31
Jan 20

Iowa Prosecutors Drop Charges Against Men Hired to Test Their Security

On Sept. 11, 2019, two security experts at a company that had been hired by the state of Iowa to test the physical and network security of its judicial system were arrested while probing the security of an Iowa county courthouse, jailed in orange jumpsuits, charged with burglary, and held on $100,000 bail. On Thursday Jan. 30, prosecutors in Iowa announced they had dropped the criminal charges. The news came while KrebsOnSecurity was conducting a video interview with the two accused (featured below).

The courthouse in Dallas County, Iowa. Image: Wikipedia.

Gary DeMercurio, 43 of Seattle, and Justin Wynn, 29 of Naples, Fla., are both professional penetration testers employed by Coalfire Labs, a security firm based in Westminster, Colo. Iowa’s State Court Administration had hired the company to test the security of its judicial buildings.

Under the terms of their contract (PDF), DeMercurio and Wynn were permitted to impersonate staff and contractors, provide false pretenses to gain physical access to facilities, “tailgate” employees into buildings, and access restricted areas of those facilities. The contract said the men could not attempt to subvert alarm systems, force-open doors, or access areas that require protective equipment.

When the duo’s early-morning Sept. 11 test of the security at the courthouse in Dallas County, Iowa set off an audible security alarm, they followed procedure and waited on-site for the police. DeMercurio and Wynn said when the county’s sheriff deputies arrived on the scene just a few minutes later, they told the officers who they were and why they were there, and that they’d obtained entry to the premises via an unlocked door.

“They said they found a courthouse door unlocked, so they closed it from the outside and let it lock,” Dan Goodin of Ars Technica wrote of the ordeal in November. “Then they slipped a plastic cutting board through a crack in the door and manipulated its locking mechanism. (Pentesters frequently use makeshift or self-created tools in their craft to flip latches, trigger motion-detected mechanisms, and test other security systems.) The deputies seemed impressed.”

To assuage concerns they might be burglars, DeMercurio and Wynn produced an authorization letter detailing the job they’d been hired to do and listing the names and mobile phone numbers of Iowa state employees who could verify their story.

After contacting some of the court officials listed in the letter, the deputies seemed satisfied that the men weren’t thieves. That is, until Dallas County Sheriff Chad Leonard showed up.

“The pentesters had already said they used a tool to open the front door,” Goodin recounted. “Leonard took that to mean the men had violated the restriction against forcing doors open. Leonard also said the men attempted to turn off the alarm—something Coalfire officials vehemently deny. In Leonard’s mind that was a second violation. Another reason for doubt: one of the people listed as a contact on the get-out-of-jail-free letter didn’t answer the deputies’ calls, while another said he didn’t believe the men had permission to conduct physical intrusions.”

DeMercurio and Wynn were arrested, jailed, and held for nearly 24 hours before being released on a $100,000 bail. Initially they were charged with felony third-degree burglary and possessing burglary tools, although those charges were later downgraded to misdemeanor trespass.

What initially seemed to Coalfire as a momentary lapse of judgment by Iowa authorities quickly morphed into the surreal when state lawmakers held hearings questioning why and how someone in the state’s employ could have so recklessly endangered the safety and security of its citizens.

DeMercurio and Wynn, minus the orange jumpsuits.

Judicial Branch officials in Dallas County said in response to this grilling that they didn’t expect Coalfire’s physical penetration testing to be conducted outside of business hours. State Sen. Amy Sinclair was quoted as telling her colleagues that “the hiring of an outside company to break into the courthouses in September created ‘significant danger, not only to the contractors, but to local law enforcement, and members of the public.'”

“Essentially a branch of government has contracted with a company to commit crimes, and that’s very troubling,” lamented Iowa state Sen. Zach Whiting. “I want to find out who needs to be held accountable for this and how we can do that.”

Those strong words clashed with a joint statement released Thursday by Coalfire and Dallas County Attorney Charles Sinnard:

“Ultimately, the long-term interests of justice and protection of the public are not best served by continued prosecution of the trespass charges,” the statement reads. “Those interests are best served by all the parties working together to ensure that there is clear communication on the actions to be taken to secure the sensitive information maintained by the judicial branch, without endangering the life or property of the citizens of Iowa, law enforcement or the persons carrying out the testing.

