There's an elite cadre of professionals who get paid to break into supposedly secure buildings—corporate headquarters, data centers, factories, government installations. As Andy Greenberg writes this week on Backchannel, these so-called penetration testers probe vulnerabilities so their clients can plug the holes.

Two such experts were hired last year to test the physical security of county courthouses in Iowa. The buildings were riddled with susceptibilities: unlatched doors, inattentive security guards, open laptops, sticky notes with passwords written on them. Late on the night of September 10, they targeted a courthouse in the city of Adel, easily entering the front door using a notched shim fashioned from a thin cutting board. Unlike some of the places they'd broken into, the alarm system in this courthouse worked. In a few minutes an officer from the sheriff's department across the street came to investigate. The two men greeted him at the door—the officer had no key and wasn't able to open it—and they quickly explained that they'd been hired by the state's judicial branch to test the building's security. They showed him a letter from their employer verifying the contract with the government. They chatted amiably for a few minutes.

Then the county sheriff himself showed up and ordered the men arrested for burglary. "This is not state property. This is county property," he said. "Do you realize that?" They were marched across the street, interrogated, and charged with felony burglary. They spent the night in jail, which turned out to be just the start of five months in legal limbo that became a full-blown scandal in the state of Iowa. The incident has also sent a ripple of anxiety through the insular world of penetration testing.

Mark Robinson | Features Editor, WIRED