Penetration Testers arrested while testing

TheFORCE

Scope is everything when doing pen tests!
https://www.google.com/amp/s/arstechnica.com/information-technology/2019/09/check-the-scope-pen-testers-nabbed-jailed-in-iowa-courthouse-break-in-attempt/?amp=1

JDMurray

There is a thing called a "get out of jail letter," which is written authority to be performing physical or cyber pentesting activities. This letter is to be presented by the pentester to anyone that attempts to apprehend the pentester while on the job. There's no mention that such a device was present during this physical security test.

kaiju

Iowa state court officials contracted with Coalfire to conduct "penetration tests" on its security; as part of those tests, two Coalfire employees broke-and-entered the Adel, Iowa courthouse, and were caught by law-enforcement, whose bosses in Dallas County were not notified of the test.The state has apologized to the county, but the two Coalfire employees were still in jail as of this writing.As Sean Gallagher points out at Ars Technica, penetration testers often have broadly defined scopes of work for their engagements, and this highlights the risk of a brief that essentially goes, "Just do what it takes to figure out if criminals could compromise our security."

State court administration (SCA) is aware of the arrests made at the Dallas County Courthouse early in the morning on September 11, 2019. The two men arrested work for a company hired by SCA to test the security of the court’s electronic records. The company was asked to attempt unauthorized access to court records through various means to learn of any potential vulnerabilities. SCA did not intend, or anticipate, those efforts to include the forced entry into a building. SCA apologizes to the Dallas County Board of Supervisors and law enforcement and will fully cooperate with the Dallas County Sheriff’s Office and Dallas County Attorney as they pursue this investigation. Protecting the personal information contained in court documents is of paramount importance to SCA and the penetration test is one of many measures used to ensure electronic court documents are secure.

Obviously State was trying to check on county and failed to provide a get-out-of-jail-free card to the pen tester because they, state, assumed the pen testers would not go this route. Lesson learned for all!

UnixGuy

I saw this on LinkedIn. I was skeptical about it and didn't believe it at first. How could physical pentesting not be included in the contract?

Just how bad can engagement managers be....

MrsWilliams

JDMurray said:

There is a thing called a "get out of jail letter," which is written authority to be performing physical or cyber pentesting activities. This letter is to be presented by the pentester to anyone that attempts to apprehend the pentester while on the job. There's no mention that such a device was present during this physical security test.

This really kinda sums it up.

You give people an inch and they take half a football field.

UnixGuy said:

I saw this on LinkedIn. I was skeptical about it and didn't believe it at first. How could physical pentesting not be included in the contract? I didn't know that it had to be included in the penetration test . When the Pentagon, not to far from where the President of the United States lives does those yearly hack me events, they don't say try and see if you can get physical access as well. I am sure someone would get shot trying to get past the Pentagon Force Protection Agency and others guarding the Pentagon. Not every organization that promotes doing penetration tests, is capable of doing a physical penetration test. Not every organization that wants a penetration tests needs a physical penetration test (in my option). Not every organization that wants a penetration test has the budget for a physical penetration test. The term penetration test is vague. You can't take it and run with it anyway you see fit. 

I was at a SANS conference this year and it was a presentation on physical penetration tests. The guy told us how he used costumes, an Uber sticker to get inside the building premises, and had these long range cameras. Long story short (search YouTube), they aren't teaching you how to do a physical pen test in Hack The Box, OSCP, GPEN, etc. But, guess what? These companies are looking for certifications, education, and experience. They aren't saying see if you can gain physical access before you are hired.

To add to that, someone attempted to do a physical test on a court house that probably had 10-40 (ARMED) deputies, police, sherifs,  detectives in it at any given time? Yeah....I don't feel sorry for them at all. The court house in ANY American city is full of law enforcement personnel. Either guarding the place or showing up for court (traffic tickets and criminal proceedings). 

So I think THEY made a (stupid life changing - rookie) mistake

Just how bad can engagement managers be.... <- LOL I won't respond to that. I have to do something. I might come back and respond LOL

I put in CoalFire Penetration Tester in Linkedin and I wasn't impressed with the first two profiles I clicked on. 

People get titles and promote themselves and the company to those who know no better and BOOM you have business. It's just a little marketing. Selling yourself (no pun attended). 

This from the article explains it->

Unfortunately, the Iowa state court officials who ordered the test never told county officials about it Of course not. If everyone knew it would be no point in doing it. Your gig is up.—and evidently ------>>no one anticipated that a physical break-in would be part of the test <-------

Exactly what proves the point of JD and myself.

LonerVamp

There's a lotta things going on that could have happened or been the issue. Especially when it comes to public works and services going through their very public motions. I mean, state and county officials not talking? No surprise there, they have **** matches all the time for those state dollars! Police show up somewhere and it looks like someone is breaking the law? Yeah you gotta take them in, and yes you have process to follow while the phone calls fly.

Either way, I think SwiftOnSecurity accurately voiced one of my early thoughts last week in a more humorous way: "Despite how edgy you think physical pentesters are, nobody is like 'I’m going to fly over to Iowa and YOLO it with American cops in the dark.'" I mean, you don't just go in with someone making a singular wrong assumption about the engagement when said engagement includes response by armed law enforcement.

To be fair, I think more onus is on Coalfire to make sure the customer understood every facet of the engagement and had addressed every item that customer needed to do, twice. But I wouldn't be surprised if everyone knew this, communication just didn't happen to the county, and someone at the county is just making a point to the state level. ("Hey, this is *our* courthouse. You come down here and deal with this.")

edited to add: Of note, they hit another courthouse days prior to the one they got caught in. If similar bungling occurred here, local law enforcement or even county officials may have shared notes and a heads-up about it, especially if the prior attempt was de-escalated properly.

edit #2: Sounds like the prior attempt (Polk County courthouse) was not stopped or detected until after the fact, but a Coalfire device left behind was discovered. That could still mean area courthouses/LEO were informed and warned.

(Full disclosure: This county is my backyard. Also, the pentesting/red teaming community is small and you're always 0-1 people removed from decent pentesting firms. And I still don't know the details.)

Cyberscum

How in the hell did they get caught penetrating the courthouse lmao.  In all of my exp the gov is by far the worst off for security lol.

TheFORCE

On an updated version it looks like the pentesters had everything in writing even the physical test and building units.