Matthew Linholm, an attorney representing DeMercurio and Wynn in the case, said the justice system ceases to serve its crucial function and loses credibility when criminal accusations are used to advance personal or political agendas.

“Such a practice endangers the effective administration of justice and our confidence in the criminal justice system,” Linholm told The Des Moines Register, which broke the news of the dropped charges.

While the case against Coalfire’s employees has rallied many in the cybersecurity community around the accused, not everyone sees this dispute in black-and-white. Chris Nickerson, a digital intrusion specialist and founder of LARES Consulting, said in a Twitter post Thursday that “when a company puts us in harm’s way due to their poor planning, failed sales education, inadequate project management and deplorable contract management…We shouldn’t celebrate them. We should hold them accountable.”

Asked to elaborate, Nickerson referred to a recent podcast which touched on the arrests.

“The things that concern me about this situation are more of the pieces of safety that exist across how the industry instruments doing these types of engagements,” Nickerson said. “They seem very, very reasonable and obvious once they become obvious but until then they’re completely foreign to people.”

“It’s really on the owners of the organization to educate the customer of those potential pitfalls,” Nickerson continued. “Because there isn’t a good standard. We haven’t all gotten together and institutionalized the knowledge that we have in our heads and dump it down to paper so that someone who is new to the field being tasked with this can go through and say, ‘Hey, did you ask them if the city versus the state versus the building owner and the real estate people…are all of these people in lock step?'”

Coalfire CEO Tom McAndrew seemed to address this point in our interview Thursday, saying there were two unique aspects of this particular engagement. First, although the client in this case said they did not want Coalfire to make local law enforcement aware of the ongoing engagement prior to testing the physical security of the site, it was clear after the fact that state officials never did that on their own.

More importantly, McAndrew said, there was ambiguity around who actually owned the buildings that they were hired to test.

“If you’re doing a test for the state and you walk into the building and it’s the courthouse and you’re doing a test for the court system, you’d think that they would have jurisdiction or own it, and that turned out not to be the case in this scenario because there’s some things the state owns and some things the county owns, and that was something we weren’t aware of as we did some of this work,” he said. “We didn’t understand the nuances.”

Asked what Coalfire has learned from this ordeal, McAndrew said his company is likely to insist that local, state and even federal law enforcement be informed in advance of any penetration tests, at least as far as those engagements relate to public entities.

“When we look at the contracts and we look at who’s authorized to do what…typically, if a [chief security officer] says test these IP addresses, we would say okay that’s enough,” he said. “But we’re questioning from a legal perspective at what point does that need to have legal counsel review.”

McAndrew said it’s probably time for experts from various corners of the pen testing community to collaborate in documenting best practices that might help others avoid a repeat of the scenario in Dallas County.

“There’s no standard in the industry,” he said. “When it comes to these sorts of issues in red teaming — the legal challenges and the contracts — there’s really nothing out there. There are some things that can’t be undone. There’s the mugshots that are out there forever, but even as we get the charges dropped, these are permanently going to be in the federal database. This is a permanent thing that will reside with them and there’s no legal way we’re aware of to get these charges removed from the federal database.”

McAndrew said while he remains frustrated that it took so long to resolve this dispute, he doesn’t believe anyone involved acted with malicious intent.

“I don’t think there were any bad people,” he said. “Everyone was trying to do the right things — from law enforcement to the sheriff to the judges to the county — they all had the right intentions. But they didn’t necessarily all have the right information, and possibly people made decisions at levels they weren’t really authorized to do. Normally that’s not really our call, but I think people need to be thinking about that.”

Tags: , , , , , , , , , , , ,

73 comments

  1. Simple typo:
    “there’s no legal way we’re aware of to get these charges removed form the federal database”

    Should be “FROM”

    Very interesting article.

