Infosecurity.US

Information Security & Occasional Forays Into Adjacent Realms

  • Web Log

Dallas County Iowa Courthouse

Exculpated: The Iowa Confusion

January 31, 2020 by Marc Handelman in Judicial Branch Security, Jurisprudence, Social Engineering, Penetration Testing

via the sagacious Dan Goodin, Security Editor at Ars Technica, comes news of the exoneration of two Coalfire (Coalfire is a security risk management firm with headquarters in the astoundingly-beautiful State of Colorado) Penetration Testers of all charges (see the previously published story and opinion piece) related to contract penetration testing (evidently, both physical and logical) work for the resplendent-yet-down-to-earth State of Iowa's Judicial Branch. This is great news for both the Information Security Industry and the two Pentesters.

Now, one more thing: Who's going to take care of expunging their respective police arrest records?

Original Coalfire and State of Iowa Courts Work Agreements

  • Requirements and Assumptions)
  • Service Order—Redacted
  • Rules of Engagement—Redacted
  • Social Engineering Authorization—Redacted
  • Master Agreement—Redacted
January 31, 2020 /Marc Handelman
Judicial Branch Security, Jurisprudence, Social Engineering, Penetration Testing

Dallas County Iowa Courthouse

The Beans, Shall We Say, Have Been Spilt: State of Iowa Executes Partial Spillage

September 23, 2019 by Marc Handelman in Judicial Branch Security, Penetration Testing, Social Engineering

This suprisingly frank initial statement regarding the work Coalfire was contracted to perform and regarding the actions to be taken, thereto, follows after the next paragraph split.

Perhaps this entire scenario is indicative of governmental malfeascenace rather than profit-driven overreach by the corporate entity contracted to perform the labor and analysis... You be the judge...

September 18, 2019

State of Iowa State Court Administration Statement on the Coalfire Debacle:

Malicious cyber criminals use all techniques at their disposal—fair or foul—to access valuable data from private and public organizations. Global cybersecurity firms (such as Coalfire) involved in technical testing are professionally contracted to simulate real-world attacks using the same techniques any attacker may use to test the company’s defenses so that they can remedy their vulnerabilities before a real-world attack occurs.

Recently, two penetration testers employed by Coalfire were arrested in the Dallas County Courthouse during a security testing exercise to help the Iowa Judicial Branch ensure the court’s highly sensitive data was secured against attack. Coalfire was working to provide quality client service and a stronger security posture. Coalfire and State Court Administration believed they were in agreement regarding the physical security assessments for the locations included in the scope of work. Yet, recent events have shown that Coalfire and State Court Administration had different interpretations of the scope of the agreement. Together, Coalfire and State Court Administration continue to navigate through this process. To that end, the Iowa Judicial Branch and Coalfire will each be conducting independent reviews and releasing the contractual documents executed between both parties.

State Court Administration has worked with Coalfire in the past to conduct security testing of its data and welcomed the opportunity to work with them again. Both organizations value the importance of protecting the safety and security of employees as well as the integrity of data.

State Court Administration apologizes to the sheriffs and boards of supervisors of Dallas County and Polk County for the confusion and impact these incidents have caused.

Links below are to the contract documents with allowable redactions

Requirements and Assumptions Service Order—Redacted Rules of Engagement—Redacted Social Engineering Authorization—Redacted Master Agreement—Redacted

September 23, 2019 /Marc Handelman
Judicial Branch Security, Penetration Testing, Social Engineering