Security IT

How To Sneak In To a Security Conference

jfruh writes "You'd think that, of all events, security conferences would have tight security. But one anonymous human pen tester managed to sneak into the RSA conference without credentials, using tried and true techniques like waving a badge from another conference at security guards and slipping in through exits."
  • by Anonymous Coward on Tuesday February 28, 2012 @05:54PM (#39190831)

    It's easy to avoid notice if you act like you know what you're doing, where you're going and that you belong where you are. Never stand still or look around.

    • by SJHillman ( 1966756 ) on Tuesday February 28, 2012 @05:55PM (#39190849)

      This is why I keep my lab coat from college. A lab coat says you know what you're doing. Throw in a clipboard and you're gold.

      • by oakgrove ( 845019 ) on Tuesday February 28, 2012 @05:58PM (#39190879)
        And should you find yourself at a construction site just put a 2x4 over your shoulder and walk purposefully with a stern look on your face. Works every time.
      • by Anonymous Coward on Tuesday February 28, 2012 @06:37PM (#39191299)

        You said this as a joke but that you're actually right makes it even funnier. Sometimes I wouldn't bother taking off my lab coat on my way home from work, and you wouldn't believe how much authority that granted me to those I passed into on my way home. People always think the most ridiculous things when they see a lab coat. Was I a rocket scientist, a doctor? A nuclear physicist? Or was I just a guy who had to wear a lab coat and didn't really do anything that important? Except no one except those that realize how normal lab coats are thinks the last one.

      • by MrEricSir ( 398214 ) on Tuesday February 28, 2012 @07:00PM (#39191579) Homepage

        I used to carry my shopping list on a clipboard, but I had to stop because people kept asking me questions about various products or where to find things. It was funny the first few times, but after a while it started to get old.

      • Or walk in through the loading dock of most companies with a clipboard and a white hardhat with the municipal logo on it - nothing says "surprise inspection" better.

        WARNING: Don't try doing the white hardhat thing on a construction site - you'll scare all the illegal/cash workers away.

      • by Anne_Nonymous ( 313852 ) on Tuesday February 28, 2012 @07:42PM (#39191961) Homepage Journal

        If you wear Wellington boots, a jock strap, and a huge sombrero, people generally don't mess with you.

        • by msauve ( 701917 ) on Tuesday February 28, 2012 @08:05PM (#39192165)
          "If you wear Wellington boots, a jock strap, and a huge sombrero, people generally don't mess with you."

          Especially if that's all you wear. Except in NYC, where you may get mistaken for the nekkid cowboy.
        • Mickey Flannigan did a skit on, I believe, Michael McIntyre's Comedy Roadshow where it stated that a cockney in a string vest walking down the high street with an open tin of Stella in one hand, another in his pocket, is given a very wide berth.
      • by minkie ( 814488 ) on Tuesday February 28, 2012 @09:29PM (#39192893)

        Tell me about it. I used to work in a hospital (not as a member of the medical staff). I had a labcoat that I kept mostly to keep warm when the air conditioning got too cold. If I put it on and wandered the halls, there was pretty much nowhere I couldn't go. I'll bet if I hung a stethoscope around my neck, I could have walked into the OR and nobody would have said "boo".

        Adjust the costume to fit the venue. Hardhat at a construction site. Trial case in a courthouse. If you saw a guy with a pitchfork and covered in manure walking through a stable, would you stop him and demand to see his ID?

        • what kind of stables are high security?

          i suppose if you had a labcoat they'd be more likely to stop you, just in case you're doping the racehorses.

          • presumably the stables of high-end race horses are rather high security when it comes to people who work with the *competing* high-end race horses.

            "let's see, a couple of ambien in the nosebag, and...there's one more competitor we don't have to worry about..."

