Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


12:30 PM

When Penetration Testers (Almost) Get Caught

Sometimes employees really do learn their physical security lessons

My company, Secure Network Technologies, was recently hired to perform a physical penetration test that required some extensive social engineering – and resulted in a surprise ending.

Over the years, we have penetrated numerous locations, posing as various characters with bogus reasons why we needed to get inside a client's facilities. But despite our experience, we still worry about getting caught. Waiting for a security guard or law enforcement officer to contact the client – and let us off the hook – is a nasty blow to your ego when you are contracted to demonstrate your expertise in social engineering.

To date, we have been able to successfully penetrate our clients' premises about 96 percent of the time. Occasionally, we get challenged by a receptionist or savvy help desk person who won’t help. Recently, however, we ran into a series of events that we didn't expect and had never seen before.

The goal of the job was to obtain internal network access by posing as contractors and gaining physical access to the building. We had successfully penetrated the client's physical security the year before, posing as copier repairmen and jacking into the network (we did actually fix the copier). This second engagement was a test to see if the training and mitigation steps that the client had taken in the interim would hold up against a second attack.

This time, we decided to penetrate the client's offices as heating and ventilation (HVAC) workers. During our planning for the engagement, we made the appropriate arrangements with the customer, had shirts embroidered with the name of a local HVAC company, and created bogus work orders and supporting documents in case anyone questioned our presence.

Once inside the building, we intended to plant a wireless access point on the client's network, then connect to it from a location outside of the facility.

On the day of the engagement, my partners – Bob Clary and Doug Shields – arrived at the customer's office park: a two-story, multi-tenant building. Both men were dressed in the HVAC disguises, wearing tool belts and carrying a ladder. Their conversation was littered with heating and ventilation jargon, like plenums, vents, and returns. Frightening to think neither man is capable of installing a window air conditioner.

They started just outside of the customer’s office space, peering into the crawl space above the ceiling tiles. After a while, they traced the “problem” to the customer’s offices, and asked for entry into the client's space. The security guard complied, swiping our guys in.

Upon entering the customer space, Bob and Doug were immediately questioned by the office manager. After several minutes of questioning, she checked with her boss and they were allowed to continue their work. Bob and Doug followed the “problem” to the back of the office to get some distance from the office manager, who still seemed suspicious. With the coast clear, they planted a wireless access point, gestured as if the HVAC problem was solved, and retreated to the car.

With the access point now in position and emitting a signal, our guys went to sit in the parking lot and scour through the client's internal network. While the guys were exiting the building, however, several police cars pulled into the parking lot and the officers began bounding into the building. Bob and Doug held their breath and kept moving away from the building, passing the officers on their way in.

Back in my Syracuse office, I received an urgent call from our customer. He said that the building had been broken into during the night, and several tenants had their desktop computers and laptops stolen. He asked me to make sure that it was not our people who had done the deed.

I immediately called Bob and Doug to make sure they had not gone rogue and started a mini-crime-spree while under contract. After checking with them, I called the customer back and assured him we weren't the thieves.

The customer then called Doug and Bob directly and requested them to wave off the rest of the effort. Bob and Doug returned to the office -- now a crime scene -- to learn of the break-in that occurred the previous night. Apparently, all of the tenants in the building were victims of the break-in -- except our client.

It was frightening to think of what might have happened if we'd been caught in our pen test just a few hours earlier. With thousands of dollars in missing equipment, irate tenants, and police on the trail, getting caught might have been a real ordeal.

In retrospect, I also think our client had some success to be proud of, even though we were able to get in with our elaborate HVAC apparel and gain limited access to their network before calling off the job. The client's escalated security measures warded off the real burglars, even if it didn't stop us. Who would have thought that our IT security effort would stop a physical crime?

— Steve Stasiukonis is VP and founder of Secure Network Technologies Inc. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts
Jai Vijayan, Contributing Writer,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-11
Orca has arbitrary code execution due to insecure Python module load
PUBLISHED: 2019-12-11
RubyGem omniauth-facebook has an access token security vulnerability
PUBLISHED: 2019-12-11
JBossWeb Bayeux has reflected XSS
PUBLISHED: 2019-12-11
node-connect before 2.8.2 has cross site scripting in methodOverride Middleware
PUBLISHED: 2019-12-11
Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote cod...