Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Crime Government Security Idle

Two Penetration Testers Arrested For Attempted Burglary (arstechnica.com) 63

Somewhere along the North Raccoon River in Adel, Iowa -- population 3,682 -- two men were arrested for trying to break into the county courthouse.

And then things got weird, the Des Moines Register reports: The men, outfitted with numerous burglary tools, told authorities they were on contract to test out the courthouse alarm system's viability and to gauge law enforcement's response time, an alleged contract that Dallas County officials said they had no knowledge of, according to a criminal complaint.

Authorities later found out the state court administration did, in fact, hire the men to attempt "unauthorized access" to court records "through various means" in order to check for potential security vulnerabilities of Iowa's electronic court records, according to Iowa Judicial Branch officials. But, the state court administration "did not intend, or anticipate, those efforts to include the forced entry into a building," a Wednesday news release from the Iowa Judicial Branch read.

Evidently, the courthouse's security system did its job. The alarm system was triggered by the two men whom law enforcement found walking around the courthouse's third floor at about 12:30 a.m. Wednesday, court records show. Justin Wynn, of Naples, Florida, and Gary Demercurio, 43, of Seattle, Washington, were both charged with third-degree burglary and possession of burglary tools. Their bond has been set at $50,000.

"Our employees work diligently to ensure our engagements are conducted with utmost integrity and in alignment with the objectives of our client," their employer, the cybersecurity company Coalfire, told the Inquirer.

When they contacted county sheriff Chad Leonard, he would only say that "It's a strange case. We're still investigating this thing."
This discussion has been archived. No new comments can be posted.

Two Penetration Testers Arrested For Attempted Burglary

Comments Filter:
  • ... is an offense. ~ Articles of the UCMJ.

  • "Somewhere along the north racoon river"?? Weren't they arrested at the courthouse? What kind of aww-shucks writing is this?

  • Job Performance (Score:5, Interesting)

    by Livius ( 318358 ) on Saturday September 14, 2019 @10:50AM (#59193974)

    They wanted to test their security, but only intended to test the security measures they already knew about, not attack vectors that they hadn't anticipated. On the bright side, the system was still secure against an attempt that they had not explicitly considered when they hired their contractors. Basically they got in trouble for doing their job better than their employer expected. No electronic system is secure if an attacker can physically access the hardware.

    I can see it's going to take a little bit of legal process before the charges get dropped, but they have the defence of having the government's implied permission, so no crime took place.

    Of course, that's all assuming that 'journalists' didn't distort the facts to make the story sound better...

    • Of course, that's all assuming that 'journalists' didn't distort the facts to make the story sound better...

      The men, outfitted with numerous burglary tools, told authorities they were on contract to test out the courthouse alarm system's viability and to gauge law enforcement's response time, an alleged contract that Dallas County officials said they had no knowledge of, according to a criminal complaint .

      Journalists don't generate criminal complaints.

      • Re: (Score:2, Informative)

        by Livius ( 318358 )

        But they have been known to sensationalize.

      • by Agripa ( 139780 )

        Of course, that's all assuming that 'journalists' didn't distort the facts to make the story sound better...

        The men, outfitted with numerous burglary tools, told authorities they were on contract to test out the courthouse alarm system's viability and to gauge law enforcement's response time, an alleged contract that Dallas County officials said they had no knowledge of, according to a criminal complaint .

        Journalists don't generate criminal complaints.

        What the journalists do is irrelevant. Cops and prosecutors are not paid to not arrest and not charge people.

    • No electronic system is secure if an attacker can physically access the hardware.

      But we are getting pretty close. It's only because the Trusted Platform Module doesn't verify the peripherals. But even then, physical access is less and less useful. If you install a key logger, you might get a password. But to use it, you may have to come back and steal the entire piece of hardware. Yes state-level actors still do some pretty interesting stuff, but even then, it's usually by having access to the hardware *before* the end customer so that they can install their surveillance tools prio

      • Re:Job Performance (Score:5, Interesting)

        by Antique Geekmeister ( 740220 ) on Saturday September 14, 2019 @11:41AM (#59194096)

        If I may say, nonsense. The Palladium software, which was inappropriately renamed the "Trusted Computing", is designed for Digital Rights Management, not for security. Ordinary office or household passage of data can only have its chain of custody from software with an authorized key assured, not the safety of its contents, by this toolkit. The underlying hardware remains vulnerable to packet sniffing on the network side, keystroke monitoring by both software and hardware means, or the introduction of even signed, authorized malware by stealing or replacing signature keys.

