The Dallas County Courthouse in Adel, Iowa. Stephen Matthew Milligan

Prosecutors have dropped criminal charges against two security professionals who were arrested and jailed last September for breaking into an Iowa courthouse as part of a contract with Iowa's judicial arm.

The dismissal, which was announced on Thursday, is a victory not only for Coalfire Labs, the security firm that employed the two penetration testers, but also for the security industry as a whole and the countless organizations that rely on it. Although employees Gary DeMercurio and Justin Wynn had written authorization to test the physical security of the Dallas County Courthouse in Iowa, the men spent more than 12 hours in jail on felony third-degree burglary charges. The charges were later lowered to misdemeanor trespass.

The case cast a menacing cloud over an age-old practice that's crucial to securing buildings and the computers and networks inside them. Penetration testers are hired to hack or break into sensitive systems or premises and then disclose the vulnerabilities and techniques that made the breaches possible. Owners and operators then use that information to improve security.

“I'm very glad to hear this,” said a professional pentester when I told him the charges were dropped (he prefers to use only his handle: Tink). “Clients and security firms have an obligation to protect their pentesters and consultants. Pentesters are not criminals. Pentesters help organizations protect against criminals.”

Attempts to reach Dallas County Attorney Charles Sinnard after hours were unsuccessful.

Get out of jail free

DeMercurio and Wynn were arrested in the early hours of September 11 after a dispatcher with the Dallas County sheriff's department observed the men wandering through the closed county courthouse with dark backpacks. When sheriff's deputies confronted the men shortly afterward, they produced a letter—known as a get-out-of-jail-free card in pentesting parlance—that said they had been hired by Iowa's State Court Administration to assess its physical and network security. Deputies were friendly and interested as DeMercurio and Wynn explained how they had used a lock-picking device to bypass a locked front door.

When Sheriff Chad Leonard arrived on the scene, things took a decidedly more adversarial tone. Leonard said he was unaware of any such arrangement and, furthermore, that the State Court Administration lacked the authority to permit after-hours entry of county property. The pentesters spent more than 12 hours in the county jail until they were released on $100,000 bail ($50,000 each). In the days that followed, officials discovered that the pentesters had also performed physical penetration tests on the Polk County Courthouse and Judicial Building.

The turf war between Dallas County and state officials was only one of the things complicating the case. The other issue was the legal agreement Coalfire signed with the State Court Administration. The full agreement was split across three separate documents that contained confusing and contradictory terms describing the work to be performed. An initial service order outlined a plan to conduct “Physical Attacks” against the Dallas County courthouse and two other buildings, but in later forms the pentesting activities were described as “Social Engineering.” There was also conflicting language about whether the pentesters were authorized to use lock-picking gear and whether they were permitted to test physical security after hours.

After learning of the pentesting contract, Dallas County Attorney Charles Sinnard reduced the charges, but despite there being no evidence of criminal intent, he continued to prosecute the two men. In a statement Coalfire issued on Thursday, officials wrote:


arstechnica
