back to article From pen-test to penitentiary: Infosec duo cuffed after physically breaking into courthouse during IT security assessment

Two men hired to assess a court record system's computer security were arrested Wednesday – after they were caught physically sneaking into a courthouse. According to the Des Moines Register today, infosec pros Gary Demercurio and Justin Wynn were cuffed by deputies in Iowa, USA, after they tripped an intruder alarm at a …

  1. IceC0ld Silver badge

    Pen Testing to Penitentiary Testing

    so the pen pushers who acknowledge they did indeed contract the Co to try and access the court records, are non plussed when said testers actually do their job to the fullest extent ..................

    colour me surprised that the pen pushers are now having a hissy fit, and are failing to spot that their internal physical security is actually bob on, and working as designed.

    I always thought that the social engineering part of the pen test was a given, and that the additional bonus of physically tryng to - for want of a better term - break in was also included in the fees paid to test the scenario fully, they should really be paying the testers a bonus for this, but somehow, I can see it not playing out that way :o(

    1. Anonymous Coward
      Anonymous Coward

      Doing their job to the fullest extent?

      Where do you draw the line? Should they kidnap the county treasurer and tell her they'll kill her children unless she transfers all the county's money to them? Let's see if how vulnerable the county is to an overdone Hollywood trope!

      This is stupid, if a security company isn't upfront about what it is going to do as part of its testing and tries a physical breakin, they deserve what they get. I suspect in the end the charges will get dropped with the payment of court costs, in exchange for their contract being dropped without payment, and the county will hire a more reputable firm.

      1. Pascal Monett Silver badge

        Re: hire a more reputable firm

        Agreed. I cannot fathom how supposed professional pen testers failed to be explicit about what their action included.

        As usual, lack of communication creates a misunderstanding which transforms into full-blown disagreement.

        One would think that experienced pen testers would have already encountered this kind of situation and amended their proposal procedures accordingly. Am I supposed to understand that these guys have never, ever had a customer argue about what was authorized in the test protocol ?

        Besides, I would think it is good marketing and a show of professionalism to list to the customer all the things the test will include. On top of that, had they done that they could shove the contract in the court's face and say : hey, you signed on this.

        1. Anonymous Coward
          Anonymous Coward

          Re: hire a more reputable firm

          Because if you're too explicit, it's not a fair test.

          Let's say the client wants a pen test done for compliance purposes. I.e. you're there to help them tick a box on an audit form.

          If the client knows how to specifically deal with your boys, they can temporarily be "on the ball" for the purposes of the pen test...bit ordinarily be garbage.

          This can impact your reputation as a pen tester because you might give a gold star to a firm that doesn't deserve it, and when they get rolled over you get called out for not spotting the problem.

          In this instance the courthouse is being a shitty client.

          This is specifically why I don't do physical engagements and stick to software/webapp/cloud pentesting.

          People are dicks.

          1. Aristotles slow and dimwitted horse Silver badge

            Re: hire a more reputable firm

            Your post shows a complete lack of understanding of commercials. There is not one instance of any form of security testing where someone senior on the client end should not be aware of EVERY element of a scope of works - doubly so when the subject is a public court of law. If a physical access test was to be planned, then it still should have been documented within the scope of the engagement, even if not necessarily cascaded down to the guards on the ground etc so to conserve its validity of execution.

            The reason this is done is to prevent the very farce that has ensued here. All it would take is one senior resource to validate the access, and all of the noise would go away.

            1. PM from Hell

              Re: hire a more reputable firm

              I Agree

              Every pen test I have ever commissioned has had a very detailed scope. As I'm normally commissioning new services within corporate clients they have the estate regularly pen tested and the pen test of a new app is restricted to remote working. Every work package submitted by the pen test company has been absolutely explicit that physical access would not be required.

              1. tfewster Silver badge

                @PM from Hell Re: hire a more reputable firm

                > restricted to remote working

                Doesn't that run the risk of missing internal and side-channel vulnerabilities? I expect you have that covered, but it's not entirely clear to me from your brief comment.

                I recently saw the results of a pen test where the testers had gained Domain Admin rights and then went on to exploit that in a chain of events that ultimately meant they were detected by a secondary mechanism - but it created a lot of clean-up work.

                1. Grooke

                  Re: @PM from Hell hire a more reputable firm

                  This is something a good security firm should make clear. Explain and document the limits and shortfalls of the agreed tests. But at the end of the day, if the customer doesn't want you to test something, you don't.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: @PM from Hell hire a more reputable firm

                    What if the customer doesn't know what they don't know? You could argue the testing company should have been explicit that physical access might be attempted.

