
A previous question of mine led to this discussion which mentioned the subject of document forgery.

I've seen many people (in videos) forge IDs and employee badges for such engagements, so that seems fine as a test. However, if asked to present a more critical/serious document like a "Permission to Attack" slip (when caught), or asked by a police officer to present some ID, should we test them by first showing them a forged "Permission to Attack" slip or ID and only showing the real documents if caught?

  • I really think that you need to consider the legal aspects to your questions which override any desires of the tester or the client. Showing fake ID to law enforcement will get you arrested in many jurisdictions. – schroeder Nov 18 '19 at 09:34
  • If you remove all consideration about what to do with law enforcement by considering it a matter of law and not security (and off-topic here), then you are left with what the client wants, will allow, and feels comfortable with. That's defined by the scope, and when in doubt ***ask the client!!!*** – schroeder Nov 18 '19 at 09:36
  • Interesting timing! Published today - https://github.com/trustedsec/physical-docs – Matthew Steeples Nov 18 '19 at 22:16
  • @schroeder exactly. It depends on the *level* of permission you have. A local police department can presumably give you permission to show fake documents to their officers, and the national government could authorize you to present a fake passport or visa at the border. – Robert Columbia Nov 20 '19 at 13:12

2 Answers


It depends on the scope of the engagement.

If the customer wants you to focus on one specific task (e.g. bypassing locks, social engineering, etc.), then that's all you're authorized to do and all you are legally allowed to do.

If the customer wants you to use "anything that's legal", in order to best simulate a real attacker, then you can indeed present a forged permission to attack, possibly even with instructions added that you should be left alone during the engagement.

Why would you do that? In order to check if security personnel actually verifies whether a Permission to Attack is valid or not. Otherwise an attacker could present a forged Permission to Attack and use this to gain entry to the company?

What about law enforcement?

Never show law enforcement a forged document or lie to them about who you are or what you are doing. You are testing the company, not the law enforcement.

Or to put it in simple terms: When you talk to the police, you're no longer a pentester.

  • 8
    My guess is, this should be written into the contract explicitly, in order to authorize certain people as "straw man" pentesters for that phase of the test. – Spencer Nov 18 '19 at 15:09
  • 23
    In basic agreement. However, a minor exception is that when your client is the government, in which case it might be appropriate to test the police response. But unless it is painfully obvious that you are to test the police (e.g., the police department hired you to pen-test the police department) then this answer is true. – emory Nov 18 '19 at 16:14
  • 33
    Rather, when you talk to the police you are no longer currently pentesting. – Delioth Nov 18 '19 at 17:47
  • 9
    I think you can still be a pentester while talking to police, but they are not being tested so you can talk to them as you would your client (ie. someone who is 'in' on your situation). – Aequitas Nov 19 '19 at 03:24
  • To your last statement, unless you're testing law enforcement/intelligence/security/government, in which case, probably clear this beforehand, maybe in writing in your authentic documents. – toonarmycaptain Nov 20 '19 at 18:00
  • An interesting middle ground is when your client is large enough to have their own deputized police force, but I agree that you should have in writing whether they are in-scope or not in either case. – bracec Nov 20 '19 at 18:12

Unless your engagement is with the police, they are out of scope and you are not allowed to test them. If someone called the police, you already lost, actually. You should stop them right before they do that (friends of mine who do this kind of stuff work in England, where the emergency number is 999 and their principle is that they give up when someone dials the 2nd "9").

Specifically, you do not have permission to attack the police. Your slip doesn't cover lying to the police or presenting forged documents to the police.

When acting within the scope of your permission to attack, forged documents are typically fine; however, I would definitely include a mention of such tactics in one of the documents signed, either the permission itself, or the offer, or something else appropriate. Just in case anyone is not a fan, you want to have something written that says "but we agreed that such methods are ok to be used".

There have been a number of recent cases where pentesters got into trouble for exceeding the scope of their engagement. Don't do that. Always stay well within what was agreed, and if you ask yourself if a specific method is fine, that is a very good sign that it should be explicitly stated somewhere as a method you might employ. I mean, if it isn't clear to you, it probably isn't clear to the customer, either.

  • _“they give up when someone dials the 2nd ‘9’”_ Just out of curiosity: How is it done practically? Unless there is a [rotary dial](https://en.wikipedia.org/wiki/Rotary_dial) phone, it might well be a fraction of a second between the two 9’s. – Melebius Nov 19 '19 at 08:49
  • @Melebius I would guess some people would press the "9" once obviously, in hopes to scare the perpetrator into submission. – Linny Nov 19 '19 at 12:59
  • What Linny says. Most people will take out their phone. Some people actually start dialing, then check your reaction. If you're unfazed, the vast majority of people will begin to fear they'll cause trouble to themselves if they call the police for no good reason. – Tom Nov 19 '19 at 13:30
  • I had always interpreted the "second nine" cutoff as figurative speech, not literal. In other words, you wait until the last possible second, whatever that is. In many cases you may not be witness to an actual person dialing a phone (i.e. someone hitting a panic button, or someone yelling or messaging to a person out of sight to call police). – dwizum Nov 19 '19 at 18:05
  • @dwizum the specific example my friend was referring to was when people stop them in the hallways to challenge if they should be there. In that setting, people taking out their phones is the thing, not a panic button. – Tom May 27 '20 at 09:24