Remember that security probe that ended with a sheriff cuffing the pen testers? The contract is now public so you can decide who screwed up
Both sides have different interpretations of the rules
The infosec duo cuffed during an IT penetration test that went south last week are out of jail, though not necessarily out of the woods.
Both Florida man Justin Wynn, 29, and Gary Demercurio, 43, of Seattle, are out on bond following their arrest in the small hours of last Wednesday on burglary allegations.
If you need a quick catch up: Wynn and Demercurio, of computer security biz Coalfire, were hired by the US state of Iowa to test the IT defenses of its court system. During such tests, contractors typically play the role of hackers trying to break into an organization's networks or offices to steal or tamper with data and equipment, and then draw up a report on their findings and methods so that the customer can plug any gaps in its security.
As part of this assessment process, the pair decided to physically slip into the county courthouse of Dallas, Iowa, at night and see what equipment they could access. However, both were nabbed by county sheriff Chad Leonard, who accused the duo of third-degree burglary. It is claimed that even though the professionals told Leonard they were on a job, and put him in contact with a state official who said the men should be set free, the lawman detained them nonetheless.
"I advised them that this building belonged to the taxpayers of Dallas county and the state had no authority to authorize a break-in of this building," Leonard wrote in an email obtained by the Des Moines Register.
Wynn and Demercurio were booked into jail, and released later that day after posting bail and without any formal charges filed. An attorney for Demercurio told El Reg this evening that prosecutors in the US state have yet to announce whether they will pursue charges against the infosec pair.
For his part, Wynn seems to be taking the affair in his stride...
*whistles inconspicuously* — Red Team Wynns (@RTWynns), September 12, 2019
Earlier today, the Iowa Judicial Branch and Coalfire issued a joint statement setting out their separate versions of the events leading up to the collaring of Wynn and Demercurio in the early hours of September 11. Contracts and other paperwork describing the probe were also publicly shared for all to see, albeit with redactions.
Coalfire said it believed, from the wording of its contract, that its employees were allowed to physically break into the courthouse as part of the $75,000 IT penetration test Iowa had commissioned. However, the court officials said they had a different interpretation of the penetration test contract: while it was agreed that physical penetrations were authorized, officials didn't agree with Coalfire on the scope of these probes.
The primary rub right now seems to be that the contract states that all tests must be carried out during business hours – 6am to 6pm Mountain Time, Monday to Friday – though this can be varied with a change order. There is no sign of such a change order in the released paperwork, though all of the appendices are missing from the bundle, so if one exists, it may be in there somewhere. Remember that Wynn and Demercurio were nabbed at shortly after midnight.
As such, the police in Dallas County were not made aware by the state of Iowa of any potential late-night break-ins, leading to the pair's arrest, though we're not sure the sheriff would have let the men go even if he had been warned of the state-commissioned penetration test.
"Coalfire and State Court Administration believed they were in agreement regarding the physical security assessments for the locations included in the scope of work," the two sides said in their joint press release, which includes the contracts and other materials.
"Yet, recent events have shown that Coalfire and State Court Administration had different interpretations of the scope of the agreement.
"Together, Coalfire and State Court Administration continue to navigate through this process. To that end, the Iowa Judicial Branch and Coalfire will each be conducting independent reviews and releasing the contractual documents executed between both parties.
"State Court Administration has worked with Coalfire in the past to conduct security testing of its data and welcomed the opportunity to work with them again. Both organizations value the importance of protecting the safety and security of employees as well as the integrity of data."
So, essentially, it seems, the state's court administrators were under the impression the Coalfire team would only try to enter its offices, in order to access computers on the network, during the day. Demercurio and Wynn, however, were under the impression they could make their move at any hour.
The rules of engagement, for what it's worth, allow for "limited physical bypass" at three locations, including the Dallas County Courthouse: think tailgating clerks through doors, picking locks, and so on. This may or may not cover sneaking in at night while in possession of, as the sheriff alleged, burglary tools.
Look, clearly these guys aren't burglars: judging by the above statements, this is a pen-test during which the rules got lost in translation. Likely, we will not have the full story until prosecutors decide on whether to press charges, and the two infosec bods are at liberty to share their side of the story. ®