From pen-test to penitentiary: Infosec duo cuffed after physically breaking into courthouse during IT security assessment Two men hired to assess a court record system's computer security were arrested Wednesday – after they were caught physically sneaking into a courthouse. According to the Des Moines Register today, infosec pros Gary Demercurio and Justin Wynn were cuffed by deputies in Iowa, USA, after they tripped an intruder alarm at a …
so the pen pushers who acknowledge they did indeed contract the Co to try and access the court records, are non plussed when said testers actually do their job to the fullest extent ..................
colour me surprised that the pen pushers are now having a hissy fit, and are failing to spot that their internal physical security is actually bob on, and working as designed.
I always thought that the social engineering part of the pen test was a given, and that the additional bonus of physically tryng to - for want of a better term - break in was also included in the fees paid to test the scenario fully, they should really be paying the testers a bonus for this, but somehow, I can see it not playing out that way :o(
Where do you draw the line? Should they kidnap the county treasurer and tell her they'll kill her children unless she transfers all the county's money to them? Let's see if how vulnerable the county is to an overdone Hollywood trope!
This is stupid, if a security company isn't upfront about what it is going to do as part of its testing and tries a physical breakin, they deserve what they get. I suspect in the end the charges will get dropped with the payment of court costs, in exchange for their contract being dropped without payment, and the county will hire a more reputable firm.
Agreed. I cannot fathom how supposed professional pen testers failed to be explicit about what their action included.
As usual, lack of communication creates a misunderstanding which transforms into full-blown disagreement.
One would think that experienced pen testers would have already encountered this kind of situation and amended their proposal procedures accordingly. Am I supposed to understand that these guys have never, ever had a customer argue about what was authorized in the test protocol ?
Besides, I would think it is good marketing and a show of professionalism to list to the customer all the things the test will include. On top of that, had they done that they could shove the contract in the court's face and say : hey, you signed on this.
Because if you're too explicit, it's not a fair test.
Let's say the client wants a pen test done for compliance purposes. I.e. you're there to help them tick a box on an audit form.
If the client knows how to specifically deal with your boys, they can temporarily be "on the ball" for the purposes of the pen test...bit ordinarily be garbage.
This can impact your reputation as a pen tester because you might give a gold star to a firm that doesn't deserve it, and when they get rolled over you get called out for not spotting the problem.
In this instance the courthouse is being a shitty client.
This is specifically why I don't do physical engagements and stick to software/webapp/cloud pentesting.
People are dicks.
Your post shows a complete lack of understanding of commercials. There is not one instance of any form of security testing where someone senior on the client end should not be aware of EVERY element of a scope of works - doubly so when the subject is a public court of law. If a physical access test was to be planned, then it still should have been documented within the scope of the engagement, even if not necessarily cascaded down to the guards on the ground etc so to conserve its validity of execution.
The reason this is done is to prevent the very farce that has ensued here. All it would take is one senior resource to validate the access, and all of the noise would go away.
I Agree
Every pen test I have ever commissioned has had a very detailed scope. As I'm normally commissioning new services within corporate clients they have the estate regularly pen tested and the pen test of a new app is restricted to remote working. Every work package submitted by the pen test company has been absolutely explicit that physical access would not be required.
> restricted to remote working
Doesn't that run the risk of missing internal and side-channel vulnerabilities? I expect you have that covered, but it's not entirely clear to me from your brief comment.
I recently saw the results of a pen test where the testers had gained Domain Admin rights and then went on to exploit that in a chain of events that ultimately meant they were detected by a secondary mechanism - but it created a lot of clean-up work.
What if the customer doesn't know what they don't know? You could argue the testing company should have been explicit that physical access might be attempted.
You could equally argue that what's being tested is information security in the wider sense which includes physical controls, HR processes and refuse disposal, not just IT security.
Performing an actual break in as part of a test seems incredibly risky, what if in the dark one of the cops sent to the scene thinks they see a gun and kills one of the "pen testers"? This is the US, after all. I can't imagine any tester willingly participating in this, or any governmental body agreeing to it.
