STE WILLIAMS

Deconstructing an iPhone Spearphishing Attack

How criminals today bypass smartphone anti-theft protection and harvest AppleIDs and passwords through fake Apple servers.

The nature of spearphishing attacks has drastically evolved: We’ve moved from crudely written, poorly spelled scattergun operations to highly targeted campaigns that leverage knowledge about the victim to increase the attacker’s chances of success. Once a focused attack on high-value targets, the mark has changed and the ordinary consumer is now in reach. A recent report revealed the rate at which people fall for mobile phishing attacks has increased 85% every year since 2011.

That’s not to say that I’m not a fan of recent anti-theft technology adopted by smartphone manufacturers like Apple. I am. Before Apple released features like Find My iPhone and Activation Lock, iPhones were the most stolen item in almost every city. In 2012, over 50% of robberies in San Francisco involved theft of a mobile communications device. With resale prices of new iPhones of dubious pedigree surpassing $1,000, it’s easy to see why. But within 12 months of the release of Activation Lock and Find My iPhone for iOS 7 in 2013, iPhone theft fell 50% in London, 40% in San Francisco, and 25% in New York. These features were exactly what we needed to head off surging crime rates. Unfortunately, there are few groups as innovative as criminals. Within months of Apple deploying these anti-theft measures, criminals found ways to limit their effectiveness.

Fast forward to today: When a smartphone is stolen, thieves now power it down and often place it into a foil-lined bag to prevent signals from reaching it. The devices are then powered up only when thieves are positive no signal can reach or inspect them. If the phone is out of date and a software vulnerability exists, they hack the phone and wipe it clean to be resold. If the phone is up to date but not valuable enough to resell, it is either junked or sold for parts. This can easily happen on both older and newer models of phones. For example, here’s how an attacker launched a spearphishing attack this past summer during the San Francisco Pride Parade. On June 30, a pickpocket stole an iPhone X from a teenager during the parade. The phone was up to date and locked with FaceID, and had Activation Lock as well as Find My iPhone enabled. The teenager realized the phone was lost within 10 minutes, and immediately enabled lost mode. Too late. The thief had immediately powered the phone down and knew better than to do anything with it.

A little over a week later, the owner started to receive messages, claiming to come from Apple:

Despite reporting the messages as “junk,” per Apple’s own instructions, the texts continued to flood in. At one point, more than 10 messages per day came in at all hours. The strategy — to spam the target with messages — aims to bully and wear victims down until they click a link just to make it stop. In this case, the attacker employed a system that rotated through several iCloud addresses and phone numbers to prevent the target from blocking or ignoring any of the messages. The repeated nature of the messages and the reappearance of specific examples of spelling, capitalization, and punctuation errors made it clear this was an automated system. 
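The tell the author describes here (one message template, with the same typos, arriving from a rotating set of senders and links) is something a defender can detect mechanically. The following is an added example written for this page, not code from the article or from Okta: it normalizes incoming texts, clusters near-identical ones, and flags a cluster as an automated campaign when the same template arrives from several distinct senders and carries a link. The sample messages, sender values and `example.invalid` links are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Message:
    sender: str  # phone number or e-mail address the text arrived from
    text: str


# Constructed sample messages modelled on the behaviour described in the
# article: one template, same typos, rotating senders and rotating links.
# These are not real messages, senders or domains.
SAMPLE_MESSAGES = [
    Message("+1-555-0101", "Apple: Your lost iPhone X has been located.View location: http://example.invalid/a1"),
    Message("fmi.support@example.invalid", "Apple: Your lost iPhone X has been located.View location: http://example.invalid/b7"),
    Message("+1-555-0144", "Apple: Your lost iPhone X has been located.View location: http://example.invalid/c3"),
    Message("+1-555-0177", "apple: your lost iphone X has been Located.View Location: http://example.invalid/d9"),
    Message("+1-555-0199", "Hi, it's Sam, are we still on for Friday?"),
    Message("+1-555-0199", "Hi, it's Sam, running 10 minutes late."),
]

URL_RE = re.compile(r"https?://\S+")
NUM_RE = re.compile(r"\d+")


def normalize(text: str) -> str:
    """Collapse the parts an automated sender varies (links, numbers, case,
    whitespace) while keeping wording and punctuation, so that identical
    templates, typos included, map to identical strings."""
    t = URL_RE.sub("<url>", text)
    t = NUM_RE.sub("<num>", t)
    return " ".join(t.lower().split())


def cluster_messages(messages, threshold: float = 0.9):
    """Group messages whose normalized text is near-identical (difflib ratio
    at or above `threshold`). Returns a list of clusters of Message."""
    clusters = []
    for msg in messages:
        norm = normalize(msg.text)
        for cluster in clusters:
            representative = normalize(cluster[0].text)
            if SequenceMatcher(None, norm, representative).ratio() >= threshold:
                cluster.append(msg)
                break
        else:
            clusters.append([msg])
    return clusters


def flag_campaigns(messages, min_senders: int = 3):
    """Report clusters that look like an automated campaign: one template
    arriving from at least `min_senders` distinct senders and carrying a
    link. Returns a list of (normalized_template, distinct_sender_count)."""
    flagged = []
    for cluster in cluster_messages(messages):
        senders = {m.sender for m in cluster}
        has_link = any(URL_RE.search(m.text) for m in cluster)
        if len(senders) >= min_senders and has_link:
            flagged.append((normalize(cluster[0].text), len(senders)))
    return flagged


if __name__ == "__main__":
    for template, count in flag_campaigns(SAMPLE_MESSAGES):
        print(f"{count} distinct senders -> {template}")
```

The threshold of 0.9 is loose enough to absorb a changed link or a capitalisation tweak and tight enough to keep two genuine texts from the same friend in separate clusters; blocking individual senders, as the article notes, does nothing against a rotating pool, whereas grouping by template does.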

If the target clicked on one of the links, they were immediately redirected to a fake Find My iPhone page, served from fake Apple servers, that attempted to harvest their AppleID and password, as shown below.

If the target entered their AppleID credentials into the site, the phone would have been quickly deleted from their account. And often, the first moment targets know this has happened is when the missing device disappears from the list of devices trackable through Find My iPhone.

Sometimes, for good measure, the thief will hijack the target’s AppleID, changing email addresses and contact information to exploit the account further. As we become increasingly dependent on our online identities for tools like Apple Pay and online banking, the potential rewards from hijacking an account increase exponentially.

The Best Defense
Follow these eight simple measures to protect your privacy in the event of smartphone theft: 

  1. Make sure your device has a strong alphanumeric password in addition to using security features, including biometrics like facial or fingerprint recognition.
  2. If your device is lost or stolen, in addition to setting it to wipe and enabling lost mode, you should also change all of your passwords and log out of any accounts that you access via that device. 
  3. Speed is important. Start by immediately remotely locking your device and then move onto locking down your accounts. Even if you aren’t sure if the device was misplaced, lost, or stolen, take steps to protect yourself.
  4. Some applications and services allow you to examine and kill sessions you don’t recognize. If this feature is available, use it, but simply kill all sessions. Then you can log back in safely knowing that if a thief does gain access to your phone, they can’t get into your accounts.
  5. While stories pop up from time to time about consumers recovering stolen devices themselves, it’s usually a better idea to leave crime-fighting to the police.
  6. Take great care when handling messages with links. Never click on a link from an unknown sender and be very cautious with those from known senders. It’s increasingly common for attackers to hijack legitimate email accounts in order to send malicious links to friends and family. 
  7. The more urgent a message seems, the more scrutiny you should give it. Attackers like to threaten, coerce, and demand because they know people act rashly when in a hurry.
  8. If a message claims to come from an institution you use, instead of clicking on the link, open a new browser window and go to its website. Alternatively, pick up the telephone and call it. 


Marc Rogers is the executive director of cybersecurity at Okta. With a career that spans more than 20 years, Marc has been hacking since the 80’s and is now a white-hat hacker. Prior to Okta, Marc served as the head of security for Cloudflare and spent a decade managing …

Article source: https://www.darkreading.com/risk/deconstructing-an-iphone-spearphishing-attack/a/d-id/1335801?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Security Pros Value Disclosure … Sometimes

Security professionals will coordinate disclosure with researchers but may keep their self-discovered vulnerabilities secret, a new study shows.

Honesty is a virtue, say most cybersecurity professionals. That’s true even when the honesty involves disclosing vulnerabilities, with 90% of professionals saying that disclosure is a “public good” that increases transparency and improves overall IT security.

The bias toward disclosure is shown in the results of a recent survey conducted by 451 Research and sponsored by Veracode. According to the report, 37% of organizations have received unsolicited disclosures in the last 12 months and, of those, 90% publicly disclosed the vulnerabilities in coordination with the researcher(s) who discovered the issue.

Even so, only 9% of those who identified their own vulnerability opted to make a full disclosure.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/application-security/security-pros-value-disclosure--sometimes/d/d-id/1335859?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

No surprises in the top 25 most dangerous software errors

An in-depth study of reported bugs has produced a list of the top 25 bug categories in software today. Those topping the list are decades old, showing us that we’ve a long way to go in the journey to creating quality software.

The Common Weakness Enumeration (CWE) project analysed reams of bug data from the Common Vulnerabilities and Exposures (CVE) database as part of its research. The CVE gets thousands of new bugs each year, and the CWE classifies them to help guide software analysis and testing.

In 2005, it began collecting these bugs into categories, building on internal work by MITRE (the company which began the CVE list). The idea was to publish a standard list of common software security weaknesses, giving developers and tools vendors a framework to work from when assessing software for security bugs.

This is the first CWE top 25 since 2011, and we were hoping for some analysis of the key movers, Top-Of-The-Pops style. Sadly, that’s not really possible because CWE changed its approach this time around. It remapped the CVEs to a broader list of categories. It also took a more data-focused approach by mining the National Vulnerability Database (NVD). The 2011 study used surveys and personal interviews with developers, security analysts, and vendors.

Still, there are some interesting findings. Buffer flaws (categorised as ‘Improper Restriction of Operations within the Bounds of a Memory Buffer’) topped the list this time around. This covers a range of evils including buffer overflows, which can lead to arbitrary code execution, and out-of-bounds reads, which can crash a system or access sensitive data (out of bounds read also gets its own entry in fifth place).

Cross-site scripting was second on the list. That this term, first coined by Microsoft in 2000, is still featuring heavily in real-world bugs shows how much work is left to do in teaching developers how to avoid it. HackerOne’s recent list of total report volumes and bounty payments per weakness type showed XSS leading the pack by far.

Third came improper input validation. This is a common problem for developers who don’t think about all the wrong ways that people could enter information into a system to manipulate it (such as entering negative numbers into an ecommerce shopping cart and crediting their account).
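The shopping-cart case mentioned above is the textbook instance of this weakness, so here is an added example (written for this page, not code from CWE, MITRE or the article) that puts the vulnerable calculation beside its validated form. The catalogue, SKUs and prices are constructed; the point is that the hardened version takes prices only from the server-side catalogue and accepts a quantity only if it is a plain ASCII integer within a fixed range.

```python
import re
from decimal import Decimal

# Constructed server-side catalogue; prices never come from the client.
CATALOGUE = {"sku-001": Decimal("19.99"), "sku-002": Decimal("5.00")}
MAX_QUANTITY = 100
PLAIN_INTEGER = re.compile(r"[0-9]+")  # ASCII digits only; str.isdigit() also accepts "²"


class InvalidCartItem(ValueError):
    """Raised when a submitted cart line fails validation."""


def cart_total_unvalidated(items):
    """Vulnerable: trusts whatever quantity the client sent. A negative
    quantity yields a negative line total, i.e. a credit to the buyer."""
    total = Decimal("0")
    for sku, qty in items:
        total += CATALOGUE[sku] * int(qty)
    return total


def validate_quantity(raw) -> int:
    """Accept only an integer in [1, MAX_QUANTITY]. Rejects booleans, floats,
    negative or zero values, and any string that is not purely ASCII digits."""
    if isinstance(raw, bool):
        raise InvalidCartItem(f"bad quantity: {raw!r}")
    if isinstance(raw, int):
        qty = raw
    elif isinstance(raw, str) and PLAIN_INTEGER.fullmatch(raw.strip()):
        qty = int(raw.strip())
    else:
        raise InvalidCartItem(f"bad quantity: {raw!r}")
    if not 1 <= qty <= MAX_QUANTITY:
        raise InvalidCartItem(f"quantity out of range: {qty}")
    return qty


def is_valid_quantity(raw) -> bool:
    """Convenience predicate around validate_quantity."""
    try:
        validate_quantity(raw)
        return True
    except InvalidCartItem:
        return False


def cart_total_validated(items):
    """Hardened: every SKU must exist in the catalogue and every quantity must
    pass validate_quantity, so the total can never go below zero."""
    total = Decimal("0")
    for sku, raw_qty in items:
        if sku not in CATALOGUE:
            raise InvalidCartItem(f"unknown sku: {sku!r}")
        total += CATALOGUE[sku] * validate_quantity(raw_qty)
    return total


if __name__ == "__main__":
    hostile_cart = [("sku-001", "2"), ("sku-002", "-10")]
    print("unvalidated total:", cart_total_unvalidated(hostile_cart))
    try:
        cart_total_validated(hostile_cart)
    except InvalidCartItem as exc:
        print("validated cart rejected:", exc)
```

Rejecting rather than clamping the bad value matters: silently turning -10 into 1 would hide the probing attempt from the logs, whereas an `InvalidCartItem` can be counted and alerted on.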

Fourth came information exposure, in which a program accidentally reveals valuable data to a user. This could be private messages or program configuration files that are supposed to be private and which could give attackers a way into the system. This category of bug came third on the HackerOne list.

The CWE list has its own weaknesses. The research project omits vulnerabilities found and fixed in online or bespoke internal services before a public release. Nevertheless, its sheer breadth and data-driven analysis make it a good litmus test for the kinds of bugs causing people the biggest security headaches today.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/rJcjSJP7NLU/

S2 Ep9: DDoSes, privacy and network hacks – Naked Security Podcast

Episode 9 of the Naked Security Podcast is now live!

I hosted the show again this week with Mark Stockley, Paul Ducklin and special guest Greg Iddon.

Greg discusses the most disruptive DDoS attack in recent memory affecting Wikipedia [5’17”], Mark shares another privacy boost for Firefox users [15’39”] and Duck explains why SSH-stealing NetCAT is not really a problem [29’30”].

Listen now and tell us what you think!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/-gNqC4SyKOk/

US files suit against Snowden to keep book profits out of his hands

The US has filed suit against government surveillance secret leaker Edward Snowden for publishing a book – Permanent Record – in violation of the non-disclosure agreements (NDAs) he signed with both the Central Intelligence Agency (CIA) and the National Security Agency (NSA).

The NSA is, of course, where Snowden was working as a CIA employee and subcontractor when he leaked secret documents exposing covert NSA surveillance programs.

The government isn’t looking to stop or restrict the publication or distribution of the book, which was released worldwide on Tuesday – the same date that the lawsuit was filed. Rather, it wants to seize any money Snowden makes from book sales.

The complaint alleges that Snowden published his book without submitting it to the CIA and NSA for pre-publication review, in violation of his express obligations under the agreements he signed when he went to work for the agencies.

The suit also alleges that Snowden has given public speeches on intelligence-related matters, also in violation of his NDAs.

The suit names the publishers, Macmillan Publishers Inc., Macmillan Publishing Group LLC (doing business as Henry Holt and Company), and Holtzbrinck Publishers LLC. In its press release, the US Attorney’s Office for the Eastern District of Virginia said that it’s suing the publishers just to make sure that they don’t pay anything to Snowden while the court resolves the US’s claims.

Snowden has been living in Russia since 2013: the country granted him asylum soon after he shared thousands of classified NSA documents with journalists Glenn Greenwald, Laura Poitras, and Ewen MacAskill.

G. Zachary Terwilliger, US Attorney for the Eastern District of Virginia:

Intelligence information should protect our nation, not provide personal profit. This lawsuit will ensure that Edward Snowden receives no monetary benefits from breaching the trust placed in him.

Assistant Attorney General Jody Hunt of the Department of Justice’s Civil Division:

Edward Snowden has violated an obligation he undertook to the United States when he signed agreements as part of his employment by the CIA and as an NSA contractor.

The United States’ ability to protect sensitive national security information depends on employees’ and contractors’ compliance with their non-disclosure agreements, including their pre-publication review obligations. This lawsuit demonstrates that the Department of Justice does not tolerate these breaches of the public’s trust. We will not permit individuals to enrich themselves, at the expense of the United States, without complying with their pre-publication review obligations.

The DOJ says that this lawsuit is separate from the criminal charges brought against Snowden for his alleged disclosures of classified information. On Snowden’s 30th birthday, on 21 June, 2013, the DOJ unsealed charges against Snowden of two counts of violating the Espionage Act of 1917 and theft of government property. The Department of State subsequently revoked Snowden’s passport.

The DOJ says that this time, the lawsuit is a civil action, “based solely on Snowden’s failure to comply with the clear pre-publication review obligations included in his signed non-disclosure agreements.”

In a series of tweets, Snowden said that within hours of the lawsuit being filed, his book became the No. 1 best-selling book in the world. As of Wednesday, it was Amazon’s #1 Best Seller.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/sZMpIte9WGE/

Researchers find 737 million medical images exposed on the internet

Earlier this summer, researchers at German company Greenbone Networks decided to spend a few weeks trawling the internet to see how many medical imaging archives might be exposing patient data.

Presumably, they had a hunch they’d turn up something but appear to have been taken aback by the scale of the data leakage they uncovered.

Of the 2,300 archiving systems looked at, 590 were accessible from the internet, exposing 24 million medical records from 52 countries.

Linked to this patient data were 737 million medical images from x-rays, CT and MRI scans, including 400 million in a state that meant they could be downloaded and viewed using easily available software.

Just to rub in the lack of care and attention, a further 39 were so weakly secured that they allowed access to patient data using nothing more specialised than a web browser and HTTP.

In the US, the exposure was 45.8 million medical images associated with 13.7 million records which almost makes the UK’s figures of 5,000 images and 1,500 medical records sound good.

Clearly, something is going very wrong here, not only because so much medical data and imagery has been exposed but because it has taken a security company to point this out.

The internet will see you now

What happened to medical confidentiality?

And why haven’t supposedly stringent regulations such as the Health Insurance Portability and Accountability Act (HIPAA) in the US and GDPR in the EU prevented this?

In fact, they almost certainly have but the scale of the problem, and the potential for technical controls to be misconfigured or forgotten, has simply left too many holes for regulation to cope with.

Let’s start with the system used to put all these images within reach of people with bad intentions – the Picture Archiving and Communication Systems (PACS) – which relies on a protocol called Digital Imaging and Communications in Medicine (DICOM).

In layman’s terms, PACS are the servers on which images are stored, while DICOM offers a universal way to store, transmit and view medical images in a standard format.

But that standardisation, and the use of 2,300 known IP addresses communicating across ports 104 and 11112, makes it easy to fire up things like Shodan and Censys to look for exposed servers.

Once that’s done, all you need is a viewer to check them for exposed images and their associated medical data, and some time on your hands.

Meanwhile, hospitals and physicians have become used to the convenience of being able to move images around and store them in databases that link them together.

According to Greenbone, the medical data stored with an exposed image might contain the following:

  • First name and surname
  • Date of birth
  • Date of examination
  • Scope of the investigation
  • Type of imaging procedure
  • Attending physician
  • Institute/clinic
  • Number of generated image

Vulnerabilities (again)

As with any server system, PACS and DICOM can suffer from software vulnerabilities that put security at risk – lo and behold the company found 10,000 of these on the servers, including 2,000 falling into the ‘high severity’ and ‘critical’ categories.

This discovery – and the number of servers offering up a range of weak security and configuration problems – might offer a clue as to what’s been going wrong.

Taken at face value, it suggests that many of these servers are set up and then forgotten about, or at least irregularly patched.

Perhaps it’s a problem caused by the fragmentation of private health care in countries such as the US, or perhaps medical IT teams just have other stuff to worry about and make the dangerous assumption that because nobody has (as far as we know) attempted to breach this data on a large scale, attackers aren’t interested.

For medical organisations lucky enough to have dodged attacks so far, there is still time to act.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0XCH8Caa0mg/

WannaCry is still the smallpox of infosec. But the latest strain (sort of) immunises its victims

Analysis: WannaCry – the file-scrambling ransomware that infamously locked up Britain’s NHS and a bunch of other organisations worldwide in May 2017 – is still a live-ish threat to this day, infosec researchers reckon.

By simply observing the internet for telltale signs of the malware strain – also known as WannaCrypt – Brit security software outfit Sophos spotted newer variants still doing the rounds. Thankfully, though, the bit that encrypts and holds victims’ data to ransom itself becomes corrupted so the extortion isn’t working as intended.

About a year-and-a-half after the nasty surfaced, Sophos reckoned it picked up more than five million detections (i.e. not individual machines) of the original WannaCry signature.

“As nearly every machine that can install the EternalBlue patch has already done so, why are there still so many detections?” Sophos asked. “All we really know about the infected machines that attempt to spread the infection is that they don’t have a working antivirus product (certainly not ours) on them.”

Data analysis revealed something surprising: of 12,281 WannaCry-related files the company picked up, just 40 were the original 2017 version, “a number so low that it could easily be attributed to testing” by malware authors and other criminals.

Ten files in the wider sample “accounted for 3.4 million” detections in total. None of these appeared to have been halted by the kill-switch domain discovered by Marcus “MalwareTech” Hutchins, later targeted by US law enforcement agency the FBI during a visit to the Black Hat and DEF CON conferences in the USA for his teenage misdeeds in writing malware.

Alterations in the newer, evolved samples of WannaCry found by Sophos showed that a kill-switch bypass had been incorporated into them. The firm noted that “the changes appear to have been made via the use of a hex editor rather than through recompilation of the original source code. This suggests that these changes were not made by the original creators.”

It’s like cowpox

There is hope, however. WannaCry consists of two parts: one that spreads the malware to other machines and the payload, which is a zip archive that extracts itself and encrypts everything within reach. In the newer variants, Sophos found, the zip archive was corrupt.


“Everything now made sense,” said the firm. “The large volume of detections were due to the lack of a kill switch, with nobody complaining about encrypted files because almost every sample seen in the wild had a corrupt archive that doesn’t encrypt anything.”

Handily, the corrupted version of WannaCry acts a bit like cowpox does to smallpox. If a “live” version of WannaCry detects a borked version on the machine it is intending to infect, “the dangerous version ignores the infected computer” and moves on.

(Before you write in, we’re aware that this behaviour is not exactly comparable with the immunological mechanisms of a vaccination and that it is only broadly analogous.)

It’s not all good news, sadly. Some people and organisations are still trying to pay off the original WannaCry crooks in response to recent infections – even though the original authors have long abandoned their Bitcoin wallets following the global focus on their activities.

“WannaCry includes three hardcoded Bitcoin addresses, to which you must send your $300 worth of Bitcoins if you choose to pay the ransom,” said Sophos. The attackers are no longer monitoring incoming payments, said the company.

As ever, don’t pay off ransoms. You encourage criminals in general by doing so and make the world that bit less safe. Install updates from trusted vendors, procure up-to-date security software from reputable outlets and don’t click suspicious links. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/19/wannacry_analysis_sophos/

Belgian F-16 pilot rescued from power line after emergency ejection

A Belgian F-16 fighter jet pilot has been rescued from a power line after getting into difficulties and ejecting from his stricken aircraft.

The two-seat jet, which appeared to be on a routine and unarmed flight, was flying between Belgium and a French naval aviation base when it came down between Pluvigner and Landaul in Brittany, north-western France, according to Forces News.

Belgium operates a small number of two-seat F-16Bs for training purposes, along with frontline single-seat variants. It is not known at present how or why the jet got into difficulties severe enough for the pilots to eject.

One pilot ejected safely but the other was unlucky enough for his parachute to snag on a power line, leaving him dangling in the air. Local news website Le Telegramme is running a live blog complete with pictures.

The local council (prefecture, en français) of Morbihan said, in a statement translated by the most convenient free service El Reg could find:

The F-16 aircraft was unarmed and its cargo is under investigation. The pilot and his co-pilot were able to eject before the crash. Both of them have been located and are alive. One of them has already been taken care of by the emergency services deployed on site, the second is currently suspended on a high-voltage line by his parachute. ENEDIS [France’s low-voltage version of the National Grid] is on hand to help the soldier’s recovery.

Around 100 police are said to be on the scene. At least one house was damaged by the F-16 crash, though no injuries have been reported so far. A photo shown by Le Telegramme depicts a fire burning in what appears to be a field of crops, with a power line in the background.

It is unknown whether the pilot’s colleagues have given him the new callsign Sparky. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/19/belgium_f16_pilot_power_line_dangle/

The 20 Worst Metrics in Cybersecurity

Security leaders are increasingly making their case through metrics, as well they should – as long as they’re not one of these.

After a decade or more of exhortations from cybersecurity pundits that CISOs need to be more data-driven and speak in the language of business — namely through numbers and measurement — the metrics message is finally sinking in. Whether it is to justify spending, quantify risk, or generally keep the executive suite up on security doings, CISOs’ discussions are now awash in dashboards, charts, and key performance indicators. The only problem? A lot of the numbers security teams and their leadership use are, well, not very useful.

In fact, many of the measurements made are vanity metrics, presented with little context, collected in volume with little analysis, and often instrumented to the wrong observables to truly communicate risk. The Edge recently asked security experts around the industry about their least favorite metrics — and boy did they have a lot to say. The following are 20 of the worst metrics in cybersecurity, as described by the people who live and breathe security every day.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/edge/theedge/the-20-worst-metrics-in-cybersecurity/b/d-id/1335842?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Remember that security probe that ended with a sheriff cuffing the pen testers? The contract is now public so you can decide who screwed up

The infosec duo cuffed during an IT penetration test that went south last week are out of jail, though not necessarily out of the woods.

Both Florida man Justin Wynn, 29, and Gary Demercurio, 43, of Seattle, are out on bond following their arrest in the small hours of last Wednesday on burglary allegations.

If you need a quick catch up: Wynn and Demercurio, of computer security biz Coalfire, were hired by the US state of Iowa to test the IT defenses of its court system. During such tests, contractors typically play the role of hackers trying to break into an organization’s networks or offices to steal or tamper with data and equipment, and then draw up a report on their findings and methods so that the customer can plug any gaps in its security.

As part of this assessment process, the pair decided to physically slip into the county courthouse of Dallas, Iowa, at night and see what equipment they could access. However, both were nabbed by county sheriff Chad Leonard, who accused the duo of third-degree burglary. It is claimed that even though the professionals told Leonard they were on a job, and put him in contact with a state official who said the men should be set free, the lawman detained them nonetheless.

“I advised them that this building belonged to the taxpayers of Dallas county and the state had no authority to authorize a break-in of this building,” Leonard wrote in an email obtained by the Des Moines Register.

Wynn and Demercurio were booked into jail, and released later that day after posting bail and without any formal charges filed. An attorney for Demercurio told El Reg this evening that prosecutors in the US state have yet to announce whether they will pursue charges against the infosec pair.

For his part, Wynn seems to be taking the affair in his stride…

Earlier today, the Iowa Judicial Branch and Coalfire issued a joint statement setting out their separate versions of events leading up to the collaring of Wynn and Demercurio in the early hours of September 11. Contracts and other paperwork describing the probe were also publicly shared for all to see, albeit with redactions.

Coalfire said it believed, from the wording of its contract, that its employees were allowed to physically break into the courthouse as part of the $75,000 IT penetration test Iowa had commissioned. However, the court officials said they had a different interpretation of the penetration test contract: while it was agreed that physical penetrations were authorized, officials didn’t agree with Coalfire on the scope of these probes.

The primary rub right now seems to be that the contract states that all tests must be carried out during business hours – 6am to 6pm Mountain Time, Monday to Friday – though this can be varied with a change order. There is no sign of such a change order in the released paperwork, though all of the appendices are missing from the bundle, so if one exists, it may be in there somewhere. Remember that Wynn and Demercurio were nabbed at shortly after midnight.

“Coalfire and State Court Administration believed they were in agreement regarding the physical security assessments for the locations included in the scope of work,” the two sides said in their joint press release, which includes the contracts and other materials.

“Yet, recent events have shown that Coalfire and State Court Administration had different interpretations of the scope of the agreement.

“Together, Coalfire and State Court Administration continue to navigate through this process. To that end, the Iowa Judicial Branch and Coalfire will each be conducting independent reviews and releasing the contractual documents executed between both parties.

“State Court Administration has worked with Coalfire in the past to conduct security testing of its data and welcomed the opportunity to work with them again. Both organizations value the importance of protecting the safety and security of employees as well as the integrity of data.”

So, essentially, it seems, the state’s court administrators were under the impression the Coalfire team would only try to enter its offices, in order to access computers on the network, during the day. Demercurio and Wynn, however, were under the impression they could make their move at any hour.

The rules of engagement, for what it’s worth, allow for “limited physical bypass” at three locations, including the Dallas County Courthouse: think tailgating clerks through doors, picking locks, and so on. This may or may not cover sneaking in at night while in possession of, as the sheriff alleged, burglary tools.

Look, clearly these guys aren’t burglars: judging by the above statements, this is a pen-test during which the rules got lost in translation. Likely, we will not have the full story until prosecutors decide on whether to press charges, and the two infosec bods are at liberty to share their side of the story. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/19/iowa_pentester_update/