Iowa Prosecutors Drop Charges Against Men Hired to Test Their Security

Accepted submission by exec at 2020-01-31 23:57:12
News

Story automatically generated by StoryBot Version 0.2.2 rel Testing.
Storybot ('Arthur T Knackerbracket') has been converted to Python3

Note: This is the complete story and will need further editing. It may also be covered
by Copyright and thus should be acknowledged and quoted rather than printed in its entirety.

FeedSource: [Krebs]

Time: 2020-01-31 21:13:19 UTC

Original URL: https://krebsonsecurity.com/2020/01/iowa-prosecutors-drop-charges-against-men-hired-to-test-their-security/ [krebsonsecurity.com] using UTF-8 encoding.

Title: Iowa Prosecutors Drop Charges Against Men Hired to Test Their Security

--- --- --- --- --- --- --- Entire Story Below --- --- --- --- --- --- ---

Iowa Prosecutors Drop Charges Against Men Hired to Test Their Security

Arthur T Knackerbracket has found the following story [krebsonsecurity.com]:

On Sept. 11, 2019, two security experts at a company that had been hired by the state of Iowa to test the physical and network security of its judicial system were arrested while probing the security of an Iowa county courthouse, jailed in orange jumpsuits, charged with burglary, and held on $100,000 bail. On Thursday Jan. 30, prosecutors in Iowa announced they had dropped the criminal charges. The news came while KrebsOnSecurity was conducting a video interview with the two accused (featured below).

The courthouse in Dallas County, Iowa. Image: Wikipedia.

Under the terms of their contract [arstechnica.com] (PDF), the two Coalfire employees, Gary DeMercurio and Justin Wynn, were permitted to impersonate staff and contractors, provide false pretenses to gain physical access to facilities, “tailgate” employees into buildings, and access restricted areas of those facilities. The contract said the men could not attempt to subvert alarm systems, force open doors, or access areas that require protective equipment.

When the duo’s early-morning Sept. 11 test of the security at the courthouse in Dallas County, Iowa set off an audible security alarm, they followed procedure and waited on-site for the police. DeMercurio and Wynn said when the county’s sheriff deputies arrived on the scene just a few minutes later, they told the officers who they were and why they were there, and that they’d obtained entry to the premises via an unlocked door.

“They said they found a courthouse door unlocked, so they closed it from the outside and let it lock,” Dan Goodin of Ars Technica wrote [arstechnica.com] of the ordeal in November. “Then they slipped a plastic cutting board through a crack in the door and manipulated its locking mechanism. (Pentesters frequently use makeshift or self-created tools in their craft to flip latches, trigger motion-detected mechanisms, and test other security systems.) The deputies seemed impressed.”

To assuage concerns they might be burglars, DeMercurio and Wynn produced an authorization letter detailing the job they’d been hired to do and listing the names and mobile phone numbers of Iowa state employees who could verify their story.

After contacting some of the court officials listed in the letter, the deputies seemed satisfied that the men weren’t thieves. That is, until Dallas County Sheriff Chad Leonard showed up.

“The pentesters had already said they used a tool to open the front door,” Goodin recounted. “Leonard took that to mean the men had violated the restriction against forcing doors open. Leonard also said the men attempted to turn off the alarm—something Coalfire officials vehemently deny. In Leonard’s mind that was a second violation. Another reason for doubt: one of the people listed as a contact on the get-out-of-jail-free letter didn’t answer the deputies’ calls, while another said he didn’t believe the men had permission to conduct physical intrusions.”

DeMercurio and Wynn were arrested, jailed, and held for nearly 24 hours before being released on a $100,000 bail. Initially they were charged with felony third-degree burglary and possessing burglary tools, although those charges were later downgraded to misdemeanor trespass.

What initially seemed to Coalfire as a momentary lapse of judgment by Iowa authorities quickly morphed into the surreal when state lawmakers held hearings questioning why and how someone in the state’s employ could have so recklessly endangered the safety and security of its citizens.

DeMercurio and Wynn, minus the orange jumpsuits.