  2. Wonder why they say the mug shots are out there forever. The companies that put up those mugshots, I thought, were supposed to take them down if proper procedures and documentation is provided. In the last few years several of the owners of these mug shot websites who failed to take down the photos, and tried to extort money for doing so, have been criminally prosecuted. So what am I missing?

    • DelilahTheSober

      My understanding is that arrest records are basically permanent. Especially when you are charged, even if those charges are later dismissed for any reason, the record of arrest still remains active somewhere in the e-world.

      My boyfriend has a serious criminal history and when I did my own internet searching (I have a legal background as a paralegal) to make sure he wasn’t keeping any secrets from me, I was able to find arrest records going back 25 years online. These weren’t super easy to find, but the information was stored in publicly available government-owned databases that can be accessed for free online by anyone who knows where to look for them.

      My understanding (this has happened to a few friends of mine) is also that later on in life, when you apply for any job that requires a high level security clearance, things like prior arrests (even when you aren’t actually charged with a crime) can show up in these background searches.

      Lastly, just as an example, if I type in my boyfriend’s first, middle and last name and do a Google search, the first listing shown is for extreme details regarding a case in which he was convicted and then he filed an unsuccessful criminal appeal, and nothing about the case was newsworthy or particularly significant – but the listing is for a criminal court database that can be accessed for free by anyone online without registering or giving any kind of documentation.

      • Could you give an example or link to some of these these publicly available databases?

      • “My boyfriend has a serious criminal history and when I did my own internet searching (I have a legal background as a paralegal) to make sure he wasn’t keeping any secrets from me . . . ”

        And I sincerely hope that once your boyfriend found out about your distrust in him that he immediately became your “ex-boyfriend” and got the hell away from you as fast as he could. Nobody needs to be exposed to that kind of paranoia and distrust from another person.

        • You say “paranoia and distrust”. I say due diligence. With the number of women abused by their partners, I think she was smart to investigate who she was sharing her life with. Based on her findings, she was obviously right.

          If a potential employer ran a background check on you, would you “get the hell away from them as fast as you could”?

          • “You say “paranoia and distrust”. I say due diligence. With the number of women abused by their partners, I think she was smart to investigate who she was sharing her life with. Based on her findings, she was obviously right.”

            Yes, paranoia and distrust. A wonderful pair of attributes to base a relationship on. I stick by what I said. Hopefully the “boyfriend” got out of the unhealthy relationship with this woman before it got worse. And it would have.

            “If a potential employer ran a background check on you, would you “get the hell away from them as fast as you could”?”

            No, I wouldn’t for the simple reason that a “potential employer” would inform me that they would be doing a background check to see if there was anything in my past that would make me unemployable. I highly doubt they’d sneak onto the internet and do it behind my back like DelilahTheSober did with her “boyfriend”.

            • Seriously? Before she got worse in what way? Asking her significant other whether there’s anything he should tell her before she gets a job with security clearance? Asking him if there’s any substance to his rape and murder of his first wife?
              Yes, she was sensible to find out, and they likely had a discussion about it.
              But if he’s got prior for extreme violence, for example, then the first time he’s hit her would be far more significant and far harder for him to talk his way out of, vs if she didn’t know he had prior.
              You must have some very odd ideas about repeat offenders.

      • I do not understand why arrest records should be public ?
        So anybody who is arrested in error will be marked for life ?

        Another situation where the US legal system completely fails.

        The other big failure is that justice is 2nd to everything. In civilized countries, evidence is evidence no matter how obtained. Justice trumps any procedural mistakes any time.

        • The value of arrest records existing is that the US government can’t hide its mistakes. Based on those records, people can seek compensation for their suffering.

          It’s much better than a system in which everything is secret, including court proceedings and sentences. The public has a right to know what evil the government does in our name.

          Anyone who misuses public records to discriminate in employment or romance should be chastised. But the system is good for preventing government abuses.

          • Kenny Blankenship

            I don’t know if I agree with that. Background checks serve a purpose if they’re used properly and not abused. If you ran a daycare for children aged 5 – 15, would you hire someone who was a convicted sex offender? If you did, how many parents would let their children go to your daycare?