        The key signatures may seem secure, but they are not. Microsoft retains the root signature keys and almost every individual computer's private keys in their own records. There is no judicial protection for these keys. Microsoft provides not even the slightest standard for when and how the keys might be released, or overridden. And Trusted Computing includes key revocation tools, so that an authorized key can be used to _lock out_ other keys.

        The system is aimed at vendor-owned software licensing, not at personal or business computing. The built-in publication of the escrowed private keys, typically to Microsoft, guarantees that it cannot be considered a robust security system because the management of the private keys is so vulnerable.

    • by jythie ( 914043 )
      Depending on the contract, I am not sure I would call that doing their job 'better than expected'. If I hire someone to test something, I expect them to test the things I hired them to go over, not decide they would rather test something else. When setting up a contract like this it is really important to be explicit about the scope.
      • by Livius ( 318358 )

        If one side (or the other) misinterpreted a contract, a court of law will (hopefully) see that they face the consequences. Maybe the contractors overstepped. Maybe the contract was too broad.

        • The difference is that going outside the bounds of a contract is a civil matter, not a criminal one. A fine might be levied, but not jail time.
          • by Paxtez ( 948813 )

            Umm. No. The contract is basically an agreement saying they are allowed to "break in" and not prosecute for X. But if they commit Y, that is on them. This is completely on the testers, they should have either had a more broad contract or followed it more carefully.

      • by cusco ( 717999 )

        "Can unauthorized people access documents of Type X?" is what a customer wants to know in most cases. How or in what format is immaterial, unauthorized people should not be able to download it to a thumb drive or walk out with a photocopy of it. It's up to the company's salescritters to get the customer to define where the limits of the test are, and if the customer says "Anything" you get to charge more for a bigger job.

        I know someone who managed to break into the client's main network distribution fram

    • by lgw ( 121541 )

      Physical pen testers are quite aware that one must be very careful indeed about the contract, and what measures you have legal coverage for. And it's for just this reason: your job is to find unexpected attack vectors, so what's the allowed universe of attack? Attempting physical pen testing without a clear contract is pretty dumb, as you don't then have a clear legal defense.

      Can you use destructive means? Can you lie to people (bizarrely, this is sometimes ruled out, which is a bit of a challenge for pe

      • by mysidia ( 191772 )

        Can you use destructive means?

        These are discussions that should be held with management in the first meeting and represented in the contract.
        Pentesters SHOULD be simulating the credible threat however: not merely getting in by any possible way.

        Can you do very dangerous things with elevators (elevators are usually a very weak point in building security, but messing with them is an easy way to die)?

        Pentesters should not be doing things they cannot conduct safely.
        Elevators are designed with multiple safet

        • by lgw ( 121541 )

          Elevators are designed with multiple safety system so its NOT that dangerous for pentesters to mess with them... I mean, so long as they are not breaking into the elevator system's hoistway

          Eelevator safety systems only protect you if you're inside the car. Elevators will straight-up kill you if you're getting clever. However, by getting clever you can sometimes bypass otherwise good security.

          Physical pen testing orgs often include professional elevator service techs for just this reason. Usually, the fireman's key or service tech's key to the elevator is all you need, but when it's not enough you want a trained pro doing the dangerous bit.

          Of course, often the best use of an elevator in phy

          • by mysidia ( 191772 )

            Usually, the fireman's key or service tech's key to the elevator is all you need

            If its not "all you need" to get the elevator anywhere it can go, then you probably discovered a
            much bigger legal risk and safety issue for the human building occupants than any security issue -- As in, Its required by law and life safety requirement for
            a building's elevator system to have FF service mode which must have access to every floor, and
            FF service mode must be capable of being enabled and operated by firefighters

            • by lgw ( 121541 )

              If its not "all you need" to get the elevator anywhere it can go, then you probably discovered a
              much bigger legal risk and safety issue for the human building occupants than any security issue

              The pen testers job isn't to break in, but to break in undiscovered. Thus the real question is whether the fire mode is monitored. If it is, the fireman's key is not enough.

