Coalfire’s Gary De Mercurio and Justin Wynn share the details of their physical penetration-testing engagement gone wrong, as well as recommendations for protecting all red teamers.
When they first scanned the cardkey to the front entrance of the Dallas County Courthouse in Iowa, red-team experts Gary De Mercurio and Justin Wynn didn’t hear the requisite click of a lock disengaging. It was after midnight on Sept. 11, 2019, the last leg of their penetration-testing engagement for the state of Iowa’s Judicial Branch, and they got their first big surprise of that now-infamous evening.
“Justin grabs the door and we look at each other, and I said, ‘Did it work?’ and he’s like, ‘No, it’s open,’” recalls De Mercurio, a senior manager at Coalfire. “The door was locked, but they hadn’t latched it all the way.”
To get a more accurate take on the entrance security, Wynn closed the door and the two social engineering and physical pen-test experts started all over again with the cardkey, this time with the door locked. De Mercurio then slid a plastic cutting board retrofitted with a handy notch into the doorjamb and used it to unlatch the door. The pair figured they had between 20 and 30 seconds from then until the building alarm would sound, so they executed the usual next step in the physical testing process: checking the strength of the alarm’s passcode settings by first typing in the system’s default code as well as easy-to-guess combinations.
Once the alarm sounded, the pair went back to work looking for other potential vulnerabilities in the courthouse while waiting to see if the authorities would respond. … Read the full story here: Pen Testers Who Got Arrested Doing Their Jobs Tell All