Exonerated: Charges dropped against pentesters paid to break into Iowa courthouse

The Dallas County Courthouse in Adel, Iowa.

Prosecutors have dropped criminal charges against two security professionals who were arrested and jailed last September for breaking into an Iowa courthouse as part of a contract with Iowa’s judicial arm.

The dismissal, which was announced on Thursday, is a victory not only for Coalfire Labs, the security firm that employed the two penetration testers, but the security industry as a whole and the countless organizations that rely on it. Although employees Gary DeMercurio and Justin Wynn had written authorization to test the physical security of the Dallas County Courthouse in Iowa, the men spent more than 12 hours in jail on felony third-degree burglary charges. The charges were later lowered to misdemeanor trespass.

The case cast a menacing cloud over an age-old practice that’s crucial to securing buildings and the computers and networks inside of them. Penetration testers are hired to hack or break into sensitive systems or premises and then disclose the vulnerabilities and techniques that made the breaches possible. Owners and operators then use the information to improve security.

“I’m very glad to hear this,” said a professional pentester when I told him the charges were dropped (he prefers to use only his handle: Tink). “Clients and security firms have an obligation to protect their pentesters and consultants. Pentesters are not criminals. Pentesters help organizations protect against criminals.”

Attempts to reach Dallas County Attorney Charles Sinnard after hours were unsuccessful. DeMercurio and Wynn declined to speak with me.

Get out of jail free

DeMercurio and Wynn were arrested in the early hours of September 11 after a dispatcher with the Dallas County sheriff’s department observed the men wandering through the closed county courthouse with dark backpacks. When sheriff’s deputies confronted the men shortly afterward, they produced a letter—known as a get-out-of-jail-free card in pentesting parlance—that said they had been hired by Iowa’s State Court Administration to assess its physical and network security. Deputies were friendly and interested as DeMercurio and Wynn explained how they used a lock-picking device to bypass a locked front door.

When Sheriff Chad Leonard arrived on the scene, things took a decidedly more adversarial tone. Leonard said he was unaware of any such arrangement and, furthermore, he said the State Court Administration lacked the authority to permit the after-hour entry of county property. The pentesters spent more than 12 hours in the county jail until they were released on $100,000 bail ($50,000 for each). In the days to follow officials discovered that the pentesters had also performed physical penetration tests on the Polk County Courthouse and Judicial Building.

The turf war between Dallas County and state officials was only one of the things complicating the case. The other issue was the legal agreement Coalfire signed with the State Court Administration. The full agreement was broken into three separate documents that contained confusing and contradictory terms describing the work to be performed. An initial service order outlined a plan to conduct “Physical Attacks” against the Dallas County courthouse and two other buildings, but in later forms, the pentesting activities were described as “Social Engineering.” There was also conflicting language about whether the pentesters were authorized to use lock-picking gear and whether they were permitted to test physical security after hours.

After learning of the pentesting contract, Dallas County Attorney Charles Sinnard reduced the charges, but despite there being no support for criminal intent, he continued to prosecute the two men. In a statement Coalfire issued on Thursday, officials wrote:

Following discussions between representatives of Coalfire, the Dallas County Sheriff and the Dallas County Attorney, it was the decision of the Dallas County Attorney to dismiss trespass charges against the Coalfire employees. It is clear that on September 11, 2019 it was the intention of the Dallas County Sheriff to protect the citizens of Dallas County and the State of Iowa by ensuring the integrity of the Dallas County Courthouse. It was also the intention of Coalfire to aid in protecting the citizens of the State of Iowa, by testing the security of information maintained by the Judicial Branch, pursuant to a contract with State Court Administration.

Ultimately, the long-term interests of justice and protection of the public are not best served by continued prosecution of the trespass charges. Those interests are best served by all the parties working together to ensure that there is clear communication on the actions to be taken to secure the sensitive information maintained by the Judicial Branch, without endangering the life or property of the citizens of Iowa, law enforcement or the persons carrying out the testing. It is the hope of Dallas County and Coalfire that the Judicial Branch will work with them so that any issues carrying out such vital testing can be avoided in the future.

Coalfire CEO Tom McAndrew added, “With positive lessons learned, a new dialogue now begins with a focus on improving best practices and elevating the alignment between security professionals and law enforcement. We’re grateful to the global security community for their support throughout this experience.”

In a statement, DeMercurio and Wynn’s attorney said:

Mr. Wynn and De Mercurio are relieved that the accusations have been dismissed but are frustrated with the entirety of the process. Law enforcement and prosecutors should appreciate the fact that an arrest for a criminal offense can never be undone, even after the charge is dismissed.

The justice system ceases to serve its crucial function and loses credibility when criminal accusations are used to advance personal or political agendas. Such a practice endangers the effective administration of justice and our confidence in the criminal justice system. This entire ordeal could have been avoided by simply respecting the fact finding that the responding law enforcement officer conducted which verified the work was authorized by the Judicial Branch. Unfortunately, the lack of communication between government entities, an ignorance of the law, personal pride and politics overrode the objective investigation conducted by responding law enforcement.

Mr. Wynn and De Mercurio would like to thank the responding sheriff deputies and City of Adel Police Department officers for their professionalism. They would also like to thank Coalfire for the unconditional support they received especially from CEO Tom McAndrew and Vice President Mike Weber. Finally, they would like to thank the Cyber Security family for the immense amount of support they provided.

This was an unprecedented event for the Cyber Security Community. Mr. Wynn and De Mercurio are looking forward to sharing their experiences in an effort to help educate others in order to better secure this nation.

China’s and Russia’s spying spree will take years to unpack

First it was SolarWinds, a reportedly Russian hacking campaign that stretches back almost a year and has felled at least nine US government agencies and countless private companies. Now it’s Hafnium, a Chinese group that’s been attacking a vulnerability in Microsoft Exchange Server to sneak into victims’ email inboxes and beyond. The collective toll of these espionage sprees is still being uncovered. It may never be fully known.

Countries spy on each other, everywhere, all the time. They always have. But the extent and sophistication of Russia’s and China’s latest efforts still manage to shock. And the near-term fallout of both underscores just how tricky it can be to take the full measure of a campaign even after you’ve sniffed it out.

By now you’re probably familiar with the basics of the SolarWinds attack: Likely Russian hackers broke into the IT management firm’s networks and altered versions of its Orion network monitoring tool, exposing as many as 18,000 organizations. The actual number of SolarWinds victims is assumed to be much smaller, although security analysts have pegged it in at least the low hundreds so far. And as SolarWinds CEO Sudhakar Ramakrishna has eagerly pointed out to anyone who will listen, his was not the only software supply chain company that the Russians hacked in this campaign, implying a much broader ecosystem of victims than anyone has yet accounted for.

“It’s become clear that there’s much more to learn about this incident, its causes, its scope, its scale, and where we go from here,” said Senate Intelligence Committee chair Mark Warner (D-Virginia) at a hearing related to the SolarWinds hack last week. Brandon Wales, acting director of the US Cybersecurity and Infrastructure Agency, estimated in an interview with MIT Technology Review this week that it could take up to 18 months for US government systems alone to recover from the hacking spree, to say nothing of the private sector.

That lack of clarity goes double for the Chinese hacking campaign that Microsoft disclosed Tuesday. First spotted by security firm Volexity, a nation-state group that Microsoft calls Hafnium has been using multiple zero-day exploits—which attack previously unknown vulnerabilities in software—to break into Exchange Servers, which manage email clients including Outlook. There, they could surreptitiously read through the email accounts of high-value targets.

Windows.com bitsquatting hack can wreak “unknown havoc” on PCs

Bit flips are events that cause individual bits stored in an electronic device to flip, turning a 0 to a 1 or vice versa. Cosmic radiation and fluctuations in power or temperature are the most common naturally occurring causes. Research from 2010 estimated that a computer with 4GB of commodity RAM has a 96 percent chance of experiencing a bit flip within three days.

An independent researcher recently demonstrated how bitflips can come back to bite Windows users when their PCs reach out to Microsoft’s windows.com domain. Windows devices do this regularly to do things like making sure the time shown in the computer clock is accurate, connecting to Microsoft’s cloud-based services, and recovering from crashes.

Remy, as the researcher asked to be referred to, mapped the 32 valid domain names that were one bitflip away from windows.com. He provided the following to help readers understand how these flips can cause the domain to change to whndows.com:

01110111 01101001 01101110 01100100 01101111 01110111 01110011
   w        i        n        d        o        w        s
01110111 01101000 01101110 01100100 01101111 01110111 01110011
   w        h        n        d        o        w        s

Of the 32 bit-flipped values that were valid domain names, Remy found that 14 of them were still available for purchase. This was surprising because normally, Microsoft and other companies buy these types of one-off domains to protect customers against phishing attacks. He bought them for $126 and set out to see what would happen. The domains were:

  • windnws.com
  • windo7s.com
  • windkws.com
  • windmws.com
  • winlows.com
  • windgws.com
  • wildows.com
  • wintows.com
  • wijdows.com
  • wiodows.com
  • wifdows.com
  • whndows.com
  • wkndows.com
  • wmndows.com
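
To make the "32 valid domain names one bitflip away" concrete, here is an added example (not Remy's code, nor Microsoft's) that enumerates every single-bit error in the windows label, keeps only results that are still legal and distinct DNS labels, and checks that the 14 domains listed above are among them. It assumes the count of 32 refers to flips within the second-level label only (leaving .com untouched) and that a case-only flip (bit 5 of an ASCII letter) does not count, since DNS names are case-insensitive.

```python
import string

# Characters allowed in an RFC 1123 hostname label: letters, digits and hyphen.
LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")

# The 14 unregistered variants listed in the article (copied from the page).
ARTICLE_DOMAINS = [
    "windnws.com", "windo7s.com", "windkws.com", "windmws.com", "winlows.com",
    "windgws.com", "wildows.com", "wintows.com", "wijdows.com", "wiodows.com",
    "wifdows.com", "whndows.com", "wkndows.com", "wmndows.com",
]


def single_bit_flips(label: str):
    """Yield (variant, index, bit) for every 1-bit error in an ASCII label that
    still spells a syntactically valid and *distinct* DNS label."""
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            # Flipping bit 5 of a letter only changes its case; DNS is
            # case-insensitive, so that is the same name, not a squat.
            if flipped.lower() == ch.lower():
                continue
            if flipped not in LABEL_CHARS:
                continue  # e.g. 0x7f, '/', '.', '$': not a legal label byte
            variant = label[:i] + flipped + label[i + 1:]
            if variant[0] == "-" or variant[-1] == "-":
                continue  # a label may not begin or end with a hyphen
            yield variant, i, bit


def bitsquat_domains(domain: str):
    """Registrable domains one bit flip away from `domain`, flipping only the
    second-level label (assumption: the TLD is left alone, as in the article)."""
    label, tld = domain.split(".", 1)
    return sorted({f"{variant}.{tld}" for variant, _, _ in single_bit_flips(label)})


def flipped_bit(original: str, variant: str):
    """Locate the single differing bit between two equal-length labels, returning
    (char_index, bit_number) with bit 0 the least significant, or None if the
    strings are not exactly one bit apart."""
    if len(original) != len(variant):
        return None
    diffs = [(i, ord(a) ^ ord(b)) for i, (a, b) in enumerate(zip(original, variant)) if a != b]
    if len(diffs) != 1 or diffs[0][1] & (diffs[0][1] - 1):
        return None  # more than one character, or more than one bit, differs
    return diffs[0][0], diffs[0][1].bit_length() - 1


if __name__ == "__main__":
    squats = bitsquat_domains("windows.com")
    print(len(squats), "single-bit variants of windows.com")  # 32
    print("article domains not reproduced:", [d for d in ARTICLE_DOMAINS if d not in squats])  # []
    print("windows -> whndows differs at (index, bit):", flipped_bit("windows", "whndows"))  # (1, 0)
```

The 32 variants this produces are exactly the registrable names the article counts; a defender can run the same enumeration over its own domains to find which bitsquats are still unregistered.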

No inherent verification

Over the course of two weeks, Remy’s server received 199,180 connections from 626 unique IP addresses that were trying to contact ntp.windows.com. By default, Windows machines will connect to this domain once per week to check that the time shown in the device clock is correct. What the researcher found next was even more surprising.

“The NTP client for windows OS has no inherent verification of authenticity, so there is nothing stopping a malicious person from telling all these computers that it’s after 03:14:07 on Tuesday, 19 January 2038 and wreaking unknown havoc as the memory storing the signed 32-bit integer for time overflows,” he wrote in a post summarizing his findings. “As it turns out though, for ~30% of these computers doing that would make little to no difference at all to those users because their clock is already broken.”

The researcher observed machines trying to make connections to other windows.com subdomains, including sg2p.w.s.windows.com, client.wns.windows.com, skydrive.wns.windows.com, windows.com/stopcode, and windows.com/?fbclid.

Remy said that not all of the domain mismatches were the result of bitflips. In some cases they were caused by typos by people behind the keyboard, and in at least one case the keyboard was on an Android device, as it attempted to diagnose a blue-screen-of-death crash that had occurred on a Windows machine.

To capture the traffic devices sent to the mismatched domains, Remy rented a virtual private server and created wildcard domain lookup entries to point to them. The wildcard records allow traffic destined for different subdomains of the same domain—say, ntp.whndows.com, abs.xyz.whndows.com, or client.wns.whndows.com—to map to the same IP address.

“Due to the nature of this research dealing with bits being flipped, this allows me to capture any DNS lookup for a subdomain of windows.com where multiple bits have flipped.”

Remy said he’s willing to transfer the 14 domains to a “verifiably responsible party” and in the meantime will simply sinkhole them, meaning he will hold onto the addresses and configure the DNS records so they are unreachable.

“Hopefully this spawns more research”

I asked Microsoft representatives if they’re aware of the findings and the offer to transfer the domains. The representatives are working on getting a response. Readers should remember, though, that the threats the research identifies aren’t limited to Windows.

In a 2019 presentation at the Kaspersky Security Analysts Summit, for instance, researchers from security firm Bishop Fox obtained some eye-opening results after registering hundreds of bitflipped variations of skype.com, symantec.com, and other widely visited sites.

Remy said the findings are important because they suggest that bitflip-induced domain mismatches occur at a scale that’s higher than many people realized.

“Prior research primarily dealt with HTTP/HTTPS, but my research shows that even with a small handful of bitsquatted domains you can still siphon up ill-destined traffic from other default network protocols that are constantly running, such as NTP,” Remy said in a direct message. “Hopefully this spawns more research into this area as it relates to the threat model of default OS services.”

SpaceX Starlink factory in Texas will speed up production of Dishy McFlatface

The SpaceX Starlink satellite dish partway through a teardown.

SpaceX says it is building a factory in Austin, Texas, to design systems that will help make satellite dishes, Wi-Fi routers, and other equipment for its Starlink satellite broadband network. The news comes from a job posting for an automation and controls engineer position flagged in a story Tuesday by local news channel KXAN.

“To keep up with global demand, SpaceX is breaking ground on a new, state of the art manufacturing facility in Austin, TX,” the job posting said. “The Automation & Controls Engineer will play a key role as we strive to manufacture millions of consumer facing devices that we ship directly to customers (Starlink dishes, Wi-Fi routers, mounting hardware, etc).”

The factory apparently won’t make the dishes and routers on site but will instead design systems that improve the manufacturing process. “Specifically, they will design and develop control systems and software for production line machinery—ultimately tackling the toughest mechanical, software, and electrical challenges that come with high-volume manufacturing, all while maintaining a focus on flexibility, reliability, maintainability, and ease of use,” the job posting said.

Starlink is in beta and is serving over 10,000 customers, and it has asked the Federal Communications Commission for permission to deploy up to 5 million user terminals in the US. SpaceX calls this piece of hardware “Dishy McFlatface,” and it receives transmissions from SpaceX’s low-Earth orbit satellites. See our article about a Dishy McFlatface teardown for more details on the hardware’s inner portions, and this article for more pictures of the dish in its fully intact state.

Starlink has been charging $99 per month plus a one-time fee of $499 for the user terminal, mounting tripod, and router. Starlink recently began taking preorders for service that would become available in the second half of 2021.

Shipping to 25 countries this year

The new job posting said the successful applicant will work in Austin but spend up to 25 percent of the time at SpaceX headquarters in Los Angeles “until [the] Austin facility is fully established.” The new engineer will make an impact on Starlink’s ability to ship hardware this year. The person will “set, implement, and maintain schedules and budgets to ensure project completion as we strive to ship to 25+ countries by the end of the year,” the job posting said.

The engineer will be expected to “design, develop, and manage automation and controls projects to manufacture consumer electronics that are easy for humans around the world to use, but are technically very sophisticated—this includes initial factory ideation, on-line commissioning and proof of rate capability, and eventual hand-off to operational teams.” The engineer will also “spearhead facility bring up and initial equipment conceptual development by carefully balancing product specifications, process requirements, layout complexity, cost, and lead-time limits,” the job posting said.

We asked SpaceX for more detail on plans for the Austin facility and when it will open, and on where exactly the dishes and routers will be manufactured. We’ll update this article if we get an answer.

The new SpaceX factory would be near Tesla’s planned car factory in Austin. SpaceX founder and CEO Elon Musk is also the CEO of Tesla.
