Security consultancy went outside scope of contract, claims sheriff

Dallas County Courthouse in Adel, Iowa

Charges against two security consultants who were contracted to make a physical security test at an Iowa courthouse in September have been reduced from burglary to criminal trespass.

Coalfire, the security consultancy whose two workers, Justin Wynn and Gary DeMercurio, were arrested, wants to see all charges dropped rather than simply reduced.

Wynn (29, per local reports) and DeMercurio (43) were conducting a penetration test at the courthouse shortly after midnight on September 11.

The pair were initially charged with burglary and possession of burglary tools – charges that were later reduced to criminal trespassing.

“Our employees were doing the job that Coalfire was hired to do for the Iowa State Judicial Branch,” Coalfire said after the mid-September arrests.

However, Dallas County Iowa Sheriff Chad Leonard maintains that he acted properly in arresting the two infosec workers who “went outside the scope of their contract”.

The state of Iowa had hired Coalfire to test courthouse security. A key aspect of the case is whether the state judicial system had the right to authorize a physical pen test for a building owned and operated by the county.

“Our courthouses belong to the county, not to the state,” Leonard told The Daily Swig, adding that there was confusion and miscommunication between the company [Coalfire] and the state about what was permissible.

Licensed to hack?

According to Coalfire, Wynn and DeMercurio were testing the physical security of the Dallas County Courthouse and associated buildings at the time they were arrested by a local sheriff.

Earlier on the fateful day, the two security workers had gained access to the judicial buildings through an open door. The team locked the door and “intentionally tripped the alarm in order to test the security response”.

The pair, who had stayed in the courthouse to meet county law enforcement responding to the alarm, were arrested when the sheriff arrived, despite having presented a letter authorizing their work from the Iowa State Judicial Branch. According to Coalfire, a Judicial Branch employee also provided verbal verification of the approved job.

Leonard told The Daily Swig that the duo presented a 28-page contract as if it was a “get out of jail free” card. But what they had done “went way outside the scope of the contract”.

For one thing, the test was supposed to take place in normal operational hours but took place after midnight.

Secondly, the two infosec pros had picked the locks of four courthouse doors and videotaped the contents on a judge’s desk, according to Leonard.

Leonard – who said he’d received hate mail and abuse from sections of the infosec community – explained he had no desire to lock people up for doing their jobs, but the two Coalfire employees had “taken it too far”.

“They went way outside scope of a boilerplate contract,” he concluded.

‘Pawns in the dispute’

In its statement, Coalfire said the incident was the first it had experienced where an authorization letter has not resulted in the immediate release of their employees. It had also portrayed the arrests as arising from a political dispute between the state (which hired them) and the county over the physical security of the court building.

“Mr Wynn and Mr DeMercurio were acting as professionals carrying out their state-authorized obligations focused on improving the security of the Judicial Branch,” Coalfire said.

“It is unacceptable that they are now pawns in the dispute between the state and the county related to governance of the court buildings. Our concern is that common sense is not prevailing in this case. The fact that this case is still ongoing is a failure of the criminal justice system in Iowa.”

Coalfire warned that the incident could set a dangerous precedent for infosec professionals who face a heightened risk of being treated like criminals simply for doing their jobs.

In a statement published late last month, Coalfire’s chief executive, Tom McAndrew, said that the firm will “continue to support and aggressively pursue all avenues to ensure that all charges are dropped and their criminal records are purged of any wrongdoing”.

“Our employees were simply doing the job that Coalfire was hired to do for the Iowa State Judicial Branch, a job similar in nature to one we did three years ago for the Iowa State Judicial Branch and have done hundreds of times around the world for similar clients,” McAndrew said.

“Our work included the testing of the physical security of county courthouses and judicial buildings. The specific locations were given to us by our client, documented in our statement of work, and confirmed multiple times, through email and phone conversations,” he added.

Dangerous precedent

The case has caught the attention of many in the pen testing community, not least because of its possible implications for people doing software security testing or taking part in bug bounty programs.

Katie Moussouris, chief executive of LutaSecurity and an expert in setting up bug bounty programs, commented on Twitter: “The term ‘legal safe harbor’ bandied about by bug bounty platforms is anything but safe for freelance hackers who are just trying to follow the rules [and] get paid.

“Good for the pen testers at @coalfire that they are being cared for by their company’s legal team w[ith] full CEO backing,” she added.

The issue is of significance beyond the US.

For example, the UK’s Computer Misuse Act 1990 is seen by industry critics as dangerously broad, giving rise to concerns that some aspects of security research that are legal elsewhere in the world might be unlawful in the UK.

Locally-based firms including NCC Group, Context Information Security, and others are lobbying to help clear up this uncertainty by reforming UK computer crime law, as covered by a recent episode of SwigCast.
