Craig discusses the wrong way to do penetration testing and why.
For more tech tips, news, and updates visit – CraigPeterson.com
Automated Machine-Generated Transcript:
[00:00:00] Craig Peterson: Hey, you hire a penetration tester to check your security out. Apparently that's what happened, and then they went to jail.
Hey, Craig Peterson here with a little bit of a word of warning. If you are a computer security company and you perform a penetration test, be very cautious, because man, this is a sad story. I spoke about it a couple of months ago when it first happened, and there have been, of course, now some changes in the whole status of that.
[00:01:00] That's just the way that naturally ends up going over time. But there were a couple of guys here who were doing penetration testing. This is an article you'll find on DarkReading.com, a very good site. Again, I love some of the stuff that they do. I watch it closely, as you can probably guess.
But when these guys were hired, they were doing what's known as physical penetration testing. Hey, can you break into the building? And they'll use normal types of ways of doing this, where they'll try and get a card key, steal it off of someone, all the surreptitious ways you'd do it.
They'll call up on the phone and they'll do what's called vishing, where they are calling you up and pretending they're from IT or building maintenance or whatever it might be, in order to try and get in. Then once they're in the building, it's okay, how far can I go?
[00:02:00] What can I get into? What can I do? What trouble could I cause? Not that they're going to necessarily cause that trouble. They are what are known as red teamers. The military does this all the time. We do that as well.
You have tabletop and other sorts of exercises that are a red team, blue team. So you have a team that's defending your infrastructure and a team that's breaking into the infrastructure. So these guys were red teamers, and the concern that's come up because of this is: if you are a penetration tester, you're a red teamer, what's going to happen to you?
[00:03:00] These guys were hired by a company to check the entrance and exit after hours of the Dallas County courthouse in Iowa. They went up to the door and checked the door, and they didn't hear it disengage when they tried to scan their card key. It was after midnight. This was September 11th last year. This was the last leg of their penetration testing engagement.
This was part of the work they had been hired for by the state of Iowa's judicial branch. They just grabbed the door and said, did it work? And no, it's already open. The door was locked, but they hadn't latched it all the way, so all he had to do was pull the door open. These two social engineering and physical penetration testing experts could get a more accurate take on this whole entrance security.
He closed the door and they started all over again with the card key. This time the door was not only locked, but it was latched. Then he slid in a plastic cutting board that was retrofitted so that it would be able to be put into the door jamb and release the latch, and he was able to unlatch the door.
[00:04:00] They figured they had between 20 to 30 seconds from then until the building alarm sounded. So they ran inside and they got to the alarm panel, and they started typing in the default system code. Because you go in first, you check and see what kind of alarm system it is. Think like The Italian Job, right?
What kind of alarm system is it? What's the default passcode on it? They typed that in; that didn't work. They typed in some common codes. Most of us are still using default passwords on our firewalls. We're using them on some of the security systems. Many security systems, by the way, also have an administrative passcode, where what ends up happening is the service guy comes in and says, hey, I need to mess with your panel.
And he goes downstairs, he types in his code, and he now has full administrative access to your panel. So they tried all of that sort of stuff and none of it worked. So the alarm went off, and they went back to work seeing if they could find any other vulnerabilities while waiting to see if the cops would show up.
[00:05:00] Now, they had tested three other facilities for the state, and the building alarms had not dialed out to law enforcement, which is pretty bad. The alarms go off and law enforcement is not notified. They wanted to see if it would here, and it did. Then what happened was an arrest. They were arrested; they got felony charges.
They spent the night in jail and nearly five months in a legal battle here. Now, this legal battle was fueled by a power struggle between the state, who had hired them, and county officials in Iowa, who said they had the legal jurisdiction over the courthouse building these people had entered, and not the state. Isn't that interesting?
[00:06:00] So it wasn't until January this year, so that's September through January this year, that all charges against them were dropped. Just last week at the Black Hat USA virtual conference, they shared their story of what had happened and their advice for penetration testing.
Now, you have to be very careful, because this is an interesting problem. The company that had contracted with the state is known as Coalfire. That's the name of the company, and the state court administration had hired them a number of times since 2015. This was the first time that these two guys had worked for Coalfire, so they were probably subcontractors. The engagement was for a full-scope red team project: internal and external penetration testing, application penetration testing, social engineering, and the physical penetration test.
[00:07:00] So they did a whole lot of stuff. They had with them the "get out of jail free" letter: written authorization, signed by the judicial branch, approving that they were working on behalf of the state. So the officers that first responded checked their IDs, the letter verified the story, and they found that they were legit and free to go.
Then the sheriff showed up. Everything changed. The sheriff was very upset. Dallas County Sheriff Chad Leonard berated them, according to these two pen testers, for thinking the courthouse was under the state's jurisdiction. How would they know? Obviously the state thought that it was under their jurisdiction.
The article goes on and talks a lot about what happened. The judge was very upset with what had happened because she was not informed of the truth behind this whole thing. So they had an arraignment a little later in the day in that same courthouse they'd broken into just hours earlier.
[00:08:00] The judge, they say, took it personally. Clearly she had not been filled in. All she had been told is, we caught these two guys last night breaking into the courthouse. Then she loses it and raises the bail tenfold above the norm: $50,000 each rather than the normal $5,000 that it would be. Now, the good news is that the company that had hired them, Coalfire, did stick with them and did pay for all of this legal stuff. And by the way, the state was trying to back out of it, saying we had nothing to do with this. These officials that had hired them denied anything and everything.
So clue number one: record the call. These guys regret that they did not record it. Make your contract ironclad and succinct. So if you are doing any pen testing, some serious words of caution.
[00:09:00] When we come back, I'm going to talk about a real cool website. In case you missed it in the first hour today, we're also going to talk about some election worries here. What's going to happen when it comes to electronics and hacking and tampering?
You’re listening to Craig Peterson and WGAN.
Make sure you visit me online: CraigPeterson.com.
Stick around. We’ll be right back.