September 15, 2019

Men hired to test court security arrested for doing job too well

FG reiterates commitment to security, quality education

The United States law enforcement arrested two men who broke into Iowa’s Dallas County Courthouse this week, despite their insistence that they had been hired to do so by the state court administration.

Illustration for article titled Men Hired to Test Iowa Courthouse Security Arrested After They Did the Job Too Well

Photo: US Department of Agriculture (Flickr)

Early in the morning of Wednesday, September 11, deputies responding to an alarm found the two men with several burglary devices on the third floor of the courthouse. Justin Wynn and Gary Demercurio told officers they had been “contracted” to test the security system, but Dallas County officials said they didn’t know of the arrangement, according to a criminal complaint

As the Des Moines Register reports, authorities soon found out that the men were telling the truth. The state court administration (SCA) had hired them, but it apparently didn’t realise just how far the security agents would go to test the system.

In a statement issued by the Iowa Judicial Branch on Wednesday, the state court administration confirmed it hired the two men to check the security of court’s electronic records and apologized for the clusterfuck, Gizmodo reported.

“The company was asked to attempt unauthorised access to court records through various means to learn of any potential vulnerabilities,” the statement read.

“SCA did not intend, or anticipate, those efforts to include the forced entry into a building. SCA apologizes to the Dallas County Board of Supervisors and law enforcement and will fully cooperate with the Dallas County Sheriff’s Office and Dallas County Attorney as they pursue this investigation.”

An updated statement from the Court issued on Friday says that it is aware of a break-in at the nearby Polk County Historic Courthouse, which “is similar in nature,”

But the SCA is investigating the matter and “has no other information to share at this time,”

Adding that the “State court administration does not condone forcible entry into any building as a part of cyber-security or any other type of testing.”

According to the Register, Wynn and Demercurio are employees of cybersecurity firm Coalfire.

Dallas County Attorney told Gizmodo he couldn’t comment on pending criminal matters. Coalfire also said it could not comment on this case as it is an active legal matter and because it does not comment on client engagements “due to the confidential nature of our work and various security and privacy.”

But Coalfire did say, “We have performed hundreds of assessments for similar government agencies, and our employees work diligently to ensure our engagements are conducted with utmost integrity and in alignment with the objectives of our client.”

This case shows the challenges that security researchers like Wynn and Demercurio face—difficulties that can disincentive them from doing their job to the best of their ability.

Wynn and Demercurio’s bond has been set at $50,000. They are set to return to the Dallas County Courthouse for preliminary hearings on September 23.