Why Two Pentesters In Iowa Are Facing A Criminal Investigation and Trespassing Charges

Ars Technica’s security editor re-visits the story of two security penetration testers from Coalfire who were arrested one midnight in the county courthouse in Adel, Iowa (population 3,682): “They were crouched down like turkeys peeking over the balcony,” Dallas County Sheriff Chad Leonard said in an interview. “Here we are at 12:30 in the morning confronted with this issue — on September 11, no less. We have two unknown people in our courthouse — in a government building — carrying backpacks that remind me and several other deputies of maybe the pressure cooker bombs.” After more deputies arrived, Justin Wynn, 29 of Naples, Florida, and Gary De Mercurio, 43 of Seattle, slowly proceeded down the stairs with hands raised. They then presented the deputies with a letter that explained the intruders weren’t criminals but rather penetration testers who had been hired by Iowa’s State Court Administration to test the security of its court information system. After calling one or more of the state court officials listed in the letter, the deputies were satisfied the men were authorized to be in the building…

When Leonard arrived on the scene, the mood quickly changed. Leonard read the letter and sized the men up. It said the men were authorized to perform “physical social engineering to attempt to gain access” to courthouse systems… The letter also listed tasks that should not be performed, including alarm subversion, force-opening doors, and accessing environments that require personal protective equipment. The pentesters had already said they used a tool to open the front door. Leonard took that to mean the men had violated the restriction against forcing doors open. Leonard also said the men attempted to turn off the alarm — something Coalfire officials vehemently deny. In Leonard’s mind that was a second violation. Another reason for doubt: one of the people listed as a contact on the get-out-of-jail-free letter didn’t answer the deputies’ calls, while another said he didn’t believe the men had permission to conduct physical intrusions. The sheriff also said he and his deputies smelled alcohol on the breath of one of the men. (Leonard, who didn’t identify which Coalfire employee it was, said a test later showed the pentester had a blood alcohol content of 0.05, the equivalent of one or two drinks. It is below the 0.08 threshold for an operating while intoxicated conviction.) Leonard promptly had the men arrested on felony third-degree burglary charges…

The charges have since been reduced to misdemeanor trespassing charges. Trial is scheduled for April. Meanwhile, the sheriff’s department in nearby Polk County is conducting a criminal investigation into a September 10 break-in on its courthouse under the same arrangement with the State Judicial Administration…. The get-out-of-jail-free letter “said you won’t manipulate doors,” Leonard said. “Well, they picked four doors. It said they won’t manipulate the alarm system. They went right up to the alarm and tried to shut it off. The biggest issue is they were only supposed to work from 6AM to 6PM. They came out in the middle of the night and broke in.” Equally important, Leonard said, is what he believed to be the overstepping of Iowa officials who retained Coalfire. When the sheriff confronted the men that night, he said: “The State of Iowa has no authority to allow you to break into a county building. You’re going to jail.”