Black Hat: When penetration testing earns you a felony arrest record
“Uh, we’re in jail.”
When Coalfire inked a deal with the State Court Administration (SCA) to conduct security testing at the Dallas County Courthouse in Iowa, two of their team members being arrested at midnight and thrown behind bars was not quite what the company expected.
The saga began in September last year when two Coalfire Systems security experts, senior manager Gary Demercurio and senior security consultant Justin Wynn, set out to test the court’s physical security.
Testing a company or organization’s security posture, known in the cybersecurity field as penetration testing, can involve probing networks, apps, and websites to find vulnerabilities that need to be fixed before attackers find and exploit them for nefarious purposes.
However, penetration testing can also include physical elements. Is it possible to access a company office through social engineering and pretending to be a guest? Are people dressed as maintenance staff challenged at the gates? Are doors to sensitive areas properly secured?
In the Iowa court’s case, the question was also how quickly law enforcement responds to a break-in.
As ZDNet previously reported, the penetration test deal agreed between the SCA and Coalfire resulted in Demercurio and Wynn setting out in the dead of night to test the security of court buildings.
Speaking at Black Hat USA on Wednesday, Demercurio and Wynn said the client originally wanted only after-hours testing, at night; the scope was later extended to day and evening testing.
Before the test took place, Coalfire “went through the scope, building by building,” to make sure there was no miscommunication between the cybersecurity firm and the client in terms of what buildings could be targeted, and what should be avoided.
Under the terms of the contract, the team was permitted to use social engineering to impersonate staff and contractors, use false pretenses to try and gain access, tailgate employees, and access restricted areas — on the proviso that alarm systems were kept intact and no damage was caused on entry.
At the beginning of the test on Sunday night, a state trooper on patrol came across the team attempting to enter a door and was satisfied after proof of identification was provided by the researchers, noting that similar tests had been conducted in the past.
After the first test — and after the discovery of a Coalfire calling card in the IT room the next day — the client congratulated the team via email. So far, the penetration testers were satisfied that it was a “green flag” to go ahead.
On Tuesday, September 11, a courthouse door was found open. The researchers closed it, as their mission was not simply to walk in but to test the physical security of the building; after allowing the door to lock, they applied their tools to jimmy the lock open again.
An alarm sounded at 12:30 am, and the pen test team waited patiently on the third floor for law enforcement to arrive, holding their contract ready as a ‘get out of jail free card’ to prove they were there legally for after-hours testing.
“Credit where credit is due — it was the fastest response time we’ve ever seen, literally three minutes,” Wynn commented.
After shouting for five to seven minutes to make themselves and their purpose known, without receiving a response, Demercurio and Wynn made their way down the stairwell, hands raised.
The tone, at least at the beginning, was cordial and law enforcement on-site accepted Coalfire’s employees were there on legitimate business, quickly deciding to let them go. However, the team was having a “lot of fun” talking to them, and so decided to hang around and swap stories.
This, it seems, was a mistake, as Dallas County Sheriff Chad Leonard was en route.
Once Leonard arrived on scene, the tone “dramatically changed.”
“Up until the point the Sheriff arrived, we were treated with the utmost respect and like professionals,” Demercurio said.
In footage shown at the Black Hat presentation, Leonard calls the situation “bullsh*t.”
In a past interview, Leonard said the team was “crouched down like turkeys peeking over the balcony” when law enforcement arrived, and suggested both the date — September 11 — and the fact they were carrying backpacks gave more cause for alarm at the presence of the “unknown persons.”
Demercurio and Wynn were arrested and jailed for roughly 20 hours. In chains, strung up together, the researchers were then “paraded” to the courthouse they’d just broken into, to be berated by the judge, despite the researchers protesting that they were hired by the state.
Originally, bail was set at $7,000 for each Coalfire employee, but it was argued the pair was a flight risk and so the amount was increased to $50,000 each.
Charges of burglary in the third degree and possession of burglary tools were filed. These were later downgraded to trespass, and after discussions between Coalfire’s CEO, the Dallas County Sheriff, and Dallas County Attorney Charles Sinnard, all charges were dropped, a day before Coalfire’s motion to dismiss was due to be heard. The process, however, took months.
The SCA said in a statement at the time that the organization “did not intend, or anticipate, those efforts to include the forced entry into a building.” However, the researchers dismiss this, saying at Black Hat that the tests were not out of scope.
“It was the intention of the Dallas County Sheriff to protect the citizens of Dallas County and the State of Iowa by ensuring the integrity of the Dallas County Courthouse,” Coalfire said in a statement. “It was also the intention of Coalfire to aid in protecting the citizens of the State of Iowa, by testing the security of information maintained by the Judicial Branch, pursuant to a contract with the SCA.”
Demercurio and Wynn have been left with permanent felony arrest records. The records cannot be expunged, and despite the charges being dropped they are likely to hinder the pair’s future prospects in security work.
“This is severely detrimental for us to try and undergo these types of engagements in the future,” Wynn noted.
The issue at hand may have been the interpretation of the penetration testing agreement itself, or heavy-handedness by law enforcement and a court system concerned with liability, but lessons can still be learned by the cybersecurity industry, police, and any organization considering a penetration test to improve its security.
Demercurio and Wynn urge penetration testing companies to record every call between company and client as a basic level of protection against similar situations in the future. In addition, the pair are pushing for a “good samaritan” law to protect penetration testing companies, and their employees, from similar legal action.
“All offensive security has effectively been axed in the state of Iowa, and that’s the crux of the matter,” Demercurio commented. “We’re trying to help people [..] we want to make things better, we want to protect them, and the real losers are the citizens of Iowa.”