Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

How To Sneak Into the Super Bowl With Social Engineering

timothy posted about a year and a half ago | from the appropriate-authorities dept.

Security 164

danielkennedy74 links to an instructive story captured on video introduced with these words: "Sneaking in near press/employee access points without going thru them, zigzagging through corridors, and once carrying a box so someone opens a door for them, two jokers from Savannah State University social engineer their way into Super Bowl XLVII for the most part simply by looking like they belong." USA Today has a slightly longer article.

Sorry! There are no comments related to the filter you selected.

Who Belongs... (-1)

Anonymous Coward | about a year and a half ago | (#42856507)

Bet this wouldn't work if you looked like a muslim.

Re:Who Belongs... (3, Insightful)

nukenerd (172703) | about a year and a half ago | (#42856879)

Bet this wouldn't work if you looked like a muslim.

It would in the Middle East.

Re:Who Belongs... (3, Informative)

flyneye (84093) | about a year and a half ago | (#42857667)

Hmmm Superbowl in Dubai...
I bet they would, NFL'd eat a dead rat sandwich if they thought it would profit them.

Re:Who Belongs... (2)

flyneye (84093) | about a year and a half ago | (#42857657)

You could dress like a camel, shut out the lights in the stadium and sneak in unnoticed , like I did...

Gitmo (5, Funny)

stormpunk (515019) | about a year and a half ago | (#42856543)

Maybe they can use their social engineering to get out of Gitmo after this video gets labeled by people with no sense of humor as terrorist training material.

Re:Gitmo (2, Insightful)

Anonymous Coward | about a year and a half ago | (#42856925)

Are you so afraid you can not read such stories without immediately thinking about "gitmo", black helicopters or something? Don't be a coward, you will be dead in 100 years no matter what you do. Let go, don't worry and start doing stuff you want to do before your time is up.

Re:Gitmo (0, Funny)

Anonymous Coward | about a year and a half ago | (#42857267)

YOLO!

Re:Gitmo (4, Funny)

Anonymous Coward | about a year and a half ago | (#42858343)

Yes, I do indeed like owls. How'd you guess?

Re:Gitmo (1)

Kagato (116051) | about a year and a half ago | (#42858297)

Gitmo, nah. But they did document their trespassing. They have a scene where they are shown lying to a cop which might be a bigger crime than the trespassing.

hmmmm (1)

Anonymous Coward | about a year and a half ago | (#42856549)

So if I've got this right: you can lie and otherwise deceive people in order to access computer systems. So that makes it geeky , which means its also geeky to lie or otherwise deceive people in other contexts. Is that about it?

Re:hmmmm (4, Insightful)

ireallyhateslashdot (2297290) | about a year and a half ago | (#42856791)

Social engineering is social engineering. Penetrating a security system is penetrating a security system.

Re:hmmmm (2, Insightful)

Anonymous Coward | about a year and a half ago | (#42857055)

Social engineering is social engineering.

"Social engineering" is lying or otherwise deceiving people. As euphemisms go, it's a pretty pathetic one.

Re:hmmmm (3, Informative)

White Flame (1074973) | about a year and a half ago | (#42857445)

"Social engineering" is getting people to do exactly what you want them to do, that they normally wouldn't do, without them realizing that anything's amiss. But yeah, while that inevitably necessitates deception, I wouldn't say it's defined as deception.

Re:hmmmm (0)

Anonymous Coward | about a year and a half ago | (#42857721)

I'm sorry, I couldn't help myself.

http://www.youtube.com/watch?v=2efhrCxI4J0 [youtube.com]

Why didn't we ever make ourselves obnoxious UI's like this?

Re:hmmmm (2)

hawkinspeter (831501) | about a year and a half ago | (#42857607)

Not necessarily. Sometimes social engineering takes advantage of people's assumptions. If you wear a printer servicing uniform and people assume that you're there to fix a printer, are you lying or deceiving them? I'd posit that their assumptions are incorrect and you're not deceiving them unless you're challenged and you start lying.

Re:hmmmm (5, Interesting)

tehcyder (746570) | about a year and a half ago | (#42857989)

Not necessarily. Sometimes social engineering takes advantage of people's assumptions. If you wear a printer servicing uniform and people assume that you're there to fix a printer, are you lying or deceiving them? I'd posit that their assumptions are incorrect and you're not deceiving them unless you're challenged and you start lying.

Bullshit, of course you're deceiving them. You cannot expect normal human beings to question all their assumptions 24/7. Every time you blinked you'd have to prove to yourself that the whole universe hadn't just been switched off and then instantaneously recreated itself.

Re:hmmmm (4, Insightful)

hawkinspeter (831501) | about a year and a half ago | (#42858299)

You should however expect normal humans to question assumptions when it comes to letting random people through security doors. Would you be happy if a bank got robbed and the bank staff turned round with "he was wearing a plumber's outfit, so we just assumed he was looking at the plumbing although we were a bit puzzled as to what plumbing was in the vault".

Re:hmmmm (1)

Anonymous Coward | about a year and a half ago | (#42859001)

If it was on a day and around the same time a plumber was scheduled to show up to fix a clogged toilet when an extremely important client was in the office; no I wouldn't be happy, but I wouldn't blame the guy. I'd blame management for not having a system in place to avoid situations where the bank staff is forced to ask "do I risk pissing off our biggest client by having him use a shit-smelling, toilet clogged bathroom or do I hand wave this plumber-looking guy through?"

