So much time is spent these days on logical security, penetration testing, intrusion detection, etc. The reality is most attacks occur from the inside. This week I attended a trade show at which I was scheduled to speak. Upon arrival at the convention center I approached the speakers' registration booth to collect my conference badge and materials. After 2 or 3 minutes of searching it appeared that there was no badge for me and I was not in the system as a registered attendee or a speaker. Apparently I did not register, but if I have received numerous confirmations of the speaking engagements, should I not already be registered? Anyway, when I was not found in the system I proceeded to open a conference program and point out that I was scheduled to speak at two sessions; how could I not be registered? The person manning the booth then proceeded to enter my name into the computer and create me a badge with the name of the speaker I pointed out in the program. Never did they ask to see identification to verify that I was actually that person; I had socially engineered my way into the conference.
The biggest hole in any secure system is the human beings who work within the system. Even in theatrical scenarios like the ones portrayed in Mission Impossible 1 through 1000 🙂 the key to entry is always a person. Find the weakest link with the most information and power and social engineering goes to work. Once I received my badge I proceeded to walk onto the show floor, which was in large part unmanned at the hour I was there. There was literally next to no security, with plasma and LCD TVs everywhere and computers powering these TVs; I pretty much could have walked out with anything.
It was a pretty good show overall and I thought this experience was worth sharing.