      • More than likely, someone will stop you and harass you for wearing a lab coat outside of the lab, and wonder what the hell you're carrying a clipboard, instead of a lab notebook. No one who knows what they are doing thinks a lab coat says you know what you are doing (except in medicine, where lab coats are not safety equipment, but magical raiments invested with doctorly powers...f---in prodocs...)
    • by vinehair ( 1937606 ) on Tuesday February 28, 2012 @05:56PM (#39190863)

      It's easy to avoid notice if you act like you know what you're doing, where you're going and that you belong where you are. Never stand still or look around.

      Bingo. Simple tactics and social engineering are usually all you need if you really want to get at something.

      The weakest link in any security chain is always the people, and people are easy to deceive.

      • Re: (Score:2, Funny)

        by Anonymous Coward
        Sometimes the weakest link is the default password.
      • I certainly don't intend to, but it seems whenever I go out shopping for something I end up being asked "do you work here" - if someone doesn't outright assume I do and ask for help.

        It happens even when I'm wearing something completely different than the store's uniform. ... am I unintentionally giving that kind of impression, do you think? I wonder if I could put that into something useful :P

      • by JWSmythe ( 446288 ) <jwsmythe@@@jwsmythe...com> on Wednesday February 29, 2012 @03:30AM (#39194931) Homepage Journal

            Yup.

            I've only circumvented security in places where I was allowed to be, but the people who were my innocent victims had no clue who I was. Much of the time, it's more bother than it's worth to get your badge.

            A lot of it depends on the type of event you're crashing. For something like this, being a member of the media is amazingly useful. I *do* run a news site. We never bothered with "legitimate" press passes. That is, there is no such thing. A stack of business cards is handy, but not required. Something printed on card stock with the name of your publication, laminated, and in a clip on or noose (err, lanyard) will open a lot of doors. The most important part is having a DSLR camera in your hand. You can get older ones pretty cheap on eBay. It's nice if it works, but just as an access pass, it doesn't need to.

            Dressing the part is a good idea. The media, unless they're to be in front of the camera, don't wear button up shirts or ties. T-shirt and jeans are perfectly acceptable, and actually preferred.

            Once your press identity works, you can be pretty much lost, and get help. That includes getting in the back stage door for the better shots.

            I've walked on stage at concerts, right on the side lines at sporting events, and walked right up to the podium to take pictures. It can help to keep playing the part. I'm not sure if it's required, as I'm really taking photos for legitimate purposes. Usually walking past security doesn't require any actual words to be spoken. Hold the camera up a little to show that you have one, and a nod are all it usually takes.

            It's a good idea to have some sort of dialogue planned out. It's usually just "who do you work for." It really doesn't matter who it is. Smaller is frequently better, especially if there's a chance the organization you say you are with may actually attend.

            If you don't want to go the press route, you can usually walk in with a crowd. Most events aren't secure enough to require every person to show their badges to go through every door. Blend into a crowd of 6 people or more going past security at the same time. Just make sure you're on the far side of security, so they don't notice that you didn't have a badge.

            Security generally has no idea who's supposed to be there at such events. The only way they have a clue is because you have the cool badge. For a lot of events, it's a piece of paper inside a generic plastic holder, sometimes on a lanyard. Some of us bring our own lanyards. That's no big deal. The problem with lanyards is, your badge can easily flip around, so all they see is the white back of it. That "accident" can let you right through, with a plain piece of paper in it. An empty plastic holder can be good too. "Shit it must have fallen out. Can I get one after this session is over?" Many events stop taking signups after the first few hours of the event, so getting a "replacement" is impossible, and your empty holder is just as good as a replica of the real thing.

            The biggest thing is, look like you belong there. Walk with a purpose. Ignore those commoners who are also attending. Have a good idea of where you're going, so you can walk directly there, without stopping. Wandering around like a lost attendee bulks you into the crowd of attendees, and you will likely be stopped.

    • by Johann Lau ( 1040920 ) on Tuesday February 28, 2012 @06:13PM (#39191039) Homepage Journal

      Exactly! As a hobby photographer it often amazed me how a decent camera and lens, plus the attitude you described, makes other people react sometimes or what it lets one get away with. Like stumbling into and through an area full of cops and only later finding out that civilians aren't allowed in there. Just act like you're on the way to something important, don't be a tourist, be light-hearted and content and focused. That is, even if you're just checking everything out, act like you're focusing on a task (it can even be just getting from A to B while checking your equipment (which in the case of this topic would be your mobile devices I guess :P)). Maybe even give a professional nod here and there haha. If nothing else, it's hilarious!