Re:hmmmm (2)

dav1dc (2662425) | about a year and a half ago | (#42858421)

Not necessarily. Sometimes social engineering takes advantage of people's assumptions. If you wear a printer servicing uniform and people assume that you're there to fix a printer, are you lying or deceiving them? I'd posit that their assumptions are incorrect and you're not deceiving them unless you're challenged and you start lying.

Bullshit, of course you're deceiving them. You cannot expect normal human beings to question all their assumptions 24/7. Every time you blinked you'd have to prove to yourself that the whole universe hadn't just been switched off and then instantaneously recreated itself.

True story, I once walked into an Apple store wearing a blue shirt.
As luck would have it - it looked pretty damn close to the blue shirts that all the "Geniuses" were wearing that day.
Once inside the store, I was bombarded by a constant stream of people asking me technical questions - which it just so happens that I'm good at answering! ^_^

I didn't deliberately choose to wear a blue shirt that day - it was just the luck of the draw.
Did I deceive anyone in this case??

Social engineering can take on many forms.

Re:hmmmm (1)

Anonymous Coward | about a year and a half ago | (#42858169)

If you wear a printer servicing uniform and people assume that you're there to fix a printer, are you lying or deceiving them?

If you wear a printer servicing uniform with the intention of leading people to draw incorrect conclusions from that then of course you're deceiving them. Are you seriously saying that you thought otherwise?

Re:hmmmm (3, Insightful)

hawkinspeter (831501) | about a year and a half ago | (#42858385)

You may have the intent of letting people deceive themselves, but I consider that different to actively deceiving/lying to people.

Here's a car analogy - a car advert might specify "does not contain carcinogenic seat material" with the intent that people will question other makes that don't have that disclaimer. Now, they are not actually deceiving people as they are making a true claim and advertising standards would have no problem with it.

If I go for a job interview wearing clothes that I normally wouldn't wear (suit, tie etc), am I deceiving the interviewers that I usually dress like that?

Re:hmmmm (0)

Anonymous Coward | about a year and a half ago | (#42858927)

You're deceiving yourself then if you don't think you're actively deceiving people when you actively choose to wear a particular uniform with the intent to deceive.

If you wore the uniform out of habit or accidentally and somehow wandered in to somewhere where you shouldn't be in, then people were still deceived but you didn't intend to deceive them, nor did you intend to bypass "access controls" by using that uniform. So a reasonable court should rule you innocent.

Otherwise you're guilty of deceiving people.

Re:hmmmm (0)

Anonymous Coward | about a year and a half ago | (#42858429)

If you wear a printer servicing uniform and people assume that you're there to fix a printer, are you lying or deceiving them?

If you wear a printer servicing uniform *with the intention of leading people to draw incorrect conclusions from that* then of course you're deceiving them. Are you seriously saying that you thought otherwise?

I dunno, what if we set parsemode=XOR

The guy masquerading as a printer tech is *deceiving them*, but he's not *lying* to anybody :)

Re:hmmmm (1)

echucker (570962) | about a year and a half ago | (#42857429)

Social engineering is social engineering. Penetrating a security system is penetrating a security system.

Except security systems rarely exist without a human component.

no matter what (1)

Max_W (812974) | about a year and a half ago | (#42856569)

Justice works slowly, but finally it will get one.

"by holding a box" (5, Insightful)

girlintraining (1395911) | about a year and a half ago | (#42856571)

How many hundreds of millions did Homeland spend to "secure" the super bowl again? Of all the things they've been accused of, fewest of the charges have been competence. When a couple college kids carrying a box can sneak past every security check point, without either them or their box being inspected, it becomes painfully obvious that the security provided is just a show... not unlike the one they're "protecting".

Re:"by holding a box" (5, Interesting)

Pubstar (2525396) | about a year and a half ago | (#42856781)

This whole thing reminds me of the oldest trick in the book to get into night clubs: Have an extension cord/Power strip/DMX cable over your shoulder and just book it past the bouncer saying they need it on the stage NOW or the DJ is going to flip out. Works 99% of the time without you being so much as questioned.

Re:"by holding a box" (4, Funny)

guttentag (313541) | about a year and a half ago | (#42856829)

Actually, carrying a box that looks burdensome implies you are doing work, so people assume you belong there. I once walked into the courtyard of a large "fruit company" by helping a vendor carry in a box. He assumed I worked there, and they assumed I was with him. I even got a name tag at the door.

Re:"by holding a box" (0)

Anonymous Coward | about a year and a half ago | (#42858371)

What does "fruit company" stand for? Never came across that euphemism.

Re:"by holding a box" (0)

Anonymous Coward | about a year and a half ago | (#42858837)

He means Apple

Re:"by holding a box" (0)

Anonymous Coward | about a year and a half ago | (#42856837)

security is always for show, hackers know this very well.

Re:"by holding a box" (1)

tehcyder (746570) | about a year and a half ago | (#42857999)

security is always for show, hackers know this very well.

Indeed, that is why Al Qaeda have been able to "hack" their way through US military security and arm themselves with a few H-bombs.

congrats! (3, Insightful)

sdnoob (917382) | about a year and a half ago | (#42856589)

You just ensured DHS VIPR teams will harass, molest and radiate every person that gets within a block of every Superbowl venue from here on.