    • Tell that to Terry Childs

    • by Livius ( 318358 )

      Though if different government agencies, or different levels of government, owned the computer system and the physical building, things could get confusing.

  • by Ungrounded Lightning ( 62228 ) on Saturday September 14, 2019 @10:53AM (#59193988) Journal

    This is why professional penetration testers normally require very clear contracts signed by carefully chosen authorities within the organizations hiring them for the test.

    Sounds like these two were deficient in several ways:
      - They didn't get their ducks aligned with clear contracts with competent authorities.
      - They set off the burglar alarm, didn't notice it, and hung around.
      - They didn't liase with the local cops beforehand.

    • They set off the burglar alarm, didn't notice it, and hung around.

      And why not? They aren't actually engaging in burglary. They thought they were authorized to be there. I've accidentally triggered alarms in places that I've worked. You wait around for the police to arrive and apologize profusely. They fine the building owner a hundred bucks for the false alarm and that's the end of it.

    • by weilawei ( 897823 ) on Saturday September 14, 2019 @11:10AM (#59194026)

      They didn't liase with the local cops beforehand.

      That's probably the number one thing they should've done. I, many many many years ago, went door-to-door for a week. And then I quit, because I hated walking onto peoples' property and bothering them. However, I did learn a valuable lesson: you show up at the police station in town at the beginning of your day, explain to them what you're doing in their town, give them your name and a phone number. By generally making yourself available to the authorities and displaying good faith where you intend to do something that might reasonably be misconstrued as an illegal (and possibly dangerous) act, you can alleviate a lot of misunderstanding down the line.

      • by cusco ( 717999 )

        It must have been many, many years ago, now they'll call down the wrath of the gods on you if they can.

    • by Sique ( 173459 )
      In a certain way, notifying the cops beforehand would not yield the right result, as the police's response was part of the test.
      • by Ungrounded Lightning ( 62228 ) on Saturday September 14, 2019 @11:29AM (#59194068) Journal

        In a certain way, notifying the cops beforehand would not yield the right result, as the police's response was part of the test.

        True you've created an "observer effect".

        On the other hand, if telling the cops you're going to pen test some county buildings and then they DON'T respond, you've found a vulnerability. B-)

      • by jythie ( 914043 )
        Ideally one should coordinate with the people in charge of the police so the bosses know what is going on, or even better have someone from the department with you while doing the test.
        • by brausch ( 51013 )

          When I hired testers to do similar things* at a financial institution (I was IS Director which included banking operations and security systems), I gave them a letter from me to carry with them. Then if/when something hit the fan, I was called. It did happen once and they were very happy to have that letter in their possession.

          Non-destructive electronic and physical pen testing.

      • Of course that very much depends on whether they were in fact hired to test police response time. It seems to me that one of two things happened:

        A. The pentesters didn't read the scope of work document that was part of the contract with the company they work for, and went far outside of it.

        B. The company utterly failed to create a scope of work document, go over it with the customer, and have it signed.

        If the pen testers and the judges who represent the customer aren't both clear on the scope for a love p

        • There's another possible way to do this. As pentesting becomes a more routine part of life, perhaps we should consider organizing it. It could be as simple as any other permitting process. You designate the appropriate level authorities (local, state, federal) to handle registering pentest requests.

          When a business wants their security test, they hire a pentester and go to the registrar together to certify their intent and authority. The registrar gives them back cards with a generated token tied to the loca

          • Some futher thoughts: this case, assuming everyone involved was legitimately trying to do things in good faith, is primarily a result of miscommunication and lack of clarity.

            Police time was wasted, on the public dime, for something that didn't actually represent a real emergency and is within our power to prevent (unlike many things we criminalize for better or worse).

