How To Sneak Into the Super Bowl With Social Engineering

danielkennedy74 links to an instructive story captured on video introduced with these words: "Sneaking in near press/employee access points without going thru them, zigzagging through corridors, and once carrying a box so someone opens a door for them, two jokers from Savannah State University social engineer their way into Super Bowl XLVII for the most part simply by looking like they belong." USA Today has a slightly longer article.

"by holding a box"

[girlintraining]

How many hundreds of millions did Homeland spend to "secure" the super bowl again? Of all the things they've been accused of, fewest of the charges have been competence. When a couple college kids carrying a box can sneak past every security check point, without either them or their box being inspected, it becomes painfully obvious that the security provided is just a show... not unlike the one they're "protecting".

congrats!

[sdnoob]

You just ensured DHS VIPR teams will harass, molest and radiate every person that gets within a block of every Superbowl venue from here on.

Re:congrats!

[Anonymous Coward]

I find it funny how You somehow make it their fault and not DHS'

Security is only as good as its weakest link.

[Chas]

Unfortunately the weakest link is always going to be found in the form of huge sacks of protoplasm known as "people".

This is why, no matter how well trained you get security, social engineering attempts like this will succeed more often than not.

People are pretty much indoctrinated since birth to try to get along. So if someone looks authoritative, there's a default reaction to simply go with it.

There's only so many things a person can pay strict attention to at a time. Eventually they're going to reach the limit of things they can keep straight in their heads. And openings in their awareness will occur.

There's only so long that people can keep up such vigilance before they start relaxing. It's not laziness so much as stimulus saturation.

I don't care how much money "security" firms and agencies throw at the situation. The only way to avoid it is to not have such events in the first place.

Re:hmmmm

[ireallyhateslashdot]

Social engineering is social engineering. Penetrating a security system is penetrating a security system.

Re:Who Belongs...

[nukenerd]

Bet this wouldn't work if you looked like a muslim.

It would in the Middle East.

Re:Gitmo

[Anonymous Coward]

Are you so afraid you can not read such stories without immediately thinking about "gitmo", black helicopters or something? Don't be a coward, you will be dead in 100 years no matter what you do. Let go, don't worry and start doing stuff you want to do before your time is up.

Re:hmmmm

[Anonymous Coward]

Social engineering is social engineering.

"Social engineering" is lying or otherwise deceiving people. As euphemisms go, it's a pretty pathetic one.

Re:Security is only as good as its weakest link.

[Dr. Evil]

"Track performance and give bonuses to the people who manage to stop the intruders."

Ensure the bonus even goes to the average schmo hot-dog vendor who challenges somebody who doesn't have their ID showing. It's not a new strategy, but turning it into a game like this shifts cultures. Suddenly all the con-man defenses of "seriously, don't you know me?", "man, you're uptight, chill." or "Bob says it's okay" fall out the window to your "hey, I get $50 if you don't have a badge".

Not to pick on hot-dog vendors. They're probably more people savvy than most of your security team.

Re:congrats!

[tehcyder]

Screw that. If I get stopped by them and they identify themselves, I will tell them they are not police officers, drive away, and call the real police. Then I will take it as far as possible in court on the 4th amendment [wikipedia.org], hopefully reaching SCOTUS and putting an end to the insanity.

No, you won't. There's a slight difference between talking tough as an AC on an internet forum and actually doing something about it in real life.

Re:hmmmm

[hawkinspeter]

You should however expect normal humans to question assumptions when it comes to letting random people through security doors. Would you be happy if a bank got robbed and the bank staff turned round with "he was wearing a plumber's outfit, so we just assumed he was looking at the plumbing although we were a bit puzzled as to what plumbing was in the vault".

Re:hmmmm

[hawkinspeter]

You may have the intent of letting people deceive themselves, but I consider that different to actively deceiving/lying to people.

Here's a car analogy - a car advert might specify "does not contain carcinogenic seat material" with the intent that people will question other makes that don't have that disclaimer. Now, they are not actually deceiving people as they are making a true claim and advertising standards would have no problem with it.

If I go for a job interview wearing clothes that I normally wouldn't wear (suit, tie etc), am I deceiving the interviewers that I usually dress like that?