Infosecurity.US

Information Security & Occasional Forays Into Adjacent Realms


Dallas County Iowa Courthouse

Exculpated: The Iowa Confusion

January 31, 2020 by Marc Handelman in Judicial Branch Security, Jurisprudence, Social Engineering, Penetration Testing

Via the sagacious Dan Goodin, Security Editor at Ars Technica, comes news of the exoneration of two Coalfire penetration testers (Coalfire is a security risk management firm headquartered in the astoundingly beautiful State of Colorado) of all charges (see the previously published story and opinion piece) related to contract penetration testing work, evidently both physical and logical, for the resplendent-yet-down-to-earth State of Iowa's Judicial Branch. This is great news for both the information security industry and the two pentesters.

Now, one more thing: Who's going to take care of expunging their respective police arrest records?

Original Coalfire and State of Iowa Courts Work Agreements

  • Requirements and Assumptions
  • Service Order—Redacted
  • Rules of Engagement—Redacted
  • Social Engineering Authorization—Redacted
  • Master Agreement—Redacted


The Beans, Shall We Say, Have Been Spilt: State of Iowa Executes Partial Spillage

September 23, 2019 by Marc Handelman in Judicial Branch Security, Penetration Testing, Social Engineering

This surprisingly frank initial statement from the State of Iowa, regarding the work Coalfire was contracted to perform and the actions to be taken as a result, follows below.

Perhaps this entire scenario is indicative of governmental malfeasance rather than profit-driven overreach by the corporate entity contracted to perform the work and analysis. You be the judge.


September 18, 2019

State of Iowa State Court Administration Statement on the Coalfire Debacle:

Malicious cyber criminals use all techniques at their disposal—fair or foul—to access valuable data from private and public organizations. Global cybersecurity firms (such as Coalfire) involved in technical testing are professionally contracted to simulate real-world attacks using the same techniques any attacker may use to test the company’s defenses so that they can remedy their vulnerabilities before a real-world attack occurs.

Recently, two penetration testers employed by Coalfire were arrested in the Dallas County Courthouse during a security testing exercise to help the Iowa Judicial Branch ensure the court’s highly sensitive data was secured against attack. Coalfire was working to provide quality client service and a stronger security posture. Coalfire and State Court Administration believed they were in agreement regarding the physical security assessments for the locations included in the scope of work. Yet, recent events have shown that Coalfire and State Court Administration had different interpretations of the scope of the agreement. Together, Coalfire and State Court Administration continue to navigate through this process. To that end, the Iowa Judicial Branch and Coalfire will each be conducting independent reviews and releasing the contractual documents executed between both parties.

State Court Administration has worked with Coalfire in the past to conduct security testing of its data and welcomed the opportunity to work with them again. Both organizations value the importance of protecting the safety and security of employees as well as the integrity of data.

State Court Administration apologizes to the sheriffs and boards of supervisors of Dallas County and Polk County for the confusion and impact these incidents have caused.

Links below are to the contract documents with allowable redactions

  • Requirements and Assumptions
  • Service Order—Redacted
  • Rules of Engagement—Redacted
  • Social Engineering Authorization—Redacted
  • Master Agreement—Redacted


DerbyCon 2018, Adam Compton's 'Hillbilly Storytime: Pentest Fails' →

December 15, 2018 by Marc Handelman in Irongeek, Information Security, Penetration Testing

Videography Credit: Irongeek (Adrian Crenshaw).


En Garde, CnC!

July 27, 2018 by Marc Handelman in Penetration Testing, Information Security, Network Security, Web Security

An outstanding blog post on Command and Control over WebSockets, well crafted and written by Craig Vincent of Black Hills Information Security, focusing on the use of the WebSocket vector to facilitate pentesting heroics. Today's Must Read!


User Name Sieving, LinkedIn Grist

July 19, 2018 by Marc Handelman in Pen Test Analysis, Penetration Testing, Education, Information Security

In a tour de force instructional blog post at Black Hills Infosec, Carrie Roberts displays remarkable acumen in distilling user names from LinkedIn profiles using PortSwigger's Burp Suite. If you are at all interested in garnering grist for your pentest mill (so to speak), examine, if you will, Carrie's commanding work; you'll be glad you did.


