Friday, March 28, 2014

VIP Social Engineering

Yesterday there was this big commercial vendor security event in Belgium with a VIP area. I was offered VIP entrance tickets, but at the time they were offered I wasn't even sure I wanted to go, and now I had regular tickets.

So the thing was that a number of people I knew were VIPs and I wanted access to the area where I was not supposed to come.

The first time I stopped at the lady checking the badges with my phone next to my ear, totally ignoring her and having a conversation with somebody who was actually inside. It was funny because I was describing the area loudly like "I see this banner, and to the left that poster and ... ok now I see you" and just walked right in like I belonged there without getting challenged.

The second time I wanted a different approach and got challenged. I showed my badge, she said I couldn't enter, and I asked why not, so she had the feeling she was doing her job. Then I said I really needed to talk to my colleague and pointed at a guy who was going to sit down. He was actually my colleague, but I could have pointed at anybody just far enough away to make sure she couldn't leave her desk. Since she was alone, she had no way of going to check my story. She said ok, but I couldn't have any drinks or snacks ... sure, I said I needed a chat with that guy, no drinks, no snacks.

One of the guys going in with me piggybacked on my excuse and did not even have to speak a word; he just smiled.

Yes, we did this for fun and giggles, but social engineering is used daily by bad people.

