County Pays $600,000 To Pentesters It Arrested For Assessing Courthouse Security (arstechnica.com)
An anonymous reader quotes a report from Ars Technica, written by Dan Goodin: Two security professionals who were arrested in 2019 after performing an authorized security assessment of a county courthouse in Iowa will receive $600,000 to settle a lawsuit they brought alleging wrongful arrest and defamation. The case was brought by Gary DeMercurio and Justin Wynn, two penetration testers who at the time were employed by Colorado-based security firm Coalfire Labs. The men had written authorization from the Iowa Judicial Branch to conduct "red-team" exercises, meaning attempted security breaches that mimic techniques used by criminal hackers or burglars.
The objective of such exercises is to test the resilience of existing defenses using the types of real-world attacks the defenses are designed to repel. The rules of engagement for this exercise explicitly permitted "physical attacks," including "lockpicking," against judicial branch buildings so long as they didn't cause significant damage. [...] DeMercurio and Wynn's engagement at the Dallas County Courthouse on September 11, 2019, had been routine. A little after midnight, after finding a side door to the courthouse unlocked, the men closed it and let it lock. They then slipped a makeshift tool through a crack in the door and tripped the locking mechanism. After gaining entry, the pentesters tripped an alarm alerting authorities.
Within minutes, deputies arrived and confronted the two intruders. DeMercurio and Wynn produced an authorization letter -- known as a "get out of jail free card" in pen-testing circles. After a deputy called one or more of the state court officials listed in the letter and got confirmation it was legit, the deputies said they were satisfied the men were authorized to be in the building. DeMercurio and Wynn spent the next 10 or 20 minutes telling what their attorney in a court document called "war stories" to deputies who had asked about the type of work they do. When Sheriff Leonard arrived, the tone suddenly changed. He said the Dallas County Courthouse was under his jurisdiction and he hadn't authorized any such intrusion. Leonard had the men arrested, and in the days and weeks to come, he made numerous remarks alleging the men violated the law. A couple months after the incident, he told me that surveillance video from that night showed "they were crouched down like turkeys peeking over the balcony" when deputies were responding. I published a much more detailed account of the event here. Eventually, all charges were dismissed.
I expected better (Score:1)
Sure, they've been wrongfully arrested, but I expected better than "a few minutes" before tripping an alarm. Clearly they needed better recce before playing Crouching Tiger, Hidden Dragon in the middle of the night. On a job like this you don't just walk in unprepared. You observe the place, walk in under a false pretext and take note of all the systems they may have, you research every single bit of kit you see on the walls. Only then, when you have a solid plan, do you proceed with the objectives.
Re: (Score:2)
Good thing, I suspect Pennsylvania would fail.
Re: (Score:3)
Are you saying you read the article as if they'd intentionally tripped the alarm? 'cos no, that's not what happened.
Re: (Score:3)
Are you saying you read the article as if they'd intentionally tripped the alarm?
Worked and designed burglar alarms just out of high school. If the door was unlocked and ajar, the alarm would have refused to set up unless the zone was "troubled" out by whoever set it, at the very least. If an AA security installation, the locking bolt would also have had a sensor monitoring that it was actually engaged.
As far as "intentionally tripping" the alarm, that's a part of pen testing too - after you've taken standard measures to block the alarm from reporting. Prior to about 2005-2010, that would
Re: (Score:2)
I read that as the door was unlocked, not necessarily ajar though. Keep in mind that we're talking about a courthouse in Iowa, the door may not have been alarmed at all. They probably only put security on doors that are commonly used, assuming that lesser-used doors would always be locked. It's far more common than you think.
Re: (Score:2)
I read that as the door was unlocked, not necessarily ajar though.
Agreed. See comment about AA alarm installation monitoring the dead bolt. AA installations usually ALSO have AA reporting, but not necessarily.
Keep in mind that we're talking about a courthouse in Iowa, the door may not have been alarmed at all.
In the years I did alarm systems, I never once saw a portal (door, window, vent, pipe, grate with a duct, bricked over window, window with bars) unprotected. Standards drift and it's been many years now. Maybe that sort of work/business ethic is acceptable in their eyes now but "back when" heads would be "adjusted".