SANS Webcast, Larry Pesce's 'Software Defined Radio for Penetration Testing and Analysis' →

July 02, 2018 by Marc Handelman in Software Defined Radio, Penetration Testing, Pen Test Analysis

WebApp Security, 'My Experience Leading A Purple Team' →

June 26, 2018 by Marc Handelman in Red Team, Blue Team, Purple Team, Penetration Testing, Information Security

A terrific Red & Blue (in reality, Purple's the word in this case) Teaming leadership post (via Robert A., posting on the Web Application Security Consortium list) detailing his experience leading a Purple Team and the oversight work associated with that team colour. Very pleased to see this form of shared learning in the Red Team space. Today's Must Read.

"Purple: Purple teaming in my experience is the oversight of how red and blue operate, coordination to strengthen the effectiveness of both red/blue, and improved relationships with impacted stakeholders (dev/it/ops/etc). It likely isn't its own team, it's the leaders of the blue/red teams coordinating with its members and cross-org stakeholders to optimize how they operate." (via Robert A.'s superlative post on the Web Application Security Consortium list)


BSides Leeds, Rory McCune's 'Night Of The Living Dead Pentest' →

March 04, 2018 by Marc Handelman in BSides, Conferences, Education, Information Security, Penetration Testing

BSides Leeds, Mark Carney's 'Pentesting Hardware And IoT' →

February 26, 2018 by Marc Handelman in Conferences, BSides, Education, Penetration Testing, Information Security, Cybersecurity

DerbyCon 2017, Daniel Brown's 'Retail Store POS Penetration Testing' →

December 11, 2017 by Marc Handelman in Information Security, Network Security, Penetration Testing, Conferences, DerbyCon, Education


BSides London 2017, Owen Shearing's 'IPv6 for Pentesters' →

July 27, 2017 by Marc Handelman in BSides, Conferences, Education, Information Security, Network Security, Network Protocols, Penetration Testing

BSides Cleveland 2017, Erik Daguerre's 'IoT Device Pentesting' →

July 17, 2017 by Marc Handelman in BSides, Conferences, IoT Security, IoT, Information Security, Penetration Testing

Kali, The Distro of Cloud GPUs →

April 28, 2017 by Marc Handelman in All is Information, Information Security, Network Security, Penetration Testing, Security Testing, Security Tooling, KALI

News, via El Reg writer Simon Sharwood, of new capabilities in the Kali Linux distro (version 2017.1). The standout addition: leveraging cloud-based GPU infrastructure to crack password hashes. Outstanding.


Shmoocon 2017, Falcon Darkstar and Sergey Bratus - LangSec for Penetration Testing: How and Why →

February 24, 2017 by Marc Handelman in All is Information, Conferences, Education, Information Security, Penetration Testing

PenTesters Framework Released →

May 27, 2015 by Marc Handelman in All is Information, Information Security, Penetration Testing, GitHub

News, via TrustedSec, of the release of the latest version of the PenTesters Framework (PTF), written by David Kennedy, CEO of TrustedSec. Download the PTF at GitHub or clone the project (git clone https://github.com/trustedsec/ptf). Enjoy.


Ira Winkler's ' Making Penetration Tests Actually Useful' →

April 27, 2015 by Marc Handelman in All is Information, Education, Information Security, Penetration Testing

A presentation by Ira Winkler from RSA Conference 2014. Over a year old and, interestingly, still highly relevant.


SANS 2015 Penetration Testing Poster Available →

April 03, 2015 by Marc Handelman in All is Information, Education, Information Security, SANS, Penetration Testing

SANS Penetration Testing Curriculum has crafted a new security poster for 2015 and you can request to have a highly coveted paper copy mailed to you (at no charge, directly from SANS). The deadline to request a poster is April 15, 2015 (If you want one, get on this ASAP as they run out of inventory quickly).
