Iowa officials claim confusion over scope led to arrest of pen-testers

The Dallas County, Iowa, courthouse, the site of a penetration test gone wrong.
Enlarge / The Dallas County, Iowa, courthouse, the site of a penetration test gone wrong.

In a post to the Iowa Judicial Branch website today, a spokesperson for the state’s court administration released redacted images of the documents associated with the security tests that landed two penetration testers in jail earlier this month. The “rules of engagement” document for the contract shows that the state court administration did request a physical security assessment from the security firm Coalfire. State officials say that Coalfire’s employees interpreted the documents differently than they had. But it would appear that the real problem behind the arrest of Coalfire’s team is a turf war between state and county officials—and whether the state judicial administrators had cleared the security tests with local authorities.

In the post, the Iowa Judicial Branch spokesperson wrote:

Coalfire and State Court Administration believed they were in agreement regarding the physical security assessments for the locations included in the scope of work…yet, recent events have shown that Coalfire and State Court Administration had different interpretations of the scope of the agreement. Together, Coalfire and State Court Administration continue to navigate through this process.

State Court Administration has worked with Coalfire in the past to conduct security testing of its data and welcomed the opportunity to work with them again. Both organizations value the importance of protecting the safety and security of employees as well as the integrity of data.

State Court Administration apologizes to the sheriffs and boards of supervisors of Dallas County and Polk County for the confusion and impact these incidents have caused.

The document showed that the state authorized Coalfire’s team to “perform lock-picking activities to attempt to gain access to locked areas.” But the document also stated the testers should “talk your way into areas” and allowed for “limited physical bypass.”

The rules of engagement also dictated that the state authorities said they would not notify law enforcement of the penetration test.

A section of the "Rules of Engagement" document for Coalfire's engagement with the Iowa Judicial Branch.
Enlarge / A section of the “Rules of Engagement” document for Coalfire’s engagement with the Iowa Judicial Branch.

There are some areas where confusion may have arisen in the agreements signed to authorize the test. The “Social Engineering Authorization” signed by the Iowa Judicial Branch’s information security officer, chief information officer, and infrastructure manager stated that attempts to gain access to data:

…may include any of the following:

  • Impersonating staff, contractors, or other individuals
  • Providing false pretenses to gain physical access to facilities
  • “Tailgating” employees into facilities
  • Accessing restricted areas of facilities

Tasks that shall not be performed include:

  • Alarm subversion
  • Force-open doors
  • Accessing environments that require Personal Protective Equipment

At 12:30am on the morning of September 11, penetration testers Justin Wynn and Gary DeMercurio were caught with lock picks inside the Dallas County courthouse by Dallas County Sheriff’s Department officers. They presented documents showing they had authorization from the state; the officers contacted state officials on the document, who verified that the test was authorized. But they arrested Wynn and DeMercurio anyway and charged them with burglary.

Wynn and DeMercurio are free on bail and have waived an initial hearing. They still face charges, despite state officials’ apology to county officials.

https://arstechnica.com/?p=1571011