Written for Tripwire’s “scariest moment in security” Halloween series
I’ve had many “oh crap, I’m totally getting fired for this” moments in security (I never did get fired). The scariest single moment, however, was probably during a red team assessment overseas.
We were in the Middle East during The Arab Spring. In fact, the engagement was actually a result of some Arab Spring-related events. There were three of us, and assessing physical security was one of my tasks. We were onsite at a large industrial complex that also had several office buildings. I was using social engineering, picking locks and other techniques to break into areas that should have been secure.
I had made my way into a closet in one of the office buildings. The closet contained about a dozen file cabinets, with single-pin locks that were trivial to pick. I have video of one of my kids picking a similar lock at the age of five. I was going through the contents of these file cabinets and taking pictures when I heard someone outside the door. I turned off the light and did my best file cabinet impression behind the door.
As the door opened, I stayed behind it, on the side of the hinges, hoping whoever decided to investigate the closet would simply forget to check behind the door. No such luck. A face peaked around the door at me.
The face had the widest eyes I’ve ever seen, as if to say, “why are you in a closet, hiding behind the door?”
What could I do but shrug and smile, as if to say, “Ha! You caught me! Isn’t this a fun game?”
He was not amused. He spoke no English. I knew only a few words of Arabic. He didn’t have a gun. I sighed thankfully and did not have a ‘code brown’ moment.
I came out of the closet and did my best to explain who I was and why I was there — hiding behind the door, in a closet, taking pictures of documents. He was clearly a security guard, doing his job (rather well, I have to admit). I had my equivalent of a ‘get out of jail free’ card. This is something any penetration tester with their wits about them in this sort of situation should have on their person. Problem was, it was in English and meant nothing to this man. Luckily, I also had my point-of-contact’s business card and I handed it to him, emphasizing that he should probably give him a call.
We spent what felt like an hour standing in an empty hallway, not looking at each other. Waiting for my POC to arrive and explain what was going on.
My liaison arrived and as far as I can tell, he didn’t refer to me using the Arabic equivalent of nincompoop. The security guard visibly relaxed. I did my best to communicate that he did a good job and that busting me was something he should be proud of.
That wasn’t the last time we almost got arrested on that trip.
This is a Security Bloggers Network syndicated blog post authored by Adrian Sanabria. Read the original post at: Savage Security Blog - Medium