It’ll depend on how the legal code is interpreted, and I’m too lazy to go rooting through statutes and case law, but I’d be willing to bet that in order to arrest or prosecute, there’d have to be considerable evidence for “intent” to defraud. It’s possible that someone could try to make a case for negligence, but IMHO that’s be specious, at best.

(IANAL, but my Sig Other is)

Since the CU knew about the nature of the forged NCUA document they have a problem on their hands.

As for the consultancy involved – they’re essentially at the mercy of the Feds at this point. The fact that this is receiving more and more attention isn’t necessarily a good thing.

I’ve read Brent Huston’s spin – the fact of the matter is that NCUA and for that matter CUISPA, and the Federal Reserve have all distributed relevant and timely alerts when they become aware of an issue. This didn’t raise awareness it simply demonstrated how the system that is in place and working at the NCUA worked yet again.

All of the praise is just vibratto. These types of events are dealt with daily by financial institutions who work closely with their regulators as well as state, local, and federal law enforcement in investigating such issues.

Microsolved DID NOT DO THE RIGHT THING. Breaking the law under the guise of security testing is still breaking the law. At a minimum they’ve committed mail fraud. What’s worse is they’ve placed their client in a difficult position. I wouldn’t touch them with a 10 foot pole at this point (I wouldn’t have before either – I had never heard of them).

I don’t know if it’s a “nice cover”, and FWIW I don’t work with the NCUA or SCMagazine, etc. But, I suppose you could take it that way. Frankly, I’m just working off what I saw (prior to what Microsolved is saying).

RE: Out of office “dates” I suppose that works if the PTO is scheduled. IME most OOO time isn’t scheduled (sick days, or PTO days when family needs arise). But if MicroSolved performed the test while the guy was on vacation or something, that would have been a mistake, yes. IME however, that’s something we tended to scope for (doesn’t mean there wasn’t an oversight, I’m just relating my experience).

RE: a “heads up” for the authorities, the NCUA oversees something on the order of 2,000 or so CUs that (as of several years ago at least) were “required” to have PenTests. I’m not sure that the NCUA has the infrastructure to keep up with roughly 10 PenTest notifications a day (note that spreading them out like that is a misnomer – our business used to pick up in August and not stop until February – I’m sure at least 1500 of those CUs would scedule all in Q4 to get the requirement met).

RE: “if they are all parties should be very well aware of the potential consequences.”

Kind of defeats the purpose of an SE exercise, doesn’t it? I mean, usually the process is for the client to notify only those people who need to know. If it’s a CU with a small staff, that might only be 2 people (CEO, IT Mgr). It’s a fine balance, but it’s been my experience that once you tell the wrong people, the whole organization knows. And yeah, I’ve been the SE guy on site when someone decided that they were going to let *their* employees know, and then those employees only told a friend or two and so on… It makes for a really short SE test, and is frankly a waste of about $1,500.

When you say that the NCUA doesn’t appear to be pleased, is there something you’re basing that off of?

RE: the CU having prior knowledge, that’s claimed in the update link at the top of the page.

Really poor execution.

They forged correspondence from a Federal agency and then mailed it via the USPS.

The fact that it was a “valid”, “contracted” penetration test means absolutely nothing in terms of criminal liability.

The NCUA doesn’t appear to be pleased – hopefully the credit union involved didn’t have prior knowledge as to the details, otherwise an adverse action – and likely a fine is coming. Nothing like pissing the people who regulate your business off.

As for the parties involved in performing the test – I hope they have retained counsel and aren’t making comments. At the very least they’re looking at a Federal criminal investigation and a fine.

If you’re going to test with live explosives, that level of effort makes sense. There’s probably less harm in this story getting out of control than others.

At what point does it become cry wolf?

Sounds like they had the right idea and executed it poorly to me. If they had their Sh*t together they would have been aware of out of office dates and had appropriate contact information to nip this in the bud earlier, but still allow things to play out. I can imagine several scenarios whereby this could have run it’s course w/o setting off alarms all over.

So – well done but rather bush league.

Next time – AT LEAST know the schedules, know the alternate phone numbers. Know the escalation contact(s) at the NCUA in case things get out of control.

Next time – Perhaps provide some heads up and perhaps even identify the look of the CD to authorities and a time frame of when the “test” is going to run.

There’s a lot of ways to burn an individual or organization to prove a point – that doesn’t mean they should be utilized and if they are all parties should be very well aware of the potential consequences. – Digby

Once upon a time in the pre-Internet days, snail mailing floppies was the only way for most of us to move data.

Even in the late 1990′s, the SEC still administered certain license exams by mailing you a floppy disk that you booted off of to take the test, then mailed back the floppy afterwards.

I used “change” because I wasn’t aware of this as a common vector, and several other folks (I’ll find the links if I get a second today) mentioned that while it wasn’t conceptually new, the frequency of real attacks via snail mail hadn’t been of noticeable significance.

RE: Information Sharing

Granted, the information shared was “false”, but even that has some meaning. So while I tend to see changes in observed frequency as threat information sharing, even false alarms have meaning in terms of “certainty”.

But then again, I’m a dork with models.