They probably only put security on doors that are commonly used, assuming that lesser-used doors would always be locked. It's far more common than you think.
Perhaps that's the standard now. I wouldn't know. Woul
Re: (Score:2)
Standard? No, of course not, but in 17 years working in security I've seen standards ignored at least as often as they were embraced. For example, I know of a hospital in the Pacific Northwest where the doctors' entrance has used the same key code for over 20 years (even after a nurse's armed ex-husband used it to enter), no matter how hard we tried to enforce establishing a secure perimeter. Around 2006 one of the country's largest accounting firms standardized on an IP video recording system which allo
Re: (Score:2)
UPDATE:
Turns out my suspicion of the system being bypassed to trouble (armed when a zone isn't closed) was correct. The report also indicates it was the main entry way, and that they closed it, then re-opened the main door using a plastic shim of some sort specifically to trip the alarm. Station KCRG report on 2025/01/30
Further, the county attorney promises to "prosecute to the fullest extent of the law" any future pen-testers. I guess he's unaware of the statute about willfully abridging rights by law enfo
Re: (Score:2)
- "They needed better [recon]"
- "On a job like this you don't just walk in unprepared", i.e.: he thinks they were unprepared.
- And in order to prepare, one would: "observe the place, walk in under a false pretext and take note of all the systems they may have, you research every single bit of kit you see on the walls."
I.e., his entire comment is about steps one would take to avoid intentionally tripping an alarm,
Re: (Score:3)
Worked with some pen testers who checked an office complex we monitored. They set off an alarm getting into the MDF (since we had done the job right), and when the cops showed up they hid. Reviewing the video afterward it was a good thing they did, since the responder was a very nervous rookie who walked through the space gun drawn with HIS FINGER ON THE TRIGGER the whole time. We told them, only half jokingly, that they had dodged a bullet on that job.
Sounds like (Score:4, Insightful)
Small town Sheriff Leonard was the person who left the side door unlocked.
Overreaction, but also poor planning (Score:5, Insightful)
Their "get out of jail free" letter is so vague as to be useless; the biggest thing is it doesn't say anything about what buildings they could access. And it turned out that the state organization who hired them didn't have authority to grant them access to county-owned facilities (which I believe would also be the case in my state). It also sounds like both the testing company and the state agency failed in how the contracts were written. Really, while not surprised a state agency wrote a bad contract, a testing company should know better, so comes off as somewhat incompetent (having legal coverage for every action should be rather high on the priority list).
That said, when it became obvious it was a good-faith test and not an attack, at most there should have been some civil penalty against the company, not arrests of the individuals. Probably some sheriff up for reelection looking to get his name in the news for "protecting the county".
Re:Overreaction, but also poor planning (Score:5, Insightful)
> Probably some sheriff up for reelection looking to get his name in the news for "protecting the county".
More likely a power trip. TFA and the linked TFA article even suggest the Sheriff was blaming the state, saying it had no authority to order pen testing in the first place.
Good faith and a lack of physical damage should be a consideration before arresting anyone if it's obvious at the time. And honestly, I suspect however bad the GOOJF letter was, it was written expecting everyone would be reasonable, and that any questions of whether the pen testers had themselves overstepped their boundaries would be handled as a typical contract situation, not a crime. To me, this is 100% on a power tripping sheriff, not on the state, nor on the pen testers' managers.
Re: (Score:3)
When I read deeper, it sounds like the state probably did not have authority to "allow" physical penetration testing to the county building... it's really not much different than me trying to tell someone they can do physical penetration tests against your home. At that point, the letter is just Ron Swanson's "I can do what I want" permit. In my state, the county owns the property and the building for the courthouse (they can use it for other county offices as well), there's nobody at the state level that c
Re: (Score:2)
Re: (Score:2)
That sheriff should be fired & made to pay the court costs of both parties - from his pension if necessary - for making a mountain out of a molehill.
All he had to do was check their ID / creds and get in touch with whoever hired them or gave permission.
If you can't manage that basic level of competence or common sense, you're not fit to be a dogcatcher.
