Turning security researchers into criminals is so popular we have a tag for it here at Techdirt. A security hole is found or a breach pointed out, and the first thing far too many entities do in response is turn the messenger over to law enforcement while muttering unintelligible things about "hacking."
Security researchers are invaluable. They've exposed a ton of security breaches and helped make the web safer for everyone. Their efforts are rarely appreciated by the entity caught with its security pants down. Just because the breachee has chosen to blow off its obligations to its customers and users doesn't make the person who discovered the breach a criminal. Unfortunately, the CFAA lends itself to abuse and the DOJ is more than willing to abuse it -- something that turns security research into a security risk for those who choose to follow this career path.
Then there are efforts like this one, which seems completely inexplicable. It's dog-bites-man news when a security researcher is arrested, but every other case we've covered involved nothing more than the use of a computer. This one expands the definition of "penetration testing."
Two men arrested for breaking into the Dallas County Courthouse told law enforcement they were hired to do so by the judicial branch.
The men, outfitted with numerous burglary tools, told authorities they were on contract to test out the courthouse alarm system's viability and to gauge law enforcement's response time, an alleged contract that Dallas County officials said they had no knowledge of, according to a criminal complaint.
Well, then. At first blush, it seems like the sort of thing one might say when pressed to explain their actions while facing breaking and entering charges. It's a better excuse than most off-the-cuff denials of wrongdoing. The thing is, this narrative appears to be true.
Authorities later found out the state court administration did, in fact, hire the men to attempt "unauthorized access" to court records "through various means" in order to check for potential security vulnerabilities of Iowa's electronic court records, according to Iowa Judicial Branch officials.
However, it appears judicial officials did not think "breaking and entering" would be part of the "various means." The men remain in jail on $500,000 bond despite this penetration test showing the courthouse's security response was hardened or whatever. The alarm system triggered a response by law enforcement and the men were found on site and arrested. The system -- at least the physical part of the court's alarm system -- works.
It appears the men's excuse is legitimate. As Sean Gallagher reports for Ars Technica, cybersecurity advisors Coalfire did indeed hire the men to carry out a test of the Dallas County courthouse's security. But Coalfire has, so far, refused to comment on the arrests, so it's unclear whether this particular break-in was done with the company's blessing. And it appears this wasn't the testers' first run, either. The Des Moines Register says the men are also suspected of breaking into the Polk County Courthouse in Des Moines -- something that happened two days prior to their arrest at the Dallas County courthouse.
Unfortunately, this isn't going to make anything easier for security researchers. When researchers are hired to perform penetration tests, anything not explicitly defined in the contract could net them criminal charges, even if they were told to check systems for flaws.
This is some prime WTF-ness, but even with its unusual details, it's still illustrative of the risks researchers face on a daily basis. Entities that don't hire researchers are peeved when flaws are exposed and tend to treat the people who found them like criminals. Those who are hired to do the job run the risk of performing tests their client didn't anticipate, putting them in the same line of fire.
UPDATE: The Iowa Judicial Branch has released an official statement on the penetration tests, along with copies of its contract with Coalfire. The documents appear to authorize physical access to targeted courthouses, but nothing in the details suggests breaking-and-entering after hours was contemplated as part of the physical access test. Nothing in the language strictly forbids it either.
Here's what the Judicial Branch has to say about the two incidents, which may ultimately result in charges being dropped:
Recently, two penetration testers employed by Coalfire were arrested in the Dallas County Courthouse during a security testing exercise to help the Iowa Judicial Branch ensure the court’s highly sensitive data was secured against attack. Coalfire was working to provide quality client service and a stronger security posture. Coalfire and State Court Administration believed they were in agreement regarding the physical security assessments for the locations included in the scope of work. Yet, recent events have shown that Coalfire and State Court Administration had different interpretations of the scope of the agreement. Together, Coalfire and State Court Administration continue to navigate through this process. To that end, the Iowa Judicial Branch and Coalfire will each be conducting independent reviews and releasing the contractual documents executed between both parties.
State Court Administration has worked with Coalfire in the past to conduct security testing of its data and welcomed the opportunity to work with them again. Both organizations value the importance of protecting the safety and security of employees as well as the integrity of data.
State Court Administration apologizes to the sheriffs and boards of supervisors of Dallas County and Polk County for the confusion and impact these incidents have caused.
Filed Under: breaking and entering, pen test, penetration testing, security, security researchers