posted by janrinok on Tuesday September 17 2019, @08:41PM   Printer-friendly
from the check-the-scope dept.

Submitted via IRC for SoyCow3997

Two security contractors were arrested in Adel, Iowa on September 11 as they attempted to gain access to the Dallas County Courthouse. The two are employees of Coalfire—a "cybersecurity advisor" firm based in Westminster, Colorado that frequently does security assessments for federal agencies, state and local governments, and corporate clients. They claimed to be conducting a penetration test to determine how vulnerable county court records were and to measure law enforcement's response to a break-in.

Unfortunately, the Iowa state court officials who ordered the test never told county officials about it—and evidently no one anticipated that a physical break-in would be part of the test. For now, the penetration testers remain in jail. In a statement issued yesterday, state officials apologized to Dallas County, citing confusion over just what Coalfire was going to test:

"The scope is everything," Roseblatt explained. If the scope is only vaguely defined, "you could find yourself exposed to legal liability."

Coalfire's Justin Wynn and Gary Demercurio, who are still in jail [Update: They appear to have made bail on Thursday], have been charged with third-degree burglary and possession of burglary tools. Their bond has been set at $50,000, and they are scheduled to appear for a preliminary hearing on September 23—in the same courthouse they were caught breaking into.

Source: https://arstechnica.com/information-technology/2019/09/check-the-scope-pen-testers-nabbed-jailed-in-iowa-courthouse-break-in-attempt/


  • (Score: 2) by All Your Lawn Are Belong To Us (6553) on Tuesday September 17 2019, @10:44PM (#895387)

    Interesting questions. IANAL also.

    1) First of all, if the hiring agency (apparently the state) has the authority to test the local agency (the county's) security, there is no crime at all. Mens rea wouldn't enter into it. Although there might be a question as to what burglary tools they possessed and whether they were in fact authorized to be in possession of them. A licensed locksmith is expected to own a lockpick set. I'd imagine in some jurisdictions a private investigator might have cause. We used to have them when I worked in security in the truck. But under what color of authority were the pen testers authorized to possess them? (And yeah, free country and all. But possession of burglary tools without a compelling reason is often a crime. And yes, locksport would be a defense to have them in your home or in a car if you're traveling to a competition IMVVVHO). If they're in possession of contracts authorizing them to physically penetrate even then they can at least have a reason, if not then not. There might be some level of thinking that they were in fact authorized when they weren't but I don't think that quite gets to mens rea. I could be wrong. And I also wonder what kind of burglary tools they were.

    2) Entrapment is the enticement to break the law when the defendant would not otherwise have done so. Holding themselves out to be penetration experts (even white hat) is not a defense, any more than a prescriber who deals opioids on the side gets off the hook because they're a prescriber - if anything it should make them know better. This either isn't a crime because they had sufficient authorization to do so or it is one.

    3) I'm curious to know that myself. A little research says that Dallas County is within the statewide fifth district court jurisdiction. I could easily see someone at the state level hiring a firm to test security and then the security firm doing the physical work where the circuit court judges are - at the county courthouses. (But there may be other entities there as well like Federal or municipal courts who haven't authorized the work.)

    4) Very true.

    5) Physical penetrations are part of many testers' offered services. However, as noted by someone else who has done the work, it should have been very clearly defined in their scope of work that they would carry out physical penetrations and where those would be and a time range of when they would be. It should also have had an official listed as a contact person who knew of the penetration dates and times, and also preferably someone with enforcement as well (aka State Police or the equivalent) that could be called by the sheriffs or bailiffs - whoever is responsible for law enforcement in the court building itself - to verify the bona fides. That way they might not have seen any jail time at all. This sounds more like a firm that wanted to play cops and robbers and got surprised when the real cops took them seriously.

    --
    This sig for rent.