Security Researchers Whose 'Penetration Test' Involved Breaking And Entering Now Facing Criminal Charges

from the [throws-brick-through-window]-this-needs-hardening dept

Turning security researchers into criminals is so popular we have a tag for it here at Techdirt. A security hole is found or a breach pointed out, and the first thing far too many entities do in response is turn the messenger over to law enforcement while muttering unintelligible things about “hacking.”

Security researchers are invaluable. They’ve exposed a ton of security breaches and helped make the web safer for everyone. Their efforts are rarely appreciated by the entity caught with its security pants down. Just because the breachee has chosen to blow off its obligations to its customers and users doesn’t make the person who discovered the breach a criminal. Unfortunately, the CFAA lends itself to abuse and the DOJ is more than willing to abuse it — something that turns security research into a security risk for those who choose to follow this career path.

Then there are efforts like this one, which seems completely inexplicable. It’s dog-bites-man news when a security researcher is arrested, but every other case we’ve covered involved nothing more than the use of a computer. This one expands the definition of “penetration testing.”

Two men arrested for breaking into the Dallas County Courthouse told law enforcement they were hired to do so by the judicial branch.

The men, outfitted with numerous burglary tools, told authorities they were on contract to test out the courthouse alarm system’s viability and to gauge law enforcement’s response time, an alleged contract that Dallas County officials said they had no knowledge of, according to a criminal complaint.

Well, then. At first blush, it seems like the sort of thing one might say when pressed to explain their actions while facing breaking and entering charges. It’s a better excuse than most off-the-cuff denials of wrongdoing. The thing is, this narrative appears to be true.

Authorities later found out the state court administration did, in fact, hire the men to attempt “unauthorized access” to court records “through various means” in order to check for potential security vulnerabilities of Iowa’s electronic court records, according to Iowa Judicial Branch officials.

However, it appears judicial officials did not think “breaking and entering” would be part of the “various means.” The men remain in jail on $500,000 bond despite this penetration test showing the courthouse’s security response was hardened or whatever. The alarm system triggered a response by law enforcement and the men were found on site and arrested. The system — at least the physical part of the court’s alarm system — works.

It appears the men’s excuse is legitimate. As Sean Gallagher reports for Ars Technica, cybersecurity advisors Coalfire did indeed hire the men to carry out a test of the Dallas County courthouse’s security. But it has, so far, refused to comment on the arrests, so it’s unclear whether this was done with the company’s blessing. And it appears this wasn’t the testers’ first run, either. The Des Moines Register says the men are also suspected of breaking into the Polk County Courthouse in Des Moines — something that happened two days prior to their arrest at the Dallas County courthouse.

Unfortunately, this isn’t going to make anything easier for security researchers. When researchers are hired to perform penetration tests, anything not explicitly defined in the contract could net them criminal charges, even if they were told to check systems for flaws.

This is some prime WTF-ness but even with its unusual details, it’s still illustrative of the risks researchers face on a daily basis. Those that don’t hire them are peeved when flaws are exposed and tend to treat them like criminals. Those hired to do the job run the risk of performing unanticipated tests, putting them in the same line of fire.

UPDATE: The Iowa Judicial Branch has released an official statement on the penetration tests, along with copies of its contract with Coalfire. The documents appear to authorize physical access to targeted courthouses, but nothing in the details suggests breaking-and-entering after hours was contemplated as part of the physical access test. Nothing in the language strictly forbids it either.

Here’s what the Judicial Branch has to say about the two incidents, which may ultimately result in charges being dropped:

Recently, two penetration testers employed by Coalfire were arrested in the Dallas County Courthouse during a security testing exercise to help the Iowa Judicial Branch ensure the court’s highly sensitive data was secured against attack. Coalfire was working to provide quality client service and a stronger security posture. Coalfire and State Court Administration believed they were in agreement regarding the physical security assessments for the locations included in the scope of work. Yet, recent events have shown that Coalfire and State Court Administration had different interpretations of the scope of the agreement. Together, Coalfire and State Court Administration continue to navigate through this process. To that end, the Iowa Judicial Branch and Coalfire will each be conducting independent reviews and releasing the contractual documents executed between both parties.

State Court Administration has worked with Coalfire in the past to conduct security testing of its data and welcomed the opportunity to work with them again. Both organizations value the importance of protecting the safety and security of employees as well as the integrity of data.

State Court Administration apologizes to the sheriffs and boards of supervisors of Dallas County and Polk County for the confusion and impact these incidents have caused.

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Security Researchers Whose 'Penetration Test' Involved Breaking And Entering Now Facing Criminal Charges”

Subscribe: RSS Leave a comment
That One Guy (profile) says:

'We never considered criminals might not ask...'

Given that first screenshot very explicitly says that the goal is to gain physical access to the documents in question, and notes that attempts to gain access ‘Can be during the day and evening’ I’d chalk this up to the government employees who hired them not asking enough questions to understand what exactly would be involved, and more importantly not telling the other government employees that they’d hired a company to run security testing.

