posted by martyb on Saturday February 01 2020, @01:03PM
from the maybe-they-should-have-tried-pencil-testing,-instead? dept.

On Sept. 11, 2019, two security experts at a company that had been hired by the state of Iowa to test the physical and network security of its judicial system were arrested while probing the security of an Iowa county courthouse, jailed in orange jumpsuits, charged with burglary, and held on $100,000 bail. On Thursday Jan. 30, prosecutors in Iowa announced they had dropped the criminal charges. The news came while KrebsOnSecurity was conducting a video interview with the two accused (featured below).

[...] Under the terms of their contract (PDF), DeMercurio and Wynn were permitted to impersonate staff and contractors, provide false pretenses to gain physical access to facilities, "tailgate" employees into buildings, and access restricted areas of those facilities. The contract said the men could not attempt to subvert alarm systems, force-open doors, or access areas that require protective equipment.

When the duo's early-morning Sept. 11 test of the security at the courthouse in Dallas County, Iowa set off an audible security alarm, they followed procedure and waited on-site for the police. DeMercurio and Wynn said when the county's sheriff deputies arrived on the scene just a few minutes later, they told the officers who they were and why they were there, and that they'd obtained entry to the premises via an unlocked door.

"They said they found a courthouse door unlocked, so they closed it from the outside and let it lock," Dan Goodin of Ars Technica wrote of the ordeal in November. "Then they slipped a plastic cutting board through a crack in the door and manipulated its locking mechanism. (Pentesters frequently use makeshift or self-created tools in their craft to flip latches, trigger motion-detected mechanisms, and test other security systems.) The deputies seemed impressed."

To assuage concerns they might be burglars, DeMercurio and Wynn produced an authorization letter detailing the job they'd been hired to do and listing the names and mobile phone numbers of Iowa state employees who could verify their story.

After contacting some of the court officials listed in the letter, the deputies seemed satisfied that the men weren't thieves. That is, until Dallas County Sheriff Chad Leonard showed up.

"The pentesters had already said they used a tool to open the front door," Goodin recounted. "Leonard took that to mean the men had violated the restriction against forcing doors open. Leonard also said the men attempted to turn off the alarm—something Coalfire officials vehemently deny. In Leonard's mind that was a second violation. Another reason for doubt: one of the people listed as a contact on the get-out-of-jail-free letter didn't answer the deputies' calls, while another said he didn't believe the men had permission to conduct physical intrusions."

DeMercurio and Wynn were arrested, jailed, and held for nearly 24 hours before being released on a $100,000 bail. Initially they were charged with felony third-degree burglary and possessing burglary tools, although those charges were later downgraded to misdemeanor trespass.

-- submitted from IRC


  • (Score: 1, Insightful) by Anonymous Coward on Saturday February 01 2020, @01:08PM (#952312) (4 children)

    They wonder why people won't help them.

    • (Score: 2, Insightful) by Anonymous Coward on Saturday February 01 2020, @01:48PM (#952321) (3 children)

      prybars or similar, correct?

      Using tools to bypass locks or other equipment in a non-damaging fashion would normally be acceptable for pentesters, while doing intentional physical damage to the property which could require repairs or compromise site security further would not. This does indicate their contract should more clearly define what kinds of tools and techniques are acceptable and describe what forcing a method of entry means in clearer terms.

      • (Score: 5, Interesting) by Booga1 (6333) on Saturday February 01 2020, @02:36PM (#952327) (1 child)

        Yeah, and a massive fail on the part of their contacts in the company "get out of jail" paperwork...

        Another reason for doubt: one of the people listed as a contact on the get-out-of-jail-free letter didn't answer the deputies' calls, while another said he didn't believe the men had permission to conduct physical intrusions."

        When you're getting a call from the cops regarding your employees' pentesting activities, pick up the damn phone! For the second person, discussing contract terms and details of the activities should have been reserved for post-mortem review. That person should have told the deputies something simple like, "Yes, they are our employees. Yes, they were scheduled for penetration testing tonight. Yes, this is all authorized by property manager So-and-so under contract ID#123456. We can only discuss specifics directly with them. We consider this a successful and positive result on your part. Thank you for your concerns and thank you for contacting us." Even that might be too much.

