Iowa Drops Trespassing Charges Against Penetration TestersProsecutors Back Down After Misunderstanding Led to Arrests
Iowa prosecutors have dropped trespassing charges against a pair of penetration testers who were contracted to test the electronic and physical security of three judicial facilities.
The men - Justin Wynn of Naples, Florida, and Gary DeMercurio of Seattle - were working on behalf of Coalfire, a cybersecurity consultancy based in Westminster, Colorado.
The pair were arrested early in the morning of Sept. 11, 2019, after sheriff's deputies spotted them on a surveillance camera after they had gained access to the Dallas County Courthouse in Adel, Iowa.
The ensuing mess saw the men get booked on felony, third-degree burglary charges. They spent a night in jail despite producing a valid penetration testing contract, which was supposed to be a "get out of jail free" document.
What might have been a short, awkward but subsequently dismissed mix-up, however, rolled on for months after Dallas County Sheriff Chad Leonard dug in his heels, asserting that the court system's contract with the men was illegal, and so they had broken the law.
Subsequently, the charges against the men were downgraded to trespassing, and a trial date was set for this April.
Now, however, those trespassing charges have finally been dropped, the Des Moines Register reports.
Coalfire has issued a statement also confirming that Dallas County Attorney Charles Sinnard will drop the charges.
"Ultimately, the long-term interests of justice and protection of the public are not best served by continued prosecution of the trespass charges," according to Coalfire's statement. "The arrests raise national awareness on the quiet war being waged against cybercrime, and the critical role red team penetration testing plays in defending the integrity of public and private sector commerce."
The mishap that led to the men's arrests sounded alarms at penetration testing firms, which feared that future engagements might go down a similar path. Penetration testing contacts typically have very careful wording to prevent these types of scenarios from unfolding.
The arrests also triggered lawmaker inquiries. Iowa's Senate Government Oversight Committee held a hearing on the situation on Oct. 4, 2019, with then Iowa Supreme Court Chief Justice Mark Cady apologizing "for diminishing public trust and confidence in the court system."
Republican State Sen. Amy Sinclair said the hiring of an outside company to break into courthouses created "significant danger, not only to the contractors, but to local law enforcement and members of the public."
Wynn and DeMercurio had wide latitude to conduct a variety of security tests, according to a copy of their penetration testing contact, which was obtained by Ars Technica.
On Friday, security blogger Brian Krebs posted a video interview with the pen testers as well as Coalfire CEO Tom McAndrew, who collectively confirmed the details of their engagement, delivering an inside view of situation.
The contract included scope for application and network penetration tests, as well as a variety of social engineering attacks, including phishing and physical access tests at the Dallas County Courthouse, one in Polk County as well as the Judicial Branch Building.
The penetration testers accessed the Dallas County courthouse by using a plastic cutting board to undermine a lock, Ars Technica reported in November 2019. The alarm eventually tripped, and police arrived.
The contract allowed for the testers to use various means to open doors, but not to force one open. Wynn and DeMercurio found an open door, but then locked it and opened it again with the cutting board, Ars reported. That discrepancy was cited by the sheriff as being sufficient for him to detain the testers. The men were also accused of tampering with the alarm system, which they denied. According to the contract, the alarm system was off limits.
New Guidelines for Pen Tests
How did this testing engagement go so wrong?
To answer that question, Iowa's Supreme Court hired a law firm, Faegre Baker Daniels, to investigate. The law firm issued a 21-page report on Oct. 9, 2019, outlining trouble spots.
First, law enforcement organizations in Dallas and Polk counties were not notified in advance that physical penetration tests were set to occur, the report says. Also, there seemed to be confusion over whether Iowa's State Court Administration had legal authority to allow for physical testing at courthouses outside of business hours, as well as what the scope of those tests could entail.
The firm recommended that the SCA "confer with sheriffs, other local officials or other state supervisors that could be affected by a security assessment, especially of a mixed-use or jointly administered building."
The contract also received no legal review before being implemented. The law firm contended that the contract contained language that would likely be familiar to anyone in the cybersecurity field, but which would likely lead to misunderstanding among those without technical expertise.
As a result of the findings, Iowa's Supreme Court issued new policies, the Des Moines Register reported on Oct. 10, 2019. The rules reportedly mandate that all penetration testing contracts must undergo a legal review before being finalized, and that law enforcement must be notified before a scheduled test is due to take place. In addition, the new rules reportedly ban physical security tests being conducted outside of business hours, or physically breaking into buildings.