Iowa hired a cybersecurity firm to do penetration testing, then arrested its workers

Cal Jeffrey

TS Evangelist
Staff member

In one of its tests back in September, two Coalfire employees found a door at the Dallas County Courthouse wide open. They entered the building and intentionally set off an alarm to test law enforcement response, which was part of the job. As per the company’s policy, the security workers waited for the police to show up to show them their paperwork proving they were hired to check the security of the building.

Initially, the first deputies on the scene checked their documentation and said they were “good to go.” However, the local sheriff arrived within minutes and arrested them. The employees were charged with third-degree felony burglary and possession of burglary tools. They spent the night in jail, and Coalfire posted their excessive $100,000 bail the next day.

The company and its workers expected the state to drop the charges quickly since it had a contract to do pen testing at the courthouse, but it has boiled in to what appears to be a dispute between jurisdictional officials.

"Failing to de-escalate the issue and bring in State/County politics, Sheriff Leonard communicated in an email 'that this building belonged to the taxpayers of Dallas County and the State had no authority to authorize a break-in.'"

According to Coalfire, the incident was caused by the state not being on the same page as Coalfire in the scope of the contract, and the local sheriff not being clued-in on the job.

“Coalfire and State Court Administration believed they were in agreement regarding the physical security assessments for the locations included in the scope of work,” said the firm in a press release back in September. “Yet, recent events have shown that Coalfire and State Court Administration had different interpretations of the scope of the agreement.”

At the time, Coalfire was confident that it could work out the misunderstanding by coming together with officials to discuss the confidential details of the contract. However, the charges were only reduced to criminal trespassing instead.

In a statement, Coalfire CEO Tom McAndrew said, “The ongoing situation in Iowa is completely ridiculous, and I hope that the citizens of Iowa continue to push for justice and common sense. Today, we found out that charges against [our] employees at the center of the Dallas County Courthouse incident … have been reduced from felony accusations of Burglary in the third-degree and possession of burglary tools to criminal trespass.”

“I do not consider this a “win” for our employees, and Coalfire will continue to support and aggressively pursue all avenues to ensure that all charges are dropped and their criminal records are purged of any wrongdoing,” McAndrew added.

"My hope is that the officials involved in this case will appropriately consider the context in which the actions of our employees were performed and the ongoing dispute between the state and the county related to governance of the court buildings."

The ramifications of this incident are far broader than just a beef between Coalfire and state officials. If the employees are not exonerated on all charges, it could have lasting effects on whether other security firms that do pen testing choose to take jobs with state and municipal authorities.

Hopefully, the issue will be settled without the need for further litigation. It would seem that the sheriff, in this case, made a bad call, and it probably would not hold up under a jury trial, but it should not go that far.

“Sheriff Leonard failed to exercise common sense and good judgement [sic] and turned this engagement into a political battle between the State and the County,” McAndrew said. “I spoke with the team immediately after their release and promised to do everything I could to get this resolved. I intend to keep my promise. The fact that this case is still ongoing is a failure of the criminal justice system in Iowa.”

Permalink to story.

 

yRaz

Nigerian Prince
Lol. I hate to get political, but that's Iowa State education for ya!

But, in all seriousness, this is a failure of the state to communicate with local police and the country sheriff about testing. This will never hold up in court, especially since they had paperwork to show the authorities about the contract.

It was probably just an over zealous sheriff trying to flex his power.

"Here is what you're doing wrong"
"You're under arrest for our incompetence"
"Great, you just set precedence for making contract penetration testing illegal for, you know, asking us to show you how bad your security was"
 
  • Like
Reactions: lazer

kapital98

TS Guru
Lol. I hate to get political, but that's Iowa State education for ya!

But, in all seriousness, this is a failure of the state to communicate with local police and the country sheriff about testing. This will never hold up in court, especially since they had paperwork to show the authorities about the contract.

It was probably just an over zealous sheriff trying to flex his power.

