Prosecutors dropped felony criminal charges against a pair of ethical pen testers arrested while assessing the security of an Iowa courthouse. But the the two men are not ready move on just yet.
Coalfire employees Gary DeMercurio, managing senior, and Justin Wynn, senior security consultant, lobbied Wednesday at the virtual Black Hat conference for a Good Samaritan law that would protect their industry peers from the kind of overzealous prosecution they say they experienced for roughly five months, after a local sheriff had them arrested on Sept. 11, 2019 for alleged third-degree burglary. The two men picked a lock on the door of the Dallas County Courthouse in Iowa and entered the facility, triggering an alarm.
Demercurio and Wynn had been contracted by Iowa’s State Court Administration to evaluate the cyber and physical security of various buildings, but some Dallas County officials claimed the act was unauthorized because the county actually controls the courthouse property, yet was never notified.
The charges were later dropped in late January 2020.
SC Media spoke to DeMercurio and Wynn in advance of their conference presentation.
Why is now the time to recount your experience in such a major public forum?
Wynn: This is the first time we were able to go public with the story. During the entire time events were unfolding we were advised to remain silent on the process and the media just kind of took things by storm and we were never able to get our story out there. So this presentation, it’s 40 minutes and it’s basically just a condensed summary of the events that unfolded over those six months. At the end we wrap up [with] where we want to go with the industry and how we want to have more protection for the people doing this kind of work. And then a synopsis of the actions that the Iowa judicial branch took in response to this, which was a knee-jerk reaction – the opposite of what we want to see happen for proactive security testing.
Had you ever had a serious encounter with law enforcement before this?
Wynn: Pretty much anybody who’s done this type of work, you run into law enforcement at some point, and usually the interactions go: Suspicion, they’re curious why you’re there and then you go through the validation process, the client gets the okay and then the police are waved off and that’s as far as pretty much it’s gone for anybody in the industry to date. And for Gary and I, personally we’ve had squeaky clean records. I mean absolutely nothing involving law enforcement at all to this extent whatsoever.
There were cyber and physical security components to this particular security assignment, correct?
Wynn: Yep. This was a full-scope red team engagement, so we’d been working on that project for probably about a month prior and that includes external, internal network penetration testing, wireless penetration, application [security… This] was the physical pentation portion of the testing, so that’s why we were outside… One of the interesting things about that, too, was we were supposed to do the internal network penetration test afterwards. One of the [news] articles caught wind that we plugged a drone or a device in on site. We were following the rules of engagement. They wanted us to come on site, see if we could break in, and then plant that device for the follow-up internal network penetration test. So they really wanted to simulate a real-life adversary: “Can somebody walk into our building, plant a remote access device, and then from there show us what they can do? And we’ll follow up with the internal penetration test afterwards.”
You were contracted to test state-run judicial assets by the State Court Administration, but it was the local county that pursued this case from a prosecutorial perspective. So what happened with the communication between these two level of government that couldn’t have cleared this up in a day?
Wynn: From our point of view, it could have been. It really came down to a jurisdictional dispute. So one entity, the county, wanted to assert their authority and say this is the county courthouse and the state doesn’t have authorization to conduct these sort of tests for that location. So that’s really all it came down to – and that’s why the legal dispute, that’s why we got dragged through everything, was they were trying to sort that out.
It felt like we were held on as collateral. There was really no need for us to be hooked into that process for five months. I mean it’s kind of between state and country or at the least between Coalfire and whoever involved, but not individuals, not us, the guys just doing the work. [The county decided], ”Even though this is a free service for us to benefit our community and our citizens and our courthouse, the state shouldn’t be paying for this kind of stuff. This is our grounds and so take them to jail.” That how I look at it in my eyes.
The Supreme Court later this year will be looking at the Computer Fraud and Abuse Act to determine if violating a system or website’ terms of service constitute a criminal act if the actor otherwise has been authorized access to it. The white-hat community is concerned that more protections are needed to ensure their own ethical pen testing and hacking is considered legal. What protections would you like to see instituted?
DeMercurio: The thing that we’re trying to concentrate on is having a “Good Samaritan” law in place. So the good Samaritan law, as far as the research that we’ve done and what we’ve gone through, would supersede any terms of service as it relates to ethical hacking.
If you’re an ethical hacker – or a maybe a better term would be ethical pen tester – [and whether] you’re performing a pen test physically or you’re… social engineering or what have you, if you’re performing a test in good faith for a customer who has hired you and you are within the scope of what you should be doing or what you believe that you should be doing, then you shouldn’t have any repercussions…
But you did face repercussions for your actions.
DeMercurio: We were given a scope, we felt that we were in that scope… Later on the state admitted that we were in scope, but prior to that, due to either personal reasons or political reasons or what have you, they tried to throw us under the bus and they tried to say we were out of scope – that we weren’t performing the thing that we were supposed to perform. But later on after the judicial hearing, everything came out. Yes, indeed, we were doing exactly what we were supposed to be doing.
…[But] even if we misstep on the scope due to some confusion or lack of terms or something that’s not really laid out perfectly, the general consensus is we’re trying to do the right thing and we shouldn’t be prosecuted as if we’re criminals, because we’re not… If we’re doing what we should be doing after speaking with the customer, they shouldn’t be able to come back and say, “Well that’s not exactly what we had in mind. Now we’re going got try to send you to prison. If you’re out of scope completely and you’re not doing what you’re supposed to be doing, that’s a different story.
Explain a little more about how politics complicated this matter.
DeMercurio: [When] you start getting on the state and county level, not only do you have the laws and provisions that you’re talking about in place, but you also have the politics that are involved as well. And whether or not they [the state] have the authority to enforce security in that [county] building is different in Iowa than it is in a different state. Whether or not you have the ability to go into that building after midnight, is that set by the county or is that set by the state? Typically it’s set by whomever is employing the people within that building, which is what we were under the assumption of when doing this. However, the sheriff did not share that opinion and Iowa recently passed a law [that] the county owns… the property and [has] the control of the building. But that still doesn’t answer the question of what do you do for state employees?... They wouldn’t arrest a [state] judge if he came in there to get a computer, so why were we arrested? So again, you’ve got all these legal questions and there’s no answer for it because there was nothing ever written and it’s something that’s completely different than anything that’s ever happened.
What has been the reaction of your peers in the industry as they’ve followed this case? Have you had their support?
Wynn: I think industry-wide people were very concerned… Going back to the good Samaritan law, I mean, if [a pen tester] “fat fingers” an IP address and then you test the wrong client, you don’t want to go to jail for that, nor should you because you’re doing that in good faith. You’re not trying to break into the other organizations, so I think everyone is very concerned.
We had absolutely phenomenal support from the industry. The infosesc family came together and rallied for us. They put on AwarenessCon [a physical and virtual event designed to expose people in the region to the merits of offensive pen testing] in that small town in Iowa where we got arrested, and everyone was very proactive in reaching out to us and offering support through the entire time. So that was wonderful to see it really made us feel part of the community.