        • Wait, I don’t know if I agree with you on that either. I do agree if your case is dismissed, or expunged then so should your any indication of your arrest. However, making arrests and convictions public have proven to be a value tool in background checks for repeat offenders. Does there need to be a system reform, probably. Hiding, an arrest record just doesn’t sit well.

  3. Nicholson is very knowledgeable but not with the parties involved, hence his comments. Below, SANS Newsbite editorial comment by Skoudis from September.

    Skoudis wrote, “… given the high level of experience of the pen test company involved here, as well as the local players, I suspect that local politics may be involved in this particular situation.”
    https://www.sans.org/newsletters/newsbites/xxi/73

  4. There’s no doubt they were clueless. Look at the median age of those senate critters. It’s over 70. There must be some term limits so that we don’t have a geriatric circus there like we have now.

    • The problem is not the age of the government officials but the fact it is government, PERIOD.
      Coming from someone like yourself living in your mama’s basement your comment is not unexpected. Thankfully geniuses like you are not in charge.

      • Mr. Morningstar

        A genius like you should have a solution to this ‘government problem’. Let me guess: less government. There are places with less government. None you want to live in.

        • Not less government, well run efficient government. Government is necessary, but by its very nature it becomes unmanageable to the point that the left hand does not know what the right hand is doing. (See what I did there) There should be a mandatory review to keep things functioning efficiently, to prevent duplication of services, waste and fraud but they don’t do it because government wants to protect itself from cutbacks. This is one of the reasons they strive to use every penny in their budget every year lest they be given less the next year. It’s not a business and does not care about profit or efficiency because after all, it’s “only tax money”.

      • “Coming from someone like yourself living in your mama’s basement …” Why the gratuitous personal attack?

        • Because it’s the only way he knows how to have a disagreement with someone.

          I blame Facebook.

        • Maybe it was uncalled for but when someone smugly attacks people based on age alone it seems justified. The younger generation is known for this attitude. Because no one else suggested his comment was inappropriate I decided to step in and call him out. Being older does not make you incompetent.

  5. …we used to call it a “get out of jail feed card” (apologies to the makers of Monopoly)

    …technically knowledgeable is not the same as politically knowledgeable is what Skoudis means…

  6. The Sunshine State

    You should have tagged “Kevin Mitnick”, because his the foremost expert in social engineering and getting into buildings without being noticed.

  7. Sat Tara Khalsa

    The State Police of Iowa can, and should, remove and expunge the arrest records via court order. The place where the mugshots are held is the FBI database. The FBI can be contacted and, given a legal expungement request from the issuing authority, remove the record from their database. (and replace it with the picture of the idiot grandstanding sheriff and imbecile state legislators. ) (only the last part is made up)

    Coalfire can call the FBI database division (sorry, I don’t have the number handy), and they will provide all the steps necessary to complete the removal.

    • Could not agree more. My mind was blown by that senators ignorance and misunderstanding.

      • “Could not agree more. My mind was blown by that senators ignorance and misunderstanding.”

        Why? Why would anyone’s mind be blown by the general incompetence of politicians and government employees? Honestly, I’m more amazed that people keep voting for bigger and bigger government, even there is no one who hasn’t experienced on multiple occasions, the total ineptitude of every facet of government and its freeloaders, politicians.

    • Won’t happen. The FBI and local LEO’s can expunge the records, but the biometrics (face, fingerprints etc) will stay in the databases forever “just in case.”

  8. Once the client advised them they “did not want Coalfire to make local law enforcement aware of the ongoing engagement prior to testing”, Coalfire should have said NO. The outcome could have been far worse than a false arrest.

  9. I bet no one’s going to be pentesting the Iowa State Courts again which means it’s wide open for cybercriminals.

  10. Odd comments from the Coalfire CEO near the end of the video about a “disservice” because the company wasn’t charged and the individuals didn’t get charged as employees.

    A company can’t be charged with burglary, and being an employee makes zero difference to being charged as an individual.

    The CEO could have been charged with conspiracy (presuming prior knowledge of the security test), but again only as an individual. Companies don’t get criminal records, people do.