Re:congrats! (0)

Anonymous Coward | about a year and a half ago | (#42856607)

Gotta educate the masses somehow.

Re:congrats! (5, Insightful)

Anonymous Coward | about a year and a half ago | (#42856617)

I find it funny how You somehow make it their fault and not DHS'

Re:congrats! (0)

Anonymous Coward | about a year and a half ago | (#42856795)

Authority is always right.

congrats! - This isn't news (0)

DKlineburg (1074921) | about a year and a half ago | (#42856635)

Social engineering is used all the time. This is like saying people are sheeple [xkcd.com] . some form of social engineering is used in a lot of ploys.

Social Hacking [wikipedia.org]

Smishing [engadget.com] is social engineering.

I guess I fail to see how this is new. I understand some of the best old school hacks; call the company and talk to the receptionist. If your good you can get information about employees, or other things to start on.

Re:congrats! - This isn't news (4)

wonkey_monkey (2592601) | about a year and a half ago | (#42856887)

I guess I fail to see how this is new.

Because the story isn't that people use social engineering. It's that these particular people used social engineering to sneak into the Superbowl, a high-profile, suppoedly high-security event, which just happened. Hence, "news."

Re:congrats! - This isn't news (1)

DKlineburg (1074921) | about a year and a half ago | (#42857065)

You quoted were I said it wasn't "new". The poster below you at least realized this and responded to that.

Re:congrats! - This isn't news (3, Interesting)

Jah-Wren Ryel (80510) | about a year and a half ago | (#42856921)

I guess I fail to see how this is new

Who said it was new? What is great about it is that the superbowl was classified as a "Level I National Security Event" [forbes.com] - the very tippy-top of Homeland Security's classification system. These are the events they spend beaucoup (but not published) dollars on "securing" from oogy-boogy terrorists.

So, despite all this focus on security and crap, these kids just waltzed on in. Yet more proof of how much of a waste of money DHS's 43 billion dollar budget really is.

Re:congrats! - This isn't news (0)

Anonymous Coward | about a year and a half ago | (#42857085)

That is interesting. I never heard that. I have to mention a while back I visited a navy installation. I don't know what study they did, but it was something about after 2 hours a "guard" is almost useless. They could see a gorilla stealing a car, and not recognize it due to brain boredom or something. Again, antidoctial, so take it at your value. I couldn't find a study online.

Re:congrats! - This isn't news (0)

Anonymous Coward | about a year and a half ago | (#42857883)

Again, antidoctial, so take it at your value.

I'm guessing you were shooting for anecdotal?

Re:congrats! - This isn't news (0)

logjon (1411219) | about a year and a half ago | (#42858609)

Antidotal, actually. He's got a terminal illness and he's looking for hope.

Re:congrats! - This isn't news (1)

tehcyder (746570) | about a year and a half ago | (#42858033)

Alright, Mr Smarty Pants. Was there a major terrorist spectacular at the Super Bowl?

Exactly, so the security worked.

Re:congrats! - This isn't news (1)

T-Bone-T (1048702) | about a year and a half ago | (#42858281)

How do you know it was security and not that the terrorists screwed up? Maybe they successfully planted a bomb in the stadium but it failed to detonate?

Re:congrats! - This isn't news (3, Funny)

war4peace (1628283) | about a year and a half ago | (#42858313)

This reminds me of someone who was planting lots of garlic around his house too keep the vampires away. No vampires around, so his solution worked.

Re:congrats! (2)

girlintraining (1395911) | about a year and a half ago | (#42857237)

You just ensured DHS VIPR teams will harass, molest and radiate every person that gets within a block of every Superbowl venue from here on.

Yup. Because all it takes is a couple of teenagers pulling a prank for our government to whip out the disintegrator rays and their flying armchairs and start zapping people while screaming "We're saving you motherf--ers! ZAP! SAFE! ZAP! SAFE!"

Re:congrats! (0)

Anonymous Coward | about a year and a half ago | (#42857605)

Screw that. If I get stopped by them and they identify themselves, I will tell them they are not police officers, drive away, and call the real police. Then I will take it as far as possible in court on the 4th amendment [wikipedia.org] , hopefully reaching SCOTUS and putting an end to the insanity.

Re:congrats! (3, Insightful)

tehcyder (746570) | about a year and a half ago | (#42858049)

Screw that. If I get stopped by them and they identify themselves, I will tell them they are not police officers, drive away, and call the real police. Then I will take it as far as possible in court on the 4th amendment [wikipedia.org] , hopefully reaching SCOTUS and putting an end to the insanity.

No, you won't. There's a slight difference between talking tough as an AC on an internet forum and actually doing something about it in real life.

Re:congrats! (2)

Jah-Wren Ryel (80510) | about a year and a half ago | (#42857697)

You just ensured DHS VIPR teams will harass, molest and radiate every person that gets within a block of every Superbowl venue from here on.

Fantastic! The only way the war diginity gets cancelled is if enough people are made to suffer the indiginities of it.

But... (1)

Anonymous Coward | about a year and a half ago | (#42856599)

This assumes you WANT to goto the superbowl...

I'd pay money not to hear about it ever again. Billions wasted every year on grown men playing 'ball'.