                    You could equally argue that what's being tested is information security in the wider sense which includes physical controls, HR processes and refuse disposal, not just IT security.

            2. Anonymous Coward
              Anonymous Coward

              Even then

              Performing an actual break in as part of a test seems incredibly risky, what if in the dark one of the cops sent to the scene thinks they see a gun and kills one of the "pen testers"? This is the US, after all. I can't imagine any tester willingly participating in this, or any governmental body agreeing to it.

              I also can't believe that any sort of accreditation would REQUIRE an attempted ACTUAL break in completely unsupervised. If a walk thru to look for weak points like unlocked windows or easy to pick locks on unalarmed back doors in dim lighting isn't good enough, then you'd have guys trying to perform a break in under the watchful eye (and protection!) of guards/police. I doubt any legit company EVER tries an actual break in where a real police response thinking it is an actual crime in progress may result. Only a moron would agree to that, on either the side of the company, the government, or the company employee.

              Something is fishy here, I wonder if the people who were caught were acting outside their authority and figured with the knowledge they had from their pen testing they could break in and commit an actual crime, but have plausible deniability. "Someone else exploited the weaknesses we had identified and were in the process of documenting in our report". If part of what they'd identified so far was "password to county bank account containing millions of dollars is on a sticky note" then getting inside would be all that would be required for them to easily steal money...if those damn cops hadn't shown up!

              1. sfcfsbcn

                Re: Even then

                100% agree. They could have been shot by police. Either they are completely stupid or there is something more to this story.

            3. GnuTzu Silver badge

              Re: hire a more reputable firm

              Yup, "scope" must be explicitly agreed upon at an appropriate level for the test to be meaningful. End of story... mostly.

              The funny thing is that, yes, it should be a high up official, meaning that maybe guards and officers should not have been warned, which then means that the testers should have been cuffed, what fun--but then they should already have been released. Come to think of it, they should have had a number to call to get released. Yup, these things should have been worked out before any physical access was attempted.

            4. Anonymous Coward
              Anonymous Coward

              Re: hire a more reputable firm

              You've never dealt with senior management, clearly.

              A senior manager may have brought them in to prove that his implementation was sound to upper managerment. When he saw his arse he could have thrown the penntesters under the bus.

              The senior management may not have had executive consent. Senior management is a fucking rat's nest of scum bags. They aren't there because they're the golden bunch, they're there because they're a liability on the front line.

              There is no argument for the client being reasonable in this case. They are arseholes.

              I deal directly with upper management / executives in my line of work as a matter of course for client communication purposes mainly to prevent any shenanigans. Specifically to keep them in the loop and to prevent any middle management bullshit from occurring.

              Throwing a contractor / supplier under the bus is a classic permie jobsworth move.

              If I can't keep someone with accountability in the loop, I ain't helping...I'm out of there.

              1. JohnFen Silver badge

                Re: hire a more reputable firm

                "When he saw his arse he could have thrown the penntesters under the bus."

                That's why pentesters must have a written contract detailing what the parameters are, and carry it with them. If you have it in writing, then it doesn't matter if an executive tries to claim the acts weren't authorized later on.

              2. Simon Reed
                Big Brother

                I am so stealing this

                "Senior management is a fucking rat's nest of scum bags. They aren't there because they're the golden bunch, they're there because they're a liability on the front line."

                This.

                It took me decades to accept the truth of this reality. I wish there were some way of convincing young people entering the workplace that this is how it is.

          2. JohnFen Silver badge

            Re: hire a more reputable firm

            "Because if you're too explicit, it's not a fair test."

            Not true. Typically, only one or two people are aware that the test is happening and what the parameters are. Being 100% clear is essential and doesn't invalidate the test.

            1. HereIAmJH

              Re: hire a more reputable firm

              Security consultants are hired to help you find any deficiencies in your processes and procedures. They get paid regardless of whether they find anything. It's beneficial if they can point out things that you can address. The actual audit is just validating that you are in fact secure. Customers aren't hiring you to see what your audit vulnerability score is. They want to know that vulnerabilities that they don't know about, because they don't have the consultants expertise, are identified so that they can be fixed.

              If I contracted a company to do penetration tests on my electronic systems, I would NOT expect them to be trying to get physical access to my data centers. If I'm worried about physical security, I'd hire someone who specializes in that. And in both cases the contract would define the scope to avoid misunderstandings or damage to systems or property.

            2. teknopaul Silver badge

              Re: hire a more reputable firm

              Has similiar situation. Asked to test security on a new service. Phoned help desk and asked for passwords and got them without question.

              Any heads up would have invalidated that test. Procedures did exist but were not being followed. A few red faces improves security. Same with tailgating. You cant tell everyone what you are going to test in advance when social engineering is involved.

