Charges Dropped Against Pentesters Paid To Break Into Iowa Courthouse (arstechnica.com) 37
Prosecutors have dropped criminal charges against two security professionals who were arrested and jailed last September for breaking into an Iowa courthouse as part of a contract with Iowa's judicial arm. From a report: The dismissal, which was announced on Thursday, is a victory not only for Coalfire Labs, the security firm that employed the two penetration testers, but the security industry as a whole and the countless organizations that rely on it. Although employees Gary DeMercurio and Justin Wynn had written authorization to test the physical security of the Dallas County Courthouse in Iowa, the men spent more than 12 hours in jail on felony third-degree burglary charges. The charges were later lowered to misdemeanor trespass. The case cast a menacing cloud over an age-old practice that's crucial to securing buildings and the computers and networks inside of them. Penetration testers are hired to hack or break into sensitive systems or premises and then disclose the vulnerabilities and techniques that made the breaches possible. Owners and operators then use the information to improve security. "I'm very glad to hear this," said a professional pentester when I told him the charges were dropped (he prefers to use only his handle: Tink). "Clients and security firms have an obligation to protect their pentesters and consultants. Pentesters are not criminals. Pentesters help organizations protect against criminals."
They should bill $75 per hour in jail + all costs (Score:5, Insightful)
They should bill $75 per hour in jail + all costs
Re: (Score:3)
Read your contracts (Score:5, Interesting)
"The full agreement was broken into three separate documents that contained confusing and contradictory terms describing the work to be performed. An initial service order outlined a plan to conduct “Physical Attacks” against the Dallas County courthouse and two other buildings, but in later forms, the pentesting activities were described as “Social Engineering.” There was also conflicting language about whether the pentesters were authorized to use lock-picking gear and whether they were permitted to test physical security after hours."
Sounds like their (both the state and the pen-testing company) contract administrators need a new job.
Re:Read your contracts (Score:4, Insightful)
Breaking and entering activities should be plainly disclosed, and you might want to discuss this with the police department BEFORE actually doing something like that. Make sure you have all the authorizations you need to not get charged and know who to call to confirm the facts for the police officers who actually will be arresting you if you get caught. Breaking into a public building without all your ducks properly lined up is stupid.
Re: (Score:3)
True.
However too many people are raised to pass the test vs learning the lesson.
If you know what will be in the test, you will be able to put your effort into solving the problem stated, vs. actually judging how safe you really are.
We see this across all sorts of metrics, and people basically hack the metric to look good, without actually changing for the better.
Re: (Score:2)
You get what you measure. So make sure you measure what you want people to do.
Re: (Score:2)
We see this across all sorts of metrics, and people basically hack the metric to look good, without actually changing for the better.
This happened where I work.
The shipping crew was given a bonus for shipping 95% of orders the same day they were placed.
So they talked to the sales department and arranged to have all the big orders held up and only entered into the database when they had time to ship them, which often meant they weren't entered until the following morning. For agreeing to do this, the salespeople got a cut of the bonus.
So employees got bonuses despite actually increasing delays.
Re: (Score:2)
I agree. The state agency that hired them should have alerted the police department that they had hired someone to do this kind of work.
Re: (Score:2)
Further, they should have had a discussion with the local police department BEFORE they did this. A quick discussion with the chief of police to discuss what you've been contracted to do and what documentation he needs to see to verify that might go a long way.
Anyway, I guess they proved that the physical security is pretty good at night... :)
Re: (Score:2)
No they didn't. If I remember right they actually closed the door themselves and set off the alarm themselves. Had they simply slipped in through the door presumably left open by the night cleaning crew and made their way in, they probably could've avoided detection through the entire act.
Re: (Score:2)
Wouldn't that defeat some part of the purposes of the test? "Hey, we should respond to that call super-fast, because there are penetration testers involved and they'll note what we do" or "Hey, no hurry to get over there, it's just penetration testers" would each seem to affect the analysis of the likelihood of a successful breach.
Surely the amount of time you can spend unmolested on premises has a pretty c
Re: (Score:2)
Re: (Score:2)
Police response times are part of penetration testing, and if you alert them beforehand, you get biased results.
If you don't alert the police beforehand, they are going in locked-and-loaded, and someone may end up dead.
One solution is to have someone stationed outside the building to greet the police with all the paperwork and permits before they enter the building.
Re: (Score:3)
Doesn't discussing it with the police pretty much defeat the purpose of the test?
Re: (Score:2)
Wouldn't having an adequate and proper police response be one of the factors of testing the security? If the police knew about the testing, they might go higher alert in the area just to ensure they catch the OPFOR. Or, they might shrug and ignore it altogether, reducing the overall effectiveness of the test by intentionally not catching the OPFOR and making it look as if their part of the job wasn't tested at all.
Re: (Score:2)
Wasn't it established that they found a door that should have been closed and locked instead propped open when they arrived?