Superbowl: A giant toilet we flush cash down every year for no gain.

Re:But... (0)

JustOK (667959) | about a year and a half ago | (#42857417)

It's technically called hand-egg

Re:But... (2)

LVSlushdat (854194) | about a year and a half ago | (#42858893)

Superbowl: A giant toilet we flush cash down every year for no gain.

Thus the name I've used for quite a while to describe it when asked "are you gonna watch the super-bowl?".. I reply "oh you mean the toilet-bowl"

Security is only as good as its weakest link. (4, Insightful)

Chas (5144) | about a year and a half ago | (#42856647)

Unfortunately the weakest link is always going to be found in the form of huge sacks of protoplasm known as "people".

This is why, no matter how well trained you get security, social engineering attempts like this will succeed more often than not.

People are pretty much indoctrinated since birth to try to get along. So if someone looks authoritative, there's a default reaction to simply go with it.

There's only so many things a person can pay strict attention to at a time. Eventually they're going to reach the limit of things they can keep straight in their heads. And openings in their awareness will occur.

There's only so long that people can keep up such vigilance before they start relaxing. It's not laziness so much as stimulus saturation.

I don't care how much money "security" firms and agencies throw at the situation. The only way to avoid it is to not have such events in the first place.

Re:Security is only as good as its weakest link. (4, Interesting)

Anonymous Coward | about a year and a half ago | (#42856805)

Pay one person who knows what he's doing per hour to try to sneak in. Track performance and give bonuses to the people who manage to stop the intruders. The job of security is now suddenly a lot more interesting and challenging. Of course, actual productive work that spans the security area will grind to a halt due to security delays. In the military, newbies get told to guard something and then everyone else is supposed to try to get in. You don't have security if you don't test it.

Re:Security is only as good as its weakest link. (2)

Runaway1956 (1322357) | about a year and a half ago | (#42857131)

In which military, and in what years, did this happen? I find it hard to believe that this is/was common practice in any branch of the US Armed Forces.

Marines guard most of the Navy's gates, facilities, etc, and it makes a marine's day to throw a sailor on the ground, stick the muzzle of a rifle in his ear, and shout "DON'T MOVE MOTHERFUCKER!!" In fact, a private on Adak Island was promoted to corporal after doing exactly that to a Navy Captain. Marines might be slightly more polite to civilians, depending on the circumstances, but I really doubt that. And, being polite doesn't preclude punching a hole through their chest with his assault rifle. When a marine says "Halt!", just assume that you are very close to death.

Smaller commands with no marines assigned are just as serious about security. Even though we all recognize each other, we know each other well, NO ONE moves during a security alert. NO ONE goes into a secure area without authorization. Period.

The Air Force, in my experience, was even more brainwashed than our sailors were.

The Army? I can't speak for them. I had almost zero contact with them while on active duty.

Re:Security is only as good as its weakest link. (1)

rmdingler (1955220) | about a year and a half ago | (#42857881)

I will guard everything within the limits of my post and quit my post only when properly relieved. _1st General Order, US Army. Heresay military studies of the time of my introduction to olive drab as a fashion statement were reported to suggest that privates with higher ASVAB scores (military IQ test) made worse sentries that those below a certain level of measured intelligence.

Re:Security is only as good as its weakest link. (2)

sribe (304414) | about a year and a half ago | (#42858183)

NO ONE goes into a secure area without authorization. Period.

I did once. As a civilian no less. Stupid gits I worked for sent me out with spare parts and neglected to tell me that the small anonymous-looking complex in the middle of town with an obscure bland name was a military research facility. Guard was asleep, slumped over so far I didn't even see that the uniform was real military as opposed to generic rent-a-cop. I drove on in, thinking I was being nice not waking the guy up.

Oh boy, from what I heard, hilarity ensued in my wake. Fortunately this happened decades before 9/11/2001, so once concerned guards caught up to me (which happened *very* quickly), it was all smoothed over quickly and politely and I got on with my work--for me that is, I assume "polite" had no relationship to how the guard was treated...

(That said, I of course only made it into the outer foyer of a building--I doubt that there was any way I would have been able to get to my actual destination inside without signing in, getting a badge, and being escorted.)

Re:Security is only as good as its weakest link. (4, Insightful)

Dr. Evil (3501) | about a year and a half ago | (#42857613)

"Track performance and give bonuses to the people who manage to stop the intruders."

Ensure the bonus even goes to the average schmo hot-dog vendor who challenges somebody who doesn't have their ID showing. It's not a new strategy, but turning it into a game like this shifts cultures. Suddenly all the con-man defenses of "seriously, don't you know me?", "man, you're uptight, chill." or "Bob says it's okay" fall out the window to your "hey, I get $50 if you don't have a badge".

Not to pick on hot-dog vendors. They're probably more people savvy than most of your security team.

Re:Security is only as good as its weakest link. (2)

bloodhawk (813939) | about a year and a half ago | (#42856941)

While I agree social engineering more often then not works, it is actually a sign of POOR training or execution of the security staff. This is exactly the type of thing they should be looking for. I work in areas with security where even if you know the name of the guard and drink with him on a Friday night he won't let you in without a security check and a valid pass as he knows that if he doesn't do it and someone sees him not doing the check he will get canned, The fact that they could socially engineer their way in so easily really was basic security failure.

