Schneier on Security
A blog covering security and security technology.
July 30, 2008
Video demonstrating how easy it is to social engineer your way into clubs by pretending you're the DJ.
Posted on July 30, 2008 at 1:30 PM
And he's wearing a bag which could house a lot of things. Like a bomb or more simply, guns.
Tells us how much terrorists are lazy. Or over-feared.
What they don't show is the places they were denied entry/access.
This is hardly a believable report as clearly they edited the tape themselves. After all, their story-line is about how easy it is to abuse trust and lie.
I see a similar thing among party goers every club night. They cruise to all their favorite spots and pretend to be a VIP or with a VIP, etc. The next day they talk up all the "cool" places that let them in for free. They never mention the ones that turned them down. That would spoil the image/fame, right?
A more realistic study would be of events like the musician in Santa Cruz who was severely delayed because he was denied entry to his own concert by guards who profiled him. He went outside for a quick smoke, leaving his ID and such behind, and then couldn't get back in without a struggle.
Uhh, yeah, I'm with the band.
Yes, it works almost all of the time and it really helps if you're holding musical / audio equipment at the time of entry.
Is this really news to anyone?
No. What this is is a demo of how a noted security expert can be tricked into shilling for a soft drink.
Note the credits at the end of the piece.
See, it really is all about expectations. :-)
As opposed to being female and having large, practically (or actually) bare breasts? There are many, many ways into clubs without proper checks.
I worked as a doorman/security for two bars/clubs during college. If someone walked up to me dressed like that claiming to be the DJ, I would have probably let them in too. Then again, these were not your typical NYC or LA nightclubs that are heavily guarded - so good points @Davi.
If he tried and we didn't have a DJ there that night, it would have caught my attention.
What's more worrying is that the same con seems to have worked at Parliament House, Sydney. Although as a public building it is probably freely accessible, the security guard didn't query why a DJ might be playing a gig in Parliament and just ushered him in.
@Matt Wharton: If you listen closely to the Parliament bit, the guard indicates that the "DJ" still has yet to go through a security checkpoint (as opposed to the front door), which they didn't show in the video.
I worked at a music publication for a few years, and ever since I've gotten into a lot of shows for free just by saying I'm with a local paper or magazine. Although there were a couple times when I was legitimately supposed to get in for the paper when someone else had already used the trick on the doorman. Nowadays I usually only try that one if it's something that's sold out, though.
I was one of four guys who breezed past the ticket checkers at a Jefferson Airplane concert at the Syria Mosque in Pittsburgh without saying a word, simply because we looked and acted like roadies.
Having spent years as a door guy I'm familiar with the "I'm the DJ" trick. People try it all the time (and this is not social engineering, this is lying. Social engineering would be more of knowing the guy at the side door and not needing to dress like the DJ). While, yes, on occasion you will get the new guy who doesn't know who is DJing or whatnot, it's not common. When I ran my crews all DJs/staff were wrist banded or stamped and were always greeted by the manager of the evening... But then again, I was keen on security and being a jerk of a bouncer ;)
That being said, it is amusing to watch some folks get duped.
When I was in the US Air Force, I found I could wander almost anywhere I wished simply by carrying a large aluminum clipboard, and acting purposefully. Once, that included a base command post, despite my lack of controlled area credentials.
Speaking as a dj, this absolutely works (at clubs and shows, at least - I've never tried it at government buildings). I've never abused it, but as any regular Crypto-Gram reader probably would, I've noticed that hardly anybody ever checks when I show up with some dj gear and announce that I'm playing tonight. It usually extends to a +1 as well (typically my wife, in my case), and for events when I'm bringing my whole rig, a couple friends to carry everything could get in, too.
In my town, there was also a "floating" gay club for a while that would take over local venues with themed parties. It was a two part operation. First a bunch of people would show up and start running up tabs. ("What are all these gay cowboys doing at the goth night?" "I don't know, but they sure are thirsty!") Then, later in the night, the dj shows up and announces that he was booked to do the party months ago, and hey, just *look* at all the patrons who came out to support him! If they were *really* going to cancel it with no warning at the last minute like this, then fine, but all his people were liable to walk out on their tabs when they heard.
So, the manager would reluctantly agree to give him a short set, and for a couple hours there would be a costumed gay disco in the middle of the biker bar / oldies / top 40 / whatever format the club usually ran. And then everybody paid their tab and left.
Here's my experience.
I was sat in the bar with the DJ and several friends. I went to buy some drinks and was refused service because the bar was closing to prepare for the evening session. I said I was with the DJ and the barmaid laughed. I returned to the table and took the DJ to the bar. The barmaid still refused to believe us. That was until the DJ flashed his ring which had his initials on it -- also his DJ name. Thereafter drinks were generally on the house.
After we had finished in the bar we moved on to a nightclub where a fellow DJ was playing. We arrived at the door and were refused entry due to the time of the evening. Once again we cited we were with the DJ. We were refused admission. Even with the DJ on the phone -- during his set! -- the door staff would not let us in. Eventually the DJ left his decks and came to the door. The door staff apologised, took us to the VIP area and arranged some drinks.
So in my experience it is difficult for DJs to convince people of their identity. However, if they aren't believed it typically results in free drinks.
I've actually seen the reverse happen. When Portishead did a secret set at a venue here in Bristol last year, the bouncer charged Beth Gibbons to get in.
Who would have guessed that readers of this blog had so much experience with clubs, bouncers, and DJs?
Tried and Failed: I would guess your mistake was saying that you're "with" the DJ. Bouncers get that - or even more commonly, "I'm with the band" - all the time, and I'm not surprised that it's difficult to convince them they've made a mistake once they decide you're trying to slip past them. The trick is to say that you *are* the DJ, preferably with some DJ-related accoutrements. Or, to actually walk in with the guy who looks like he is the DJ.
I have applied the same trick to stage musicals as opposed to night clubs. The differences with a musical are that you have a large cast (50 or so people), a large orchestra (30 - 40 people) and the customers are paying $40 - $100 to get in.
If you show up wearing all black and carrying a musical instrument and go for the stage door rather than the main entrance the security guards won't give you a second glance. The best thing is that it works better during the second week because the security guards are getting to recognise your face.
The most recent example on a really grand scale of social engineering in Australia has to be when the satirical comedy team from The Chaser's War on Everything http://www.abc.net.au/tv/chaser/war/ put together a fake motorcade under the Canadian flag to see how far into the government-declared no-go "Red Zone" they could get during the 2007 Asia Pacific Economic Cooperation (APEC) conference in Sydney, Australia. http://www.smh.com.au/news/apec/... The government passed special laws to secure parts of Sydney, including restricted no-fly airspace patrolled by Royal Australian Air Force FA-18 Hornets http://www.defence.gov.au/opdeluge/images/...
Social engineering plays a major part in The Chaser team's comedy; it never ceases to amaze me how just being dressed in a nondescript business suit and tie, being of average height and build, clean shaven with short hair, seems to be the main key to gaining unauthorised entry to many places. http://www.youtube.com/watch?v=kOEWd_M5m44
Australian comedian John Safran did this years ago by dressing up a bunch of teenagers as members of Slipknot and getting them into an exclusive nightclub.
This isn't new and these guys probably ripped the idea from Safran.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.