Security Researchers Whose 'Penetration Test' Involved Breaking And Entering Now Facing Criminal Charges

from the [throws-brick-through-window]-this-needs-hardening dept

Turning security researchers into criminals is so popular we have a tag for it here at Techdirt. A security hole is found or a breach pointed out, and the first thing far too many entities do in response is turn the messenger over to law enforcement while muttering unintelligible things about “hacking.”

Security researchers are invaluable. They’ve exposed a ton of security breaches and helped make the web safer for everyone. Their efforts are rarely appreciated by the entity caught with its security pants down. Just because the breachee has chosen to blow off its obligations to its customers and users doesn’t make the person who discovered the breach a criminal. Unfortunately, the CFAA lends itself to abuse and the DOJ is more than willing to abuse it — something that turns security research into a security risk for those who choose to follow this career path.

Then there are efforts like this one, which seems completely inexplicable. It’s dog-bites-man news when a security researcher is arrested, but every other case we’ve covered involved nothing more than the use of a computer. This one expands the definition of “penetration testing.”

Two men arrested for breaking into the Dallas County Courthouse told law enforcement they were hired to do so by the judicial branch.

The men, outfitted with numerous burglary tools, told authorities they were on contract to test out the courthouse alarm system’s viability and to gauge law enforcement’s response time, an alleged contract that Dallas County officials said they had no knowledge of, according to a criminal complaint.

Well, then. At first blush, it seems like the sort of thing one might say when pressed to explain their actions while facing breaking and entering charges. It’s a better excuse than most off-the-cuff denials of wrongdoing. The thing is, this narrative appears to be true.

Authorities later found out the state court administration did, in fact, hire the men to attempt “unauthorized access” to court records “through various means” in order to check for potential security vulnerabilities of Iowa’s electronic court records, according to Iowa Judicial Branch officials.

However, it appears judicial officials did not think “breaking and entering” would be part of the “various means.” The men remain in jail on $500,000 bond despite this penetration test showing the courthouse’s security response was hardened or whatever. The alarm system triggered a response by law enforcement and the men were found on site and arrested. The system — at least the physical part of the court’s alarm system — works.

It appears the men’s excuse is legitimate. As Sean Gallagher reports for Ars Technica, cybersecurity advisors Coalfire did indeed hire the men to carry out a test of the Dallas County courthouse’s security. But it has, so far, refused to comment on the arrests, so it’s unclear whether this was done with the company’s blessing. And it appears this wasn’t the testers’ first run, either. The Des Moines Register says the men are also suspected of breaking into the Polk County Courthouse in Des Moines — something that happened two days prior to their arrest at the Dallas County courthouse.

Unfortunately, this isn’t going to make anything easier for security researchers. When researchers are hired to perform penetration tests, anything not explicitly defined in the contract could net them criminal charges, even if they were told to check systems for flaws.

This is some prime WTF-ness but even with its unusual details, it’s still illustrative of the risks researchers face on a daily basis. Those that don’t hire them are peeved when flaws are exposed and tend to treat them like criminals. Those hired to do the job run the risk of performing unanticipated tests, putting them in the same line of fire.

UPDATE: The Iowa Judicial Branch has released an official statement on the penetration tests, along with copies of its contract with Coalfire. The documents appear to authorize physical access to targeted courthouses, but nothing in the details suggests breaking-and-entering after hours was contemplated as part of the physical access test. Nothing in the language strictly forbids it either.

Here’s what the Judicial Branch has to say about the two incidents, which may ultimately result in charges being dropped:

Recently, two penetration testers employed by Coalfire were arrested in the Dallas County Courthouse during a security testing exercise to help the Iowa Judicial Branch ensure the court’s highly sensitive data was secured against attack. Coalfire was working to provide quality client service and a stronger security posture. Coalfire and State Court Administration believed they were in agreement regarding the physical security assessments for the locations included in the scope of work. Yet, recent events have shown that Coalfire and State Court Administration had different interpretations of the scope of the agreement. Together, Coalfire and State Court Administration continue to navigate through this process. To that end, the Iowa Judicial Branch and Coalfire will each be conducting independent reviews and releasing the contractual documents executed between both parties.

State Court Administration has worked with Coalfire in the past to conduct security testing of its data and welcomed the opportunity to work with them again. Both organizations value the importance of protecting the safety and security of employees as well as the integrity of data.

State Court Administration apologizes to the sheriffs and boards of supervisors of Dallas County and Polk County for the confusion and impact these incidents have caused.



Comments on “Security Researchers Whose 'Penetration Test' Involved Breaking And Entering Now Facing Criminal Charges”

29 Comments
That One Guy (profile) says:

'We never considered criminals might not ask...'

Given that first screenshot very explicitly says that the goal is to gain physical access to the documents in question, and notes that attempts to gain access ‘Can be during the day and evening’ I’d chalk this up to the government employees who hired them not asking enough questions to understand what exactly would be involved, and more importantly not telling the other government employees that they’d hired a company to run security testing.

Social engineering is mentioned as one possible route, but testing the physical security in place would seem to be entirely within the scope of what they were hired to do as it notes that there would be ‘minimal’ rather than ‘no’ physical bypass employed, so charging them for doing their job would be rather absurd.

