The Washington Post

The Cybersecurity 202: Arrested Iowa hackers spark alarm among security pros

Analysis by
Anchor of The Cybersecurity 202 newsletter
November 13, 2019 at 7:25 a.m. EST

with Tonya Riley

THE KEY

Shockwaves are rippling through the cybersecurity community after researchers hired to test the digital and physical defenses of Iowa county courthouses ended up facing criminal charges instead.

The researchers from Coalfire were arrested Sept. 9 after tripping an alarm at a Dallas County, Iowa, courthouse in what seemed at first like an honest case of confusion. But they’re still facing burglary charges more than two months later, as CNBC’s Kate Fazzini reported.

That’s sparking major anxiety among “penetration testing” companies, which worry they can’t guarantee protection for their employees who role-play as hackers and burglars trying to sneak into organizations’ networks and buildings to steal their data.

The Coalfire employees were arrested during a physical security check, but penetration testers also frequently cross digital barriers that could land them in jail — if they didn’t have express permission from the clients who own those digital networks. The Coalfire employees’ main job was also to verify the physical security of digital files.

The timing couldn’t be worse, with such companies prepping to vet the security of hundreds of local election operations in advance of the 2020 contests amid widespread concerns Russia will try to hack voting machines and other election infrastructure as it did in 2016. If those machines and the buildings that store them aren't properly vetted, they could be far more vulnerable. 

“I’ve had a lot of discussions with owners of organizations that do this kind of work that are kind of freaking out about this,” David Kennedy, founder of Binary Defense and TrustedSec, a consulting firm that conducts penetration tests, told Kate. “We are all watching this very closely, and we are concerned.”

The Iowa fracas could dangerously damage the relationship between government agencies and testing companies in the runup to 2020, Casey Ellis, founder of Bugcrowd, which also does penetration testing, told Kate.

“I can only see the need for this accelerating,” he said.

It’s not uncommon for penetration testers to end up dealing with law enforcement, but they can typically prove their bona fides before any charges are filed. In the Dallas County case, Coalfire employees Justin Wynn and Gary Demercurio showed sheriff’s deputies their paperwork and credentials but were still arrested on burglary charges and spent a night in jail.

The main problem seems to have been confusion between Coalfire and Iowa State Court Administration, which purchased the cybersecurity and physical security testing package, about some of the methods the penetration testers would use, according to a third-party review commissioned by the Iowa Supreme Court.

Iowa Chief Justice Mark Cady apologized for that confusion in an October statement to a legislative oversight committee, noting that “In our efforts to fulfill our duty to protect confidential information of Iowans from cyberattack, mistakes were made.”

He pledged the judicial branch is “doing everything possible to correct those mistakes, be accountable for the mistakes, and to make sure they never, ever occur again.”

That does little good for Wynn and Demercurio, though, whose robbery charges have been reduced but not dropped.

PINGED, PATCHED, PWNED

PINGED: Russian hackers struggled to publicize the trove of sensitive documents they stole from the Democratic Party in 2016 before WikiLeaks stepped in, according to a report released last night, my colleague Craig Timberg writes. In fact, their initial Facebook posts publicizing the stolen documents generated just 11 “likes,” 17 shares and zero comments.

“Direct messages to American journalists, made through a fictitious Twitter persona called Guccifer 2.0, generated a spate of news coverage soon after. But that was modest compared to the deluge that came five weeks later, on July 22, when WikiLeaks published the documents and tweeted a link to its 3.2 million followers,” Craig reports.

The report was prepared by the Stanford Internet Observatory using data Facebook provided to the Senate Intelligence Committee. The committee’s Vice Chairman Mark R. Warner (D-Va.) called the report further evidence that “big platforms need to do a better job of making sure they don’t become tools for Russian manipulation of American voters.”

PATCHED: Chinese hackers penetrated the National Association of Manufacturers over the summer, a powerful industry group that has helped shape President Trump’s policies, Reuters’s Christopher Bing reports.

The hack could have given China inside information in an ongoing trade war that has roiled both nations. A cybersecurity firm concluded the hack came from China because it used tools and techniques previously associated with known Chinese hacking groups, Christopher reports.