  11. The original narrative on this was that the contract explicitly forbade them from testing during non-business hours. Is that true? If so, wondering if these guys had too much to drink during the day.

    If not true, still seems sketchy to do physical penetration testing, after hours, with explicit knowledge that local law enforcement was not notified or aware.

    Seems like a breakdown of common sense for pretty much everyone involved.

    • That would depend on what you’re testing for really. After-hours security is generally different than business hours-security.
      Locked doors are different.
      Alarm settings are different.
      Response times are different.
      And so on.

  12. Looks like they didn’t want to do anything but go through the motions.

    Limiting testing to business hours only is ridiculous, as anyone who wanted to do harm would certainly try to gain access or alter records when there are fewer people there.

    The grandstanding Sheriff and grandstanding senator are as much the problem as anything. Both should be involuntarily retired.

  13. Good article. Like your follow-up.
    Interesting comments. Agreed with the one that says Iowa State is now open to physical theft/ intrusion to their data. Easiest way to make a copy is to be next to a machine. And they found an open door. That’s just as bad as leaving your database unencrypted. Basically an open door.
    And remember citizens United, corps are ” people”, supposedly they can be arrested. Never seen it, but, if they do wrong, they can be stopped. But, will the tea party Russian alliance permit it?

  14. This seems like basic human psychology/game theory at play. The pentesters found an egregious flaw (unlocked door). This would be a major embarrassment for the enforcement cement agency in charge of protecting the building, which would be the same county Sheriff office that were the first responders. This now becomes a play on how well you can take criticism and/or reputational/monetary blowback. The lead County official may have seen the writing on the wall, the report would contain embarrassing detail (unlocked door) and in turn had to try to find holes in the contract, every bit would help delegitimize their findings.

    This seems like an exercise in incentives alignment. The state did want to test the county enforcement agency tasked with protecting the courthouse, but via an independent entity. Maybe if the pentesters had not disclosed all the information (unlocked door) to the agency they were tasked to test, they may have not got this amount of adversity.

  15. It’s a good thing the County Sheriff isn’t trigger-happy…

    • Brian Fiori (AKA The Dean)

      The two pentetsers are also lucky they aren’t black. Maybe local law enforcement wouldn’t have acted with any restraint.

  16. only in a retarded country la USA something like this can happen and 100k paid to be free. It was obvious just a misunderstanding of the contract and those guy didin’t had any criminal intent , this could have been easily solved friendly between the contract parties

  17. 1. There’s no point in pen-testing if you tell the target how and when they will be tested. 2. The fact that the pen-testers got caught implies two things : (a) the testers were incompetent and/or (b) at least some of the target’s defenses are working.

    • Kenny Blankenship

      — “There’s no point in pen-testing if you tell the target how and when they will be tested.” —

      That is completely false. The target is very involved in the planning. They don’t call a company, request a pentest, and then just wait to get a report. There is a lot of planning that goes into it – to which the target company is heavily involved. What is the scope? What is the timeline? What areas are excluded from testing? Will this include Social Engineering? Is it going to be a physical pentest? Web application pentest? The target company has to know or at least define how, when, and what will be tested.

      • True to a point. If you are going to pentest and you tell everyone it is happening, they will be watching for the attack, so you don’t actually get a real test of security.

        Some people of course should know, but that information would not be disseminated beyond the upper levels of management/leadership, else it is not a valid test.

        • That’s not what was being discussed. That should go without saying. “Hey, Incident Response team, we’re planning on sending a phishing email on Friday, we want to test how you respond”. Of course you’re not going to do that. What was being discussed was the target company’s involvement – which also should go without saying. They most definitely will be involved during the planning.

    • The pen-testers intentionally tripped the alarm system and waited for first responders to arrive on the scene, where they then explained the situation and gave a step-by-step rundown of their tactics. The only incompetence comes from the sheriff who failed to understand the scope of the project and from the senator who failed to effectively communicate with the security company and local government.

    • Kenny that is False! one of the preliminary requirements of pen testing is defining a scope; which can include time, system to be tested and what not to test. etc

    • False, Drone!!! One of the preliminary stages of pen-testing is to determine the scope; which may include time, systems to test and systems not to test etc .