Re:Security is only as good as its weakest link. (3, Funny)

thegarbz (1787294) | about a year and a half ago | (#42857433)

Unfortunately the weakest link is always going to be found in the form of huge sacks of protoplasm known as "people".

I've heard the TSA called a lot of things, but never "people".

Re:Security is only as good as its weakest link. (2)

m00sh (2538182) | about a year and a half ago | (#42857779)

This is why, no matter how well trained you get security, social engineering attempts like this will succeed more often than not.

As long as the security is better trained than the social engineer, this will not succeed.

People are pretty much indoctrinated since birth to try to get along. So if someone looks authoritative, there's a default reaction to simply go with it.

Something that can be easily changed with training.

There's only so many things a person can pay strict attention to at a time. Eventually they're going to reach the limit of things they can keep straight in their heads. And openings in their awareness will occur.

The human brain does not work that way. With increasing complexity, the human brain groups patterns of actions into one and there is no shown limit of how much stimulus a human brain can handle in this way.

There's only so long that people can keep up such vigilance before they start relaxing. It's not laziness so much as stimulus saturation.

Again, that is not how the human brain and body works. Elite marathon runners can run at 12mph for 2-2.5 hours straight, a speed that most people cannot reach running or even if they do reach it, can only sustain it for a few seconds. With training, people can stay vigilant for hours. The gulf between a trained personnel and an average person is immense.

I don't care how much money "security" firms and agencies throw at the situation. The only way to avoid it is to not have such events in the first place.

The solution is to train the security staff, analyze security holes and create training regimens to block those holes. This costs money and as long as the cost of training is more than the cost of social engineers conning their way through for a free show, such social engineering freebies will be tolerated.

Re:Security is only as good as its weakest link. (1)

Chas (5144) | about a year and a half ago | (#42858941)

This is why, no matter how well trained you get security, social engineering attempts like this will succeed more often than not.

As long as the security is better trained than the social engineer, this will not succeed.

Sorry. But it's not only a matter of training. You can train people all day, every day to eat breathe and live this stuff. And, given the proper environment, it STILL all goes out the window and they default to social indoctrination.

People are pretty much indoctrinated since birth to try to get along. So if someone looks authoritative, there's a default reaction to simply go with it.

Something that can be easily changed with training.

*Easily* huh? I believe your idea of *easy* and mine are two COMPLETELY different things. And, again, it's not merely all about training.

There's only so many things a person can pay strict attention to at a time. Eventually they're going to reach the limit of things they can keep straight in their heads. And openings in their awareness will occur.

The human brain does not work that way. With increasing complexity, the human brain groups patterns of actions into one and there is no shown limit of how much stimulus a human brain can handle in this way.

With increasing complexity, the human brain groups patters of actions into one. Which means they lose to stimulus saturation. Reacting automatically to a certain behavior type is how social engineers are able to bypass this type of security.

There's only so long that people can keep up such vigilance before they start relaxing. It's not laziness so much as stimulus saturation.

Again, that is not how the human brain and body works. Elite marathon runners can run at 12mph for 2-2.5 hours straight, a speed that most people cannot reach running or even if they do reach it, can only sustain it for a few seconds. With training, people can stay vigilant for hours. The gulf between a trained personnel and an average person is immense.

Sorry. But you don't know what you're talking about. This has nothing to do with physical exertion and is, in fact, NOTHING like this. Stimulus saturation, can set in, in certain environments, extremely quickly. Again, it has nothing to do with training.

I don't care how much money "security" firms and agencies throw at the situation. The only way to avoid it is to not have such events in the first place.

The solution is to train the security staff, analyze security holes and create training regimens to block those holes. This costs money and as long as the cost of training is more than the cost of social engineers conning their way through for a free show, such social engineering freebies will be tolerated.

You're wrong. Granted, training will work to LESSEN these types of incidents. But they won't "block" the kinds of gaps these sorts of situations create, and the very notion that the situation is "blockable" in the first place is laughter-inducing.. And anyone who tells you differently is basically bilking you for cash.

Re:Security is only as good as its weakest link. (1)

tehcyder (746570) | about a year and a half ago | (#42858087)

I don't care how much money "security" firms and agencies throw at the situation. The only way to avoid it is to not have such events in the first place.

What, just ban any event where two or more people gather together? That'll work out well.

Re:Security is only as good as its weakest link. (1)

Chas (5144) | about a year and a half ago | (#42858965)

That's not what I meant.

It's a way of saying that there is no easy or pat, acceptable answer to this.

Re:Security is only as good as its weakest link. (0)

Anonymous Coward | about a year and a half ago | (#42858143)

I used to work in a secure government faciliity (not the US), were one day a year the staff were invited to try and break in. This gave security some exercise and the rest of us some fun and/or a day of if you ended up in the cells.

Of course this was cancelled the moment some one actually managed it.

Re:Security is only as good as its weakest link. (1)

Chas (5144) | about a year and a half ago | (#42859035)

Color me unsurprised.

That's almost the first reaction that happens in cases of a breach.

In some cases, it's the correct approach.

In others, it's not.