              It would be stupid to tell the security guards to expect a fake break in attempt on Thursday. It would be just as stupid to tell their manager.

              1. Anonymous Coward
                Anonymous Coward

                Re: hire a more reputable firm

                Who says you'd tell the guards or their manager? But SOMEONE would have to know, to insure the cops aren't called, or better yet to have the cops watching it go down from a distance so they could intervene if things get dangerous (like a security guard who isn't supposed to be armed pulling out a personal gun)

                The idea such a test would be conducted where NO ONE that hired in the company would know that they planned to try to break in is simply not credible on its face. No one does that.

          3. Joe Montana

            Re: hire a more reputable firm

            "Because if you're too explicit, it's not a fair test."

            It's not a true test in any case, there are many things that a real criminal might try that a law abiding firm cannot.

            So when doing a test like this, someone sufficiently senior should always be fully aware of what's going on, even if the staff on the ground are not. The idea being that if you get caught, the incident is escalated to the senior guy within the target organisation who is aware and the test stops at that point before getting escalated to external agencies like the police.

            In many cases a test has to be totally contrived so you can test multiple layers of their defence. You might not be able to breach their first layer in the limited time that you have, but that's not to say its impossible. You also want to take an "assume breach" scenario where someone has breached any number of the layers, so you can test the lower layers more thoroughly.

            Hacks are highly opportunistic, for instance someone who's usually on the ball and won't fall for common scans might be having a bad day and let something through.

          4. Anonymous Coward
            Anonymous Coward

            Re: hire a more reputable firm

            You'd normally have it covered, even if in a vague way "may enter client premises to perform tests at any time during dates between x and y without advance notice and without displaying ID" and leave it to the client to misunderstand that as public areas or during office hours.

      2. Chris G Silver badge

        Re: Doing their job to the fullest extent?

        I have worked in various aspects of physical security, it is easy to assess that without actually trying to break in to the building.

        If they include that aspect of security in addition to actual infosec then they need to know a little more.

        The fact that they got caught shows not only that the physical security works but also that they didn't do enough homework.

        1. MachDiamond Silver badge

          Re: Doing their job to the fullest extent?

          "The fact that they got caught shows not only that the physical security works but also that they didn't do enough homework."

          They may have done their homework but the security was good enough to catch them. I doubt the client would hand them all of the data on the security systems. If a bad guy has that, they have a huge advantage and issues are somewhere else in the company being tested. If the pen testers are able to get the security systems documentation somehow and use it to bypass stuff, that's a really big problem.

          1. Joe Montana

            Re: Doing their job to the fullest extent?

            Having data on a system should not enable you to break that system unless there are serious flaws with it... Most security systems are available on the open market to be studied, relying on obscurity to hide serious flaws is not a good approach.

            1. SImon Hobson Silver badge
              FAIL

              Re: Doing their job to the fullest extent?

              relying on obscurity to hide serious flaws is not a good approach

              Which is why it seems to be standard practice at both ends of the IT world. At the bottom end (especially for Internet-of-Tat), the cheapskates don't want to invest in security; at the upper end, they have the clout to sue anyone who looks too closely at their wares.

        2. Anonymous Coward
          Anonymous Coward

          Re: Doing their job to the fullest extent?

          > I have worked in various aspects of physical security, it is easy to assess that without actually trying to break in to the building.

          True. My guess is that they were hoping to install a keylogger.

          1. Anonymous Coward
            Anonymous Coward

            Re: Doing their job to the fullest extent?

            Why would they need to break in to do that? Couldn't do that while they were doing the audit? Or are you suggesting they were installing a keylogger for "personal use"?

      3. K

        Re: Where do you draw the line?

        This was a fair measure of testing, as physical access is also a core requirement for meeting any compliance and legal obligations.

        As for Coalfire, they're a massive organisation you've never heard of, especially in the PCI-DSS world (They are the auditors for AWS).

        1. Anonymous Coward
          Anonymous Coward

          Re: Where do you draw the line?

          "As for Coalfire, they're a massive organisation you've never heard of, especially in the PCI-DSS world (They are the auditors for AWS)."

          Surely they have the money to bail out their employees then?

          1. Rich 11 Silver badge

            Re: Where do you draw the line?

            Surely they have the money to bail out their employees then?

            Looking at the blandness of that Coalfire statement it seems fairly certain that they've already spent all their money on lawyers.

            There's some arse-covering going on there, and some lawyer has persuaded them that bailing out their employees might be seen as an admission of corporate failure. They want to keep the option of claiming that the two men overstepped the mark and acted of their own accord.

            1. JohnFen Silver badge

              Re: Where do you draw the line?