Seems like the night crew provided all of the social engineering in advance of their arrival.
Re: (Score:2)
Re: (Score:2)
> Which, in the view of the Sheriff, ran afoul of the "no forced entry" clause.
Where I'm from the only evidence of a picked lock (well done) is possibly some slight scratches on the keyway. Forced entry has broken door jambs, usually (unless a window is conveniently located nearby).
No, I think this Sheriff was embarrassed and abusing his office.
Re: (Score:2)
More importantly, what are the lessons learned (Score:5, Interesting)
I've been following this story from the beginning and by the sounds of it balls were dropped by all parties. This case truly needs to become a textbook example of what not to do for the security field. These professionals came perilously close to serving hard time in prison for doing their job.
This is the kind of thing where lessons need to be learned by all parties. A hard look at the entire thing needs to be performed by an independent third party that doesn't have a stake in the results. Presentations need to be given at professional conferences on what went wrong and how to avoid repeating those mistakes.
Professionals in the industry have to learn from this. The industry has a stake in this as well as the pentesters themselves. We can't count on the charges getting dropped next time.
Re: (Score:2, Insightful)
I'm sure balls got dropped all around, but the "professional" pentesters have ALL the blame here. You must protect YOURSELF and not take anything for granted. IMHO - you should be totally sure you have all the necessary approvals and documentation to prove it, by discussing with the customer AND the police department, before attempting something that looks like breaking and entering, using lock picking tools, or being confused for a criminal. If you don't have all that in place, don't do stupid stuff.
Breaking
Re:More importantly, what are the lessons learned (Score:5, Interesting)
I'm sure balls got dropped all around, but the "professional" pentesters have ALL the blame here. You must protect YOURSELF and not take anything for granted...
Unless you are a trained lawyer, there's about a 98% chance you have no clue how to properly analyze legal agreements to protect yourself. As far as the employees having ALL the blame here, I highly doubt Coalfire would take kindly to every employee demanding to be included in every contract negotiation. And I highly doubt those employees want to even be involved in such activity for rather obvious (IANAL) reasons, regardless of personal liability.
Put yourself in these employees' shoes. If this happened to you, would you be sulking about taking ALL the blame, or would you be looking to sue your employer for putting you in such a position? Try not to bullshit yourself when you answer...
Re: (Score:2)
The pentesters aren't responsible for the overreaction of filing felony charges after the cops found out what was really going on.
There's nobody in this circus that is blameless.
Re: (Score:3)
I've been following this story from the beginning and by the sounds of it balls were dropped by all parties. This case truly needs to become a textbook example of what not to do for the security field. These professionals came perilously close to serving hard time in prison for doing their job.
This is the kind of thing where lessons need to be learned by all parties...
All parties? Just how many pentesters working for corporations also hold the responsibility of reviewing all corporate contracts in relation to a job their employer told them to do?
Here, I'll give you a hint. None.
You're just the lowly IT person being tasked with a job, and that job sure as hell doesn't include poring over legalese using IANAL non-skills to provide maximum personal impact and liability to the company. That's what you hire trained lawyers to do.
Re: (Score:2)
The pentesters were hardly in the clear either. They went to work with a scope of work that was poorly defined. I've done professional consulting for years; you always review your scope of work ahead of time. If there are questions, you get them clarified before you go to work.
Their contract had contradictory language about the services (their scope) that they were to provide. Certainly it was enough to get them arrested whereas pentesters normally don't have problems with their get out of jail cards (they actu
Re: (Score:1)
https://www.grammarly.com/blog... [grammarly.com]
Re: (Score:2)
Well That's One Way... (Score:2)
Wrong thread ... (Score:3)
Yikes ...
Posted in the wrong article.
Site admins, please delete this message and its parent.
From the MidWest (Score:4, Insightful)
Should have pulled a Sneakers (Score:2)
Hack the phone system then break into the building. Once alarms go off, intercept call and assure security guard it's a false alarm. In the meantime, the penetrators find and disable the alarm system.
A few days later, withdraw money from a test account you created, then meet with the executives and ask for your money while telling them they have lax security.
In other words:
Step 1. Hack phone system
Step 2. Break into bank
Step 3. ???
Profit!
Re: (Score:2)
My voice is my passport. Verify me.
Re: (Score:1)
>Once alarms go off, intercept call and assure security guard it's a false alarm.
Then fail to provide the passphrase or whatever and the pigs are on their way.
Time for a fat lawsuit (Score:2)
Smells like malicious prosecution to me. Bet there's going to be a nice paycheck in it for the pentesters.
yar (Score:2)
Except (Score:2)
For the fact that they were sneaking around at odd hours and trying to physically break into the building despite not having written authorization to do so. Unless the original reporting on this when it first broke was inaccurate, I'm not sure why the prosecutors overlooked that.