Security Researchers Whose 'Penetration Test' Involved Breaking And Entering Now Facing Criminal Charges
from the [throws-brick-through-window]-this-needs-hardening dept
Turning security researchers into criminals is so popular we have a tag for it here at Techdirt. A security hole is found or a breach pointed out, and the first thing far too many entities do in response is turn the messenger over to law enforcement while muttering unintelligible things about "hacking."
Security researchers are invaluable. They've exposed a ton of security breaches and helped make the web safer for everyone. Their efforts are rarely appreciated by the entity caught with its security pants down. Just because the breachee has chosen to blow off its obligations to its customers and users doesn't make the person who discovered the breach a criminal. Unfortunately, the CFAA lends itself to abuse and the DOJ is more than willing to abuse it -- something that turns security research into a security risk for those who choose to follow this career path.
Then there are efforts like this one, which seems completely inexplicable. It's dog-bites-man news when a security researcher is arrested, but every other case we've covered involved nothing more than the use of a computer. This one expands the definition of "penetration testing."
Two men arrested for breaking into the Dallas County Courthouse told law enforcement they were hired to do so by the judicial branch.
The men, outfitted with numerous burglary tools, told authorities they were on contract to test out the courthouse alarm system's viability and to gauge law enforcement's response time, an alleged contract that Dallas County officials said they had no knowledge of, according to a criminal complaint.
Well, then. At first blush, it seems like the sort of thing one might say when pressed to explain their actions while facing breaking and entering charges. It's a better excuse than most off-the-cuff denials of wrongdoing. The thing is, this narrative appears to be true.
Authorities later found out the state court administration did, in fact, hire the men to attempt "unauthorized access" to court records "through various means" in order to check for potential security vulnerabilities of Iowa's electronic court records, according to Iowa Judicial Branch officials.
However, it appears judicial officials did not think "breaking and entering" would be part of the "various means." The men remain in jail on $500,000 bond despite this penetration test showing the courthouse's security response was hardened or whatever. The alarm system triggered a response by law enforcement and the men were found on site and arrested. The system -- at least the physical part of the court's alarm system -- works.
It appears the men's excuse is legitimate. As Sean Gallagher reports for Ars Technica, cybersecurity advisors Coalfire did indeed hire the men to carry out a test of the Dallas County courthouse's security. But it has, so far, refused to comment on the arrests, so it's unclear whether this was done with the company's blessing. And it appears this wasn't the testers' first run, either. The Des Moines Register says the men are also suspected of breaking into the Polk County Courthouse in Des Moines -- something that happened two days prior to their arrest at the Dallas County courthouse.
Unfortunately, this isn't going to make anything easier for security researchers. When researchers are hired to perform penetration tests, anything not explicitly defined in the contract could net them criminal charges, even if they were told to check systems for flaws.
This is some prime WTF-ness but even with its unusual details, it's still illustrative of the risks researchers face on a daily basis. Those that don't hire them are peeved when flaws are exposed and tend to treat them like criminals. Those hired to do the job run the risk of performing unanticipated tests, putting them in the same line of fire.
UPDATE: The Iowa Judicial Branch has released an official statement on the penetration tests, along with copies of its contract with Coalfire. The documents appear to authorize physical access to targeted courthouses, but nothing in the details suggests breaking-and-entering after hours was contemplated as part of the physical access test. Nothing in the language strictly forbids it either.
Here's what the Judicial Branch has to say about the two incidents, which may ultimately result in charges being dropped:
Recently, two penetration testers employed by Coalfire were arrested in the Dallas County Courthouse during a security testing exercise to help the Iowa Judicial Branch ensure the court’s highly sensitive data was secured against attack. Coalfire was working to provide quality client service and a stronger security posture. Coalfire and State Court Administration believed they were in agreement regarding the physical security assessments for the locations included in the scope of work. Yet, recent events have shown that Coalfire and State Court Administration had different interpretations of the scope of the agreement. Together, Coalfire and State Court Administration continue to navigate through this process. To that end, the Iowa Judicial Branch and Coalfire will each be conducting independent reviews and releasing the contractual documents executed between both parties.