              "They want to keep the option of claiming that the two men overstepped the mark and acted of their own accord."

              If Coalfire knows that the pentesters were acting as instructed and is trying to cover its own ass by throwing them under the bus (or even just keeping that option open), then that should serve as a huge warning to all Coalfire employees that perhaps they should rethink who they work for.

              1. amusedscientist

                Re: Where do you draw the line?

                Clearly, this is all about the company lawyers covering their asses for not doing their job properly, while hanging out to dry the technical folks, who did their job to the best of their ability. Keeping in mind always that the legal beagles no doubt get paid no matter how it turns out for the company, or for the employees.

      4. JohnFen Silver badge

        Re: Doing their job to the fullest extent?

        "Where do you draw the line?"

        Pentesters can't break the law -- that's the line. Pentesters operate within the law by having permission for their activities. Breaking in? Totally legal if you have the proper permission. Kidnapping? Cant' ever be legal, since you can't give legitimate permission to assault someone else.

        1. Anonymous Coward
          Anonymous Coward

          Re: Doing their job to the fullest extent?

          If they had the "proper permission" to break in, this would have never been in the news because they could have produced the signed statement giving them that permission. And if the "permission" was buried in the fine print of a contract, that's not going to fly as "permission".

    2. ZenCoder

      Re: Pen Testing to Penitentiary Testing

      "The state court administration issued an apology Wednesday to Dallas County officials, who are continuing to investigate the break-in." (from the linked article).

      It can be unclear who does and does not have the authority to authorize said activity.

      I'd want a signed brief document by some official that clearly states that they both have the authority and give permission.

    3. TRT Silver badge

      Re: Pen Testing to Penitentiary Testing

      If they get sent to prison, they could up making biros for the next 8 to 10. I bet they get put in quality control.

      1. This post has been deleted by its author

  2. ThatOne Silver badge
    Devil

    Naivety...

    The court paid said pen testers to get a certificate of conformity, not to be actually tested.

    1. ZenCoder
      Joke

      Re: Naivety...

      Security should have been more understanding when they explained that they were under contract to officially document any alleged incompetence.

      1. 0laf Silver badge
        Facepalm

        Re: Naivety...

        What was the scope of the testing? If the company didn't make it clear that the testing could include measures up to and including physically breaking and entering premises then they could be in trouble.

        Unfortunately I'm guessing that the customer here has probably given a vague scope of works, "we need a security test", and the supplier hasn't made it clear within the contract documents what that will entail. Howeve I'd have hoped that this would soon become a case between customer and supplier and the employees will be taken out of the firing line.

        1. Anonymous Coward
          Anonymous Coward

          Re: Naivety...

          Why would any security company want to attempt a break in where an actual police response would result? The liability is huge if a cop thinks they see a gun in the dark and kills one of the security company employees.

          The more I think about the more I think these employees were attempting an actual crime, and figured they'd have a get out of jail free card by claiming it was part of their testing. The security company is probably confused as to what was going on but isn't ready to hang them out to dry just yet - not until their lawyers have fully explored their potential legal liability.

          1. Donn Bly

            Re: Naivety...

            Why would any security company want to attempt a break in where an actual police response would result?

            The naivety here is yours - such a break in that could result in actual police response is ROUTINE for a physical penetration tester.

            Whether these guys were performing a routine physical penetration test and the client didn't bother read the scope of the test, or whether these guys were exceeding the scope, remains to be seen. Each are equally possible -- but remember that the court has ALREADY admitted that they hired these guys, ALREADY apologized to the county for not keeping them in the loop, and Coalfire is one of the BIGGEST and MOST REPUTABLE private security auditing companies out there.

            Also, you are more likely to be shot in a routine traffic stop than during a physical penetration test, and you are more likely to be shot by private security than you are the police. Everything carries risk, but such risk for a penetration tester is infinitesimally small.

            1. Anonymous Coward
              Anonymous Coward

              Re: Naivety...

              > Also, you are more likely to be shot in a routine traffic stop than during a physical penetration test, and you are more likely to be shot by private security than you are the police.

              > Everything carries risk

              Like living in America, it seems.

            2. MachDiamond Silver badge

              Re: Naivety...

              "Everything carries risk, but such risk for a penetration tester is infinitesimally small."

              If caught, pen testers will immediately follow the orders of the police and have been trained for that. An officer may have their weapon out, but they aren't that likely to shoot if the person is complying with them and not being a dick.

              You let the officer put the cuffs on, blood pressure and heart rates drop and you would then let them know you have been contracted to test the security of the facility. They won't let you go right away, but they should follow up on that statement and contact the person that could vouch for you. The cops may not be very happy about it, but you wouldn't likely be banged up in the slammer overnight.

