If you haven’t read the post from Coalfire’s CEO, Tom McAndrew, you should. It is here: https://www.coalfire.com/News-and-Events/Press-Releases/Coalfire-CEO-Tom-McAndrew-statement
TechRepublic’s report tells us that in 2019 so far, there is a 54% increase in breaches—over 3,800 so far this year. It is for this exact reason that we see intelligent companies increasing their spending, efforts, and time focusing on securing their people, perimeter, networks, and everything in between. That is exactly what two Coalfire pentesters were doing.
We personally had the privilege of having Justin Wynn as a student in our Advanced Practical Social Engineering class this summer. He was honorable and followed our motto to “always leave them feeling better for having met you.” When we look at how Justin and Gary handled this pentest, that motto seems to have been followed.
After gaining access to the Judicial Branch Building in Dallas County, Iowa, they left a business card, left everything intact, and exited the building. The next day, they were greeted with a “congratulations text” from their point of contact. The next night, they went to test the Courthouse facility and found that some employees had left the door open—it was midnight. Instead of using this as part of their test (to be honest I would have), they closed the door, locked it, and proceeded to perform their test as if the building was secure. After gaining access, they purposefully tripped the alarm to test the reaction times.
Upon greeting the deputies, they gave their authorization letter and had their state contacts on the phone. All of this was verified and they were just about to be released when Sheriff Chad Leonard arrived and arrested them. Now, Justin and Gary are being charged with criminal trespass.
In a time when law enforcement should be partnering with companies like Coalfire and other pentest groups, this is very disheartening indeed.
Like other companies in this space, Social-Engineer will be sending a support letter to the State of Iowa and Dallas County calling on their reason to drop these charges.
Christopher Hadnagy
CEO, Social-Engineer, LLC