How to sneak into a security conference

When I checked in at the RSA 2012 conference, I was directed to wear my badge at all times.

"You won't be able to go anywhere without it," a registration official informed me.

But this does not seem to be an obstacle for my anonymous source, whom I met on the first day of the conference. A risk management and physical security expert, he is in the business of "pen-testing humans" via social engineering, he said, and he also has an expertise in event security. I met him while I was covering the event, and he agreed to give me details of how he snuck into RSA in a matter of minutes without any credentials—and then went back and got credentials under a fake name to boot.

[Also see How to rob a bank: a social engineering walkthrough]

My source was in the area attending the nearby B-Sides security event, and he had a B-Sides staff badge because he was working during some of that conference. Although he had not registered for RSA, he decided to wander over and see what was going on.

"I walked in, walked around, cased the place for a few minutes," he explained to me. "I saw where all the entry points were located and where the security guards were standing."

He stood for a short time and waited for a group of people to walk in together. When a new security guard came in to relieve another one near an entrance point, my source saw his chance.

"I started walking in with a large group of people. I held up my badge and covered the B-Sides logo with my thumb. I flashed it and said 'I'm staff' and kept going in, never missing a step."

At that point, my source was in—and free to take part in many of the RSA Conference activities. He said he walked around for a while and even attended two of the scheduled presentations.

Expo hall: In through the out door

The next challenge he decided to take on was getting onto the RSA expo floor, the large area where security vendors display their products and newest releases to attendees. The floor was closed until 6 pm that evening and guards were positioned at the doors, turning away anyone who was curious to get in.

My source said he noticed there were several security guards manning the entrance, but only one on exit duty.

"The exit area was large. I waited around and when she started talking to someone, I walked in the exit when someone else was walking out."

At that point, he was on the expo floor, where most companies were still setting up displays and product demos for attendees.

"At that point you are looking to steal badges, t-shirts, hats so you can act like you're working for a company," explained my source. "If they had company computers out and active, I could have messed with those. I could easily install a USB device with key logging software on it."

Why not: Getting a badge under a fake name

After a short time on the expo floor, my source decided to exit the floor and left RSA to head back to B-Sides. But once he was out of the building, he searched on Google for any RSA RSVP codes companies had extended to clients and others to register for the conference for free.

Using a free registration code he found online, he registered for RSA without using his real name. He then went into the venue again to obtain an RSA badge and was given one without showing any form of identification. He only had to turn on his smartphone and show a copy of the confirmation email (which he had received after registering with the free code) in order to get his badge.

My source, who makes a living by sneaking into events to test their security, said he thinks the biggest weakness was staff training.

"They need training on awareness of badges and an understanding of what is allowed in and what is not," he noted. "And social engineers will take advantage of the crowds and chaos. But that is something security guards should be trained to deal with."
