Wednesday, August 5, 2020

BH20: We Went to Iowa and All We Got were These Felony Arrest Records

Justin Wynn, Senior Security Consultant, Coalfire Systems
Gary Demercurio, Senior Manager, Coalfire Systems

The client asked them to come on site and test physical penetration and the planting of a drone device. They were requested by the client to do the work at night/after hours. What was said later to the press by the client was very different. Originally it was night only, but the contract was later changed to add social engineering during the day. It wasn't just the pentesters on the phone with the client, but also their project manager, manager and another pentester.

They also received a letter of authorization that asked them to begin on Sunday (when the courthouse is closed), yet the client later said they only wanted it to happen during business hours (courthouses are closed on weekends). The pentesters were given restrictions for each of the 5 buildings, like which floors are off limits and which data centers are in scope/out of scope. This was worked out building by building. The contract was more generic, and the scoping call was more detailed (lesson learned: record your scoping call!).

Charges were filed against each of them independently.

They spent the day on Sunday scoping locations; during business hours they got tours (some public/free access, some escorted).

They started out Monday night at the Judicial branch. A State Trooper came by (as expected), who said this was common practice and asked for a business card. They did get inside, got into the IT department and left a card on the contact's desk. The contact from the client sent a "can't wait to see how this was done", reviewed the overnight footage, and didn't say anything. Everything seemed fine to the researchers.

They started again on Tuesday night and breached 3 more buildings with no alarms. They knew the last building had an alarm, and were hoping they would set it off. They arrived at 11:30PM on Tuesday and did a brief walk around; they could see the sheriff's department across the street. They found an open door when they arrived (wow). They closed it, and then re-breached the door. They tried the default codes for the alarm, which didn't work, so they decided to hang out and wait for the police to arrive.

They wanted to make sure they did not scare the police or get surprised themselves, so they called out regularly as they were moving down to the ground floor.

Then we got to watch the body cam footage from the first officer on scene, and could hear the police talking; they seemed fine with the researchers, who were told they were good to go.

Then the sheriff arrived... and the police officers turned off their body cams. Suddenly the sheriff said the client didn't have the authority to authorize the pen test (state vs county property), and decided to arrest them for burglary.

Up until the sheriff arrived, everyone was very professional; then suddenly everyone's attitude changed. Suddenly, because they were getting in with commonly available tools, they couldn't possibly be professionals (!?!?!?).

Now they were being questioned about whether or not one of the testers was an actual marine, and it took a lot of pushing to get the officers to say they were under arrest. They finally got ahold of the client to let them know they were in jail and asked for help. "Andrew" was supposed to talk to the sheriff, but the sheriff wouldn't budge because it's a county building: "nothing" could be done.

The judge at arraignment was not pleased that they had been arrested breaking into her courthouse. They thought their client would come and protect them, but instead the judge noted they were a flight risk and set their bail at $50,000 (the same as people are given for murders).

This led into jurisdictional infighting. The client removed documents from the Coalfire portal.

They wanted someone to be held responsible for this. The Polk County DA was not going to charge the speakers, as he was aware that the three contacts from the client were at fault, but the Polk County Sheriff was defensive of the Dallas County Sheriff and threatened the Coalfire CEO.

While things were moving forward in their favor, the Chief Justice died and everything died with him.

Now they both have permanent felony records. They cannot get firearms.

The state has laws that are more concerned with liability and less about the security of its infrastructure. Based on this, all offensive security work has stopped in Iowa.

They would like to get laws passed to prevent this from happening again. If you can help, reach out!

[Q&A]

Do you still have a felony record? Yes.

Was the sheriff of Dallas County ever reprimanded? No.
