Life-changing risks pentesters take to help you boost security

Should you hire pentesters or opt for a complete monitoring toolset?

This might not be a question of ensuring better protection, but of protecting people from jeopardising their careers. The story is based on an interview with Gary and Justin, pentesters. The podcast is posted on Darknet Diaries.

Part I

Conducting a penetration test on a courthouse and defending themselves in front of a judge in the same building a few hours later – this is what happened to two pentesters working under contract.

Coalfire provides organisations with penetration testing, reporting on physical and software security issues, and social engineering prevention strategies. Its specialists gain access to an organisation, check its security systems and take notes to inform the organisation’s owners or managers about potential risks. Security assessments, website testing, password evaluation and compliance checks are among the many tasks Coalfire specialists perform.

A financial institution contacted the penetration testers to ask for a physical penetration test of its branches, to make sure the buildings’ security level met the requirements. They agreed on the scope of testing and on what the scenarios could be.
It is important that everything stays within the law: Coalfire works with lawyers to make sure the agreement on the scope will not turn its testers into burglars.

The VP, the head of security and the head of the physical security team were the only people in the courthouse who knew about the test being conducted.

What do pentesters do? They come in and check whether computers are left unlocked, whether passwords are written in a notepad or sensitive information is exposed, and what the alarm systems and door locks are like. Gary and Justin are the two pentesters working for Coalfire, which was hired by the state to perform a test on the courthouse. They decided to pretend that they would exploit the air conditioning unit to get into the building.

As they entered the building and collected the intel, they found out there was a daily security code.

They broke into the second branch at night, bypassed the entry into the branch location, gained access to the internal network, found the software that assigns the daily code and waited until the code changed for the next day.
In the third branch they already had more knowledge: the layouts of the buildings and the code. But their cover was blown. They had to say they were part of the internal security team, and showed the employees that they knew the code. Pentesters, even when busted, always try to come up with a new story so that they can continue their work and find as many security loopholes as possible. One of them would keep the staff busy chatting while the other walked around the place, going anywhere a stranger shouldn’t and learning details about the alarm systems and safes in use that could be bypassed by a real intruder attacking the building’s systems. They got out successfully.

They phoned the next branch ahead of their visit, using the same pretext, that the air cooling unit needed to be fixed, but they felt that this time it wouldn’t be so easy. The air conditioning story fizzled out pretty quickly, and the team went on with the internal security pretext. Nothing they said was good enough for the branch employee: instead of accepting any explanation, she called the police. Only then did Gary and Justin have to come fully clean about their profession.

Before that happened they tried to tell her the code of the day, but the branch employee had no interest in any information they could provide. She would hardly even have looked at a legitimate ID had they actually worked there.

She turned out to be an assistant branch manager, and the manager was away, so she took on her responsibilities with as much paranoia as she could muster while in charge – a perfect bank employee.

When they finally revealed themselves as pentesters, the employee called the head of security, and much to their surprise, her boss denied knowing of any testing being conducted that day, which made the penetration testers start to sweat.

Thankfully, he called back a minute later and said that, of course, it was true: he remembered the guys who had been hired to conduct a test. And everything was OK, except that the majority of employees had let the pentesters in, showing little concern about the suspicious visitors.

In such scenarios the police would usually take a keen interest, saying how cool the testers’ occupation was, and everyone would exchange polite advice and praise, noting how smart the testers had been to come clean to the police instead of waiting for the police to catch them. The client was impressed with the results and was to ensure that all the discovered loopholes were closed.

One year later the pentesters were even invited to return there with a new task. They were to conduct in-depth internal research. They had a week for the assignment and could do nearly anything they wanted, e.g. use lockpicks, tailgating, dumpster diving and plugging in flash drives. What they couldn’t do was turn off the alarms, as that would defeat the actual purpose of testing the security system. The pentesters were warned about the Supreme Court convening, which was going to take place on the third and fourth floors. The employees asked them to try to breach the doors which led to those floors, but later.

The rules of engagement were a 28-page document, and they discussed far fewer details on the phone. They created a get-out-of-jail-free card – a list of people, security employees who worked at the Iowa Judicial Branch, who could confirm that the pentesters really were pentesters if they got caught by the police.

Not all the loopholes, tricks or vulnerabilities can be disclosed here, but some of them are mentioned below.

An under-the-door tool would let them open a door with a handle mechanism more easily than with lockpicks. “I can what, 80%, if you had to put a number on it, 80% of doors can be bypassed by bypassing the latch”.
They entered at night and began to look for a place to plug in their drone and to take photos of any security issues. They got to the desk of the person who had hired them and left a present there – a business card – as proof that they had got there. They contacted him every day to report the vulnerabilities they had discovered and to point out that minor security fixes could close them.

The next time, on Tuesday, they went back at night and had to unlock two doors. The first one gave in easily, but the second one seemed to have a latching mechanism they couldn’t see. Eventually they got into the room with access to all the security cameras. They could see one man going through the corridors and checking the building. The pentesters kept in mind the so-called “blind spots” where they could sneak through and continue their testing. The first alarm they “tripped on” was triggered when they pushed a door open. The sound of the alarm filled the building. They figured out that the doors they had passed through had been left propped open. That’s why the alarm got triggered.

They managed to complete the testing on Tuesday without any problems, except for the alarm. But no one noticed that misstep. Anyway, they recall how much fun it was to look at the cameras and “hide under stuff”.

As they finished quite quickly, they went on to check another courthouse – Dallas County Courthouse. The pentesters decided to have a break and a snack before entering the second building. They used the time to make sure no one was patrolling the courthouse, and remembered that they had been asked not to bypass the alarm on the building, since with the alarm turned off others could walk in without it ringing.

So they were about to enter and realised that the door was open. When they pushed the door, the alarm didn’t go off. After a few guesses and attempts to make the alarm ring, they closed the door and started again from the very beginning to see what was wrong. And yes, when they tried to open the door it started to beep, giving them seconds to enter the security code before the real alarm went off. And then it started to ring, so loud the entire town could hear. They waited for the police to come to the site. When the officer arrived he couldn’t open the door, so they opened it for him and offered to talk, explaining that they were only testing the security and had been hired by Iowa State Courts.

As the police were not part of the scope, the pentesters came clean without hesitation and handed over their get-out-of-jail-free card. Two of the three numbers on the list went unanswered when the police tried to verify the testers’ presence in the building at night.

Then the story took a drastic turn. The sheriff appeared. He said the testers had no authorisation to do what they were doing because the people who signed the contract didn’t own the courthouse.

The worst-case scenario for the pentesters was to spend an hour or two in a cell while everything got sorted out. But this time it was different. The sheriff accused them of trespassing and claimed that they should be arrested for burglary.
