Security Researchers Whose 'Penetration Test' Involved Breaking And Entering Now Facing Criminal Charges

from the [throws-brick-through-window]-this-needs-hardening dept

Turning security researchers into criminals is so popular we have a tag for it here at Techdirt. A security hole is found or a breach pointed out, and the first thing far too many entities do in response is turn the messenger over to law enforcement while muttering unintelligible things about "hacking."

Security researchers are invaluable. They've exposed a ton of security breaches and helped make the web safer for everyone. Their efforts are rarely appreciated by the entity caught with its security pants down. Just because the breachee has chosen to blow off its obligations to its customers and users doesn't make the person who discovered the breach a criminal. Unfortunately, the CFAA lends itself to abuse and the DOJ is more than willing to abuse it -- something that turns security research into a security risk for those who choose to follow this career path.

Then there are efforts like this one, which seems completely inexplicable. It's dog-bites-man news when a security researcher is arrested, but every other case we've covered involved nothing more than the use of a computer. This one expands the definition of "penetration testing."

Two men arrested for breaking into the Dallas County Courthouse told law enforcement they were hired to do so by the judicial branch.

The men, outfitted with numerous burglary tools, told authorities they were on contract to test out the courthouse alarm system's viability and to gauge law enforcement's response time, an alleged contract that Dallas County officials said they had no knowledge of, according to a criminal complaint.

Well, then. At first blush, it seems like the sort of thing one might say when pressed to explain their actions while facing breaking and entering charges. It's a better excuse than most off-the-cuff denials of wrongdoing. The thing is, this narrative appears to be true.

Authorities later found out the state court administration did, in fact, hire the men to attempt "unauthorized access" to court records "through various means" in order to check for potential security vulnerabilities of Iowa's electronic court records, according to Iowa Judicial Branch officials.

However, it appears judicial officials did not think "breaking and entering" would be part of the "various means." The men remain in jail on $500,000 bond despite this penetration test showing the courthouse's security response was hardened or whatever. The alarm system triggered a response by law enforcement and the men were found on site and arrested. The system -- at least the physical part of the court's alarm system -- works.

It appears the men's excuse is legitimate. As Sean Gallagher reports for Ars Technica, cybersecurity advisors Coalfire did indeed hire the men to carry out a test of the Dallas County courthouse's security. But it has, so far, refused to comment on the arrests, so it's unclear whether this was done with the company's blessing. And it appears this wasn't the testers' first run, either. The Des Moines Register says the men are also suspected of breaking into the Polk County Courthouse in Des Moines -- something that happened two days prior to their arrest at the Dallas County courthouse.

Unfortunately, this isn't going to make anything easier for security researchers. When researchers are hired to perform penetration tests, anything not explicitly defined in the contract could net them criminal charges, even if they were told to check systems for flaws.

This is some prime WTF-ness but even with its unusual details, it's still illustrative of the risks researchers face on a daily basis. Those that don't hire them are peeved when flaws are exposed and tend to treat them like criminals. Those hired to do the job run the risk of performing unanticipated tests, putting them in the same line of fire.

UPDATE: The Iowa Judicial Branch has released an official statement on the penetration tests, along with copies of its contract with Coalfire. The documents appear to authorize physical access to targeted courthouses, but nothing in the details suggests breaking-and-entering after hours was contemplated as part of the physical access test. Nothing in the language strictly forbids it either.

Here's what the Judicial Branch has to say about the two incidents, which may ultimately result in charges being dropped:

Recently, two penetration testers employed by Coalfire were arrested in the Dallas County Courthouse during a security testing exercise to help the Iowa Judicial Branch ensure the court’s highly sensitive data was secured against attack. Coalfire was working to provide quality client service and a stronger security posture. Coalfire and State Court Administration believed they were in agreement regarding the physical security assessments for the locations included in the scope of work. Yet, recent events have shown that Coalfire and State Court Administration had different interpretations of the scope of the agreement. Together, Coalfire and State Court Administration continue to navigate through this process. To that end, the Iowa Judicial Branch and Coalfire will each be conducting independent reviews and releasing the contractual documents executed between both parties.

State Court Administration has worked with Coalfire in the past to conduct security testing of its data and welcomed the opportunity to work with them again. Both organizations value the importance of protecting the safety and security of employees as well as the integrity of data.

State Court Administration apologizes to the sheriffs and boards of supervisors of Dallas County and Polk County for the confusion and impact these incidents have caused.

Filed Under: breaking and entering, pen test, penetration testing, security, security researchers


Reader Comments



  • That One Guy (profile), 18 Sep 2019 @ 1:15pm

    'We never considered criminals might not ask...'

