Observations at a Security Conference

Nearly every year since 2009, when THOTCON started, I’ve gone as an attendee. My first year, I was still working in physical security. Both the conference and I have matured, and it is great being a part of this field.

Each time I leave with new motivation, and a little more caution about how data is handled. This year I noticed three problems during this trip, the most egregious being…

Speakers Taking Attendees Out to Lunch

It should be a fair assumption that a conference speaker should follow best practices of security hygiene at all times. In this case, I saw a previous year’s speaker with a pretty clear American Express card, strapped face up onto a bag. This picture has been purposefully blurred and pixelated — the original having the numbers legible. The bag is also clearly abandoned at this point, with nothing but a keychain stopping me from grabbing that card.

Credit card number face up, attached to a backpack
Let’s go shopping!

How Suite of You <3

Holiday Inn generally maintains very clean hotels, great staff, and decent rates. I have, however, been issued room keys just by giving out a room number or asking housekeeping staff. Somehow, this seems worse…

Hope that’s not a PIN…

Behind each of the small podium-style desks hung the master keys for the building. I could have potentially done the following:

  • Climbed onto the roof and realized I was afraid of heights and done nothing
  • Broken into the breakfast bar and made a leaning tower of 25 Belgian waffles
  • Gone into the laundry room and OD’d on Tide Pods
  • Gone into the pool after hours and… enjoyed myself? (Still can’t figure out why they close it on me)
  • Or perhaps most obvious, gone room to room taking down TVs, collecting laptops, jewelry… Or obviously much worse.

I was an avid watcher of a show called Hotel Impossible. In this, the host (Anthony Melchiorri) had demonstrated how bad this is… He filled up the back of a cameraman’s SUV with a hotel’s televisions. He also hid in the bathroom of a room that was supposed to be empty, only to demonstrate to the housekeepers that he could have attacked them. He got this master key off of a roll-around maintenance cart. The show is fantastic, and I’d recommend it to travelers and hoteliers alike.

A friend of mine (who bought too much pickup truck) had checked bags at this hotel as well. We were pretty darn close to missing the Metra pickup time due to a fantastic SDR talk. Our Lyft driver got us to the hotel just in time to pick up our bags, and then get to the train station. My friend (with the oversized cab) ran in, said he needed the bags for room 143, and was in a hurry — the bags were handed over without question based on room number… Not name, identification, room key, etc.

Possibly the least entertaining problem, however, goes to the good ol’ United States Postal Service:

PII, Delivered

This postal worker was really friendly, carrying letters into a local business. The problem is that there are a few folks standing outside of this business flashing badges with stormtroopers on them, another badge with a chalk outline of a dead person, and shirts that say “HACKING IZ KEWL” on them… And this guy leaves a bin — on wheels — full of mail in front of those people while he goes inside of a business.

Meh, they’re probably just bills anyways.

Takeaway

Really — the takeaway here is — please train your federal employees, your hotel management, and your conference speakers on security. It truly is important, and most people aren’t like me — most will ignore these issues. Some will take pictures, laugh about it with friends, maybe make a blog post (this is me). But there are others who will just grab this stuff. Look around your cube right now… Do you have your wallet on your desk? Do you have your keys sitting out? Can I take pictures of them? (See: TSA keys leaked, for example). Do you have an empty package of Master Locks in your trash with the bitting code facing up? I’ve seen all of this within the past few weeks. Stop making me sad.
