We continue to share with you cool information security materials that we found on the network. And we couldn’t ignore a decent English-language podcast Darknetdiaries… One of his episodes is a conversation between two experienced pentesters (Gary and Justin).
They tell the story of what a security audit once turned out to be for them. Pentesters hacked into the entrances to the premises and the IT infrastructure of the court, and just a few hours later they were there, but as defendants. They managed to prove their innocence only months later, so the story can be considered quite dramatic, if not for the sense of humor of the storytellers.
We share the find and retell the story from a third person for convenience. Pentesters disclose only a small part of the techniques that they use in their work so as not to give information to those who decide to use it for criminal purposes.
Original for those who wish here – both in audio and text format.
Gary and Justin are at Coalfire, a penetration testing company that reports security and information security issues to customers and develops strategies for countering social engineering. One such large customer was a government organization, it needed to check security systems in courthouses. The parties agreed on the scope of testing, possible penetration scenarios. Coalfire, as part of its usual practice, has formalized legal agreements so that the actions of their employees could not be interpreted as robbery.
It was necessary to ensure maximum realism. Only the vice president of the company, the chief of security, the head of the physical security group knew about the test being carried out in court.
What were the tasks of pentesters? Bypass the premises, check if there are unlocked computers, passwords or other confidential information in the public domain (on stickers, in notebooks, on whiteboards); whether alarm systems, locks on doors work. But first they had to get into the building. Gary and Justin decided they were using ventilation for this purpose.
According to legend, they were members of the security service. Without much difficulty, they figured out the daily security code (an access code that is generated every day). The same was done in the second courthouse, where they got access to the internal network and a program that assigns a daily code.
They got to the third building in full combat readiness: they had codes, and floor plans, and a strong legend. Nothing should have aroused suspicion. Nevertheless, at this stage, Gary and Justin still got it. But for pentesters, this is not a reason to abandon plans. Even if they are arrested, they try to come up with a new story in order to continue working and find as many vulnerabilities in the customer’s security system as possible. So this time. One of the pentesters was able to chat up the employees while the second tried to get into the office premises, learning how the alarms work, where the safes are located. As a result, they were able to get out without any problems.
The wrong one was attacked
They were informed about the further assignment by phone. The method of penetration was the same, but this time the legend did not last long. The pentesters tried to continue under the guise of another, but that didn’t work either. They ran into an incredibly vigilant branch worker who was completely out of the question. She called the police. It turned out that the woman was the assistant manager of the branch, the bosses were not on site, and she was as alert as possible, if not maniacally alert. How much should a financial officer be.
Only now were Gary and Justin forced to open up and admit that they were pentesters. But the employee’s confidence had already been undermined, she did not want to hear anything, although she still called the head of the security service. To the surprise of the pentesters, he denied conducting any tests. This was already a reason to get nervous. Fortunately, a minute later the head of the Security Council called back and admitted that, indeed, the “robbers” work in the law and were hired to conduct the test.
If all employees of the organization acted like this vigilant woman, it would be possible to admit that the customer’s security system survived. But most of the other staff were oblivious to the suspicious visitors, and as a result, Gary and Justin were able to walk through all three courthouses without much trouble. The client was impressed with the results and promised to fix all security issues.
One year later
All of the above is a preamble. The drama unfolded a year later, when the pentesters were invited to return with a new audit, it should have been more serious.
A week was allotted to a new project, pentesters had almost complete carte blanche – they could do anything: use master keys, break in through the back door, dig into garbage cans, plug in flash drives. The only thing they were forbidden was to turn off the alarm system.
Testers’ obligations were written on 28 pages. The insurance in case of arrest was a list of people – employees of the Iowa judiciary who were involved in the process and could prove that the pentesters were not criminals.
The first day of the weeklong project passed without incident. Penetrators entered the building at night, photographed the found signs of security problems. They left their business card on the customer’s table – as proof that they got inside, they told him about all their findings.
The next call was on Tuesday, and that night was scheduled to break the doors to the floors where the court hearings were held. The first door gave in easily, with the second there were problems – it had a hidden protective mechanism that the penetration testers did not see. They also had a room on their way with monitors from all the security cameras they could get into. From the cameras they saw that a security officer was bypassing the corridors. In order not to get noticed, the pentesters used a shelter in the “blind spots”, and then continued testing. But not for long – the alarm sounded. It turned out that the storey doors through which they had passed remained locked. Despite the fact that the alarm went off, the pentesters completed their tasks for that night and with laughter recalled how they hid from the SB in a pile of things.