  18. Crispin Delaware

    ““If you’re doing a test for the state and you walk into the building and it’s the courthouse and you’re doing a test for the court system, you’d think that they would have jurisdiction or own it, and that turned out not to be the case in this scenario because there’s some things the state owns and some things the county owns, and that was something we weren’t aware of as we did some of this work,” he said. “We didn’t understand the nuances.””

    Sounds like these guys didn’t do their due diligence and find out who exactly is the owner of the building. But that wouldn’t be hard to figure out It’s listed right in the contract as the “Dallas County Courthouse” and the “Polk County Courthouse” which would imply to me that those aren’t state facilities but county facilities and I would be asking the contacting party if the counties in question had been informed of the impending pen tests. Especially since the tests included breaking and entering into the buildings.

  19. This is ridiculous. Clearly Coalfire had little if any process associated with their engagement. Reading this it is clear that you could contract with them to penetration test your neighbor’s house and, by the way,
    please don’t “make local law enforcement aware of the ongoing engagement prior to testing the physical security of the site”.

  20. Maybe in the future, governments at all levels who contract for physical pentesting can deputize (after suitable background checks) the testers, so if they are caught red-handed breaking into the server room some dark night, they can present their credentials, and the security guards can call someone listed on them and confirm the testers’ presence a part of official business.

    But nah, that would be too sensible.

  21. So a bunch of corncobs from Iowa hired a pen-test firm, and then got mad when they did their jobs. Makes me embarrassed to be from the mid US.

  22. I like the video method of reporting Brian – VERY INTERESTING!!

  23. One question, the only reason to not have the County Sheriff in the loop is if there is some level of concern as to his ability to maintain confidence in such an exercise. IF, and I do mean IF, that is at issue then they have greater issues in Dallas County to addesss.

  24. One question, the only reason to not have the County Sheriff in the loop is if there is some level of concern as to his ability to maintain confidence in such an exercise. IF, and I do mean IF, that is at issue then they have greater issues in Dallas County to address.

  25. This was a turf war between the sheriff and the office of state courts. The two contractors got caught in the middle.

    Scott, he wasn’t told because as far as the state office is concerned, he doesn’t need to be. That simple.

    Inexcusable that it took this long to clear up.

  26. I think what the public doesn’t understand how much the local governments rely on state funding. Had a buddy work at a local government and his stories shocked me in terms of how much internal politics were going on just in getting an appropriate budget. In his case, the IT department was one of eight departments that were in constant battle with other departments just to get enough budget to run a department. This may create some tension because the state may have decided to under fund them in something.

  27. The situation looks ambiguous to me. What were the consultants supposed to do? Announce to all the county that they would be conducting a security audit, so please refrain from online gambling and watching porn videos while the audit is in progress?
    In fact, I have to wonder if those who screamed the loudest had the most to hide.

  28. The governmental judgement problems in Iowa stem from a common psychotropic toxin in corn leaking into the intestinal track when ingested in whole-ear into the lower digestive system, skipping the upper digestive system. Common side effects include diminished reasoning, delusions of grandeur and a distinct limp, aka “the Iowa shuffle,” caused by flaring of the legs to accommodate one or more ears of corn.

  29. ” McAndrew said it’s probably time for experts from various corners of the pen testing community to collaborate in documenting best practices that might help others avoid a repeat of the scenario in Dallas County.”

    -Totally agree with this comment, quite often security companies are competitors with one another, but is it time for security companies to unite to come up with some real standards instead of the fragmented state we’re in?

    That being said, this comes down to ensuring that the rules of engagement are clear and have been communicated properly (in this case that didn’t happen). What is also interesting about this scenario was that the building was under state and county control which complicates things even more. Many pentests I’ve seen typically are just with a single organization testing their own environment without mixing in another party.

  30. As far as i know in some country like Germany after 5 years all your record will be cleared. So you dont have to worry anymore for finding a new job or sth like that. Dont know how this works in other european countries. Does anybody has any idea? Im doing a project and have to collect some info about this topic.
    Thanks for the help

Leave a comment