"Here is what you're doing wrong"
"You're under arrest for our incompetence"
"Great, you just set precedence for making contract penetration testing illegal for, you know, asking us to show you how bad your security was"
A major problem with this article is the only source is Coalfire. There are many practical implications, but if this was legit this would either be thrown out on motions or else be an easy win at a jury trial. It would be politically suicidal for the sheriff and DA's office.

This is akin to a wife beater being the only source of information. It was all her fault! [Or an oil company explaining why an oil fire isn't so bad for the environment.]

This is also why there are defenses to burglary (like, having permission to be at the premise). It would have been nice to have at least one statement by local authorities to measure if this story really is BS or Coalfire is correct.

--

For all we know, Coalfire could be covering a PR nightmare by having criminals on their team. Would you trust a security firm who actively committed felonies while on their payroll?
 
  • Like
Reactions: magdziam

Eldritch

TS Maniac
Iowa : Hires cybersecurity experts. Gives them access. Then annoys the hell outta them with some bureaucratic nonsense.
Do you want ransomwares gridlocking your entire system, cuz that's how you get 'em ransomwares.
But seriously, this is really unacceptable to punish a contracted employee doing his job esp when the contract is with the jurisdictional govt itself.
What's next, arrest of demolition crews for destruction of property?
 

loading88

TS Member
Lol. I hate to get political, but that's Iowa State education for ya!
You do realize that Iowa is ranked in the top 10 for education institutions across the country right?

On point of the topic, they should have reported the incident; not set off an alarm costing tax payers money to falsify an emergency to prove a point. Heck if you pull an alarm and someone is injured because of it in California you serve 3 years in a state prison. But yeah, going directly to a felony is a bit much.
 
  • Like
Reactions: Jeff Re

Uncle Al

TS Evangelist
I wouldn't be at all surprised to discover down the road that state/county is targeted for all kinds of hackers ... and it will serve them right! Amazing in this day and age that people in this level of politics don't do any better job than coordinating their actions .... they should submit the entire bunch to the same level of criminal investigation for malfeasance & nonfeasance .....
 
  • Like
Reactions: rub900

wiyosaya

TS Evangelist
Does the fact they got in through a backdoor and could set off the alarms mean that the security staff, for which the sheriff is responsible, failed. Therefore they just found a vulnerability within the sheriff's domain? Am I getting this right?
Interesting perspective, but not unwarranted, IMO. Perhaps the sheriff arrested them to save face.
 

MilwaukeeMike

TS Evangelist
Someone take that sheriff's badge away from him. He has obviously let his given authority go to his head.
Not to be cynical here, but can you imagine the reaction if the Sheriff showed up to arrest a couple guys who broke into a govt building and then let them go because they had some documentation that said they were 'just testing the security' ?

"Sorry we broke into the vault Sheriff - we weren't going to steal anything, just testing out your response times - we're gonna leave now." No decent Sheriff lets them go.

However, you'd expect this to be cleared up with a simple phone call. Sheriff calls the mayor's office or whatever and it's all fixed.

My guess is the Sheriff assumed they were criminals, the Coalfire guys were probably rude and being d!cks and the Sheriff got mad and decided to throw his weight around gave em the handcuffs and a night in jail.
 

cliffordcooley

TS Redneck
My guess is the Sheriff assumed they were criminals
Yes because he totally ignored the fact they were [I'm assuming] registered cybersecurity firm. That should have given him pause to step back and ask why. Instead he goes in guns blazing with handcuffs in hand. He totally gives law enforcement a bad name. I despise law enforcement that thinks they can pass the buck to the judge. They in general don't care who or how badly they hurt someone. In their mind it is always take it up with the judge. I for one don't blame them for being d!cks, when it is obvious the sheriff was showing his ***.
 

ED1492

TS Rookie
Sounds like the Sherrifs office or the town needs a lesson in the consequences of Ransomware to soften their posistion. Seems in the end the town will have to pay out a large sum to satisfy the enevitable judgement awarded by a jury that has it's head in the clear!