I also can't believe that any sort of accreditation would REQUIRE an attempted ACTUAL break in completely unsupervised. If a walk thru to look for weak points like unlocked windows or easy to pick locks on unalarmed back doors in dim lighting isn't good enough, then you'd have guys trying to perform a break in under the watchful eye (and protection!) of guards/police. I doubt any legit company EVER tries an actual break in where a real police response thinking it is an actual crime in progress may result. Only a moron would agree to that, on either the side of the company, the government, or the company employee.
Something is fishy here, I wonder if the people who were caught were acting outside their authority and figured with the knowledge they had from their pen testing they could break in and commit an actual crime, but have plausible deniability. "Someone else exploited the weaknesses we had identified and were in the process of documenting in our report". If part of what they'd identified so far was "password to county bank account containing millions of dollars is on a sticky note" then getting inside would be all that would be required for them to easily steal money...if those damn cops hadn't shown up!
Yup, "scope" must be explicitly agreed upon at an appropriate level for the test to be meaningful. End of story... mostly.
The funny thing is that, yes, it should be a high up official, meaning that maybe guards and officers should not have been warned, which then means that the testers should have been cuffed, what fun--but then they should already have been released. Come to think of it, they should have had a number to call to get released. Yup, these things should have been worked out before any physical access was attempted.
You've never dealt with senior management, clearly.
A senior manager may have brought them in to prove that his implementation was sound to upper managerment. When he saw his arse he could have thrown the penntesters under the bus.
The senior management may not have had executive consent. Senior management is a fucking rat's nest of scum bags. They aren't there because they're the golden bunch, they're there because they're a liability on the front line.
There is no argument for the client being reasonable in this case. They are arseholes.
I deal directly with upper management / executives in my line of work as a matter of course for client communication purposes mainly to prevent any shenanigans. Specifically to keep them in the loop and to prevent any middle management bullshit from occurring.
Throwing a contractor / supplier under the bus is a classic permie jobsworth move.
If I can't keep someone with accountability in the loop, I ain't helping...I'm out of there.
"When he saw his arse he could have thrown the penntesters under the bus."
That's why pentesters must have a written contract detailing what the parameters are, and carry it with them. If you have it in writing, then it doesn't matter if an executive tries to claim the acts weren't authorized later on.
"Senior management is a fucking rat's nest of scum bags. They aren't there because they're the golden bunch, they're there because they're a liability on the front line."
This.
It took me decades to accept the truth of this reality. I wish there were some way of convincing young people entering the workplace that this is how it is.
Security consultants are hired to help you find any deficiencies in your processes and procedures. They get paid regardless of whether they find anything. It's beneficial if they can point out things that you can address. The actual audit is just validating that you are in fact secure. Customers aren't hiring you to see what your audit vulnerability score is. They want to know that vulnerabilities that they don't know about, because they don't have the consultants expertise, are identified so that they can be fixed.
If I contracted a company to do penetration tests on my electronic systems, I would NOT expect them to be trying to get physical access to my data centers. If I'm worried about physical security, I'd hire someone who specializes in that. And in both cases the contract would define the scope to avoid misunderstandings or damage to systems or property.
Has similiar situation. Asked to test security on a new service. Phoned help desk and asked for passwords and got them without question.
Any heads up would have invalidated that test. Procedures did exist but were not being followed. A few red faces improves security. Same with tailgating. You cant tell everyone what you are going to test in advance when social engineering is involved.
It would be stupid to tell the security guards to expect a fake break in attempt on Thursday. It would be just as stupid to tell their manager.
Who says you'd tell the guards or their manager? But SOMEONE would have to know, to insure the cops aren't called, or better yet to have the cops watching it go down from a distance so they could intervene if things get dangerous (like a security guard who isn't supposed to be armed pulling out a personal gun)
The idea such a test would be conducted where NO ONE that hired in the company would know that they planned to try to break in is simply not credible on its face. No one does that.
"Because if you're too explicit, it's not a fair test."
It's not a true test in any case, there are many things that a real criminal might try that a law abiding firm cannot.
So when doing a test like this, someone sufficiently senior should always be fully aware of what's going on, even if the staff on the ground are not. The idea being that if you get caught, the incident is escalated to the senior guy within the target organisation who is aware and the test stops at that point before getting escalated to external agencies like the police.
In many cases a test has to be totally contrived so you can test multiple layers of their defence. You might not be able to breach their first layer in the limited time that you have, but that's not to say its impossible. You also want to take an "assume breach" scenario where someone has breached any number of the layers, so you can test the lower layers more thoroughly.