        Regardless, do not debate anything with a cop. You can't win an argument with them. They'll just arrest you and let a judge sort it out.

        • (Score: 2, Insightful) by Anonymous Coward on Saturday February 01 2020, @04:19PM (#952377)

          When you're getting a call from the cops regarding your employees' pentesting activities, pick up the damn phone!

          The reason more than one contact was on the list is precisely in case a contact was unavailable at any particular time. These days you never know when someone's phone is going to be turned off while in a bag of rice after having been dropped in the toilet.

      • (Score: 2) by lars (4376) on Saturday February 01 2020, @07:44PM (#952446)

        I didn't RTFA. Pry bar could be used for something like pushing a door bolt out of the mortise, or fooling a door sensor.

  • (Score: 2) by hemocyanin (186) on Saturday February 01 2020, @07:07PM (#952431)

    As a poster above mentioned, the contract should probably clarify what that meant, though to me it meant something like "kick the door down" when I read the part above the fold. I guess I can see where the Sheriff was coming from on that point but it sure seems more like he was peeved at them for demonstrating they had an insecure door and then took it too far. Locks are in fact a form of security and so testing the locks in a non-destructive fashion is directly comparable to testing a firewall in a non-destructive fashion.

    As for lockpicking, I recently ran across this youtube channel -- the lock picking lawyer -- it's pretty awesome and it demonstrates different levels of lock technology, though like firewalls or computer security, it also shows that the effectiveness of security is almost wholly dependent on the skill or knowledge of the attacker:

    Knowledge, no skill: https://www.youtube.com/watch?v=q8AP5XYs8jg
    Knowledge + skill: https://www.youtube.com/watch?v=mAyTv64YkTI

  • (Score: 3, Insightful) by bzipitidoo (4388) on Sunday February 02 2020, @01:41PM (#952700)

    The problem wasn't doubt about the purposes of the intruders. The cops got that all sorted out, contacting officials to verify that the intruders weren't making up a story.

    Things got weird when the sheriff decided to play lawyer and come up with his own dubious interpretations of clauses in the contract. Not his business to do that. There was no doubt that they were employees of a security business that had been contracted to test government security. Clearly, they had not put anyone in harm's way. Nor had they damaged any property. There was no reason to throw the men in jail. Any problems with misunderstandings of the methods and scope of their activities should have been left to higher authorities. What the heck was the sheriff thinking, that this was a chance to indulge in a little personal vendetta against nerds?

    It got weirder when politicians jumped in with accusations of endangering public safety. What were they thinking? Likely that this was an opportunity to score some points with those constituents who are scared stupid of criminals, and evil hackers. Real scummy and stupid thing to try, fanning irrational fears. Politicians do that all the time, the fools.

    I know all too well how easily hysteria against hackers can be ginned up. One time a fellow who'd had his account hacked and his files deleted decided that I not only could have done it, but that I did do it. He came up accusing me of it and decided that my protestations of not even knowing of the system he was talking about, let alone that he had an account there, were playing dumb and were therefore further evidence of my guilt. I denied having any interest whatsoever in his files. I had no motive, I am not a vandal, nor a "data kidnapper" (datanapper?) holding files for ransom. The dude actually assaulted me. Put me in a headlock. Took a few minutes for the half dozen others present to talk him down and get him to let go. I suppose I could have pressed charges against him, but I was not hurt. He already had a lousy reputation anyway, and further damaged it with that act. His general behavior was such that he might have been autistic. He certainly was severely unsocial.

    Smart people are one of the major groups that suffer discrimination, as every nerd who survives high school learns. It's pretty unfair to be suspected and even accused every time anything happens with their rickety, aged computer systems with pathetic security, just because you might be able to do it, and they know that. The focus is all on racial and sexual discrimination, and maybe smart people don't need as much help because they are smart enough to help themselves and avoid pointless trouble for the most part. Yet I should like to see those state senators face an inquiry about having possibly committed a hate crime. Why, if the senators said the same thing about "endangering public safety" and "committing crimes" because those security testers had, say, entered a courthouse while black, social justice warriors would be all over them.