            If:

            • you have a way to notify an official responsible for maintaining professional courtesy between the stakeholders (including the police a
        • by sjames ( 1099 )

          Or they did and then the people who signed it decided they didn't want to own up to authorizing burglary.

      • by cusco ( 717999 )

        When the police response is known to be "drawn weapon, finger on the trigger" you might want to re-think that one.

      • by mysidia ( 191772 )

        Unless the agency the cops are working for is the one that actually hired you (I.E. Your authorization papers are signed by someone like the Chief of Police and the Mayor who has direct authority to test that police force), then you DONT actually have any legal authority to test the police's response times or even to deliberately incite a police response to a bogus issue... that in fact sounds criminal.

        Just because a company relies on a police response in order for their security system to work does N

    • by stephanruby ( 542433 ) on Saturday September 14, 2019 @11:25AM (#59194054)

      - They didn't get their ducks aligned with clear contracts...

      Are you sure? Assuming the contract is written the way it's quoted.

      hire the men to attempt "unauthorized access" to court records "through various means"

      It seems very clear to me.

    • "Liasing with the local cops" defeats the purpose of the test, if the test includes the reponse time of the police and possible security abuses by law enforcement personnel. Since this security test was at a court building, the local cops are likely the court bailiffs who are the ones being tested.

    • by Cederic ( 9623 )

      It's very likely that they didn't know the alarm had gone off - probably a silent alarm that triggers a police response with no noise to alert the intruders.

      Whether they had the clear contract remains to be seen. They work for a very reputable company that's being doing this for a long time so it may just be the police flexing their muscles in annoyance at being called out at 3am.

  • Every time I see an article about breaking and entering into a business, I can only remember a story my mom told me once. She works with the police in the small city I'm originally from, and when I was visiting once told me about a recent crime that had been reported.

    These guys were going to break in to a pawn shop and steal a bunch of the gold and guns I assume. Their plan was to park on the street behind the small section of woods behind the shop. They then walked to the back side of the stores.... a

    • by Opportunist ( 166417 ) on Saturday September 14, 2019 @11:27AM (#59194060)

      Reminds me of a security review we did for a server room a while ago. They got everything in order, secure doors, total surveillance of the (only) corridor leading to the room, everything looked great 'til we got to the room itself and found out that on the other side of the back wall is an unmonitored and rarely used storage room and that the wall itself was drywall.

    • It was the "Brick Man":
      https://www.comedy.co.uk/tv/ye... [comedy.co.uk]

    • My understanding is that this is where the phrase "breaking and entering" originally comes from, in the context of wattle-walled medieval peasant huts (Gies, Life in a Medieval Village).

  • They weren't shot? Holy buckets.
    • While there have been many tragedies, most police try very hard _not_ to shoot people, even people trying to get themselves shot, unless there is a very clear need. Understandably, if a penetration tester has a foot long metal tool in their hand when confronted, or even a fist fool of keys or the pockets of their jackets look to have metal objects in them, the police will need to exert extra caution. This is why a sensible penetration tester will be _very polite_ and do their utmost to stay very calm when c

    • This is why there's no black or latino pentesters. Anymore.
  • $xxx.xx as per contract, $x,xxx,xxx.xx for false arrest and legal fees?
    • Exposing the government as a hypocrite too proud to admit that it messed up the paperwork...priceless

    • by Minupla ( 62455 )

      Having worked in this area, thereâ(TM)s NO WAY the price tag resembled in any way shape or form $xxx.xx - you canâ(TM)t get Coalfire out of bed for less then 5 digits in front of the decimal point.

  • by gordona ( 121157 ) on Saturday September 14, 2019 @01:21PM (#59194342) Homepage
    Any contracted pentesting activity MUST include a scope of work that defines the range of permitted and not permitted activities. This is mutually agreed to by both parties in the contract. This includes testing physical security. Either the latter was not included in the scope of work and ignored by the pentester, or was not communicated adequately to the pentester. In any event work done not specifically in the scope of work leaves the pentester liable for illegal activities. Coalfire has to know this.
  • Comment removed based on user account deletion

C makes it easy for you to shoot yourself in the foot. C++ makes that harder, but when you do, it blows away your whole leg. -- Bjarne Stroustrup

Working...