UPDATE on 1/31/20: This case has been resolved. See our follow-up here: Coalfire Pentesters 'Exonerated,' Charges Dismissed
The pentesters who were arrested after breaking into an Iowa courthouse may soon have criminal records because local officials are refusing to drop charges.
And their boss, Coalfire CEO Tom McAndrew, is going off about the case and criticizing the local sheriff.
Pentesters charged with crimes
New developments in the case are what led the CEO to express his frustration:
"The ongoing situation in Iowa is completely ridiculous.... After the Iowa Supreme Court Chief Justice apologized and admitted mistakes were made, I was expecting all charges to be dropped."
Instead, charges were simply reduced from burglary felonies to criminal trespass misdemeanors. And that made the CEO extremely upset:
"I do not consider this a 'win' for our employees, and Coalfire will continue to support and aggressively pursue all avenues to ensure that all charges are dropped and their criminal records are purged of any wrongdoing.
As seen in the statement of work that was made public online, our employees were simply doing the job that Coalfire was hired to do for the Iowa State Judicial Branch, a job similar in nature to one we did three years ago for the Iowa State Judicial Branch and have done hundreds of times around the world for similar clients."
Background: Our previous story on the arrest of pentesters Justin Wynn and Gary DeMercurio touched a nerve among cybersecurity professionals.
Coalfire CEO explains how pentesters arrest played out
In his statement, Coalfire CEO McAndrew takes us back to the nights of September 10 and 11 when his pentesters were doing their thing.
"Our work included the testing of the physical security of county courthouses and judicial buildings. The specific locations were given to us by our client, documented in our statement of work, and confirmed multiple times, through email and phone conversations.
After gaining access to the Judicial Branch Building, our employees were in communications with our client at the state level to let them know of their successful entry. They even left a business card on the desk of an employee. The following morning a state employee acknowledged the entry stating, 'I guess I owe you a congratulations.'
The day after the successful entry into the Judicial Branch Building, the employees walked up to the main entrance of Dallas County Courthouse around midnight. Our employees could have simply walked in through the front door since it was open—however, they chose to close and lock the door, so they could provide the state of Iowa with insights on ways that potential criminals could gain access.
Our employees, being of the highest caliber and committed to delivering the best results on the project, chose to give the county the benefit of the doubt and test the courthouse as if they had found it in a secure state, which it was not.
After gaining access through the locked door, our team intentionally tripped the alarm in order to test the security response, which was an objective of the project. After setting off the alarm in the Dallas courthouse, Mr. Wynn and Mr. DeMercurio stayed at the courthouse to meet County law enforcement responding to the alarm.
When the initial law enforcement arrived, there were no issues as the team explained what they were doing and presented our engagement letter along with identification. As the team waited for a deputy to verify their credentials, they then showed the remaining officers how entry was made along with some of the tools and tactics that could have been used, much to the deputies' delight, which I believe would be evident if video of the response was made publicly available.
The team was ready to leave after one of the deputies returned the authorization letter to them and stated: 'You guys should be all good to go.'"
And this is where McAndrew's post starts to get personal and critical:
"It was at that point that the local sheriff, Chad Leonard, arrived at the Dallas Courthouse. Despite the authorization letter, his deputies onsite already having verified our team, and State employees urging their release, the local sheriff proceeded to arrest Mr. Wynn and Mr. DeMercurio.
Failing to de-escalate the issue and bring in State/County politics, Sheriff Leonard communicated in an email 'that this building belonged to the taxpayers of Dallas County and the State had no authority to authorize a break-in.' Leonard also added that a state employee asked him not to tell other sheriffs about the incident to ensure the operation continued at other locations, but that he was going to tell every sheriff.
I don't know why he reacted the way he did. I've never met or spoken to Sheriff Leonard. Perhaps he didn't like being tested without his knowledge or that our team found major security concerns at the facilities he was protecting.