              1. Anonymous Coward
                Anonymous Coward

                They "aren't that likely to shoot"

                Unless its dark, and a trigger happy cop sees a shadow in the right place to make him think there's a gun your hand. An unarmed person is shot by a cop dozens of times a year in the US, so often it usually doesn't make the news unless someone raises a stink.

                I live in a city of under 100K and it happened here about 15 years ago, cops got an alarm from a business and entered the premises and believed they saw someone with a gun in their hand and shot him dead. It was the business owner, he had accidentally tripped the alarm and was waiting on hold with the security company to clear it.

                Only an idiot would agree to do something like this as part of a job. Or someone hoping to train for a second "career" after they quit pen testing.

                1. Psmo Silver badge

                  Re: They "aren't that likely to shoot"

                  An unarmed person is shot by a cop dozens of times a year in the US

                  If you think your job sucks, think of that guy.

        2. JohnFen Silver badge

          Re: Naivety...

          "Howeve I'd have hoped that this would soon become a case between customer and supplier and the employees will be taken out of the firing line."

          If that's the case, then they probably will be -- but they may have to go to court and prove that they were operating in good faith and it's their employer that screwed up. I suspect that if that's the situation, then the pentesters may be able to win a rather juicy lawsuit against their employers, too.

  3. Unbelievable!

    This is going to set ground in law courts. Expect stringent licensing.

    This is a break-in and entry. That they got caught is an aside and not worthy right now.

    There will be entities at gov level pushing for even more grasp and control on any cybersec/pentest etc.

    There will be tenuous, vague correlations drawn, en-masse and deliberately to make not only another taxable income via businesses, but an especially strongly regulated "activity documentation declaration" where commercial security entities will be required to divulge not only activity, but clients hiringtheir sevices and tools and techniques and a whole load of skills that the 3/4 character agencies assimilate. The bonus is the commercial or private sec outfit will be charged (tax wise) to basically give the gov training.

    In the end, it (specialised licensing) will happen in 4 years or less, i say.

  4. canthinkofagoodname

    More info required

    Pen-testers usually have a solid understanding of their scope before starting an engagement, and won't stray beyond it unless there is a formal change of scope, or permission in writing (anything to CYA). SwiftOnSecurity said it well; this doesn't sound like over-eagerness on the pen-testers part.

    Guess we'll see what the courts have to say; hope these guys don't get a criminal record out of this...

    1. Anonymous Coward
      Anonymous Coward

      Re: More info required

      SwiftOnSecurity is, a little too popular for it's own boots. inflating it's ego is one thing. Let it do that. You don't have to

      1. Anonymous Coward
        Anonymous Coward

        Re: SwiftOnSecurity is, a little too popular for it's own boots.

        Not as popular as AC snark apparently.

    2. JohnFen Silver badge

      Re: More info required

      "hope these guys don't get a criminal record out of this."

      They'll have a record of being arrested. Sadly, in the US, that is nearly as bad as being convicted (in terms of impact on your ability to rent a place to live, get a job, etc.) even if you were found not guilty.

      1. Donn Bly

        Re: More info required

        Completely and utterly false.

        Being CONVICTED of a felony will be a problem. Being accused of one is not.

        Too high of the percentage of the US population has had brushes with overzealous police and prosecutors for the mere accusation to be real problem.

        1. JohnFen Silver badge

          Re: More info required

          It's not false at all, although this may vary from state to state. I know more than one person who have real problems because they were arrested, even though they were later found innocent or had the charges dropped.

          Here's a reasonably good description of the problem: https://www.usatoday.com/story/news/nation/2015/09/20/criminal-records-expunged/72532932/

          1. Donn Bly

            Re: More info required

            And how many of those people you know have been actually denied the ability to rent an apartment or apply for a job because of the arrest and dismissal? Arrest history that does not lead to a conviction is banned in hiring decisions, just like race and religion.

            An arrest raises questions. Questions get answered, and you carry on.

            1. MachDiamond Silver badge

              Re: More info required

              "Arrest history that does not lead to a conviction is banned in hiring decisions, just like race and religion."

              Those records don't always sit side by side in a database. The Big Data company an employer uses to vet people may only show the arrest record. The HR department may not be diligent enough to dig deeper to see if there was a conviction. One of the big issues at present is these Big Data companies aren't required to uphold any record quality standards. If they have you down for domestic violence, you may never hear about it. You just won't get called for any interviews.

            2. Cederic Silver badge

              Re: More info required

              I've heard people say that they wouldn't employ someone that's been arrested. It's an unreasonable and silly stance to adopt but recruiting managers can be unreasonable and silly too.