Hacks are highly opportunistic, for instance someone who's usually on the ball and won't fall for common scans might be having a bad day and let something through.
You'd normally have it covered, even if in a vague way "may enter client premises to perform tests at any time during dates between x and y without advance notice and without displaying ID" and leave it to the client to misunderstand that as public areas or during office hours.
I have worked in various aspects of physical security, it is easy to assess that without actually trying to break in to the building.
If they include that aspect of security in addition to actual infosec then they need to know a little more.
The fact that they got caught shows not only that the physical security works but also that they didn't do enough homework.
"The fact that they got caught shows not only that the physical security works but also that they didn't do enough homework."
They may have done their homework but the security was good enough to catch them. I doubt the client would hand them all of the data on the security systems. If a bad guy has that, they have a huge advantage and issues are somewhere else in the company being tested. If the pen testers are able to get the security systems documentation somehow and use it to bypass stuff, that's a really big problem.
relying on obscurity to hide serious flaws is not a good approach
Which is why it seems to be standard practice at both ends of the IT world. At the bottom end (especially for Internet-of-Tat), the cheapskates don't want to invest in security; at the upper end, they have the clout to sue anyone who looks too closely at their wares.
This was a fair measure of testing, as physical access is also a core requirement for meeting any compliance and legal obligations.
As for Coalfire, they're a massive organisation you've never heard of, especially in the PCI-DSS world (They are the auditors for AWS).
Surely they have the money to bail out their employees then?
Looking at the blandness of that Coalfire statement it seems fairly certain that they've already spent all their money on lawyers.
There's some arse-covering going on there, and some lawyer has persuaded them that bailing out their employees might be seen as an admission of corporate failure. They want to keep the option of claiming that the two men overstepped the mark and acted of their own accord.
"They want to keep the option of claiming that the two men overstepped the mark and acted of their own accord."
If Coalfire knows that the pentesters were acting as instructed and is trying to cover its own ass by throwing them under the bus (or even just keeping that option open), then that should serve as a huge warning to all Coalfire employees that perhaps they should rethink who they work for.
Clearly, this is all about the company lawyers covering their asses for not doing their job properly, while hanging out to dry the technical folks, who did their job to the best of their ability. Keeping in mind always that the legal beagles no doubt get paid no matter how it turns out for the company, or for the employees.
"Where do you draw the line?"
Pentesters can't break the law -- that's the line. Pentesters operate within the law by having permission for their activities. Breaking in? Totally legal if you have the proper permission. Kidnapping? Cant' ever be legal, since you can't give legitimate permission to assault someone else.
If they had the "proper permission" to break in, this would have never been in the news because they could have produced the signed statement giving them that permission. And if the "permission" was buried in the fine print of a contract, that's not going to fly as "permission".
"The state court administration issued an apology Wednesday to Dallas County officials, who are continuing to investigate the break-in." (from the linked article).
It can be unclear who does and does not have the authority to authorize said activity.
I'd want a signed brief document by some official that clearly states that they both have the authority and give permission.
This post has been deleted by its author
What was the scope of the testing? If the company didn't make it clear that the testing could include measures up to and including physically breaking and entering premises then they could be in trouble.
Unfortunately I'm guessing that the customer here has probably given a vague scope of works, "we need a security test", and the supplier hasn't made it clear within the contract documents what that will entail. Howeve I'd have hoped that this would soon become a case between customer and supplier and the employees will be taken out of the firing line.
Why would any security company want to attempt a break in where an actual police response would result? The liability is huge if a cop thinks they see a gun in the dark and kills one of the security company employees.
The more I think about the more I think these employees were attempting an actual crime, and figured they'd have a get out of jail free card by claiming it was part of their testing. The security company is probably confused as to what was going on but isn't ready to hang them out to dry just yet - not until their lawyers have fully explored their potential legal liability.
Why would any security company want to attempt a break in where an actual police response would result?
The naivety here is yours - such a break in that could result in actual police response is ROUTINE for a physical penetration tester.
Whether these guys were performing a routine physical penetration test and the client didn't bother read the scope of the test, or whether these guys were exceeding the scope, remains to be seen. Each are equally possible -- but remember that the court has ALREADY admitted that they hired these guys, ALREADY apologized to the county for not keeping them in the loop, and Coalfire is one of the BIGGEST and MOST REPUTABLE private security auditing companies out there.