      • by AK Marc ( 707885 )
        And when you ask firmly, people rarely refuse. "hold this" "smile" When you act like you belong, others act like you belong as well.
      • Add a big lens hood and it works even better.

      • the problem is clearly that people don't wear hats any more, so you have nowhere convenient and immediately visible to stick your press pass.

    • by CanHasDIY ( 1672858 ) on Tuesday February 28, 2012 @06:24PM (#39191145) Homepage Journal
      This.

      When I was doing gig work, I learned the easiest way to get backstage at a show is to appear on the loading dock a few hours before the event, wearing all black, and start helping the crew do their load-in (industry term for "take the shit off the trucks and set it up on stage"). Once load in is complete just hang around the backstage area until the show.

      The downside is, since you're dressed like a stagehand, you'll probably be treated like one, so don't expect to spend the whole show standing around with your thumb up your ass.
    • by cptdondo ( 59460 ) on Tuesday February 28, 2012 @06:36PM (#39191283) Journal

      Long ago I learned that the best way to be invisible is to walk in dressed in overalls with a toolbelt, and announce "Plumber!" to everyone in earshot. You can walk into a women's bathroom, yell "Plumber!" and none of the women will even notice as you walk around....

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Carrying things is also good.

      I worked at a vending company, and let me say, if you're carrying a box of sodas with both hands while standing helplessly by the door, all you need to say is "I'm here for the vending machines" and someone will let you in for most places.

      Now, federal sites that doesn't work so well. At a delivery company I worked with, if you're going to a federal site (post office, airport, etc) if you're not wearing the right clothes, have the right badge, and come in the right vehicle, you'r

    • by Anonymous Coward on Tuesday February 28, 2012 @07:46PM (#39192011)

      Never stand still or look around.

      I find this, in general, to be a good guideline in life. If you stop to look around at the beauty and wonder of life people think there is something wrong with you.

      Yes! I've been asked if I'm alright, and know where I'm at. To the latter, I respond: "Yes. I'm right here!"

      • by Bazer ( 760541 )

        Yes! I've been asked if I'm alright, and know where I'm at. To the latter, I respond: "Yes. I'm right here!"

        If I got a response like that, from a person staring off in the distance I'd only feel reassured and head on my way and fast.

    • by krept ( 697623 ) on Tuesday February 28, 2012 @11:02PM (#39193583)
      Find a pack of people smoking. They always know the easiest way to get out and back in quickly.
    • by St.Creed ( 853824 ) on Wednesday February 29, 2012 @08:22AM (#39196271)

      In The Netherlands there was a new government going to the Queen to be sworn in in July 2002, and at one point an additional minister nobody knew popped up :) He had rented an expensive car and a new suit, and announced himself as the "Minister of the Environment". The palace guards allowed him in. Unfortunately for them, there was no minister for the environment - he was an activist :)

      He tried the same trick 6 months later and got all the way into parliament, helpfully escorted by security :)

  • by Anonymous Coward on Tuesday February 28, 2012 @05:58PM (#39190887)


    You'd think that, of all events, security conferences would have tight security.

    No, I wouldn't think that. I'd think that a bank, or an event involving a US President would have tight security. Security is about what you're protecting, not who's involved in it. For the most part "stealing" admission to a conference is harmless, as long as a few people do it. The security only has to be good enough to make it so only a few people sneak in.

    Security conferences aren't exactly a high profile event like, that appeals to millions (like say a Rock Concert), so people sneaking in is really not a big problem. If you didn't think you could sneak in to a conference before, you obviously haven't been paying attention.