              It's also not illegal under some circumstances. See the example quoted on https://work.chron.com/can-still-job-got-arrested-but-not-convicted-21382.html

        2. Anonymous Coward
          Anonymous Coward

          Re: More info required

          Totally true Im afraid. When you enter the US they dont ask if you have been convicted at all. Just if you have been arrested.

          They dont ask if you have political convictions they ask "have you ever done anything to undermine the current government" I'm always tempted to write Yes, I voted for the opposition.

        3. Joe Montana

          Re: More info required

          Sometimes you are asked if you have ever been "convicted"... But sometimes you are asked if you have ever been "arrested".

          This can happen on security clearance processes, job applications, visa applications etc. Having been arrested and subsequently released without charge is not as bad as being convicted, but it can still be damaging in some circumstances.

  5. ds6

    Bonkers that you get arrested by the people paying you to do the job. Entrapment!

    1. ds6
      Joke

      Sorry, forgot icon.

  6. Anonymous Coward
    Anonymous Coward

    Odd

    Most people are trying to escape court, not get in.

  7. Chozo

    The fog of embarrassment is already strong with this story. Though most news outlets keep repeating "Dallas County Courthouse" along with images of the historic property, the building they apparently attempted to enter was a much bleaker looking county office around the corner at 908 Court St.

  8. JimC

    I can't help thinking

    that if the guys are still in custody and have not been released there must be much more to the story than we've heard so far.

    1. ZenCoder

      Re: I can't help thinking

      Their bond was set at $50,000.

      "Authorities later found out the state court administration did, in fact, hire the men to attempt "unauthorized access" to court records "through various means" in order to check for potential security vulnerabilities of Iowa's electronic court records, according to Iowa Judicial Branch officials."

      "The state court administration issued an apology Wednesday to Dallas County officials, who are continuing to investigate the break-in."

      I assume this is about the local officials vs state officials and these two are just caught in the middle.

      1. diver_dave

        Re: I can't help thinking

        Where are Woodward and Bernstein when you need them?

        1. nichomach
          Trollface

          Re: I can't help thinking

          Next cell along. Bail hearing's Tuesday.

        2. Rich 11 Silver badge

          Re: I can't help thinking

          Retired.

      2. Ordinary Donkey

        Re: I can't help thinking

        Cash bail is also turning into a political ball in play in the upcoming presidential election.

        In case people missed it, Bernie Sanders said it was a bad thing that 200,000 Americans are in jail because they can't pay lots of money for their bail bonds. Politifact then said this was only half true because the actual number is 400,000.

        Still a lot of people to lock up for not being rich.

        1. MachDiamond Silver badge

          Re: I can't help thinking

          "Still a lot of people to lock up for not being rich."

          I'd like to see numbers on what percentage of those people are eventually convicted or given a not proven decision. I've managed to have not been arrested for anything in my lifetime. Watching the cop shows on TV, many of the people they haul downtown are not 9 to 5'rs. They look the part of somebody that should be in jail or watched very closely.

          California was making noise about eliminating bail all together. You would be held without bail in the case of a murder/rape/serious assault or would be released with a notice to appear. I know the police were very unhappy about that.

  9. Cleary1981

    Were their actions defined in the scope

    Unfortunately, this is very black and white. Unless their documented scope of works includes a physical attempt at gaining access they have broken the law. At very best I would suspect they would have a physical inspection and desktop review of the physical system.

    Had they wanted a physical attempt conducted I am sure court officials would need to be present to deal with any unexpected outcomes.

    1. Doctor Syntax Silver badge

      Re: Were their actions defined in the scope

      Whether it's black and white depends very much on the actual wording of the document. Throw in a bit of ambiguity and there's only grey.

  10. LeviPsyTurner

    Forced Entry? Break-In?

    They use the words "Forced Entry" and "Break-in" what do they mean by this?

    An exaggeration on their part or have the pen testers actually done something untoward?

    I agree with the guy above though if physical access is mentioned in the contract, keep a copy with you incase you get busted

    1. Psmo Silver badge

      Re: Forced Entry? Break-In?

      "Forced Entry" and "Break-in" what do they mean by this?

      As they've not been charged with destruction of property, kinda sounds like a locked door that just needed a jiggle to bypass.

      And the pen-testers didn't notice the silent alarm.

      1. Cardinal

        Re: Forced Entry? Break-In?

        @Psmo

        "a locked door that just needed a jiggle to bypass"

        Is that you Raffles?

    2. JohnFen Silver badge

      Re: Forced Entry? Break-In?

      In most places in the US, "forced entry" occurs if you have to move anything to enter. For instance, if a door is left slightly ajar and you push it open a little more to enter, that counts as "forced entry".

