When I checked in at the RSA 2012 conference, I was directed to wear my badge at all times.
"You won't be able to go anywhere without it," a registration official informed me.
But this does not seem to be an obstacle for my anonymous source, whom I met on the first day of the conference. A risk management and physical security expert, he is in the business of "pen-testing humans" via social engineering, he said, and he also has an expertise in event security. I met him while I was covering the event, and he agreed to give me details of how he snuck into RSA in a matter of minutes without any credentials—and then went back and got credentials under a fake name to boot.
[Also see How to rob a bank: a social engineering walkthrough]
My source was in the area attending the nearby B-Sides security event, and he had a B-Sides staff badge because he was working during some of that conference. Although he had not registered for RSA, he decided to wander over and see what was going on.
"I walked in, walked around, cased the place for a few minutes," he explained to me. "I saw where all the entry points were located and where the security guards where standing."
He stood for a short time and waited for a group of people to walk in together. When a new security guard came in to relieve another one near an entrance point, my source saw his chance.
"I started walking in with a large group of people. I held up my badge and covered the B-sides logo with my thumb. I flashed it and said 'I'm staff' and kept going in, never missing a step."
At that point, my source was in—and free to take part in many of the RSA Conference activities. He said he walked around for a while and even attended two of the scheduled presentations.
Expo hall: In through the out door
The next challenge he decided to take on was getting onto the RSA expo floor, the large area where security vendors display their products and newest releases to attendees. The floor was closed until 6 pm that evening and guards were positioned at the doors, turning away anyone who was curious to get in.
My source said he noticed there were several security guards manning the entrance, but only one on exit duty.
"The exit area was large. I waited around and when she started talking to someone, I walked in the exit when someone else was walking out."
At that point, he was on the expo floor, where most companies were still setting up displays and product demos for attendees.
"At that point you are looking to steal badges, t-shirts, hats so you can act like you're working for a company," explained my source. "If they had company computers out and active, I could have messed with those. I could easily install a USB device with key logging software on it."
Why not: Getting a badge under a fake name
After a short time on the expo floor, my source decided to exit the floor and left RSA to head back to B-Sides. But once he was out of the building, he searched on Google for any RSA RSVP codes companies had extended to clients and others to register for the conference for free.
Using a free registration code he found online, he registered for RSA without using his real name. He then went in to the venue again to obtain an RSA badge and was given one without showing any form of identification. He only had to turn on his smartphone and show a copy of the confirmation email (which he got using a free code) in order to get his badge.
My source noted as someone who makes a living by sneaking into events to check security, he thinks the biggest weakness was training for staff.
"They need training of awareness of badges and an understanding what is allowed in and what is not," he noted. "And social engineers will take advantage of the crowds and chaos. But that is something security guards should be trained to deal with."