posted by martyb on Saturday February 01 2020, @01:03PM   Printer-friendly
from the maybe-they-should-have-tried-pencil-testing,-instead? dept.

On Sept. 11, 2019, two security experts at a company that had been hired by the state of Iowa to test the physical and network security of its judicial system were arrested while probing the security of an Iowa county courthouse, jailed in orange jumpsuits, charged with burglary, and held on $100,000 bail. On Thursday Jan. 30, prosecutors in Iowa announced they had dropped the criminal charges. The news came while KrebsOnSecurity was conducting a video interview with the two accused (featured below).

[...] Under the terms of their contract (PDF), DeMercurio and Wynn were permitted to impersonate staff and contractors, provide false pretenses to gain physical access to facilities, "tailgate" employees into buildings, and access restricted areas of those facilities. The contract said the men could not attempt to subvert alarm systems, force-open doors, or access areas that require protective equipment.

When the duo's early-morning Sept. 11 test of the security at the courthouse in Dallas County, Iowa set off an audible security alarm, they followed procedure and waited on-site for the police. DeMercurio and Wynn said when the county's sheriff deputies arrived on the scene just a few minutes later, they told the officers who they were and why they were there, and that they'd obtained entry to the premises via an unlocked door.

"They said they found a courthouse door unlocked, so they closed it from the outside and let it lock," Dan Goodin of Ars Technica wrote of the ordeal in November. "Then they slipped a plastic cutting board through a crack in the door and manipulated its locking mechanism. (Pentesters frequently use makeshift or self-created tools in their craft to flip latches, trigger motion-detected mechanisms, and test other security systems.) The deputies seemed impressed."

To assuage concerns they might be burglars, DeMercurio and Wynn produced an authorization letter detailing the job they'd been hired to do and listing the names and mobile phone numbers of Iowa state employees who could verify their story.

After contacting some of the court officials listed in the letter, the deputies seemed satisfied that the men weren't thieves. That is, until Dallas County Sheriff Chad Leonard showed up.

"The pentesters had already said they used a tool to open the front door," Goodin recounted. "Leonard took that to mean the men had violated the restriction against forcing doors open. Leonard also said the men attempted to turn off the alarm—something Coalfire officials vehemently deny. In Leonard's mind that was a second violation. Another reason for doubt: one of the people listed as a contact on the get-out-of-jail-free letter didn't answer the deputies' calls, while another said he didn't believe the men had permission to conduct physical intrusions."

DeMercurio and Wynn were arrested, jailed, and held for nearly 24 hours before being released on a $100,000 bail. Initially they were charged with felony third-degree burglary and possessing burglary tools, although those charges were later downgraded to misdemeanor trespass.

-- submitted from IRC


  • (Score: 5, Interesting) by Booga1 on Saturday February 01 2020, @02:36PM (1 child)

    by Booga1 (6333) on Saturday February 01 2020, @02:36PM (#952327)

    Yeah, and a massive fail on the part of their contacts in the company "get out of jail" paperwork...

    "Another reason for doubt: one of the people listed as a contact on the get-out-of-jail-free letter didn't answer the deputies' calls, while another said he didn't believe the men had permission to conduct physical intrusions."

    When you're getting a call from the cops regarding your employees' pentesting activities, pick up the damn phone! For the second person, discussing contract terms and details of the activities should have been reserved for post-mortem review. That person should have told the deputies something simple like, "Yes, they are our employees. Yes, they were scheduled for penetration testing tonight. Yes, this is all authorized by property manager So-and-so under contract ID#123456. We can only discuss specifics directly with them. We consider this a successful and positive result on your part. Thank you for your concerns and thank you for contacting us." Even that might be too much.

    Regardless, do not debate anything with a cop. You can't win an argument with them. They'll just arrest you and let a judge sort it out.

  • (Score: 2, Insightful) by Anonymous Coward on Saturday February 01 2020, @04:19PM

    by Anonymous Coward on Saturday February 01 2020, @04:19PM (#952377)

    When you're getting a call from the cops regarding your employees' pentesting activities, pick up the damn phone!

    The reason more than one contact was on the list is precisely in case a contact was unavailable at any particular time. These days you never know when someone's phone is going to be turned off while in a bag of rice after having been dropped in the toilet.