Budapest Post

Cum Deo pro Patria et Libertate
Budapest, Europe and world news

Iowa paid a security firm to break into a courthouse, then arrested employees when they succeeded

Iowa paid a security firm to break into a courthouse, then arrested employees when they succeeded

A pair of security workers at a prominent cybersecurity company are contracted by the state of Iowa to conduct “penetration tests” of certain municipal buildings in September, particularly courthouses.

They are arrested in the course of doing their jobs. The charges still have not been dropped, despite admissions by the state of a miscommunication with county authorities.

The incident has sparked concern across the cybersecurity industry, including worries that ramped-up efforts to test voting facilities in advance of the 2020 presidential election may put security professionals at risk.

The state of Iowa contracted with a prominent cybersecurity company to conduct “penetration tests” of certain municipal buildings in September, particularly courthouses.

In September, two employees of the company were arrested in the course of doing their jobs. The charges still have not been dropped.

The incident has sparked concern across the cybersecurity industry, including worries that ramped-up efforts by many firms to test facilities, including voting and election facilities in advance of the 2020 presidential election, may put security professionals at risk.


A common test, an uncommon outcome

A penetration test, often referred to as a “pen test,” is an assessment conducted by a security firm meant to root out technical and physical security flaws that could put data at risk. This can include testing servers to see whether sensitive data can be stolen electronically, or testing facilities to see whether someone could easily break in and gain access to sensitive data or equipment. Pen testers are paid to attempt to break into corporate or government facilities, computers, devices and data centers.

On Sept. 9, Justin Wynn and Gary Demercurio, employees of pen testing firm Coalfire, were attempting to circumvent the security system at a courthouse in Dallas County, Iowa, to gain entry using those “other means.” The pair had already successfully tested two other courthouses, and they’d had positive interactions with authorities there, according to the company’s CEO, Tom McAndrew.

At the Dallas County courthouse, the pair found a door left propped open, McAndrew told CNBC. They closed the door, then attempted to open it again, tripping an alarm in the process.

The protocol in this type of situation is to wait for authorities to arrive, McAndrew said, which Wynn and Demercurio did. At that point, they had a friendly interaction with sheriff’s deputies, he said. The deputies examined their paperwork and credentials. But when a sheriff arrived, they were arrested on burglary charges. They spent a night in jail, and the company had to bail them out.

“It’s not totally unusual to have police involved,” in a pen test, but it is unusual for security professionals to get arrested, McAndrew said.

Even more surprisingly, the two employees are still facing charges in Dallas County, despite having a clear contract outlining that they were hired by the state’s judicial branch to break into the building. McAndrew believes it “might be unprecedented” for contractors arrested during a pen test to face charges.

Local prosecutors could not immediately be reached for comment, and an inquiry to the Iowa governor’s office was not immediately answered.

According to local news reports at the time of the arrest, there appeared to be a miscommunication between the state, which contracted for the pen test, and the county, which had jurisdiction to monitor security at the courthouse. But this should not have been relevant to the issue of whether a crime occurred, McAndrew said.

“I don’t know why they didn’t let them go. They were remanded to jail. We had thought the state was going to work out these issues with the county. Once we were told the charges were going to be reduced and not dropped, we were shocked that this was happening,” McAndrew said.

Iowa Supreme Court Justice Mark Cady apologized to a state Senate committee for the incident last month, according to the Des Moines Register. But some legislators complained that the tests may have posed some sort of “danger” to the public, according to reports.

Coalfire had been engaged with the Iowa Supreme Court for pen testing since 2015, according to an investigation of the incident. A service order allowed for typical pen test services including “tail-gating” — attempting to enter facilities behind an authorized employee with access to all building areas — and “non destructive lock-picking.”


Alarm in the cybersecurity field

These tests are very common, explained David Kennedy, founder and CEO of Binary Defense and Trusted Sec, a cybersecurity consulting firm that also conducts penetration tests.

“I’ve had a lot of discussions with owners of organizations that do this kind of work that are kind of freaking out about this,” Kennedy said. “You look at your job, and the protections you have in place. We try our best to make sure you are getting the full authorization. It’s really a shame these folks were trying to help that facility get better with security.”

Kennedy said that he was arrested in the course of conducting a sanctioned pen test involving an insurance company in 2017. He said his interaction with authorities was positive, and like the Coalfire workers in Iowa, he carried documentation outlining why he was there and for whom he was working. In Kennedy’s case, the police called the phone numbers provided by the company that had contracted with his firm, and ultimately received reassurance that the pen test had been requested.

“We are all watching this very closely, and we are concerned,” Kennedy said.

Casey Ellis, founder and chairman of cybersecurity crowd-testing service Bugcrowd, which deals in organized pen tests for corporations and government agencies, said he sees parallels in Dallas County’s reaction in corporations that are new to pen tests, especially successful ones.

“Oftentimes, when offensive testing is being done, there can be a big overreaction that someone has gone out there and demonstrated impact,” Ellis said. Hackers trying to test vulnerabilities in corporations also have faced legal action as a result of their efforts, something the industry has tried to put legal frameworks around, he said.