This was done 6 years ago (4, Interesting)

mentil (1748130) | about a year and a half ago | (#42856681)

Zug.com snuck into the super bowl using social engineering as well.
Details here [zug.com]

Re:This was done 6 years ago (4, Interesting)

girlinatrainingbra (2738457) | about a year and a half ago | (#42856789)

Very nice linked article about the Zug.com prank team. I particularly like that they did it just a few days after the Boston LED Art prank that everyone thought was part of a bomb, and that they were still able to get away with it. They fucking moved two pallets of shrink-wrapped necklace LED lights that weighed a quarter-ton through security and into the stadium. Astounding that anyone can sneak in if they can pass the cardinal 5 rules listed!
Lost in this spectacle, it was easy for me to slip past the security station by just pretending I belonged. I make this sound easy, but in fact I was just following the five magic rules for getting into any event in the world:
1. Wear a suit.
2. Wear a Bluetooth headset.
3. Pretend to be talking loudly to someone on the other line.
4. Carry a clipboard.
5. Be white.

Also another killer quote from the fifth page when they ask the bomb squad to be allowed to borrow a small flatbed truck: http://www.zug.com/pranks/super/index05.html [zug.com] :

The psychology of cat and mouse is that the mouse will never walk up to the cat and ask if he can borrow a forklift. Mice just don't do that.

Now of course, they never show the message, and I don't see proof that they plled it off, so is the prank on us? ;>)

Re:This was done 6 years ago (4, Informative)

MichaelSmith (789609) | about a year and a half ago | (#42856923)

Yeah like the Chaser APEC prank [wikipedia.org]

Re: So is the prank on us? (1)

TaoPhoenix (980487) | about a year and a half ago | (#42857199)

This is also a very real possibility, in this crispy new age of "sensational story - haha, it's just a joke, so long and thanks for all the ad clicks."

My big response is below. I'll end here by just saying that there is something seriously wrong with this story, so I'm not going to sit on pins and needles for 2-4 days for it to pan out as a joke if it is. Because if it's not, we're all busy going "haha cool joke man" when the 100 people pictured in this video are going to lose their jobs.

Re:This was done 6 years ago (1)

PeeAitchPee (712652) | about a year and a half ago | (#42857331)

5. Be white.

Did you watch this video? The two guys who got in were black. I know it's fashionable to hate on whitey and grant him magical unfair advantages at *everything*, but these two dudes just proved that black guys can play that game too.

Re:This was done 6 years ago (1)

Dins (2538550) | about a year and a half ago | (#42857973)

He was quoting the article on Zug.

(But I agree with you on general principle)

Re:This was done 6 years ago (1)

Dins (2538550) | about a year and a half ago | (#42857987)

Excuse me - she was quoting the article on Zug, apparently...

Re:This was done 6 years ago (1)

rmdingler (1955220) | about a year and a half ago | (#42857975)

There's a very real possibility a couple of black men sneaking into certain events, for instance a Superbowl in New Orleans, would stand out even less than a couple of young white men. That said (with regard to the cat and mouse analogy), when you're playing a mouse and there's no real chance the cat will catch and eat you, the pressure and nervousness factor is an order of magnitude less than a real run at espionage.

The Chaser does it better (1)

Quick Reply (688867) | about a year and a half ago | (#42856693)

Re:The Chaser does it better (1)

Anonymous Coward | about a year and a half ago | (#42856731)

This video contains content from Chaser Broadcasting Pty Ltd and The Australian Broadcasting Corporation, one or more of whom have blocked it in your country on copyright grounds.

I want my old internet back. I still remember... we all had simple access to everything. What a concept it was...

Re:The Chaser does it better (2)

Quick Reply (688867) | about a year and a half ago | (#42856737)

Wow seriously. Try this one: http://www.youtube.com/watch?v=N3zKuLgH_l8 [youtube.com]

Re:The Chaser does it better (0)

Anonymous Coward | about a year and a half ago | (#42857311)

Again,
This video contains content from Chaser Broadcasting Pty Ltd and The Australian Broadcasting Corporation, one or more of whom have blocked it in your country on copyright grounds.

I've watched already. But this is just sad, it's happening more and more this days.
And I am on a "free country": Brazil.

Re:The Chaser does it better (1)

Runaway1956 (1322357) | about a year and a half ago | (#42857215)

I have your old internet.

Hola Media Unblocker hola.org/unblocker.html

That was worth another watch. Thanks! (0)

Anonymous Coward | about a year and a half ago | (#42856779)

I like the fact that some of the party were seriously worried. They had gone way further than they expected and were now fully in sniper range.

I wish I could see the look on that officers face when he says "... Chaser"!

Wobble Wobble Wobble... (1)

hairyfish (1653411) | about a year and a half ago | (#42856721)

Is it too much to ask for steadycam?

Re:Wobble Wobble Wobble... (3, Funny)

mwvdlee (775178) | about a year and a half ago | (#42856753)

If you''re going to sneak into some place inconspicuously, the LEAST you can is bring along a complete camera crew.

Some tips on blagging your way in to something (2)

MrDoh! (71235) | about a year and a half ago | (#42856787)

After doing some security work at events, there's some easy tips on what todo/not todo.