    • by Ruke ( 857276 ) on Tuesday February 28, 2012 @06:12PM (#39191033)
      Absolutely. There's no reason to have a conference be that secure. Spending an extra five-to-ten seconds per attendee checking badges would be a major disruption in crowd flow. The primary benefit of security at this event was to make the attendees feel special, and the secondary benefit was preventing overwhelming crowds. There's basically no reason to keep out any one person who's not supposed to be there; the panels are advertisements, and the information is as good as public. Security is in place to keep out crowds of people who aren't supposed to be there, and they seemed to do well enough at that.
      • even the subway may not check that close with a big group moving through.

        A stadium just let out, the station was packed, and I likely could have flashed an out of date / used ticket and they would likely not have seen it or would not have tried to stop you if you did have a bad ticket.

        Sometimes even on trains where you pay / check tickets on the train they can get so packed they don't even get to all the people.

        When you have a big crowd moving in a small space sometimes fully checking cards / badges takes too much time.

      • by Bazer ( 760541 )

        Security is in place to keep out crowds of people who aren't supposed to be there, and they seemed to do well enough at that.

        In my opinion this guy earned his way into the conference fair and square. If I were organizing a security conference and someone got past the security undetected then I'd assume they are part of my targeted audience. A booth with badges "If you got this far you get a free pass." would be a fine touch on an event like that.

      • Absolutely. There's no reason to have a conference be that secure.

        I can confirm that security is usually not very tight, but I'm not so sure whether I agree with your suggestion that this is also not needed.

        A long time ago I once worked at the IFA for a big telco company---not as a promoter or salesman but as the guy who cleans LCD screens. (They weren't touch screens but apparently people still love to touch them with greasy fat fingers.) There was no security at all. As long as you were wearing a T-shirt with the right logo on it, you could do just about anything and go

    • I've been to enough conferences and simply walked into wrong rooms where other conferences were going on by accident, to be completely unimpressed by people "sneaking into" a conference that isn't the San Diego Comicon.

      • This.

        Plus the article's "guards" are near-min-wage employees hired by the conf organizer or the conf.center to just stand around and try and gate access some. They largely have no vested interest in the nature of the content or attendees.

        As for ComicCon, I think you'd have a harder time sneaking into a room at DragonCon since it's fan-run, not an industry show... those volunteers are putting in a lot of time for their badge, and if nothing else, they don't want to see someone getting what they have for free

    • by Mr. Freeman ( 933986 ) on Tuesday February 28, 2012 @07:54PM (#39192069)
      Exactly, the entire point of a conference is to make things public, not exactly a security issue.

      And the author mentions something about "I could have installed keylogging software on a demo computer". Who cares? I guess he could have stolen the generic "admin/admin" and "tester/tester" accounts from all the machines. Unless someone is stupid enough to hook their demo computer into a real set of confidential data, this isn't a problem. And if that is, in fact, the case then it's the company's issue, not the conference's.
    • Good point. If you wanted a security conference that secure, don't make it a conference. Just gather at a local bar and take over the back half of the place. Sometimes the best places to have private conversations is in a crowd.

  • Why? (Score:5, Insightful)

    by hipp5 ( 1635263 ) on Tuesday February 28, 2012 @05:59PM (#39190901)

    You'd think that, of all events, security conferences would have tight security.

    Why?

    I suspect the cost/hassle of doing more than basic security outweighs the benefit of catching a few people who didn't want to pay the $100 conference fee. I doubt the information being presented is secret and needs protecting. And I imagine of all conference organizers, the organizers of a security conference would have best grasp on this security cost/benefit.

    • Re:Why? (Score:5, Informative)

      by slew ( 2918 ) on Tuesday February 28, 2012 @06:26PM (#39191165)

      You'd think that, of all events, security conferences would have tight security.

      Why?

      I suspect the cost/hassle of doing more than basic security outweighs the benefit of catching a few people who didn't want to pay the $100 conference fee. I doubt the information being presented is secret and needs protecting. And I imagine of all conference organizers, the organizers of a security conference would have best grasp on this security cost/benefit.