Ellis said the incident in Iowa spurred his company to “double-down” on a project it had launched in 2018 called Disclose.io, an open-source project meant to outline guidelines for disclosing vulnerabilities while creating “safe harbor” protocols for researchers looking to disclose vulnerabilities.

Ellis said he is worried about how the incident may limit the reach and effectiveness of pen testers, especially as election and voting facilities are under increasing scrutiny in the runup to the 2020 election.

“People that build systems, whether they can be computer networks or they can be physical buildings, it has a primary function, and the people building it aren’t necessarily thinking about security,” Ellis said. “I can only see the need for this accelerating.”

AI Disclaimer: An advanced artificial intelligence (AI) system generated the content of this page on its own. This innovative technology conducts extensive research from a variety of reliable sources, performs rigorous fact-checking and verification, cleans up and balances biased or manipulated content, and presents a minimal factual summary that is just enough yet essential for you to function as an informed and educated citizen. Please keep in mind, however, that this system is an evolving technology, and as a result, the article may contain accidental inaccuracies or errors. We urge you to help us improve our site by reporting any inaccuracies you find using the "Contact Us" link at the bottom of this page. Your helpful feedback helps us improve our system and deliver more precise content. When you find an article of interest here, please look for the full and extensive coverage of this topic in traditional news sources, as they are written by professional journalists that we try to support, not replace. We appreciate your understanding and assistance.
Newsletter

Related Articles

0:00
0:00
Close
Polish MEP: “Dear Leftists - China is laughing at you, Russia is laughing, India is laughing”
Western Europe Records Hottest June on Record
BRICS Expands Membership with Indonesia and Ten New Partner Countries
Elon Musk Founds a Party Following a Poll on X: "You Wanted It – You Got It!"
China’s Central Bank Consults European Peers on Low-Rate Strategies
France Requests Airlines to Cut Flights at Paris Airports Amid Planned Air Traffic Controller Strike
Poland Implements Border Checks Amid Growing Migration Tensions
Emirates Airline Expands Market Share with New $20 Million Campaign
Amazon Reaches Milestone with Deployment of One Millionth Robot
Yulia Putintseva Calls for Spectator Ejection at Wimbledon Over Safety Concerns
House Oversight Committee Subpoenas Former Jill Biden Aide Amid Investigation into Alleged Concealment of President Biden's Cognitive Health
Amazon Reaches Major Automation Milestone with Over One Million Robots
Extreme Heat Wave Sweeps Across Europe, Hitting Record Temperatures
Meta Announces Formation of Ambitious AI Unit, Meta Superintelligence Labs
Robots Compete in Football Tournament in China Amid Injuries
China Unveils Miniature Insect-Like Surveillance Drone
Marc Marquez Claims Victory at Dutch Grand Prix Amidst Family Misfortune
Germany Votes to Suspend Family Reunification for Asylum Seekers
Budapest Pride Parade Draws 200,000 Participants Amid Government Ban
Southern Europe Experiences Extreme Heat
Xiaomi's YU7 SUV Launch Garners Record Pre-Orders Amid Market Challenges
Jeff Bezos and Lauren Sanchez's Lavish Wedding in Venice
Russia Launches Largest Air Assault on Ukraine Since Invasion
Massive Anti-Government Protests Erupt in Belgrade
Iran Executes Alleged Israeli Spies and Arrests Hundreds Amid Post-War Crackdown
Hungary's Prime Minister Criticizes NATO's Role in Ukraine
EU TO HUNGARY: LET THEM PRIDE OR PREP FOR SHADE. ORBÁN TO EU: STAY IN YOUR LANE AND FIX YOUR OWN MESS.
Hungarian Scientist to Conduct 30 Research Experiments on the International Space Station
NATO Members Agree to 5% Defense Spending Target by 2035
NATO Leaders Endorse Plan for Increased Defence Spending
U.S. Crude Oil Prices Drop Below $65 Amid Market Volatility
International Astronaut Team Launched to Space Station
Macron and Merz: Europe must arm itself in an unstable world
Germany and Italy Under Pressure to Repatriate $245bn of Gold from US Vaults
Iran Intensifies Crackdown on Alleged Mossad Operatives After Sabotage Claims
Trump Praises Iran’s ‘Very Weak’ Response After U.S. Strikes and Presses Israel to Pursue Peace
Oil Prices Set to Surge After US Strikes Iran
BA and Singapore Airlines Cancel Dubai Flights Amid Middle East Tensions
Trump Faces Backlash from MAGA Base Over Iran Strikes
Meta Bets $14 B on Alexandr Wang to Drive AI Ambitions
FedEx Founder Fred Smith, ‘Heart and Soul’ of the Company, Dies at 80
Chinese Factories Shift Away from U.S. Amid Trump‑Era Tariffs
Pimco Seizes Opportunity in Japan’s Dislocated Bond Market
Labubu Doll Drives Pop Mart to Status as China’s Most Valuable Toy Maker
Global Coal Demand Defies Paris Accord Goals
United States Conducts Precision Strikes on Iran’s Nuclear Sites
US strikes Iran nuclear sites, Trump says
Telegram Founder: I Will Leave My Fortune to Over 100 of My Children
16 Billion Login Credentials Leaked in Unprecedented Cybersecurity Breach
Senate hearing on who was 'really running' Biden White House kicks off
×