Anonymous Coward says:

Re: 'We never considered criminals might not ask...'

That said, there are established protocols for physical entry testing, and they were not followed in this case.

Standard protocol says that you have a copy of the contract on you during your operations, that it be signed, and that at least one person local to the physical site being penetrated be notified prior to the attempt, and their contact information be on the signed contract to be called should the testers be apprehended.

None of this was done in this case.

Anonymous Coward says:

Re: Re: 'We never considered criminals might not ask...'

their contact information be on the signed contract to be called should the testers be apprehended.

That’s a little suspect. Were I a penetration tester with that requirement, I’d also carry a fake contact with a colleague’s phone number, and they’d say everything’s cool when called. Whoever apprehends me should not be trusting my list of phone numbers.

TKnarr (profile) says:

Re: Re: 'We never considered criminals might not ask...'

Yeah, I’d be certain to have not just the contract but a letter on official letterhead signed by someone with authority at the client that stated specifically that "bypass of physical security to gain surreptitious access to the premises outside of normal business hours" was explicitly authorized, and also that "no prior notification be given to site security, in order to ensure that the test is of normal site security". If you’re doing stuff like this, you make sure it’s all spelled out in such a way the client can’t claim to not know exactly what was going to happen or not have agreed to it.

OGquaker says:

Re: Re: 'We were never considered criminals'

48 years ago Armand Hammer of Oxy Petroleum hired a friend of mine to discover why his private conversations with Mayor Sam Yorty were leaking to the LATimes.
Armand couldn’t trust anyone, so my friend called his friends that might have three neurons in a string, and 5 of us showed up at Oxy headquarters at midnight with oscilloscope, frequency monitors, et al. and spent the night rummaging the top floor with "extreme" care. A tired "bug" was found, or placed & found, under a side table in a vice president’s office.
Because he still wanted to explore for petroleum under the homes on the bluff in Pacific Palisades, we searched one more time a month later, then we spent another night at Hammer’s home in Bel Air. With an indoor pool, a white, a silver and a black RR in the garage; built in the 1920s, wires were everywhere, and so were pictures of Armand with JFK, Khrushchev, Mosaddegh, Yorty, Betancourt, Fahd bin Abdulaziz Al Saud and a few paintings that were supposed to be at the MET. As dawn brightened, I was the last to leave, cramming a 50 lb. HP frequency monitor into the back seat of my 1959 Karmann Ghia when Security drove up and asked if this was the right address. Yes, I said, and drove off to meet up at the "Pantry" on Figueroa.

Baron von Robber says:

Re: Re: 'We never considered criminals might not ask...'

They did.

"At 12:30am on the morning of September 11, penetration testers Justin Wynn and Gary DeMercurio were caught with lock picks inside the Dallas County courthouse by Dallas County Sheriff’s Department officers. They presented documents showing they had authorization from the state; the officers contacted state officials on the document, who verified that the test was authorized. But they arrested Wynn and DeMercurio anyway and charged them with burglary."
https://arstechnica.com/information-technology/2019/09/iowa-officials-claim-confusion-over-scope-led-to-arrest-of-pen-testers/?comments=1

Anonymous Coward says:

Re: Re: 'We never considered criminals might not ask...'

An article about this very same topic at ArsTechnica states that the security researchers did have their contract information on them. And that the local police force then contacted the state office and confirmed that the contract existed and was correct as shown. The local officers arrested the two individuals anyway, and now the local sheriff’s office is pursuing charges.

aerinai (profile) says:

Hazard Pay?

Wonder if these two will be compensated by Coalfire for their time in prison if, in fact, the company did think that these actions were warranted.

Definitely would be bad for these guys’ lives to be derailed for doing their job.

Side Note: Usually giving police departments a heads up that this kind of stuff will be done is a good idea. I get that it kind of invalidates the tests, but even giving the Police chief IDs of the people who are going to probe a target might make sense…

Tin-Foil-Hat says:

Re: Qualified immunity

It’s not even a low bar. They did exactly what they were instructed to do by an employer who was hired to do penetration testing. They should be well compensated for the damage done to their reputation. When you hire someone to do penetration testing, you shouldn’t be surprised when they do penetration testing.

Anonymous Cowartd says:

Nice Spin Tim

This is standard nomenclature in a standard pen testing contract.
Yes, it includes on-site penetration testing if you’re going to one of the good companies.
The 2 guys presented documentation.
You can’t warn the PD beforehand, because that defeats the purpose of the test.

Nice spin Tim, may I suggest you avail yourself of your research skills prior to piling on to topics like this?

Anonymous Coward says:

"nothing in the details suggests breaking-and-entering after hours was contemplated as part of the physical access test"

You seem to have missed the part of the contract headed Project Schedule –

"All penetration testing is expected to be conducted: During normal business hours: Monday through Friday between the hours of 6AM and 6PM…"

The detail re. physical penetration is in the social engineering section and specifies "Talk your way into areas, limited physical bypass". There doesn’t appear to be anything in there to authorise a night time B&E…