1) have some good lucking women with you. Chances are you'll have a guard somewhere that can be distracted by cleavage.
2) if there's 2+ of people trying to blag their way in, A) only let 1 person talk B) if you're both talking, have the same script "My boyfriend went to the room to get the tickets and they were gone" from the girl, as the guy's saying "I left the tickets in the car, I think the valet took them" WILL get you turned away.
3) turn up when there's a line, before the event starts of course, but not too early, if you make a scene, it might be easier to just let you in.
4) if you get turned away by one guard, ask who you need to see to sort this out, go to them, be nice, wave back at the first person who sent you over, if they wave, say 'he took the ticket and said it was ok'
5) never say 'do you know who I am', and if you do, don't claim to be the person stood behind the guard. (that cracked me up)
6) if there's a list with names on, you might be able to peek and claim a name.
7) "where'd you get this obviously fake ticket?" "there's a guy in the foyer selling them, he said it was legit" "it's not, you need to see that person and get your money back" "but I have a ticket!" "it's fake" "but it's for this event" "yeah, no." is the wrong way. Playing the sob story that this was what you bought online, give as much info as you can. If an event has 5k tickets printed, it's not unknown for the printer/promoter to not only keep some tix behind, but to run dupes. This isn't the punters fault, dropping hints that the promoter/printer is dodgy is all too believable and may help you get in if they think you've done the right thing, not got a cheap tix from a dodgy guy out front.
for an event that's 'no re-admittance', the old 'I have explosive poop' will get you out, but might not get you back in, still, worth a try.

I get how social engineering works. Work a door for a few nights, manage an event, you'll hear all sorts of things and very quickly learn what'll never work, what /might/ work.

Ob (1)

Hognoxious (631665) | about a year and a half ago | (#42856819)

Somebody here called for an electrician. Can you tell me what the fault is?

Shit man, it's dark in here!

Re:Ob (1)

rmdingler (1955220) | about a year and a half ago | (#42858069)

Well done.

Accident (1)

Nishi-no-wan (146508) | about a year and a half ago | (#42856881)

I've done this by accident a number of times at both the Asia Series and World Baseball Classic at Tokyo Dome. Thinking back, all I did was have a general admission ticket on a pass carrier around my neck and just walk into the press area while nodding to the guard at the entrance. I was supposed to meet some friends there once, but they got stopped by security. "What? This is a restricted zone?" I had no idea before then that anyone wasn't allowed in there.

I guess it goes to show that if you really believe you belong somewhere and look the part that few will challenge you.

The best I've seen yet... (5, Interesting)

Anachragnome (1008495) | about a year and a half ago | (#42856981)

The best I've seen yet was a kid (I'm guessing around 16 yrs old) I watched in action at a concert at the Cow Palace in San Francisco many years ago.

A friend and I were waiting in line at a Judas Priest concert when I noticed this guy, wearing a light-blue button-up shirt and slacks, using one of them sweeper things--you know, the little broom and a pivot mounted dustpan thing on a long handle that is used to sweep trash into. He was working his way along the line, sweeping up all the crap the people in line were dropping. I watched as he filled the dustpan with trash, walked over to a trashcan near the door, emptied it and went back to work around the entrance--he swept the place clean, then started working his way around the inside of the front door area, even asking one of the security personnel to step aside so he could get to a soda can just behind him. I remember telling myself "What a lame job".

45 mins later, he was standing next to me about 10 feet from the stage, smoking a joint and obviously enjoying himself. After asking him if he minded passing that thing, I asked him where his broom was. He said with a big, stoned grin on his face that he usually leaves it in the bathroom until after the show. Sure enough, when I went to the bathroom between acts, his sweeper and broom were sitting in the corner.

Re:The best I've seen yet... (0)

Anonymous Coward | about a year and a half ago | (#42858661)

So, he 'paid' for his admission with honest labour :^)

SOCIAL engineering (1)

Errol backfiring (1280012) | about a year and a half ago | (#42856989)

So why is this on Slashdot?

Re:SOCIAL engineering - Why on Slashdot? (1)

TaoPhoenix (980487) | about a year and a half ago | (#42857087)

Because of the immense blowback that's about to happen.

If this was told as a "college beer frat party" story even if it was all the same, we would all have "lol okay back to work". Instead there's *video footage of people and "stuff" (places, unmanned areas, etc.)

So we have a real problem coming up: Youtube is already ahead of us wondering if this is just a "footage hoax" ... or the big mean Security Theater Beast will be really PISSED and then we'll see more rounds of lockdown.

Bruce Schneier himself said a ways back that he is shifting focus slightly away from ever more ultra algorithmic breaks to stuff like just calling "Mr./Mrs. X" in some company and getting an insecurely defended password that someone mistakenly gave too many privileges.

Chris Chase from USA Today expressed a similar note of caution with the *CLEARLY INCOMPLETE* story he'd been handed and wondered what's the next step to (maybe/maybe not) punking the security force of the biggest football game of the year. (Does hit the Libel/Slander rules if it is in fact a hoax but makes them look bad?)

Easy ... (1)

rmdingler (1955220) | about a year and a half ago | (#42858233)

Easy there... this is Slashdot and generally folks here who exploit weaknesses in security systems without regard for personal gain are on the white hat side of the field. Here's what should happen: these two will make their 15 minutes complete with a round of guest appearances on the morning show circuit, and if the story really catches on, maybe even culminating with a nighttime appearance on Letterman. If any lesson is to be learned from this breach by security forces, it is probably one they already suspect: their job is a hoax. It is impossible to keep an event like this secure and they are there to perpetrate the illusion of security. The Superbowl sites are picked years in advance. There are years for 'neer-do-wells to access the structures.