State Court Administration has worked with Coalfire in the past to conduct security testing of its data and welcomed the opportunity to work with them again. Both organizations value the importance of protecting the safety and security of employees as well as the integrity of data.
State Court Administration apologizes to the sheriffs and boards of supervisors of Dallas County and Polk County for the confusion and impact these incidents have caused.
Filed Under: breaking and entering, pen test, penetration testing, security, security researchers
Reader Comments
'We never considered criminals might not ask...'
Given that first screenshot very explicitly says that the goal is to gain physical access to the documents in question, and notes that attempts to gain access 'Can be during the day and evening' I'd chalk this up to the government employees who hired them not asking enough questions to understand what exactly would be involved, and more importantly not telling the other government employees that they'd hired a company to run security testing.
Social engineering is mentioned as one possible route, but testing the physical security in place would seem to be entirely within the scope of what they were hired to do, as it notes that there would be 'minimal' rather than 'no' physical bypass employed, so charging them for doing their job would be rather absurd.
Re: 'We never considered criminals might not ask...'
That said, there are established protocols for physical entry testing, and they were not followed in this case.
Standard protocol says that you have a copy of the contract on you during your operations, that it be signed, and that at least one person local to the physical site being penetrated be notified prior to the attempt, and their contact information be on the signed contract to be called should the testers be apprehended.
None of this was done in this case.
Re: Re: 'We never considered criminals might not ask...'
That's a little suspect. Were I a penetration tester with that requirement, I'd also carry a fake contact with a colleague's phone number, and they'd say everything's cool when called. Whoever apprehends me should not be trusting my list of phone numbers.
Re: Re: 'We never considered criminals might not ask...'
Yeah, I'd be certain to have not just the contract but a letter on official letterhead signed by someone with authority at the client that stated specifically that "bypass of physical security to gain surreptitious access to the premises outside of normal business hours" was explicitly authorized, and also that "no prior notification be given to site security, in order to ensure that the test is of normal site security". If you're doing stuff like this, you make sure it's all spelled out in such a way that the client can't claim not to know exactly what was going to happen or not to have agreed to it.
Re: Re: 'We never considered criminals might not ask...'
Unfortunately the poor schmucks hired by the security company didn't know that. It was the job of the company that hired them to make sure everything was done right. The people who messed up are sitting in their office, not schlepping in the field.
'We were never considered criminals'
48 years ago Armand Hammer of Oxy Petroleum hired a friend of mine to discover why his private conversations with Mayor Sam Yorty were leaking to the LA Times.
Armand couldn't trust anyone, so my friend called his friends that might have three neurons in a string, and 5 of us showed up at Oxy headquarters at midnight with oscilloscope, frequency monitors, et al. and spent the night rummaging the top floor with "extreme" care. A tired "bug" was found, or placed & found, under a side table in a vice president's office.
Because he still wanted to explore for petroleum under the homes on the bluff in Pacific Palisades, we searched one more time a month later, then we spent another night at Hammer's home in Bel Air. With an indoor pool and a white, a silver and a black RR in the garage; built in the 1920s, wires were everywhere, and so were pictures of Armand with JFK, Khrushchev, Mosaddegh, Yorty, Betancourt, Fahd bin Abdulaziz Al Saud and a few paintings that were supposed to be at the MET. As dawn brightened, I was the last to leave, cramming a 50 lb. HP frequency monitor into the back seat of my 1959 Karmann Ghia when Security drove up and asked if this was the right address. Yes, I said, and drove off to meet up at the "Pantry" on Figueroa.
Re: Re: 'We never considered criminals might not ask...'
They did.
"At 12:30am on the morning of September 11, penetration testers Justin Wynn and Gary DeMercurio were caught with lock picks inside the Dallas County courthouse by Dallas County Sheriff's Department officers. They presented documents showing they had authorization from the state; the officers contacted state officials on the document, who verified that the test was authorized. But they arrested Wynn and DeMercurio anyway and charged them with burglary."
https://arstechnica.com/information-technology/2019/09/iowa-officials-claim-confusion-over-scope-led-to-arrest-of-pen-testers/?comments=1
Re: Re: 'We never considered criminals might not ask...'
Per the Ars Technica story about this, they did have the contract on them, and did have contact information for the appropriate state employees that authorized them, but the (county level) Sheriff's Deputies arrested them anyway...