    Given that first screenshot very explicitly says that the goal is to gain physical access to the documents in question, and notes that attempts to gain access 'Can be during the day and evening' I'd chalk this up to the government employees who hired them not asking enough questions to understand what exactly would be involved, and more importantly not telling the other government employees that they'd hired a company to run security testing.

    Social engineering is mentioned as one possible route, but testing the physical security in place would seem to be entirely within the scope of what they were hired to do as it notes that there would be 'minimal' rather than 'no' physical bypass employed, so charging them for doing their job would be rather absurd.


    • Anonymous Coward, 18 Sep 2019 @ 1:58pm

      Re: 'We never considered criminals might not ask...'

      That said, there are established protocols for physical entry testing, and they were not followed in this case.

      Standard protocol says that you have a copy of the contract on you during your operations, that it be signed, and that at least one person local to the physical site being penetrated be notified prior to the attempt, and their contact information be on the signed contract to be called should the testers be apprehended.

      None of this was done in this case.


      • Anonymous Coward, 18 Sep 2019 @ 2:37pm

        Re: Re: 'We never considered criminals might not ask...'

        their contact information be on the signed contract to be called should the testers be apprehended.

        That's a little suspect. Were I a penetration tester with that requirement, I'd also carry a fake contact with a colleague's phone number, and they'd say everything's cool when called. Whoever apprehends me should not be trusting my list of phone numbers.


      • TKnarr (profile), 18 Sep 2019 @ 2:51pm

        Re: Re: 'We never considered criminals might not ask...'

        Yeah, I'd be certain to have not just the contract but a letter on official letterhead signed by someone with authority at the client that stated specifically that "bypass of physical security to gain surreptitious access to the premises outside of normal business hours" was explicitly authorized, and also that "no prior notification be given to site security, in order to insure that the test is of normal site security". If you're doing stuff like this, you make sure it's all spelled out in such a way the client can't claim to not know exactly what was going to happen or not have agreed to it.


      • Gary (profile), 18 Sep 2019 @ 3:46pm

        Re: Re: 'We never considered criminals might not ask...'

        Unfortunately the poor schmucks hired by the security company didn't know that. It was the job of the company that hired them to make sure everything was done right. The people who messed up are sitting in their office, not schlepping in the field.


      • OGquaker, 18 Sep 2019 @ 7:40pm

        'We were never considered criminals'

        48 years ago Armand Hammer of Oxy Petroleum hired a friend of mine to discover why his private conversations with Mayor Sam Yorty were leaking to the LATimes.
        Armand couldn't trust anyone, so my friend called his friends that might have three neurons in a string and 5 of us showed up at Oxy headquarters at midnight with oscilloscope, frequency monitors, et al. and spent the night rummaging the top floor with "extreme" care. A tired "bug" was found, or placed & found, under a side table in a vice president's office.
        Because he still wanted to explore for petroleum under the homes on the bluff in Pacific Palisades, we searched one more time a month later, then we spent another night at Hammer's home in Bel Air. With an indoor pool, a white, a silver and a black RR in the garage; built in the 1920's, wires were everywhere, and so were pictures of Armand with JFK, Khrushchev, Mosaddegh, Yorty, Betancourt, Fahd bin Abdulaziz Al Saud and a few paintings that were supposed to be at the MET. As dawn brightened, I was the last to leave, cramming a 50 lbs. HP frequency monitor into the back seat of my 1959 Karmann Ghia when Security drove up and asked if this was the right address. Yes, I said, and drove off to meet up at the "Pantry" on Figueroa.


      • Baron von Robber, 19 Sep 2019 @ 9:02am

        Re: Re: 'We never considered criminals might not ask...'

        They did.

        "At 12:30am on the morning of September 11, penetration testers Justin Wynn and Gary DeMercurio were caught with lock picks inside the Dallas County courthouse by Dallas County Sheriff's Department officers. They presented documents showing they had authorization from the state; the officers contacted state officials on the document, who verified that the test was authorized. But they arrested Wynn and DeMercurio anyway and charged them with burglary."
        https://arstechnica.com/information-technology/2019/09/iowa-officials-claim-confusion-over-scope-led-to-arrest-of-pen-testers/?comments=1


      • Sharur, 19 Sep 2019 @ 11:05am

        Re: Re: 'We never considered criminals might not ask...'

        Per the ArsTechnica story about this, they did have the contract on them, and did have contact information for the appropriate state employees that authorized them, but the (county level) Sheriff's Deputies arrested them anyway...


      • Anonymous Coward, 19 Sep 2019 @ 11:06am

        Re: Re: 'We never considered criminals might not ask...'

        An article about this very same topic at ArsTechnica states that the security researchers did have their contract information on them. And that the local police force then contacted the state office and confirmed that the contract existed and was correct as shown. The local officers arrested the two individuals anyway, and now the local sheriff's office is pursuing charges.


