Black Hat The two penetration testers whose arrest and imprisonment made headlines last year are finally sharing their story, and it is a doozy.
Florida man Justin Wynn and Seattle resident Gary DeMercurio, both pentesters at infosec shop Coalfire Systems, said the ordeal they experienced in Iowa last September could have been avoided had they just done a better job of documenting the scope of their audit in writing.
That and not running into an ornery sheriff. A favorable judge died suddenly, too, mid-case.
The pair were performing a routine penetration test at the Dallas County courthouse at night when they tripped an alarm, were collared by deputies, and, ultimately, charged with felony trespassing – a crime that can lead to up to seven years behind bars.
Part of the problem, the two professional attackers told the Black Hat online conference today, was the imprecise terms of the penetration tests Coalfire was hired to perform at the request of the US state of Iowa.
The two noted that, though there was some boilerplate language in the contract limiting testing to daytime business hours, 6am to 6pm, they were led to believe by officials early on that the state wanted them to pay specific attention to security late at night.
"The reality of that story is when they came to us, they only wanted physical pentesting at night after hours," said DeMercurio. "The lesson learned from this is: record your calls."
After three nights of successful tests, the pair were approached by deputies after triggering an intruder alarm at the courthouse after midnight.
"We were hoping an alarm goes off and we receive a police response," recalled Wynn.
"Misguided hope," added DeMercurio.
Initially, the team said the plod were actually rather cordial with the pair, asking for tips, and swapping stories.
"The reason we stuck around [after tripping the alarm] was because we were having a really good interaction with law enforcement," said DeMercurio. "Then that mood suddenly switches."
What changed the mood, the pair said, was the arrival of Dallas County Sheriff Chad Leonard, who brushed aside the paperwork they produced as evidence they were performing a legit security audit for the state, and ordered the pair be arrested on felony charges. Although the sheriff accepted the duo were professionals on a job, he was unappreciative of the state ordering a penetration test of his county courthouse without checking beforehand. "The state had no authority to authorize a break-in of this building," Leonard wrote in an email after the arrests.
Crucially, despite the charges ultimately being dropped when common sense prevailed, both DeMercurio and Wynn now have a felony arrest record that shows up during background checks. This is particularly annoying for professional pentesters, who will be subject to numerous checks in the course of their work.
The six months leading up to the end of the case, the pair claim, featured a showcase of incompetent officials who contributed to a legal farce. This, they say, included the sheriff refusing to acknowledge he checked their paperwork in court, and a low-level judge who insisted that if any test had been authorized of the courthouse, she would have personally been informed.
"I say, 'ma'am, the sheriff verified that we were sent by the state last night'," DeMercurio recounts of his initial court appearance. "And I look over at the sheriff and he is sitting with a big grin on his face not saying a word."
Later, an effort to dismiss the case was set back when Iowa Supreme Court Justice Mark Cady, seemingly an advocate for the pair, suddenly died at the age of 66. Eventually, the charges against the two were dropped, partly due to an outcry from the security community.
Now, the two are advocating for laws that will prevent any other pentesters from similarly falling through the cracks of the legal system. "We want to get a good Samaritan law passed so that this doesn't happen to anyone else," said DeMercurio. "There is a family here that we all are part of, and they came to our rescue." ®