Judicial Branch officials in Dallas County said in response to this grilling that they didn’t expect Coalfire’s physical penetration testing to be conducted outside of business hours. State Sen. Amy Sinclair [iowa.gov] was quoted as telling her colleagues that “the hiring of an outside company to break into the courthouses in September created ‘significant danger, not only to the contractors, but to local law enforcement, and members of the public.'”

“Essentially a branch of government has contracted with a company to commit crimes, and that’s very troubling,” lamented Iowa state Sen. Zach Whiting [iowa.gov]. “I want to find out who needs to be held accountable for this and how we can do that.”

Those strong words clashed with a joint statement released Thursday by Coalfire and Dallas County Attorney Charles Sinnard:

“Ultimately, the long-term interests of justice and protection of the public are not best served by continued prosecution of the trespass charges,” the statement reads. “Those interests are best served by all the parties working together to ensure that there is clear communication on the actions to be taken to secure the sensitive information maintained by the judicial branch, without endangering the life or property of the citizens of Iowa, law enforcement or the persons carrying out the testing.

“Such a practice endangers the effective administration of justice and our confidence in the criminal justice system,” Linholm told The Des Moines Register, which broke the news [desmoinesregister.com] of the dropped charges.

While the case against Coalfire’s employees has rallied many in the cybersecurity community around the accused, not everyone sees this dispute in black-and-white. Chris Nickerson [linkedin.com], a digital intrusion specialist and founder of LARES Consulting, said in a Twitter post Thursday [twitter.com] that “when a company puts us in harm’s way due to their poor planning, failed sales education, inadequate project management and deplorable contract management…We shouldn’t celebrate them. We should hold them accountable.”

Asked to elaborate, Nickerson referred to a recent podcast [youtube.com] which touched on the arrests.

“The things that concern me about this situation are more of the pieces of safety that exist across how the industry instruments doing these types of engagements,” Nickerson said. “They seem very, very reasonable and obvious once they become obvious but until then they’re completely foreign to people.”

“It’s really on the owners of the organization to educate the customer of those potential pitfalls,” Nickerson continued. “Because there isn’t a good standard. We haven’t all gotten together and institutionalized the knowledge that we have in our heads and dump it down to paper so that someone who is new to the field being tasked with this can go through and say, ‘Hey, did you ask them if the city versus the state versus the building owner and the real estate people…are all of these people in lock step?'”

Coalfire’s Tom McAndrew said there was also ambiguity around who actually owned the buildings the company had been hired to test.

“If you’re doing a test for the state and you walk into the building and it’s the courthouse and you’re doing a test for the court system, you’d think that they would have jurisdiction or own it, and that turned out not to be the case in this scenario because there’s some things the state owns and some things the county owns, and that was something we weren’t aware of as we did some of this work,” he said. “We didn’t understand the nuances.”

Asked what Coalfire has learned from this ordeal, McAndrew said his company is likely to insist that local, state and even federal law enforcement be informed in advance of any penetration tests, at least as far as those engagements relate to public entities.

“When we look at the contracts and we look at who’s authorized to do what…typically, if a [chief security officer] says test these IP addresses, we would say okay that’s enough,” he said. “But we’re questioning from a legal perspective at what point does that need to have legal counsel review.”

McAndrew said it’s probably time for experts from various corners of the pen testing community to collaborate in documenting best practices that might help others avoid a repeat of the scenario in Dallas County.

“There’s no standard in the industry,” he said. “When it comes to these sorts of issues in red teaming — the legal challenges and the contracts — there’s really nothing out there. There are some things that can’t be undone. There’s the mugshots that are out there forever, but even as we get the charges dropped, these are permanently going to be in the federal database. This is a permanent thing that will reside with them and there’s no legal way we’re aware of to get these charges removed from the federal database.”

McAndrew said while he remains frustrated that it took so long to resolve this dispute, he doesn’t believe anyone involved acted with malicious intent.

