Iowa state court officials contracted with Coalfire to conduct “penetration tests” on its security; as part of those tests, two Coalfire employees broke into the Adel, Iowa courthouse and were caught by law enforcement, whose bosses in Dallas County had not been notified of the test.
The state has apologized to the county, but the two Coalfire employees were still in jail as of this writing.
As Sean Gallagher points out at Ars Technica, penetration testers often work under broadly defined scopes of engagement, and this case highlights the risk of a brief that essentially says, “Just do what it takes to figure out whether criminals could compromise our security,” without stating which methods (physical entry included) are in or out of bounds.
State court administration (SCA) is aware of the arrests made at the Dallas County Courthouse early in the morning on September 11, 2019. The two men arrested work for a company hired by SCA to test the security of the court’s electronic records. The company was asked to attempt unauthorized access to court records through various means to learn of any potential vulnerabilities. SCA did not intend, or anticipate, those efforts to include the forced entry into a building. SCA apologizes to the Dallas County Board of Supervisors and law enforcement and will fully cooperate with the Dallas County Sheriff’s Office and Dallas County Attorney as they pursue this investigation. Protecting the personal information contained in court documents is of paramount importance to SCA and the penetration test is one of many measures used to ensure electronic court documents are secure.
Check the scope: Pen-testers nabbed, jailed in Iowa courthouse break-in attempt [Sean Gallagher/Ars Technica]
Eleanor Saitta’s (previously) 2016 essay “Coercion-Resistant Design” (which is new to me) is an excellent introduction to the technical countermeasures that systems designers can employ to defeat non-technical, legal attacks: for example, the threat of prison if you don’t back-door your product.
For decades, people (including me) have predicted that cyberinsurers might be a way to get companies to take security seriously. After all, insurers have to live in the real world (which is why terrorism insurance is cheap, because terrorism is not a meaningful risk in America), and in the real world, poor security practices destroy […]
The Canadian activist group Open Privacy Research Society has discovered that Vancouver, BC hospitals routinely broadcast patient telemetry and admissions data wirelessly, without encryption, to doctor paging systems. It is trivial to intercept these transmissions.