Comment by rainonmoon

14 hours ago

> But I’m responding to the notion that they should’ve had signed documentation with the scope with them. They did. The fact that their own company hung them out to dry by not informing everyone on that list is not the pentesters’ fault.

I wasn't trying to suggest they did or didn't have the right documentation. I honestly don't know. I was just explaining how we normally operated. The idea that the emergency contact wouldn't answer, or even worse would deny we had authority, seems impossible to me... At least if you're doing things the way we did.

  • > The idea that the emergency contact wouldn't answer...seems impossible to me

    I can’t understand how you think this is impossible if you do things “the right way”.

    Phones get stolen or dropped in the toilet. Your contact has been taken to the hospital. Bad cell service. And so on.

    These episodes of Darknet Diaries were my favorite. Very suspenseful. I also always thought the people doing the testing were insane for assuming a piece of paper keeps them from getting dragged to jail or worse.

    I mean this is stuff the security people tell you not to do. If you get an email from “your bank” saying “call us at this number”, you're supposed to independently verify by calling the main number, not the number they give you, right?

    • Those were always my favourite episodes too! Enough to get into a career doing social engineering and physical intrusions. It's very tense! You're right to think it's insane; the nature of these jobs is that, unlike most kinds of pentesting, very few people are aware that a test is occurring. We will sometimes bring a fake "get out of jail free" card to test the very thing you mention: whether people will actually verify out of band. I've been on jobs where we've been called out and they've checked our fake details, and you see people's whole body language change in those moments between them figuring out you're not who you say you are and figuring out what they're willing to do about it. You absolutely see the thought "Do I need to hurt these guys? Are they going to hurt me?" go through someone's mind. It's never come to anything truly harrowing in my experience; professionalism and good communication skills go a long way, but they also can only go so far. It's much more common to have zero issues though, because, as you can surmise, social engineering is extremely effective, so getting challenged at all is pretty rare.