Likely to happen a LOT more often... (Score:3)
Centers for Medicare has *demanded* frequent penetration testing to be performed by all healthcare organizations that store digital patient records, as part of their new security rule.
You can read all about it here:
https://www.federalregister.go... [federalregister.gov]
NATURALLY, I expect Hospital Management, and other pointy haired bosses to not understand the new requirements, and to flip out when the mandated penetration testing happens, that their own compliance officers and IT staff coordinated.
Re: (Score:2)
may need to play the fake fire inspector card to get in that place.
Re:Likely to happen a LOT more often... (Score:5, Interesting)
Nope, that doesn't work either. If you don't have valid prior permission to enter you don't get in (I helped create the AWS security procedures and systems). At one point a VP showed up as the new Dublin DC was opening with his entourage, and his secretary had forgotten to add his name to the list. He arrived and no matter how much hell he raised while his party went in and got the dog and pony show he had to cool his heels in the lobby. When he got back to Seattle and cooled down he wrote a letter of recommendation for the staff at Dublin and for us in the SOC. (No idea what he said to his secretary, though.)
Anyway, fire inspectors have access to a Knox Box on the outside of the building with a key card granting them escorted-only access. It's 24x7, but they can't go anywhere in the building without an escort, if no escort is available they have to wait until one is since the card won't work by itself (I set that up and only after we implemented it got around to writing the policy. Oops.)
Re: (Score:2)
What about areas where the fire codes say the Knox Box must have full access keys?
now in some cases tripping fire sprinkler flow switch may force an unlock all based on how the fire system is linked to the door systems.
Re: (Score:2)
full access keys as in real keys and not some system that needs power / controllers to work.
Re: (Score:2)
Oh, yes, brass keys are often a requirement in the Knox Box, **BUT** Amazon isn't going to let them use them unless there's an actual fire. In actuality, I know of several cases where once the inspections were over and the fire marshal signed off on the Certificate of Occupation that the DC security manager opened the box and removed them.
Re: (Score:3)
Wouldn't the storage be at datacenters?
But the admin password would be in the courthouse. On a Post-It stuck to the IT guy's monitor.
Re: (Score:2)
Wouldn't the storage be at datacenters?
There will always be SOME patient records stored on site, because some of them are on paper, e.g. any time a patient fills out a form which happens all the time. Yes you can typically fill out forms online now, but I have observed e.g. Providence collect data on paper forms and they are not exactly small. So, no.
Re: Likely to happen a LOT more often... (Score:2)
There's also inter-hospital secure emails (and local mailboxes), locally saved attachments, digital fax services, scan-in temporary folders before batch upload, etc, that *cannot* be taken out of the medical institution's local intranet.
EPHI is EPHI, and if they have it in any way, the new security rule applies.
Meaning basically every hospital, clinic, dental office, chiropractor, or skilled nursing facility, is gonna have yearly penetration tests, at a minimum.
That's a lot of yearly pentesting.
And a lot of
Darknet Diaries episode (Score:3)
I thought this was a good podcast. I really enjoyed this episode, which covers the story mentioned.
https://darknetdiaries.com/epi... [darknetdiaries.com]
Decision makers should pay the $600k (Score:2)
If Sheriff Leonard is elected, that would be the taxpayers.
If he was appointed then Sheriff Leonard and whoever appointed him should foot the bill, not the taxpayers.
Maybe Sheriff Leonard should be looking for work as a mall cop.
They're messed up (Score:2)
600k isn't enough of a settlement, especially after you pay lawyer fees. Coalfire should also get a payday as this engagement tarnished their brand.
$600k not enough (Score:2)
Seriously after the lawyers get a chunk of that, plus taxes(?) .. how much are they left with? Considering how much this whole ordeal must have cost them in terms of sanity and lost wages it should be a lot more. At least $6 million, maybe even $10 million.
Not quite A+ (Score:1)
Re: (Score:2)
A professional would call the police AHEAD OF TIME to tell them.
While the Sheriff clearly overreacted, I do agree with this. You cannot assume that government will do the right thing at any level, so you can't trust that the Sheriff will have been notified internally like he should have been.
OTOH if part of the goal was to check up on the Sheriff... well, they should have provided a liaison to the pen testers.