This week, we’re going to take a look at a story that–after a long and mind-bending road–finally came to a conclusion recently. One where two penetration testers from the security firm Coalfire, were hired to break into an Iowa courthouse and then arrested when they completed the job. This story has been covered in great detail by small security blogs and large news agencies alike, so instead of reviewing the situation one more time, I’ll let you take a second to review the official/popular reporting yourself.

Coalfire, Official Video Conference (link)

Coalfire, Official press release (link)

CNBC (link)

Portswigger (link)

ZDNET (link)

arsTechnica (link)

techdirt (link)

After you’ve familiarized yourself with the situation, what I’d like to focus on here are some of the questions that have surfaced from all of this. Questions like: How do firms protect employees? Specifically against permanent charge records? Against the fear of going to prison? How about if a client provides wrong addresses or building criteria? There are a lot of important questions coming from a space that isn’t well established.

This is going to be a somewhat quick article, but the overall goal is to prompt the questions and see what kind of ideas people have. Coalfire is certainly working these concerns right now, but they also apply to the broader community.

These techs now have an immovable criminal charge on their permanent record.

For Gary and Justin, this is an unfortunate and currently static problem. Both of those security professionals, even from operating entirely within the law, now have a permanent criminal charge on their Federal record, and according to the Coalfire CEO, there is currently no way for this record to be modified. In this line of work, regardless of whether the contract is a cleared one (government security work) or not, having a criminal record is often an instant disqualifier. Due to the heavy reliance on ethical judgment because of how easy it is to commit a crime in this domain, job candidates are very quickly dropped the second a potential employer finds out about a record; they won’t take the time to look into what happened. If these two security professionals, who have operated legally and ethically their entire career, need to get a job in the future, they are in for a major challenge? This is wrong, how do we correct the record, and if that really is a lost cause, what preventative measures do we take in the future?

How do we handle a client providing wrong IPs or bad ‘no-strike’ information?

In my opinion, this is the most significant concern to a non-federal penetration testing company. When you go on engagement, the client will be required to provide strike ranges, and often no-strike ranges. Strike ranges are those addresses and physical locations that should be targeted, and no-strike ranges are those which should under no circumstance be attacked. In this case, the official Coalfire contract that was signed by the client stated three days that operations could not be conducted due to Supreme Court business. If someone makes a mistake and provides the IP address of another business, and then Coalfire or another firm were to break into that company, how is that situation handled legally? Jack from the DarkNetDiaries podcast series has reported two other instances of this, and in one of those the victim actually said they were trying to get a test approved and took the report happily, but this does happen and it’s not always a clean outcome like that. What specific vetting needs to happen prior to engagement, and by who? Legally speaking, how do we transfer risk to the client, and protect the firm from bad targeting information?

For smaller firms that can’t pay quarter-million-dollar bail, how do employees remain protected?

Arrests do happen. The way that testers often get official proof that they completed a job is to trigger the alarm system in a building and then get an official police report from the police when they show up. They will show their freedom letter of course, but in this case, they may still be arrested. While Coalfire says they’ve never been handcuffed, this is certainly something that happens among other companies. For one of those other companies that might be smaller, and cant pay a quarter-million-dollar bail, how do employees go out to a job site with 100% confidence that they will come home to their own bed that night? Even further, how can that small business ensure they have employees to work contracts if some of their top people are sitting in a jail cell for an undeterminable amount of time. It’s fortunate that Coalfire could pay the bail, but this isnt always going to be the case, and the question is how do we protect people and business? Maybe the answer here is some sort of insurance, but quite frankly, this is uncharted territory and that insurance policy hasn’t been drafted before.

Charges were never filed against Coalfire, they were filed against Gary and Justin.

It’s worth focusing on the fact that both testers on this job were charged as civilians, and not as employees of Coalfire. There may not be a clear answer to this, but how can we legally ensure through some documentation that if a penetration tester is arrested, they are arrested as an employee so that the situation can be legally scoped to the business. To the earlier point about immovable criminal records, if we can move those records to the business, and not on the individuals that may solve the issue. Maybe the question is how does the get-out-of-jail-free letter need to be drawn up to arrive at this destination? If a cook serves bad food to a patron of their restaurant, they won’t potentially be sued, the business will. This is a uniquely applicable concern.

Summary

There are a lot of open questions, and most of them involve legal guidance, but for someone on the technical or even managerial side of the house, all of these items are of serious and immediate concern. Penetration testers need to be able to go into an engagement with confidence, and with the show that was put on after this job, all of that previously (misguided) confidence, is now out the window. Coalfire said this doesn’t deter them from going on future engagements, and the probability of another event is relatively low, but these are life-altering concerns.