NAM spokeswoman Erin Streeter told Christopher that the organization’s networks are now secure. “We know we are a target for cyberattacks. We identified suspicious activity relating to certain company systems and investigated the matter,” she said.

PWNED: Hackers have attacked Britain's two major political parties, attempting to disable their online platforms with a flood of malicious traffic ahead of national elections next month, Jack Stubbs and Kylie MacLellan at Reuters report. Two denial of service attacks against Britain's Labour Party over the past two days were followed by an attack on the country's Conservative Party by what appears to be a different group, they report.

Labour officials were able to repel the first attack, but users may still have trouble accessing their sites after the second one, a Labour Party spokesman told Reuters.

The Conservative Party's website was hit with an even larger denial of service attack, sources tell Reuters, but it remains online. A Conservative Party spokeswoman had no immediate comment and told Reuters she was unaware of the attack.

There is currently no evidence that foreign actors launched the attacks, but Britain's security agencies have warned that Russia and other nation-states could use cyberattacks to derail the upcoming elections. British intelligence has accused Russia of spying and interference in the 2016 Brexit referendum and a 2017 national election.

PUBLIC KEY

There were some top cybersecurity leaders from the Obama administration among the 133 former officials who signed onto a letter endorsing Joe Biden for president yesterday.

Among the signatories were: former assistant attorney general John Carlin; former Homeland Security Department deputy secretary Alejandro N. Mayorkas; former Pentagon under secretary for policy James N. Miller; former homeland security adviser Lisa Monaco; former State Department coordinator for communications and information policy Daniel Sepulveda; and former DHS assistant secretary for cyber policy Robert Silvers.

Here’s a full rundown from my colleague Josh Rogin.

— More cybersecurity news from the public sector:

Huawei to pay workers an extra month’s salary, give bonuses for ‘struggle’ against U.S. (Anna Fifield)

Justice Dept. inspector general invites witnesses to review draft of Russia report, signaling public release is close (Matt Zapotosky and Devlin Barrett)

Alleged Russian scammer appears in U.S. court after extradition battle (CyberScoop)

Senior official describes cyber workforce shortage as national security threat (The Hill)

Sensitive data from 1,800 people, including crime victims and law enforcement officials, may have fallen into hands of felon, Virginia town says (Justin Jouvenal)

Sen. Chuck Schumer Raises Security Concerns About The Army Using TikTok To Try To Recruit Young People (BuzzFeed News)

PRIVATE KEY

Next-generation 5G telecommunications technology could open the door for new cyberattacks, despite being touted by government and industry leaders as a more secure alternative to older networks. That's the conclusion reached by researchers at Purdue University and the University of Iowa, who found 11 vulnerabilities in 5G that hackers could exploit to track a phone's location and possibly even broadcast fake emergency alerts, Zack Whittaker at TechCrunch reports.

In some cases, the researchers were also able to make the phones' connection to the mobile network less secure and more vulnerable to surveillance or to knock a phone's service offline.

— More cybersecurity news from the private sector:

Intel Failed to Fix a Hackable Chip Flaw Despite a Year of Warnings (Wired)

Facebook bug turns on iPhone camera when users scroll through their feed (The Guardian)

Malware developers are betting you’ll be fooled by the ‘Donald Trump Screen of Death’ (Marie C. Baca)

THE NEW WILD WEST

— Cybersecurity news from abroad:

Stronger regulations could help protect against cyber attacks: Bank of Canada official (Reuters)

ZERO DAYBOOK

— Today:

  • The House Committee on Veterans Affairs will host a hearing on “Hijacking our Heroes: Exploiting Veterans through Disinformation on Social Media” on Wednesday at 2 p.m. Eastern time

— Coming up:

  • New York University’s Center for Cybersecurity and the Journal of National Security Law & Policy will host an event titled “Catching the Cybercriminal: Reforming Global Law Enforcement” on November 18 at 10 a.m.
  • The House Financial Services Committee will host a hearing on the role of big data in financial services on November 21 at 9:30 a.m.
  • The 2019 International Conference on Cyber Conflict U.S. (CyCon U.S.) will take place Nov. 18-20, 2019, at the Crystal Gateway Marriott in Arlington, Va.
  • CYBERWARCON takes place on November 21 in Arlington, Va.