      Of course in many conference venues (like the moscone center where the RSA conference is held), you must use the approved contractors that use local union labor to handle things like setup, teardown, electrical, network installation, theatrical services, and security. You don't really get to customize stuff like this too much, so security is probably exactly the same as any other conference at the same venue.

    • I doubt the information being presented is secret and needs protecting.

      He got onto the expo floor while it was still being set up.
      If he had walked off with laptops from unattended booths, that could represent a major security threat to whatever company he was targeting.
      If he had walked off with the laptop of a presenter, that could easily represent unpublished exploits ripe for immediate use.

      And I imagine of all conference organizers, the organizers of a security conference would have best grasp on this security cost/benefit.

      The organizers have very little to lose from thefts, because they don't have much that can be stolen.
      Their risk profile is very different from that of any particular presenter, booth owner, or

    • by Kagato ( 116051 )

      Spot on. Conferences have notoriously bad security. The guys manning the door are usually temp workers or low wage security guards. They have very little incentive to go the extra mile. If anything, they are there to challenge entrance by anyone who doesn't look like they belong. (i.e. Homeless vagrant, teenagers who keep walking on the lawn, etc.) Your average rock concert will have much better security.

  • Large Concerts (Score:5, Interesting)

    by war4peace ( 1628283 ) on Tuesday February 28, 2012 @06:01PM (#39190921)

    You can easily sneak into large concerts, gigs, expos, whatever if you have a cap with a TV station logo, dress shabby and carry a large video camera. If you don't have a camera, a set of cables or a tripod would do just fine. Badges? No need.

    I used to work for a local branch of a known TV station, I had access to an old training video camera at all times. Every time there was a gig I wanted to attend to, I went to my workplace, grabbed that camera, went to the gig, got in, left the camera in one of the the tech rooms, achievement unlocked. Sometimes I brought my girlfriend in by letting her carry a microphone. We even interviewed a security dude just for the kicks.

    So yeah, it's easier than expected.

    • by Hentes ( 2461350 )

      But why bother when a ticket is much cheaper than a camera?

      • But why bother when a ticket is much cheaper than a camera?

        Who says it's cheaper? I bought an old over the shoulder video camera for a couple of bucks at an auction. Tickets to some venues can cost ten times what I paid for the camera.

      • But why bother when a ticket is much cheaper than a camera?

        Or even better, a clipboard and a black t-shirt that says STAFF on the back.

      • by AK Marc ( 707885 )
        They look at the tickets. The "Pink" ticket doesn't work for "Lady Gaga" but the camera works for both.
      • Um, you buy ONE camera for 300 USD and can go to say 50 concerts with it. That's a shitload of saved money on tickets, my friend.

    • Badges?

      We don't need no stinkin' badges!

    • by k6mfw ( 1182893 )

      , I had access to an old training video camera at all times. Every time there was a gig I wanted to attend to, I went to my workplace, grabbed that camera, went to the gig, got in,

      This may work for another five years or so. I can access events with my over the shoulder ENG camera, or attend choice spots at parades. However, cameras even for news stations are getting smaller. More of them are packing the "Fisher Price" cams and getting same size as consumer cams. Old school of large camera = expensive-ENG-must-be-a-real-newsguy, new school large camera = old technology. Yes, pack a $60K Panasonic with P2 cards and the techies will say "old technology!" It may become packing a shoulde

      • But bring a tripod, ***required*** for good shots with small HD cameras.

        You should try one of those mini-steadycam rigs.

      • i think until the current crop of camera folks are all dead, it's going to be shoulder cams.

        but given what gets broadcast, you could ENG today with an iphone.

    • Not all events are the same. I've experienced "camera man rock star" treatment for a number of events, but some, like NYS wrestling finals, have a list of approved camera men, photographers, etc, and you have to beg for credentials to get on the list because they do check. Even if you're on the list, some places hassle you, anyway.

  • is about risk.
    There is no black and white demarcation.
    An important lesson many people in the modern security business seem to forget.

