
When Penetration Testers (Almost) Get Caught

Sometimes employees really do learn their physical security lessons

My company, Secure Network Technologies, was recently hired to perform a physical penetration test that required some extensive social engineering – and resulted in a surprise ending.

Over the years, we have penetrated numerous locations, posing as various characters with bogus reasons why we needed to get inside a client's facilities. But despite our experience, we still worry about getting caught. Waiting for a security guard or law enforcement officer to contact the client – and let us off the hook – is a nasty blow to your ego when you are contracted to demonstrate your expertise in social engineering.

To date, we have been able to successfully penetrate our clients' premises about 96 percent of the time. Occasionally, we get challenged by a receptionist or savvy help desk person who won’t help. Recently, however, we ran into a series of events that we didn't expect and had never seen before.

The goal of the job was to obtain internal network access by posing as contractors and gaining physical access to the building. We had successfully penetrated the client's physical security the year before, posing as copier repairmen and jacking into the network (we did actually fix the copier). This second engagement was a test to see if the training and mitigation steps that the client had taken in the interim would hold up against a second attack.

This time, we decided to penetrate the client's offices as heating and ventilation (HVAC) workers. During our planning for the engagement, we made the appropriate arrangements with the customer, had shirts embroidered with the name of a local HVAC company, and created bogus work orders and supporting documents in case anyone questioned our presence.

Once inside the building, we intended to plant a wireless access point on the client's network, then connect to it from a location outside of the facility.

On the day of the engagement, my partners – Bob Clary and Doug Shields – arrived at the customer's office park: a two-story, multi-tenant building. Both men were dressed in the HVAC disguises, wearing tool belts and carrying a ladder. Their conversation was littered with heating and ventilation jargon, like plenums, vents, and returns. Frightening to think neither man is capable of installing a window air conditioner.

They started just outside of the customer’s office space, peering into the crawl space above the ceiling tiles. After a while, they traced the “problem” to the customer’s offices, and asked for entry into the client's space. The security guard complied, swiping our guys in.

Upon entering the customer space, Bob and Doug were immediately questioned by the office manager. After several minutes of questioning, she checked with her boss and they were allowed to continue their work. Bob and Doug followed the “problem” to the back of the office to get some distance from the office manager, who still seemed suspicious. With the coast clear, they planted a wireless access point, gestured as if the HVAC problem was solved, and retreated to the car.

With the access point now in position and emitting a signal, our guys went to sit in the parking lot and scour through the client's internal network. While the guys were exiting the building, however, several police cars pulled into the parking lot and the officers began bounding into the building. Bob and Doug held their breath and kept moving away from the building, passing the officers on their way in.

Back in my Syracuse office, I received an urgent call from our customer. He said that the building had been broken into during the night, and several tenants had their desktop computers and laptops stolen. He asked me to make sure that it was not our people who had done the deed.

I immediately called Bob and Doug to make sure they had not gone rogue and started a mini-crime-spree while under contract. After checking with them, I called the customer back and assured him we weren't the thieves.

The customer then called Doug and Bob directly and asked them to call off the rest of the engagement. Bob and Doug returned to the office -- now a crime scene -- to learn of the break-in that had occurred the previous night. Apparently, all of the tenants in the building were victims of the break-in -- except our client.

It was frightening to think of what might have happened if we'd been caught in our pen test just a few hours earlier. With thousands of dollars in missing equipment, irate tenants, and police on the trail, getting caught might have been a real ordeal.

In retrospect, I also think our client had some success to be proud of, even though we were able to get in with our elaborate HVAC apparel and gain limited access to their network before calling off the job. The client's escalated security measures warded off the real burglars, even if they didn't stop us. Who would have thought that our IT security effort would stop a physical crime?

— Steve Stasiukonis is VP and founder of Secure Network Technologies Inc. Special to Dark Reading