Time remained, and they continued to check another courthouse. When they were about to enter, it turned out that the door was open. They pushed her, but the alarm didn’t go off. After several attempts to awaken the alarm, they decided to close the door in order to break it according to their task. And as soon as they started to open it, they heard a warning signal, followed by a real alarm. It happened so quickly that there was no time to enter the security code to stop the alarm. She screamed so loudly that the whole city could hear. The pentesters only had to wait for the police.
“Here is your ginger suit”
When the policeman showed up, they told him who they were and who they were hired by. They were hired by the customers of the state of Iowa, the police officers who arrived were district subordination, and therefore the pentesters decided not to postpone and immediately got their insurance against arrest – a secret list of contacts. Two out of three did not answer. The third said he could sort things out in the morning. At the employer Coalfire, no one answered due to the late hour.
Then the story took a decisive turn – the sheriff appeared. He said the testers did not have permission to test because the customers are not the owners of the courthouse.
Spending an hour or two in a cell before finding out a circumstance is the worst scenario for pentesters. But it turned out to be even worse. The sheriff stated that Gary and Justin should be arrested for burglary. They were interrogated in different rooms, and none of the documents that were supposed to secure them worked. All the tools they had for the job seemed to the police to be instruments of crime. Thus, pentesters were threatened with a term not only for penetration, but also for storing illegal devices.
A small lyrical digression. One of the devices of pentesters is the so-called. under-the-door tool (the name for which we did not find a decent translation into Russian, but we give an illustration).
They report that this “gadget” allows them to open a door with a flat handle more easily than with a lock pick. Gary and Justin claim that they manage to open 80% of the latches in this way. It is more difficult with round handles.
But back to the story.
A few more minutes – and the pentesters have already been dressed in orange overalls like real prisoners, placed in a cell.
Gary and Justin had an appointment with the judge in the morning. Ironically, in the same courthouse that they stormed at night. Only now they were accompanied by the police.
The pentesters turned out to be completely unprotected – the person from the secret list who was supposed to clarify the situation in court did not come. The other two contacts did not respond, and the employer’s representatives simply did not make it in time for the court hearing.
The judge didn’t believe a single word Gary said. Moreover, she was outraged that such things as penetration testing existed at all, especially in government agencies. She posted a $ 5,000 bond.
But the district attorney considered this amount insufficient. As soon as the judge learned that the “robbers” were operating not somewhere, but in her courthouse, she zealously supported the prosecutor. So the amount of the bond increased to $ 50,000. Plus there was a seven-year prison term ahead!
“Break in? And who asked you about this ?! “
The employer paid the bond, Gary and Justin were released from prison. They hired a lawyer and then it turned out that the participants in the trial were only the pentesters themselves, the investigation did not take into consideration the participation of any third party in the form of a customer. Everything turned out to be more dire consequences than it seemed at first.
The investigation lasted several months. Local news claimed that the court only hired pentesters to check information security, not physical hacking. The customer stood on this, Coalfire demonstrated the contract, where it was said that the hack had been agreed. So the parties threw over arguments, challenging points of what seemed to be an ideally drawn up agreement.
This altercation finally brought to light an important disagreement. The penetration test was ordered by state representatives. And the sheriff, judge and prosecutor, being employees of the district, did not know about the decision of the state and therefore had every right to take pentesters for criminals.
So, finally, a third party appeared in the investigation. The court began to investigate whether the actions were state legal. The lawyer said yes, because the state is the legal tenant of the district’s property and can take measures to ensure its safety.
The district attorney disagreed and continued to object. Senators also objected, who spoke of “a significant danger not only of contractors, but also of law enforcement agencies and the public.”
The investigation ended with the court upholding the state’s right to hire pentesters. So the grave charges were dropped, but petty misdemeanors remained. This was not a good outcome for the pentesters, and they continued to struggle to whitewash their honest names.
As a result, on January 30, 2020, the charges against the pentesters were dropped, Gary and Justin became free people. In addition to exhausted nerves, wasted time, they suffered another tangible damage – reputation. Indeed, in the eyes of the customers, they are now forever those who aroused the suspicion of law enforcement officers. But most importantly, they became famous in all states. And fame is a completely unnecessary companion in the work of pentesters.