Iowa Prosecutors Drop Charges Against Men Hired to Test Their Security

By Anthony Berrios

Blog Post #4

2/11/2020

This past September the state of Iowa hired two security experts to test the physical and network security of its judicial system. While looking into the security of the Iowa county courthouse, however, they were arrested and charged with burglary, with bail set at $100,000. Seems like an unexpected turn considering the Iowa state government hired them, right? Well, this past month Iowa announced that it had dropped the charges.

The two men, Gary DeMercurio and Justin Wynn, of Naples, Fla., are both professional penetration testers employed by Coalfire Labs, a security firm based out of Colorado. Iowa had hired Coalfire, and in turn DeMercurio and Wynn, to test the security of its judicial buildings. Under their contract terms, the two were to impersonate staff and contractors, provide false pretenses to gain physical access to facilities, “tailgate” employees into buildings, and access restricted areas of those facilities. The contract said the men could not attempt to subvert alarm systems, force open doors, or access areas that required protective equipment.

All was fine and well until the day the two men decided to test the security of the courthouse, September 11th. An alarm was set off and the police came. Knowing they were under contract, DeMercurio and Wynn waited for the police to arrive so they could explain the situation to them. After they explained, the deputies were about to let the two men leave until a Dallas County Sheriff by the name of Chad Leonard showed up. Leonard seemed to think that the two men had violated the terms of their contract and hence hauled them off to jail. The charges did in fact end up being dropped because of a massive miscommunication between the county and state officials in Iowa. Iowa’s state government specifically told Coalfire not to alert police about the test. This turned out to be a problem because although the courthouse is a state-run building, it was actually owned by the county, not the state, and the county had no previous knowledge of a third-party security test. Because of this lack of communication on Iowa’s part, the charges were dropped.

This story is important to the security community because it is not uncommon for governments and big companies to hire third-party companies to test their security systems, whether physical security or online firewalls. This is a normal practice that both parties agree to and benefit from. This story is a good example, however, of what can happen when not enough people are aware of the security test and when the terms in the contract are not explicitly clear.