Also, you are more likely to be shot in a routine traffic stop than during a physical penetration test, and you are more likely to be shot by private security than you are the police. Everything carries risk, but such risk for a penetration tester is infinitesimally small.
"Everything carries risk, but such risk for a penetration tester is infinitesimally small."
If caught, pen testers will immediately follow the orders of the police and have been trained for that. An officer may have their weapon out, but they aren't that likely to shoot if the person is complying with them and not being a dick.
You let the officer put the cuffs on, blood pressure and heart rates drop and you would then let them know you have been contracted to test the security of the facility. They won't let you go right away, but they should follow up on that statement and contact the person that could vouch for you. The cops may not be very happy about it, but you wouldn't likely be banged up in the slammer overnight.
Unless its dark, and a trigger happy cop sees a shadow in the right place to make him think there's a gun your hand. An unarmed person is shot by a cop dozens of times a year in the US, so often it usually doesn't make the news unless someone raises a stink.
I live in a city of under 100K and it happened here about 15 years ago, cops got an alarm from a business and entered the premises and believed they saw someone with a gun in their hand and shot him dead. It was the business owner, he had accidentally tripped the alarm and was waiting on hold with the security company to clear it.
Only an idiot would agree to do something like this as part of a job. Or someone hoping to train for a second "career" after they quit pen testing.
"Howeve I'd have hoped that this would soon become a case between customer and supplier and the employees will be taken out of the firing line."
If that's the case, then they probably will be -- but they may have to go to court and prove that they were operating in good faith and it's their employer that screwed up. I suspect that if that's the situation, then the pentesters may be able to win a rather juicy lawsuit against their employers, too.
This is a break-in and entry. That they got caught is an aside and not worthy right now.
There will be entities at gov level pushing for even more grasp and control on any cybersec/pentest etc.
There will be tenuous, vague correlations drawn, en-masse and deliberately to make not only another taxable income via businesses, but an especially strongly regulated "activity documentation declaration" where commercial security entities will be required to divulge not only activity, but clients hiringtheir sevices and tools and techniques and a whole load of skills that the 3/4 character agencies assimilate. The bonus is the commercial or private sec outfit will be charged (tax wise) to basically give the gov training.
In the end, it (specialised licensing) will happen in 4 years or less, i say.
Pen-testers usually have a solid understanding of their scope before starting an engagement, and won't stray beyond it unless there is a formal change of scope, or permission in writing (anything to CYA). SwiftOnSecurity said it well; this doesn't sound like over-eagerness on the pen-testers part.
Guess we'll see what the courts have to say; hope these guys don't get a criminal record out of this...
"hope these guys don't get a criminal record out of this."
They'll have a record of being arrested. Sadly, in the US, that is nearly as bad as being convicted (in terms of impact on your ability to rent a place to live, get a job, etc.) even if you were found not guilty.
It's not false at all, although this may vary from state to state. I know more than one person who have real problems because they were arrested, even though they were later found innocent or had the charges dropped.
Here's a reasonably good description of the problem: https://www.usatoday.com/story/news/nation/2015/09/20/criminal-records-expunged/72532932/
And how many of those people you know have been actually denied the ability to rent an apartment or apply for a job because of the arrest and dismissal? Arrest history that does not lead to a conviction is banned in hiring decisions, just like race and religion.
An arrest raises questions. Questions get answered, and you carry on.
"Arrest history that does not lead to a conviction is banned in hiring decisions, just like race and religion."
Those records don't always sit side by side in a database. The Big Data company an employer uses to vet people may only show the arrest record. The HR department may not be diligent enough to dig deeper to see if there was a conviction. One of the big issues at present is these Big Data companies aren't required to uphold any record quality standards. If they have you down for domestic violence, you may never hear about it. You just won't get called for any interviews.
I've heard people say that they wouldn't employ someone that's been arrested. It's an unreasonable and silly stance to adopt but recruiting managers can be unreasonable and silly too.
It's also not illegal under some circumstances. See the example quoted on https://work.chron.com/can-still-job-got-arrested-but-not-convicted-21382.html
Totally true Im afraid. When you enter the US they dont ask if you have been convicted at all. Just if you have been arrested.