Public shows (3, Interesting)

adolf (21054) | about a year and a half ago | (#42857097)

It's not so hard to get from A to B in any public show: The trick is just to act like you belong there, just like everyone else who also belongs there. Blend in.

My own favorite was at a show at the Detroit State Theater. We had assigned seats in the balcony, but the sound really was very bad up there. So we left, wandered, and came up to the entrance for the general-admittance floor area.

There were two security guards looking at tickets before people were allowed into this space, with a small line formed before each of them. We walked right between them as if we owned the venue ourselves, and didn't encounter any trouble. (The sound at front, stage-left was excellent. Kudos to the boardmonkey, and meh to whoever it was that specified the line arrays for that show.)

And for other intermittently-crowded places, carrying a Motorola 2-way portable radio helps. You can direct traffic and behave authoritatively in almost any capacity, even with long hair, regular clothes, and a beard, as long as you have a radio and the gumption to make it look like you belong there. Do that for a little bit, and nobody around will think twice when you slip in through a side door. And after that, just blend in differently: At that level, people aren't paying much attention to security.

(And no, it doesn't matter if the radio works or can talk to anyone.)

So: Social engineering one's way into the Superbowl? Nice feat, but not very surprising.

What, Like John Hargrave? (0)

Anonymous Coward | about a year and a half ago | (#42857317)

http://www.zug.com/pranks/super/index01.html [zug.com]
Well, assuming the "prank" actually happened.

"I'm with the band" (1)

Dan B. (20610) | about a year and a half ago | (#42857619)

This method has been used by about a gazillion people in so many places, so many times, it just doesn't seem like news. Perhaps the only reason it is "news" is because these guys filmed it? I don't know.

I've done the same thing plenty of times to get in place I shouldn't be; all it takes is a pair of cohunas and a bit of front to just go right in where you want to, without stopping once to check you are in without being noticed.

Simpsons Did it! (0)

Anonymous Coward | about a year and a half ago | (#42857681)

And they got thrown in "Superbowl Jail" too.

Look like you belong... (4, Interesting)

LoRdTAW (99712) | about a year and a half ago | (#42857835)

is one of the oldest tricks in the books. I used to work for an entertainment company lugging around equipment. I have been to many venues and big hotels in Manhattan and some are pretty secure, requiring you to sign in and have your picture taken. But there are plenty where all you do is is walk in there like you own the place and no one says anything. As long as you are carrying something then they assume you are part of some staff and just let you walk right in. Even the secure places just require you to say you are from company X for party Y and they let you in without any scrutiny. The parties are planned by a planner who is not part of the venue. So security has no way to easily contact the planner to verify if vendor x is legit or not. They just do their job which is to get a signature and hand out a flimsy sticker pass. If you use a little creative social engineering and figure out what party is happening where you could easily gain access. Even carrying around some legit looking paper work is enough to get you into a venue.

Once we did a party in the museum of natural history, they have a private room in the back (I hear it was $20,000+ just to rent the room, rich kids, you should see some of the parties I have seen, amazing. Once I setup a million dollar bar mitzvah on the intrepid). Me and the guy I did the delivery with setup all the equipment and then walked down the hallway, jumped a set of ropes into the museum and went to the planetarium. No one stopped us or asked us what we were doing.

Across the street where I live is a house which the owner defaulted on his loan. Well he also had a loan through two other banks so the house sits there as the banks cant agree on a decent price which would let it sell. So one day I hear the house was robbed of all its copper pipe, electrical wiring along with the boiler and hot water heater. One neighbour said he saw a van parked outside with some men working in the house. They weren't working but robbing the place. All they needed to do was look legit and no one would question them. Essentially its more difficult to gain access if you look suspicious or try to hide what you are doing.

Re:Look like you belong... (1)

sribe (304414) | about a year and a half ago | (#42858215)

One neighbour said he saw a van parked outside with some men working in the house. They weren't working but robbing the place. All they needed to do was look legit and no one would question them.

Yep, unoccupied house next to mine, one day all the furniture went away in a moving van driven by thieves...

Re:Look like you belong... (1)

LoRdTAW (99712) | about a year and a half ago | (#42858807)

Seriously, if you want to rob someones house all you need to do is to stakeout the place for a few days to get the owners habits down and then come back with a van with lettering on the side. I have seen so many beat to shit vans with writing done in marker, spray paint and those black-lettering-on-gold house number stickers. They look like creepy rape vans but they are legit. So its impossible to know who is legit and who isn't. Just roll up in a van or pickup truck, wear a tool belt and your good to go. The tool belt easily conceals the fact that the hammer and screwdriver are to break open a door or window. also some phony paperwork can also help if a cop rolls up but honestly, cops would most likely pass by if it looked like an ordinary work crew. No one robs a home in the middle of the night wearing black anymore, its all done in broad daylight when people are at work.

I bet you could just as easily walk down a street pretending to be a utility worker with a clip board and walk onto peoples property while looking at their power lines and meter. Then slip around the back and do a quick smash and grab.

The high use of subcontractors and contractors (1)

Joe_Dragon (2206452) | about a year and a half ago | (#42858675)

The high use of subcontractors and contractors makes it even easier as you can say stuff like my firm does not give us ID's or just show some thing that looks like a work order.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?