“I don’t think there were any bad people,” he said. “Everyone was trying to do the right things — from law enforcement to the sheriff to the judges to the county — they all had the right intentions. But they didn’t necessarily all have the right information, and possibly people made decisions at levels they weren’t really authorized to do. Normally that’s not really our call, but I think people need to be thinking about that.”

Tags: Ars Technica [krebsonsecurity.com], Chad Leonard [krebsonsecurity.com], Chris Nickerson [krebsonsecurity.com], Coalfire [krebsonsecurity.com], Dallas County [krebsonsecurity.com], Dallas County Attorney Charles Sinnard [krebsonsecurity.com], Dan Goodin [krebsonsecurity.com], Gary DeMercurio [krebsonsecurity.com], Justin Wynn [krebsonsecurity.com], Matthew Linholm [krebsonsecurity.com], Sen. Zach Whiting [krebsonsecurity.com], State Sen. Amy Sinclair [krebsonsecurity.com], Tom McAndrew [krebsonsecurity.com]


Simple typo:

“there’s no legal way we’re aware of to get these charges removed form the federal database”

Should be “FROM”

Very interesting article.

Wonder why they say the mug shots are out there forever. The companies that put up those mugshots, I thought, were supposed to take them down if proper procedures and documentation are provided. In the last few years several of the owners of these mug shot websites who failed to take down the photos, and tried to extort money for doing so, have been criminally prosecuted. So what am I missing?

My understanding is that arrest records are basically permanent. Especially when you are charged, even if those charges are later dismissed for any reason, the record of arrest still remains active somewhere in the e-world.

My boyfriend has a serious criminal history and when I did my own internet searching (I have a legal background as a paralegal) to make sure he wasn’t keeping any secrets from me, I was able to find arrest records going back 25 years online. These weren’t super easy to find, but the information was stored in publicly available government-owned databases that can be accessed for free online by anyone who knows where to look for them.

My understanding (this has happened to a few friends of mine) is also that later on in life, when you apply for any job that requires a high level security clearance, things like prior arrests (even when you aren’t actually charged with a crime) can show up in these background searches.

Lastly, just as an example, if I type in my boyfriend’s first, middle and last name and do a Google search, the first listing shown is for extreme details regarding a case in which he was convicted and then he filed an unsuccessful criminal appeal, and nothing about the case was newsworthy or particularly significant – but the listing is for a criminal court database that can be accessed for free by anyone online without registering or giving any kind of documentation.

Nickerson is very knowledgeable but not with the parties involved, hence his comments. Below, SANS Newsbite editorial comment by Skoudis from September.

Skoudis wrote, “… given the high level of experience of the pen test company involved here, as well as the local players, I suspect that local politics may be involved in this particular situation.”

https://www.sans.org/newsletters/newsbites/xxi/73 [sans.org]

There’s no doubt they were clueless. Look at the median age of those senate critters. It’s over 70. There must be some term limits so that we don’t have a geriatric circus there like we have now.

…we used to call it a “get out of jail feed card” (apologies to the makers of Monopoly)

…technically knowledgeable is not the same as politically knowledgeable is what Skoudis means…

free not feed…

You should have tagged “Kevin Mitnick”, because he’s the foremost expert in social engineering and getting into buildings without being noticed.

Mitnick is not doing that anymore. He now has a company that employers can hire to educate their employees on phishing, etc. (disclosure: my employer has hired his company.)

What’s this based on? Mitnick isn’t the foremost expert on anything but himself.

The State Police of Iowa can, and should, remove and expunge the arrest records via court order. The place where the mugshots are held is the FBI database. The FBI can be contacted and, given a legal expungement request from the issuing authority, remove the record from their database. (and replace it with the picture of the idiot grandstanding sheriff and imbecile state legislators. ) (only the last part is made up)

Coalfire can call the FBI database division (sorry, I don’t have the number handy), and they will provide all the steps necessary to complete the removal.

Once the client advised them they “did not want Coalfire to make local law enforcement aware of the ongoing engagement prior to testing”, Coalfire should have said NO. The outcome could have been far worse than a false arrest.


-- submitted from IRC
