Last year in September, two pen testers, Justin Wynn and Gary DeMercurio, who work for the firm Coalfire, were arrested on felony charges while they were just doing their job. They had been appointed by the state on a contract basis to check the physical and technical security of the courthouse premises.
Pen testers, or penetration testers, are security professionals who are appointed to find security vulnerabilities by testing them in practice. Part of their job is to break into clients’ homes to check whether sensitive data or equipment can be accessed, as well as to break into their network systems to check for technical vulnerabilities.
When the pair was arrested, they had already conducted successful tests on two courthouse premises. They were carrying the required verification document that authorized their break-ins. During the testing at the Iowa courthouse, the pair’s attempt set off an alarm, which alerted the authorities, and the sheriff arrested them on charges of burglary.
The issue came up because the testers only recently went public with the story. The arrest clearly indicated miscommunication on the part of the authorities. The testers had shown their documents to the sheriff, but they were still arrested and even had to spend the night in jail.
Although they were state-appointed pen testers, the Iowa county had jurisdiction over the security matters. So the case went ahead, and they faced felony charges. The charges were later dropped in January 2020.
According to Wynn, as security professionals they have encountered the police several times in the course of their work, but they had never been arrested. He says that the type of work they do invites police suspicion, but once their documents are verified, everything else becomes pretty clear.
About the work, Wynn revealed that they had been working on the project one month prior. The project involved external and internal network penetration testing, wireless penetration testing, etc., for which they were required to break into the Iowa courthouse.
Wynn said that the case came down to a jurisdictional dispute. The Iowa county tried to assert its authority and claimed that the state had no right to run these types of security tests on the courthouses. He further says that they were unnecessarily dragged into the process. It was more or less between the state and the county, and they were just thrown under the bus.
About ethical hacking practices, DeMercurio said that when security professionals work within the given scope and do what they should be doing, that is, when they work in good faith, they shouldn’t be prosecuted. The matter got somewhat out of hand because of the politics involved between the state and the county, and the testers were just held as collateral.
According to Wynn, they got immense support from the industry. Their arrest was an unprecedented event that should not have happened. The infosec community came out in their support. Field experts around the country also opposed their prosecution by the county.