Re: Re: 'We never considered criminals might not ask...'
An article about this very same topic at Ars Technica states that the security researchers did have their contract information on them, and that the local police force then contacted the state office and confirmed that the contract existed and was correct as shown. The local officers arrested the two individuals anyway, and now the local sheriff's office is pursuing charges.
Hazard Pay?
Wonder if these two will be compensated by Coalfire for their time in prison if, in fact, the company did think that these actions were warranted.
Definitely would be bad for these guys' lives to be derailed for doing their job.
Side Note: Usually giving police departments a heads up that this kind of stuff will be done is a good idea. I get that it kind of invalidates the tests, but even giving the Police chief IDs of the people who are going to probe a target might make sense...
Stopping short of the line.
How about apologizing to the two poor souls sitting in jail? I sure hope they are being paid double overtime for the total amount of the effort they have exerted, and are exerting.
I think even if it didn't explicitly say no breaking and entering, breaking and entering is something you get permission for FIRST, with a documented chain of evidence, before you actually do that, especially if it's not stated as one of the explicitly allowed things in the contract.
smh
Time to sue for all kinds of things; this is unacceptable. no one should ever take a security contract for those areas, ever again.
Re: smh
Definitely a learning experience for Coalfire, who did entirely too little in the CYA department.
Qualified immunity
They should get the same low bar that is set for government employees and should get qualified immunity.
Re: Qualified immunity
It's not even a low bar. They did exactly what they were instructed to do by an employer who was hired to do penetration testing. They should be well compensated for the damage done to their reputation. When you hire someone to do penetration testing, you shouldn't be surprised when they do penetration testing.
Someone watched Sneakers too many times
They do know that Sneakers (1992) isn't a documentary right?
Re: Someone watched Sneakers too many times
Too Many Secrets.
Note to self: if ever doing penetration testing,
1) spell out all the things explicitly in the contract, whether they like it or not (as in "you allow me to humiliate the lock on your front door, at ANY hour", etc...)
2) expect to spend varying amounts of time in custody, until things actually get sorted out, including but not limited to multiple days.
The line between pentesting and bank robbery
When I first saw this story it reminded me of this fairly hilarious story about a pen test team that decided to rob a bank because they could:
https://www.youtube.com/watch?v=RJVHTQSvUIo
Re: The line between pentesting and bank robbery
And sometimes the penetrators are the pigeons, see Coppola's 1974 "The Conversation"
Re: Re: The line between pentesting and bank robbery
And sometimes the bank robbers are the pigeons, see "The Getaway" 1972
Re: Re: Re: The line between pentesting and bank robbery
And sometimes the commenters are replying to themselves. See This Thread Right Here 2019.
Re: Re: Re: Re: The line between pentesting and bank robbery
And sometimes the commenters are replying to themselves.
Nonsense. OG and AC are just good friends sharing the same computer. Not sock puppeting!
Yeah, physical pen-testing is certainly a thing, but I am guessing someone relevant should have been in the loop, or that the in-the-loop person should have spoken up rather immediately.
Re:
They did. After the pen testers showed them their documented authorization, the Sheriffs called the state and confirmed the pen testers were working for them. The Sheriffs arrested them anyways.
https://arstechnica.com/information-technology/2019/09/iowa-officials-claim-confusion-over-scope-led-to-arrest-of-pen-testers/
Nice Spin Tim
This is standard nomenclature in a standard pen testing contract.
Yes, it includes on-site penetration testing if you're going to one of the good companies.
The 2 guys presented documentation.
You can't warn the PD beforehand, because that defeats the purpose of the test.
Nice spin Tim, may I suggest you avail yourself of your research skills prior to piling on to topics like this?
"nothing in the details suggests breaking-and-entering after hours was contemplated as part of the physical access test"
You seem to have missed the part of the contract headed Project Schedule -
"All penetration testing is expected to be conducted: During normal business hours: Monday through Friday between the hours of 6AM and 6PM..."
The detail re. physical penetration is in the social engineering section and specifies "Talk your way into areas, limited physical bypass". There doesn't appear to be anything in there to authorise a night-time B&E...
Penetration Testing