Social engineering in mentioned as one possible route, but testing the physical security in place would seem to be entirely within the scope of what they were hired to do as it notes that there would be ‘minimal’ rather than ‘no’ physical bypass employed, so charging them for doing their job would be rather absurd.

Anonymous Coward says:

Re: 'We never considered criminals might not ask...'

That said, there are established protocols for physical entry testing, and they were not followed in this case.

Standard protocol says that you have a copy of the contract on you during your operations, that it be signed, and that at least one person local to the physical site being penetrated be notified prior to the attempt, and their contact information be on the signed contract to be called should the testers be apprehended.

None of this was done in this case.

Anonymous Coward says:

Re: Re: 'We never considered criminals might not ask...'

their contact information be on the signed contract to be called should the testers be apprehended.

That’s a little suspect. Were I a penetration tester with that requirement, I’d also carry a fake contact with a colleague’s phone number, and they’d say everything’s cool when called. Whoever apprehends me should not be trusting my list of phone numbers.

TKnarr (profile) says:

Re: Re: 'We never considered criminals might not ask...'

Yeah, I’d be certain to have not just the contract but a letter on official letterhead signed by someone with authority at the client that stated specifically that "bypass of physical security to gain surreptitious access to the premises outside of normal business hours" was explicitly authorized, and also that "no prior notification be given to site security, in order to insure that the test is of normal site security". If you’re doing stuff like this, you make sure it’s all spelled out in such a way the client can’t claim to not know exactly what was going to happen or not have agreed to it.

OGquaker says:

Re: Re: 'We were never considered criminals'

48 years ago Armand Hammer of Oxy Petroleum hired a friend of mine to discover why his private conversations with Mayor Sam Yorty were leaking to the LATimes.
Armand couldn’t trust anyone, my friend called his friends that might have three neurons in a string and 5 of us showed up at Oxy headquarters at midnight with oscilloscope, frequency monitors, et. al. and spent the night rummaging the top floor with "extreme" care. A tired ”bug” was found, or placed & found, under a side table in a vice president’s office.
Because he still wanted to explore for petroleum under the homes on the bluff in Pacific Palisades, we searched one more time a month later, then we spent another night at Hammer’s home in Bel Air. With an indoor pool, a white, a silver and a black RR in the garage; built in the 1920’s, wires were everywhere, and so were pictures of Armand with JFK, Khrushchev, Mosaddegh, Yorty, Betancourt, Fahd bin Abdulaziz Al Saud and a few paintings that were supposed to be at the MET. As dawn brightened, I was the last to leave, cramming a 50 lbs. HP frequency monitor into the back seat of my 1959 Karmann Ghia when Security drove up and ask if this was the right address. Yes, i said and drove off to meet up at the "Pantry" on Figueroa.

Baron von Robber says:

Re: Re: 'We never considered criminals might not ask...'

They did.

"At 12:30am on the morning of September 11, penetration testers Justin Wynn and Gary DeMercurio were caught with lock picks inside the Dallas County courthouse by Dallas County Sheriff’s Department officers. They presented documents showing they had authorization from the state; the officers contacted state officials on the document, who verified that the test was authorized. But they arrested Wynn and DeMercurio anyway and charged them with burglary."

Anonymous Coward says:

Re: Re: 'We never considered criminals might not ask...'

An article about this very same topic at ArsTechnica states that they security researchers did have their contract information on them. And that the local police force then contacted the state office and confirmed that the contract existed and was correct as shown. The local officers arrested the two individuals anyway, and now the local sheriff’s office is pursuing charges.

aerinai (profile) says:

Hazard Pay?

Wonder if these two will be compensated by Coalfire for their time in prison if, in fact, the company did think that these actions were warranted.

Definitely would be bad for these guys’ lives to be derailed for doing their job.

Side Note: Usually giving police departments a heads up that this kind of stuff will be done is a good idea. I get that it kind of invalidates the tests, but even giving the Police chief IDs of the people who are going to probe a target might make sense…

Tin-Foil-Hat says:

Re: Qualified immunity

It’s not even a low bar. They did exactly what they were instructed to do by an employer who was hired to do penetration testing. They should be well compensated for the damage done to their reputation. When you hire someone to do penetration testing, you shouldn’t be surprised when they do penetration testing.

Anonymous Cowartd says:

Nice Spin Tim

This is standard nomenclature in a standard pen testing contract.
Yes, it includes on-site penetration testing if you’re going to one of the good companies.
The 2 guys presented documentation.
You can’t warn the PD beforehand, because that defeats the purpose of the test.

Nice spin Tim, may I suggest you avail yourself of your research skills prior to piling on to topics like this?

Anonymous Coward says:

"nothing in the details suggests breaking-and-entering after hours was contemplated as part of the physical access test"

You seem to have missed the part of the contract headed Project Schedule –

"All penetration testing is expected to be conducted: During normal business hours: Monday through Friday between the hours of 6AM and 6PM…"

The detail re. physical penetration is in the social engineering section and specifies "Talk your way into areas, limited physical bypass". There doesn’t appear to be anything in there to authorise a night time B&E…

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...