard) will open a lot of doors. The most important part is having a DSLR camera in your hand. You can get older ones pretty cheap on eBay. It's nice if it works, but just as an access pass, it doesn't need to.
Dressing the part is a good idea. The media, unless they're to be in front of the camera, don't wear button up shirts or ties. T-shirt and jeans are perfectly acceptable, and actually preferred.
Once you're press identity works, you can be pretty much lost, and get help. That includes getting in the back stage door for the better shots.
I've walked on stage at concerts, right on the side lines at sporting events, and walked right up to the podium to take pictures. It can help to keep playing the part. I'm not sure if it's required, as I'm really taking photos for legitimate purposes. usually walking past security doesn't require any actual words to be spoken. Hold the camera up a little to show that you have one, and a nod are all it usually takes.
It's a good idea to have some sort of dialogue planned out. It's usually just "who do you work for." It really doesn't matter who it is. Smaller is frequently better, especially if there's a chance the organization you say you are with may actually attend.
If you don't want to go the press route, you can usually walk in with a crowd. Most events aren't secure enough to require every person to show their badges to go through every door. Blend into a crowd of 6 people or more going past security at the same time. Just make sure you're on the far side of security, so they don't notice that you didn't have a badge.
Security generally has no idea who's suppose to be there at such events. The only way they have a clue is because you have the cool badge. For a lot of events, it's a piece of paper inside a generic plastic holder, sometimes on a lanyard. Some of us bring our own lanyards. That's no big deal. The problem with lanyards is, your badge can easily flip around, so all the see is the white back of it. That "accident" can let you right through, with a plain piece of paper in it. An empty plastic holder can be good too. "Shit it must have fallen out. Can I get one after this session is over?" Many events stop taking signups after the first few hours of the event, so getting a "replacement' is impossible, and your empty holder is just as good as a replica of the real thing.
The biggest thing is, look like you belong there. Walk with a purpose. Ignore those commoners who are also attending. Have a good idea of where you're going, so you can walk directly there, without stopping. Wandering around like a lost attendee bulks you into the crowd of attendees, and you will likely e stopped.
Re:Body language is an effective tool (Score:4, Interesting)
In The Netherlands there was a new government going to the Queen to be sworn in in July 2002, and at one point an additional minister nobody knew popped up :) He had rented an expensive car and a new suit, and announced himself as the "Minister of the Environment". The palace guards allowed him in. Unfortunately for them, there was no minister for the environment - he was an activist :)
He tried the same trick 6 months later and got all the way into parliament, helpfully escorted by security :)