  • aerinai (profile), 18 Sep 2019 @ 1:15pm

    Hazard Pay?

    Wonder if these two will be compensated by Coalfire for their time in prison if, in fact, the company did think that these actions were warranted.

    Definitely would be bad for these guys' lives to be derailed for doing their job.

    Side Note: Usually giving police departments a heads up that this kind of stuff will be done is a good idea. I get that it kind of invalidates the tests, but even giving the Police chief IDs of the people who are going to probe a target might make sense...


  • Anonymous Anonymous Coward (profile), 18 Sep 2019 @ 1:28pm

    Stopping short of the line.

    How about apologizing to the two poor souls sitting in jail? I sure hope they are being paid double overtime for the total amount of the effort they have exerted, and are exerting.


  • Anonymous Coward, 18 Sep 2019 @ 1:41pm

    I think even if it didn't explicitly say no breaking and entering, breaking and entering is something you get permission for FIRST with a documented chain of evidence before you actually do that, especially if it's not stated as one of the explicitly allowed things in the contract.


  • whoadoggy, 18 Sep 2019 @ 2:00pm

    smh

    Time to sue for all kinds of things; this is unacceptable. No one should ever take a security contract for those areas, ever again.


  • Doodmonkey, 18 Sep 2019 @ 2:23pm

    Qualified immunity

    They should get the same low bar that is set for government employees and should get qualified immunity.


    • Tin-Foil-Hat, 18 Sep 2019 @ 6:58pm

      Re: Qualified immunity

      It's not even a low bar. They did exactly what they were instructed to do by an employer who was hired to do penetration testing. They should be well compensated for the damage done to their reputation. When you hire someone to do penetration testing, you shouldn't be surprised when they do penetration testing.


  • Isocrates (profile), 18 Sep 2019 @ 2:28pm

    Someone watched Sneakers too many times

    They do know that Sneakers (1992) isn't a documentary right?


  • Max, 18 Sep 2019 @ 2:48pm

    Note to self: if ever doing penetration testing,
    1) spell out all the things explicitly in the contract, whether they like it or not (as in "you allow me to humiliate the lock on your front door, at ANY hour", etc...)
    2) expect to spend varying amounts of time in custody, until things actually get sorted out, including but not limited to multiple days.


  • Mike Masnick (profile), 18 Sep 2019 @ 4:07pm

    The line between pentesting and bank robbery

    When I first saw this story it reminded me of this fairly hilarious story about a pen test team that decided to rob a bank because they could:

    https://www.youtube.com/watch?v=RJVHTQSvUIo


    • OGquaker, 18 Sep 2019 @ 8:04pm

      Re: The line between pentesting and bank robbery

      And sometimes the penetrators are the pigeons, see Coppola's 1974 "The Conversation"


      • Anonymous Coward, 18 Sep 2019 @ 8:12pm

        Re: Re: The line between pentesting and bank robbery

        And sometimes the bank robbers are the pigeons, see "The Getaway" 1972


        • Anonymous Coward, 18 Sep 2019 @ 8:26pm

          Re: Re: Re: The line between pentesting and bank robbery

          And sometimes the commenters are replying to themselves. See This Thread Right Here 2019.


          • Gary (profile), 18 Sep 2019 @ 9:36pm

            Re: Re: Re: Re: The line between pentesting and bank robbery

            And sometimes the commenters are replying to themselves.

            Nonsense. OG and AC are just good friends sharing the same computer. Not sock puppeting!


  • Anonymous Coward, 18 Sep 2019 @ 5:55pm

    Yeah, physical pen-testing is certainly a thing, but I am guessing someone relevant should have been in the loop, or that the in-the-loop person should have spoken up rather immediately.


  • Anonymous Cowartd, 19 Sep 2019 @ 11:03am

    Nice Spin Tim

    This is standard nomenclature in a standard pen testing contract.
    Yes, it includes on-site penetration testing if you're going to one of the good companies.
    The 2 guys presented documentation.
    You can't warn the PD beforehand, because that defeats the purpose of the test.

    Nice spin Tim, may I suggest you avail yourself of your research skills prior to piling on to topics like this?


  • Anonymous Coward, 20 Sep 2019 @ 3:25am

    "nothing in the details suggests breaking-and-entering after hours was contemplated as part of the physical access test"

    You seem to have missed the part of the contract headed Project Schedule -

    "All penetration testing is expected to be conducted: During normal business hours: Monday through Friday between the hours of 6AM and 6PM..."

    The detail re. physical penetration is in the social engineering section and specifies "Talk your way into areas, limited physical bypass". There doesn't appear to be anything in there to authorise a night time B&E...


