How to sneak into a security conference
A social engineering expert details how he managed to go anywhere he wanted at RSA 2012, and then got a free conference badge under a pseudonym to boot
By Joan Goodchild, Senior Editor
February 28, 2012, CSO
When I checked in at the RSA 2012 conference, I was directed to wear my badge at all times.
"You won't be able to go anywhere without it," a registration official informed me.
But this did not seem to be an obstacle for my anonymous source, whom I met on the first day of the conference. A risk management and physical security expert, he is in the business of "pen-testing humans" via social engineering, he said, and he also has expertise in event security. I met him while I was covering the event, and he agreed to give me details of how he snuck into RSA in a matter of minutes without any credentials—and then went back and got credentials under a fake name to boot.
My source was in the area attending the nearby B-Sides security event, and he had a B-Sides staff badge because he was working during some of that conference. Although he had not registered for RSA, he decided to wander over and see what was going on.
"I walked in, walked around, cased the place for a few minutes," he explained to me. "I saw where all the entry points were located and where the security guards were standing."
He stood for a short time and waited for a group of people to walk in together. When a new security guard came in to relieve another one near an entrance point, my source saw his chance.
"I started walking in with a large group of people. I held up my badge and covered the B-Sides logo with my thumb. I flashed it and said 'I'm staff' and kept going in, never missing a step."
At that point, my source was in—and free to take part in many of the RSA Conference activities. He said he walked around for a while and even attended two of the scheduled presentations.
Expo hall: In through the out door
The next challenge he decided to take on was getting onto the RSA expo floor, the large area where security vendors display their products and newest releases to attendees. The floor was closed until 6 pm that evening and guards were positioned at the doors, turning away anyone who was curious to get in.
My source said he noticed there were several security guards staffing the entrance, but only one on exit duty.
"The exit area was large. I waited around and when she started talking to someone, I walked in the exit when someone else was walking out."
At that point, he was on the expo floor, where most companies were still setting up displays and product demos for attendees.
"At that point you are looking to steal badges, t-shirts, hats so you can act like you're working for a company," explained my source. "If they had company computers out and active, I could have messed with those. I could easily install a USB device with key logging software on it."