They dont ask if you have political convictions they ask "have you ever done anything to undermine the current government" I'm always tempted to write Yes, I voted for the opposition.
Sometimes you are asked if you have ever been "convicted"... But sometimes you are asked if you have ever been "arrested".
This can happen on security clearance processes, job applications, visa applications etc. Having been arrested and subsequently released without charge is not as bad as being convicted, but it can still be damaging in some circumstances.
The fog of embarrassment is already strong with this story. Though most news outlets keep repeating "Dallas County Courthouse" along with images of the historic property, the building they apparently attempted to enter was a much bleaker looking county office around the corner at 908 Court St.
Their bond was set at $50,000.
"Authorities later found out the state court administration did, in fact, hire the men to attempt "unauthorized access" to court records "through various means" in order to check for potential security vulnerabilities of Iowa's electronic court records, according to Iowa Judicial Branch officials."
"The state court administration issued an apology Wednesday to Dallas County officials, who are continuing to investigate the break-in."
I assume this is about the local officials vs state officials and these two are just caught in the middle.
Cash bail is also turning into a political ball in play in the upcoming presidential election.
In case people missed it, Bernie Sanders said it was a bad thing that 200,000 Americans are in jail because they can't pay lots of money for their bail bonds. Politifact then said this was only half true because the actual number is 400,000.
Still a lot of people to lock up for not being rich.
"Still a lot of people to lock up for not being rich."
I'd like to see numbers on what percentage of those people are eventually convicted or given a not proven decision. I've managed to have not been arrested for anything in my lifetime. Watching the cop shows on TV, many of the people they haul downtown are not 9 to 5'rs. They look the part of somebody that should be in jail or watched very closely.
California was making noise about eliminating bail all together. You would be held without bail in the case of a murder/rape/serious assault or would be released with a notice to appear. I know the police were very unhappy about that.
Unfortunately, this is very black and white. Unless their documented scope of works includes a physical attempt at gaining access they have broken the law. At very best I would suspect they would have a physical inspection and desktop review of the physical system.
Had they wanted a physical attempt conducted I am sure court officials would need to be present to deal with any unexpected outcomes.
They use the words "Forced Entry" and "Break-in" what do they mean by this?
An exaggeration on their part or have the pen testers actually done something untoward?
I agree with the guy above though if physical access is mentioned in the contract, keep a copy with you incase you get busted
Alternatively, one day in the court house...
Official: "Names... OK, you are... scheduled in court on We.... hang on... I'm sure that screen just changed. Well, it says here that you are free to go, and *querulous tone* I'm to give you $10,000 each and a hall pass for a threesome with my wife? Well, OK. I mean, the computer can't be wrong."
Pen-testers: "FAIL".
Red teaming with physical access is a thing.
If it was in scope, then no-one should attempt it without a "get out of jail free" letter from the relevant very senior authority to protect yourself. In this case, a countersignature by the relevant PD would be advisable.
No letter, no physical access attempts. End of. In the US of A, I'd request a bulletproof best as well...
If it wasn't in scope, three things arise:
1. A crime has probably been committed - whatever the motivation
2. The pentesters were effectively carrying out unpaid work as it was not in the scope
3. The pentesters were not insured either.
Last, a break-in is crazy. If you want to put a USB keylogger on a PC or WIFI bridge on the wired LAN, there are easier ways to do it. Bribe the cleaner, break the Wifi or printer from outside the building, then turn up to "repair" it... Imagination, people...
"Bribing the cleaner is actually a more serious crime"
I don't think I've ever heard of bribing people being used in a pen test. That sort of thing is just to hard to control for. Most companies (and government) are much more concerned with theft of data or access through other means. Just about anybody can be bought. It's just a matter of price.
In my experience with pentesters, there is always a contract that clearly spells out what the pentesters can and cannot do (for obvious reasons).
So, either those pentesters were working within the terms of the contract or they weren't. This should be a simple matter to determine. If they weren't, then they were attackers with unknown motives, and the courthouse should probably scour their facilities to ensure that those guys didn't plant any devices on their network.