      1. Donn Bly

        Re: Forced Entry? Break-In?

        Turning the handle on an unlocked door, pushing the door open, and sticking your head in to take a peek and/or say "hello, is anyone here" can still be considered forced entry.

  11. DontFeedTheTrolls Silver badge
    Coat

    Sneakers

    Setec Astronomy anyone?

  12. Jason Hindle

    I predict they will go to state Pen

    And break out having hatched a cunning plan involving one of them having a tattoo of the plans for the jail on his back.

    1. TRT Silver badge

      Re: I predict they will go to state Pen

      Alternatively, one day in the court house...

      Official: "Names... OK, you are... scheduled in court on We.... hang on... I'm sure that screen just changed. Well, it says here that you are free to go, and *querulous tone* I'm to give you $10,000 each and a hall pass for a threesome with my wife? Well, OK. I mean, the computer can't be wrong."

      Pen-testers: "FAIL".

  13. Nick Kew
    Facepalm

    Lucky escape

    Once upon a time, I was kind-of invited to pen-test Iowa.

  14. vcayenne

    Plot Twist

    Their real mission is to test the security at the incarceration facility. The plan is working...

    1. Anonymous Coward
      Anonymous Coward

      Re: Plot Twist

      Testing how easy it is to break out of jail? I think that was the plot of a movie with Sylvester Stallone...

      1. LeahroyNake Silver badge

        Re: Plot Twist

        There has been at least two of them starring Stallone, not that great but better than ummmm prison I suppose.

  15. 2+2=5 Silver badge
    Facepalm

    Disaster recovery

    Good thing they weren't hired to test a disaster recovery plan - they'd have been caught trying to deflect an asteroid onto the data center...

  16. LeahroyNake Silver badge

    Maybe

    Try this stunt on a Monday morning to avoid an unforgettable weekend away?

    I wonder if the company will pay them overtime? /half joking.

  17. Anonymous Coward
    Anonymous Coward

    Scope....

    Red teaming with physical access is a thing.

    If it was in scope, then no-one should attempt it without a "get out of jail free" letter from the relevant very senior authority to protect yourself. In this case, a countersignature by the relevant PD would be advisable.

    No letter, no physical access attempts. End of. In the US of A, I'd request a bulletproof best as well...

    If it wasn't in scope, three things arise:

    1. A crime has probably been committed - whatever the motivation

    2. The pentesters were effectively carrying out unpaid work as it was not in the scope

    3. The pentesters were not insured either.

    Last, a break-in is crazy. If you want to put a USB keylogger on a PC or WIFI bridge on the wired LAN, there are easier ways to do it. Bribe the cleaner, break the Wifi or printer from outside the building, then turn up to "repair" it... Imagination, people...

    1. Donn Bly

      Re: Scope....

      Bribing the cleaner is actually a more serious crime, having higher penalties.

      1. MachDiamond Silver badge

        Re: Scope....

        "Bribing the cleaner is actually a more serious crime"

        I don't think I've ever heard of bribing people being used in a pen test. That sort of thing is just to hard to control for. Most companies (and government) are much more concerned with theft of data or access through other means. Just about anybody can be bought. It's just a matter of price.

  18. JohnFen Silver badge

    This sounds easy to clear up

    In my experience with pentesters, there is always a contract that clearly spells out what the pentesters can and cannot do (for obvious reasons).

    So, either those pentesters were working within the terms of the contract or they weren't. This should be a simple matter to determine. If they weren't, then they were attackers with unknown motives, and the courthouse should probably scour their facilities to ensure that those guys didn't plant any devices on their network.

    1. Anonymous Coward
      Anonymous Coward

      Re: This sounds easy to clear up

      > In my experience with pentesters, there is always a contract that clearly spells out what the pentesters can and cannot do

      First I've heard of such a contract, I think the pentesters were showing good initiative in assessing the courts computer security system. If they had succeeded then that would mean anyone and his dog could have done so, therefore rendering the validity of such records tainted. In my experience it would have been easier accessing the home computers of the officers of the court through a combination of hacking and social engineering. First thing would be to create an org chart of the organization. You can do this using employment sites like LinkedIn and seeing what particular IT skills they are looking to hire. Then using this information to guess the nature of the IT platform they're on. Then create a duplicate system at your place and run pen testing against this at your leisure. Then when you have discovered a workable hack, run this against the target system, at night over the weekend, using the valid employee credentials you garnered earlier. Generally hacking consists of accessing a particular machine using a restricted account and then promoting the account to full system access. If the machine you're on won't allow account promotion then you use path traversal to move to one that does. The network attached printer is usually the easiest way in or the wireless router. You can sit in the parking garage while you do it, no one will bother you, there is no charge for this service.

