How I snuck into a cybersecurity conference with fake credentials

The name of the conference and its parent company’s identity will be censored and protected until I have permission from them to be identified.

This is how I faked my corporate credentials to sneak into a cybersecurity conference

Thursday’s conference was a gathering of security-minded professionals and vendors. The message of the day was that preventing threats is the first, and most important step in keeping your business open. Naturally, I decided to sneak in.

I am a professioNO

This conference was supposed to be for experienced professionals. No students, no consultants, no random men in Black Metal shirts and kilts. The filter to keep said people out was a form that required a corporate email. This would “prove” that you were a professional currently working for a valid company and presumably not some unemployed networker looking for work… and well, that was it. My mission was clear: make up a fake cybersecurity company, build a website that would only pass at a glance, and assign myself an email.

The fake company needed a tech-sounding name, a “.com” was a must, and, for fun, I decided it had to be just odd enough to raise a brow if read more than once. The most important aspect of this mission was to leave enough red flags on the website so that an actual cybersecurity professional would wonder how I got in at all. Of course, getting a .com at a budget these days is a tall order. Not so if the name is ridiculous enough and obscure, so “1nfornography” was born (a portmanteau of info and, well, you know). I decided to steal the business motto of the villainous corporation from Robocop (Omni-Consumer Products) and modify their fake logo. That done, I found a theme on WordPress for tech consulting and barely modified it or changed much of its language. The only link that works on the entire site leads to a page that states that the site is a farce, with info on where to find my resume. Minutes later I had an email assigned to me with my full name and the fake company’s web address. I filled out the form and waited. About a day later I got my confirmation.

Lists are social proof.

At this point (supposedly) at least one pair of eyes had seen my email and my website as my credentials were not immediately approved. A week after confirmation a representative of the conference called me. They were pleasant and let me know of all of the fun things that would be going on at the conference. They confirmed my name, my email, and the organization I was with. There was, however, a light pause when they read “1nfornography” back to me, but no resistance after that. The call ended and I had an indulgent laugh, looking forward to the conference.

The phone rang again. It was the same number. Was the gig up, had I been found out now that another set of eyes saw what I was up to? No. The rep had accidentally dialed me again instead of the next participant.

I showed up to the conference in a blazer and a kilt. Refuge in audacity I figured. It was a pleasant experience. Most people were excited to talk to me about cybersecurity, and I was honest with my credentials and means of sneaking in with those familiar with penetration testing. A very nice business leader had a chuckle with me when he saw the Robocop references.

No one noticed this guy?

It was not enough for me, however, to just have me fake my credentials. Better is the point I am making if others sneak in and join. So I gave a one, Dr. Rokhousen, an 1nfornography email and he arrived post-haste with a cacti drink.

Blazers. I’d buy that for a dollar!

He could, of course, select whatever title he wanted when he signed up, and I suggested a few industry titles for him to use. He ignored all of them. Dr. Rokhousen went for the gold. Without intending, he chose one of the highest titles in the business: CPO.

The team was complete, it was time to talk to some marketers.

We naturally fell into a pattern. I would shmooze the booth guys with jargon and platitudes and Dr. Rokhousen would quickly grab as much marketing swag as he could, adding a little quip here or there. “Are you guys hiring?” a marketer asked, “No,” said Dr. Rokhausen, “we’ve had massive layoffs— you could say our business is more cyber-insecurity right now!” A smatter of unconfident laughter responded. Good people.

It was, admittedly, a low-stakes adventure, especially seeing as I had no ulterior motives, just hubris and gumption. Sneaking into a free cybersecurity conference is not the same thing as sneaking into Fort Knox. The marketers want you there. But the irony was too fun to ignore. I’ve reached out to the event leaders to let them know what I’ve done with good intentions. I will update if I get a response.

–=⛧⛧⛧=– About the author: Michael Fitzgerald is a penetration tester, post-apocalyptic parody author, and a mad scientist. –=⛧⛧⛧=–

Updates

12.24.23:

I have not heard back from the event leaders. However, I passed along a few business cards with a QR code at this conference which led to a page informing whomever scanned it “that this site is a farce“. This is also the same page that any working link on the fake page goes to. Since the conference, I have heard from multiple marketers who have not yet checked that QR (or did more than glance at the page) and are under the impression that 1nfornography is a real company. I do not know yet how I am going to break it to them.

Go to a random site!
2 thoughts on “How I snuck into a cybersecurity conference with fake credentials”
  1. Pingback: This site is a farce. – 1nfornography
  2. Pingback: 我使用伪造的证件偷偷潜入了一场网络安全会议。 - 偏执的码农
Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Filed under: Cybersecurity,Pentesting - @ November 29, 2023 4:45 am

Tags: ,