> In my experience with pentesters, there is always a contract that clearly spells out what the pentesters can and cannot do
First I've heard of such a contract, I think the pentesters were showing good initiative in assessing the courts computer security system. If they had succeeded then that would mean anyone and his dog could have done so, therefore rendering the validity of such records tainted. In my experience it would have been easier accessing the home computers of the officers of the court through a combination of hacking and social engineering. First thing would be to create an org chart of the organization. You can do this using employment sites like LinkedIn and seeing what particular IT skills they are looking to hire. Then using this information to guess the nature of the IT platform they're on. Then create a duplicate system at your place and run pen testing against this at your leisure. Then when you have discovered a workable hack, run this against the target system, at night over the weekend, using the valid employee credentials you garnered earlier. Generally hacking consists of accessing a particular machine using a restricted account and then promoting the account to full system access. If the machine you're on won't allow account promotion then you use path traversal to move to one that does. The network attached printer is usually the easiest way in or the wireless router. You can sit in the parking garage while you do it, no one will bother you, there is no charge for this service.
I would just like to say that JohnFen's responses and explanations are excellent examples of how to cut through all the hyperbole and knee-jerkism and get to the issue's core.
JohnFen's explanation of exactly how a "responsible" pentesting firm would have approached this particular kind of test is, I feel, pretty much the only response that doesn't play to the gallery, and is eminent common sense. Not only that, it tallies with the very few examples of the field I am aware of in any detail.
Thanks, JohnFen.
However, I would just like to join the fun by posting my own conspiracy theory of How It All Might Have Happened:
Manager A: I hate Sid and Frank. They are lazy troublemakers
Manager B: Me too. I have an idea. Follow my lead. Sid! Frank! We need you to break into the courthouse tonight and see if you can access the computers. You can have double time and an extra vacation day each once the exercise is over. You'll do it? Swell!
Manager A: Good lads! This'll mean promotions!
That night Sid and Frank are arrested while breaking into the courthouse
Manager B: Can't think what possessed them to do it!
Manager A: Me neither!
I now return you to your regularly scheduled hooting and hollering.
""The company was asked to attempt unauthorized access to court records through various means to learn of any potential vulnerabilities. SCA did not intend, or anticipate, those efforts to include the forced entry into a building.""
Was physical access part of the scope talked about with the client but the words "various means" the language in the contract?
If gaining access to the hardware was really simple (apparently it isn't), it would matter little that there is robust firewall in place. I can envision a powerful person that's been arrested for a serious crime to have the money to hire a person/team to break into a facility and backdoor the network via physical access to the computer system. Depending on what's there, people could play merry hell with the court by changing and deleting all sorts of records that could lead to the person getting let off. Transcript of depositions could be changed. Evidence information deleted. Lab results altered. Physical evidence ordered destroyed or moved breaking the chain of custody and unusable.
I have to belive that Coalfire has a very robust set of contracts and scope of work documents. You don't get to the size they are by playing fast and loose. Employees would not be taking it on themselves to do tasks, they'd be assigned things to do. A contract involving physical side testing would also be much more expensive than just remote analysis. If the testers weren't local, there would be travel vouchers and stuff. All of the companies I have worked with would never allow anybody to just run up travel expenses without a manager sign off or a job number referenced. If I were putting charges on my own card, I'd make damn sure I had a manager sign off in advance so I'd get reimbursed. I would also likely be given a budget.
The Court being pissy because another organisation organised a pen test without telling them?
The pen testers might have all the expected authorisation, but not from the local court who have them in clink.
So, many political points being scored with the pen testers stuck in the middle?
Reading this i cant help but think its just a case of left vs right hand, and someone senior doubling down to not look like a tit.
Pure speculation but...
Pen testers hired by IT/Legal dept, verbose proposal of test, full of big unapollogetically technical words lands on a senior mangements desk, gets delegated down the chain of command, full content not known by person at top who also couldnt be arsed to read the summary reports that bubbled up the chain.
Scheduled physical pen test occurs, and they get busted, facilities go round high fiving each other job well done, as senior in charge of commisioning pen test didnt read proposal facilities were unaware that this was legit, testers get arrested.
Senor in charge of pen test realises they have ballsed up chooses to come clean or throw them under bus
Can only hope that the damage done to the horizontally promoted seat occupiers career is handled with a swift retirement or idefinite gardening leave with a big red DO NOT HIRE stamp on their cv....
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