  19. Stevie Silver badge

    Bah!

    I would just like to say that JohnFen's responses and explanations are excellent examples of how to cut through all the hyperbole and knee-jerkism and get to the issue's core.

    JohnFen's explanation of exactly how a "responsible" pentesting firm would have approached this particular kind of test is, I feel, pretty much the only response that doesn't play to the gallery, and is eminent common sense. Not only that, it tallies with the very few examples of the field I am aware of in any detail.

    Thanks, JohnFen.

    However, I would just like to join the fun by posting my own conspiracy theory of How It All Might Have Happened:

    Manager A: I hate Sid and Frank. They are lazy troublemakers

    Manager B: Me too. I have an idea. Follow my lead. Sid! Frank! We need you to break into the courthouse tonight and see if you can access the computers. You can have double time and an extra vacation day each once the exercise is over. You'll do it? Swell!

    Manager A: Good lads! This'll mean promotions!

    That night Sid and Frank are arrested while breaking into the courthouse

    Manager B: Can't think what possessed them to do it!

    Manager A: Me neither!

    I now return you to your regularly scheduled hooting and hollering.

  20. MachDiamond Silver badge

    Various means

    ""The company was asked to attempt unauthorized access to court records through various means to learn of any potential vulnerabilities. SCA did not intend, or anticipate, those efforts to include the forced entry into a building.""

    Was physical access part of the scope talked about with the client but the words "various means" the language in the contract?

    If gaining access to the hardware was really simple (apparently it isn't), it would matter little that there is robust firewall in place. I can envision a powerful person that's been arrested for a serious crime to have the money to hire a person/team to break into a facility and backdoor the network via physical access to the computer system. Depending on what's there, people could play merry hell with the court by changing and deleting all sorts of records that could lead to the person getting let off. Transcript of depositions could be changed. Evidence information deleted. Lab results altered. Physical evidence ordered destroyed or moved breaking the chain of custody and unusable.

    I have to belive that Coalfire has a very robust set of contracts and scope of work documents. You don't get to the size they are by playing fast and loose. Employees would not be taking it on themselves to do tasks, they'd be assigned things to do. A contract involving physical side testing would also be much more expensive than just remote analysis. If the testers weren't local, there would be travel vouchers and stuff. All of the companies I have worked with would never allow anybody to just run up travel expenses without a manager sign off or a job number referenced. If I were putting charges on my own card, I'd make damn sure I had a manager sign off in advance so I'd get reimbursed. I would also likely be given a budget.

  21. TrumpSlurp the Troll Silver badge
    Trollface

    Turf war?

    The Court being pissy because another organisation organised a pen test without telling them?

    The pen testers might have all the expected authorisation, but not from the local court who have them in clink.

    So, many political points being scored with the pen testers stuck in the middle?

  22. HmYiss

    Pass.

    Infosec pros?

    Please.. next time pick up the phone and let local law enforcment know you are going to ATTEMPT a physical intrusion on a public facility which MAY fail.

    Duh.

    1. Anonymous Coward
      Anonymous Coward

      Re: Pass.

      Hi, I work for a security company. I will be doing several security tests at various local banks today. If you get any alarms or phone calls claiming that a bank is being robbed then please ignore it. Thanks.

  23. chuBb. Bronze badge

    Doubling Down

    Reading this i cant help but think its just a case of left vs right hand, and someone senior doubling down to not look like a tit.

    Pure speculation but...

    Pen testers hired by IT/Legal dept, verbose proposal of test, full of big unapollogetically technical words lands on a senior mangements desk, gets delegated down the chain of command, full content not known by person at top who also couldnt be arsed to read the summary reports that bubbled up the chain.

    Scheduled physical pen test occurs, and they get busted, facilities go round high fiving each other job well done, as senior in charge of commisioning pen test didnt read proposal facilities were unaware that this was legit, testers get arrested.

    Senor in charge of pen test realises they have ballsed up chooses to come clean or throw them under bus

    Can only hope that the damage done to the horizontally promoted seat occupiers career is handled with a swift retirement or idefinite gardening leave with a big red DO NOT HIRE stamp on their cv....

  24. tripflare

    Schoolboy Error

    I undertake these tests on a regular basis, it is normal to carry a signed authorised letter of engagement from the requester with contact telephone numbers in case the parties are caught.......

    There is no accounting for the simple mistake

  25. Chozo
    Pirate

    UPDATE:

    Appears the duo also successfully planted an unspecified 'device' inside the Polk County Courthouse on Sept 9th

    source APnews https://www.apnews.com/88df1bce5dd5491083af761758b74554

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020