Sheriff Leonard failed to exercise common sense and good judgement and turned this engagement into a political battle between the State and the County. I was stunned that the next morning the issues were not resolved and were actually amplified when bail was set at $100,000. My priority has always been for the safety of our employees, and we immediately engaged legal support and posted a $100,000 bond to get our team out of jail and get them home."
And that is how McAndrew sees it now: that his employees are caught in a battle between state officials who ordered the pentest and local officials who are upset they knew nothing about it.
Iowa Judicial Branch investigation into pentesting case
The Iowa Judicial Branch, known as the State Court Administration (SCA), hired a legal firm to investigate this pentester case and recently released its report. Among the findings:
- The State Court's IT Director, IT Manager, and Information Security Officer were all involved in developing the scope of the agreement.
- They had proposals from three vendors: Coalfire, Protiviti, and ConvergeOne/GreyCastle.
- All three proposals mentioned various forms of physical pentesting. After Coalfire was selected, the scope was reported at a state meeting:
"...[at] the Judicial Technology Committee meeting and the minutes of that meeting reflect a report on 'Intrusion Testing': Red Team Testing: IT has engaged the services of Coalfire to perform a Red Team Test on our facilities. The testing will include tests with physical intrusion, social engineering and network vulnerabilities. Coalfire will not take advantage of any weaknesses, but rather point out areas of improvement. We have previously used Coalfire for a Red Team Test, which will give us a good opportunity to see areas we have improved upon since the last test."
Confusion around pentest terminology
The law firm doing the investigation for the state uncovered confusion:
"In this matter, FaegreBD found that non-technical professionals did not know about the full spectrum of tools and techniques that might be used by a Red Team. FaegreBD found that the highly technical professionals involved in planning the 2019 assessment understood that Red Teaming could involve aggressive techniques such as 'lock-picking' a building, by-passing alarm systems, and entering a guarded building at night."
And beyond this lack of understanding, investigators found a failure to anticipate this type of situation:
"Perhaps the greatest shortcoming we found was a failure to take into account the potential impact of the assessment on third parties, specifically the counties."
In other words, the state approved the pentesting and the counties didn't know about it, so now the pentesters are going to pay for it.
The investigation says it found "no deception or ill-intent" of any kind in this case.
Pentester criminal charges unprecedented
If these things are true—that there was no deception or ill-intent—why are the pentesters still being charged?
Coalfire's CEO says as far as he knows, this case is unprecedented. And it is dangerous.
"This is the first time that the authorization letter and verbal calls from our client have not resulted in the immediate release of our employees. Frankly this matter is unprecedented within the tight-knit security industry and to our knowledge, no physical security professional has been arrested and officially charged while executing a contract.
The fact that this case is still ongoing is a failure of the criminal justice system in Iowa. I am also concerned that the close working relationship between the Sheriff, District Attorney, judges, and local politics involved may have potential conflicts of interest and impede a fair trial.
If what is happening in Iowa begins to happen elsewhere, who will keep those who are supposed to protect citizens honest? This is setting a horrible precedent for the millions of information security professionals who are now wondering if they too may find themselves in jail as criminals simply for doing their job."
Finally, after the play by play of the night in question and the criticism of the local sheriff, Coalfire's CEO finishes his post by making a personal plea for what he believes is right.
"I am a Navy veteran of 20 years who continues to serve in the Navy Reserves because I believe in our great country. Unfortunately, today I'm embarrassed by the way our employees have been vilified, one of which is a former Marine Corps officer, for doing the job they were paid to do. I'm ashamed that no one has had the courage to step up and do what is right. People appear to be more concerned about their own jobs or the political repercussions.
Drop the charges, purge their records. These men are unsung heroes, not criminals."
So what do you think? Could this case have a chilling effect on pentesters, red teams, or cybersecurity professionals in other roles? And based on what we know, should the pentesters still be facing charges?
Please share your view below.