  • by DragonWriter ( 970822 ) on Tuesday February 28, 2012 @06:08PM (#39190985)

    The RSA conference, like most industry conferences, is in very large part a sales conference for industry products. There's no reason for it to be particularly secure (obviously, they want to maintain some security to maintain ticket prices and the marketing value of the information gathered along with those sales), a few extra people coming in without paying isn't a huge deal (whereas intrusive security measures that inconvenience legitimate ticketed attendees would be.)

    It's not like the conference presents eyes-only sensitive material that only ticketed attendees are cleared for and that there is some danger to the conference sponsors if anyone outside gets wind of it. Just because it's a conference about security practices and products doesn't mean that it somehow has any particular high-security needs.

  • by mindcandy ( 1252124 ) on Tuesday February 28, 2012 @06:21PM (#39191123)
    RSA 2012 is basically a big sales presentation.
    To suggest sneaking in is a big achievement is like saying you got into BestBuy a few minutes early one day to shop for TVs.
  • Journalists do this all the time (good ones at least). My favorite is holding a walkie talkie to your ear and waving in acknowledgment to the guards (with a slight nod) while walking in. It's better to wear dark glasses for this one.
  • The security researchers inside the conference are no doubt very aware of security. The security hacks that implement the security for such conferences: not so much. Same problem with security everywhere.
  • lost and confused sometimes can get you past people or if you get caught just act like you have the wrong building, wrong date, wrong conference.

  • by xxxJonBoyxxx ( 565205 ) on Tuesday February 28, 2012 @07:45PM (#39192007)

    I've been going to RSA now for many years, both as an attendee and as an exhibitor. By Thursday you'll see the occasional homeless woman (almost always female) going up and down the aisles grabbing all the candy, clothing and electronic widgets she can find.

    Furthermore, I've never had to pay to get in. Simply mention an IT job title to a sponsoring vendor or sign up on a sponsoring vendor's web site and you can get a free pass months in advance.

    Color me unimpressed by this article.

  • by nitehawk214 ( 222219 ) on Tuesday February 28, 2012 @08:12PM (#39192197)

    he is in the business of "pen-testing humans"

    Is that not called "rape"? :)

  • Hell, I joined the Ops team at Shmoocon this year without any credentials or signup. I tell you that isn't part of their plan. http://storyinmemo.com/?p=48 [storyinmemo.com]

    I spent a day at my first DEFCON missing my badge and managed to keep going all over the conference. Every year at DEFCON I make it a point to get into a guest-listed party that I didn't have access to. Why would RSA be different? I guarantee the DEFCON goons care more and the RSA ticket funds aren't going to making the conference more secure.

    Their cost / benefit for tightening things down would be basically nothing.

  • by oldmac31310 ( 1845668 ) on Tuesday February 28, 2012 @10:30PM (#39193343) Homepage
    It wasn't just any old 'badge' though, it was psychic paper...
  • by mallyn ( 136041 ) on Tuesday February 28, 2012 @11:34PM (#39193827) Homepage
    Folks:

    It gets worse.

    You don't even have to voluntarily sneak into a conference

    Some of these conference security folks are such a joke and hotel layouts are messed up that you can end up in a conference even if you never intended to go to that conference.

    I booked a night at a hotel in San Francisco once. I arrive on my bicycle after a long trip. I just wanted to check in, go to my room, and shower and *crash*.

    Well, I ended up at this stoopid keynote reception with a bunch of suits. I was in lycra shorts and tee shirt.

    ***No one*** challenged me nor asked me if they could help me. I looked **utterly lost, tired, and miserable**.

    After about 1/2 hour, I finally found the darn reception desk and checked in.

    After a shower and a 6 hour nap, I got up to get something to eat.

    And ended up in their stupid **banquet reception**.

    I gave up and found a restaurant outside and ate

    Sometimes I wonder if these conferences actually want to suck you in and get lost.

    Just a tired bicyclist after 50 miles of 95 degree dusty heat wanting a little cool rest.

    • by Skapare ( 16644 )

      ***No one*** challenged me nor asked me if they could help me. I looked **utterly lost, tired, and miserable**.

      You were obviously seen as a non-threat in that condition.
