Penetration testers jailed after they broke into a courthouse to test its physical security

Has no one considered the obvious, that the state of Iowa paid Coalfire to steal documents from a county courthouse, under the pretense of performing a “penetration test?”

10 Likes

Number 1 rule of pen testing:
Have a signed and notarized letter from the person in charge, stating who you are, what you were hired for, and that the person signing the letter has the right to request test.
At the very least, if it turns out that person didn’t have the authority to request the otherwise illegal action, it provides civil recompense after the fact.
(OK, not normally notarized, but if I were tasked with breaking in to a law enforcement building, it would be notarized)

14 Likes

Setting up someone to be disappointed with BoingBoing sounds like entrapment.

I must say that I find your comment disapp…
Damn!

26 Likes

If I could pick a new job, it would be a physical penetration tester… I think.

3 Likes

Something like this would happen?

2 Likes

Our company takes security very seriously: armed guards at every entrance, no physical servers, biometric MFA on everything, encryption out the wazoo everywhere. Then one day a scammer emailed HR with an email address that used the CEO’s name (misspelled) and asked for the payroll password. The HR person sent it to them and within hours every single employee had their identity stolen and fake tax returns filed.

The biggest security hole is always the people.

27 Likes

Vice Rear Admiral of Digital Penetration

8 Likes

They were paid to do a job and they did it. The governor should call a judge, get a court order, and send the state police. They did not break the law. They were authorized to be there.

If the sheriff’s feelings are hurt, arrest him for kidnapping.

1 Like

So many double entendres, so little time. :smiley:

1 Like

You don’t tell blue team what you’re doing :stuck_out_tongue: If you tell the people who hired you, they’ll tell someone because they don’t want them to look bad (or themselves, if it’s a procedure or policy that is found to cause the problem).

Local law enforcement are often buddies with security people and talk about things they shouldn’t all the time.

2 Likes

I agree those are possible because humans. But the person(s) doing the hiring know they hired people to do security checks, so they can already give the on-site security folks the heads up to make sure the test passes even if they don’t know exactly when or how the testing will be done.

Obviously, the less people know, the less they can interfere with the results.

But with that said no security researcher should be jailed or killed for doing what they were hired to do.

Not my field, so I don’t know the best way to optimize both researcher safety and testing efficacy.

4 Likes

Security staff need to be mocked. It’s the only way.

@VeronicaConnor

The biggest security hole is always the people.

Oh hi this is Enoch Root, can you reset my password please?

2 Likes

From Pen-Testing for the State to Testing the State Pen

4 Likes

It’s the ultimate pen test, where they arrive with butt sets, lock picks, and AKs like they’re about to rob a bank in LA

In the business we call it the “platinum package” - very exclusive

Penetration testers jailed…

Maybe they’re just cheapskates, doing this to get a free test of their other facilities.

3 Likes

The “server room” running my local Costco (Niles, IL). Hanging just over where they take new member photos. Just imagine all the rich transactional data you could slurp off of that and no one would know.

6 Likes


Can I come work for you?

1 Like

Hey, if you can stomach the Vancouver real estate market and have some sort of security related background, I’d love to consider hiring you. So many people that I talk to about getting into the security consulting business (working locksmiths etc.) don’t want to put in the time to build real-world experience and learning about policy, process and liability as it relates to implementing security designs, equipment and operational procedures.
It’s sometimes great fun to blow people’s minds at how easily I can defeat their security. It’s also great fun to have them adopt my recommendations and then later find out that the measures stopped the client from suffering losses.

4 Likes