CEO Of Security Company Behind Unorthodox Penetration Tests Wants To Know Why His Employees Are Still Being Criminally Charged

from the sheriff-determined-to-show-state's-court-who-the-biggest-dick-is dept

A couple of months ago, security researchers performing a very physical penetration test of an Iowa courthouse were arrested for breaking and entering. They were also charged with possessing burglar's tools, which they did indeed possess.

The employees of Coalfire Security said they had been employed by the state's judicial branch to test physical accessibility of courthouses. They had paperwork granting them permission to perform "physical security assessments" at multiple locations. While nothing specifically instructed the security testers to break into buildings, nothing in the documents suggested this was forbidden either. All it told the testers to do was to attempt to gain access to documents, internal systems, and areas closed off to the public.

A statement from the judicial branch suggested there had been some sort of misunderstanding and it apologized to the law enforcement officers for the "confusion" caused by this unorthodox penetration test. That apparently wasn't enough for the sheriff's department and local prosecutors, who moved ahead with felony charges.

Coalfire Security didn't have much to say when the news first broke, but the company has now issued a lengthy statement [PDF] that accuses the Dallas County Sheriff of turning a routine security test into a battle of wills between his office and the state's judicial branch.

[Coalfire Security employees Gary] Demercurio and [Justin] Wynn proceeded to purposefully trip the alarm to test law enforcement's response time. When they arrived, [Coalfire CEO Tom] McAndrew said, the deputies seemed delighted to be shown the tools and tactics the Coalfire employees used to enter the building.

McAndrew blamed the men's arrest on the arrival of Dallas County Sheriff Chad Leonard, saying he failed to "de-escalate" the situation, as the deputies already on site were ready to let the men go.

"Sheriff Leonard failed to exercise common sense and good judgment and turned this engagement into a political battle between the State and the County," McAndrew wrote. "I was stunned that the next morning the issues were not resolved and were actually amplified when bail was set as $100,000."

Prosecutors have performed a slight bit of de-escalation, at least. The felony charges have been dropped, but the researchers are still facing misdemeanor trespassing charges. This prosecution continues despite the judicial branch's statement backing up the arrested men's story that they were hired to test courthouse security.

Sheriff Leonard's needless escalation began during the arrest and continued forward past that point. Emails obtained by the Des Moines Register show Sheriff Leonard refused to release the security employees when their story checked out and further aggravated the situation by promising to give a heads up to other law enforcement agencies who might be interested in capitalizing on some trouble-free arrests.

A police sergeant called one of the state employees, who confirmed what the men said: that this was a legitimate contract and that the men should be let go, according to the email.

"I advised them that this building belonged to the taxpayers of Dallas County and the State had no authority to authorize a break-in of this building," [Sheriff] Leonard wrote in the email.

Leonard wrote that he then called the state employee to tell him his contractors had been arrested and that he didn't have the authority to authorize this.

The state employee disagreed and asked Leonard not to tell other sheriffs, wrote Leonard, who said he responded by saying he was going to tell every sheriff.

It sounds like some "law is the law" bullshit being pushed by Sheriff Leonard, who isn't going to let anyone get away with security research in his jurisdiction. Coalfire's CEO wants to know if Iowans are OK with this.

If what is happening in Iowa begins to happen elsewhere, who will keep those who are supposed to protect citizens honest? This is setting a horrible precedent for the millions of information security professionals who are now wondering if they too may find themselves in jail as criminals simply for doing their job. I believe that citizens of Iowa would benefit from using their resources to fix vulnerabilities, protect their data, and secure their public buildings rather than waste time and taxpayer money on this criminal pursuit.

Joke's on all of us. This is already happening elsewhere. Security researchers constantly face the possibility of arrest, prosecution, or civil lawsuits just for doing their jobs. That this penetration test involved a physical break-in doesn't make it any less legitimate. The court system apologized for the misunderstanding, but good deeds apparently aren't going to go unpunished in this county.

Filed Under: breaking and entering, courthouse, iowa, penetration testing, security researchers
Companies: coalfire security

Reader Comments


  1. Michael, 7 Nov 2019 @ 5:36am

    purposefully trip the alarm to test law enforcement's response time

    Let's just point out that the guy making all of the noise here was also the one with the response time that was so horrible that other officers arrived, found the suspects, identified they were not actually burglars, and were talking with them about how they broke in and the tools they use.

    Can we start by firing him for being incompetent at his actual job?
