Check the scope: Pen-testers nabbed, jailed in Iowa courthouse break-in attempt

 In Biz & IT, Policy

Check the scope: Pen-testers nabbed, jailed in Iowa courthouse break-in attempt

Serving the Technologist for more than a decade. IT news, reviews, and analysis.
The Dallas County, Iowa courthouse, the site of a penetration test gone spectacularly wrong.

Enlarge / The Dallas County, Iowa courthouse, the site of a penetration test gone spectacularly wrong. (credit: By Iowahwyman – Own work, CC BY-SA 3.0)

Two security contractors were arrested in Adel, Iowa on September 11 as they attempted to gain access to the Dallas County Courthouse. The two are employees of Coalfire—a “cybersecurity advisor” firm based in Westminster, Colorado that frequently does security assessments for federal agencies, state and local governments, and corporate clients. They claimed to be conducting a penetration test to determine how vulnerable county court records were and to measure law enforcement’s response to a break-in.

Unfortunately, the Iowa state court officials who ordered the test never told county officials about it—and evidently no one anticipated that a physical break-in would be part of the test. For now, the penetration testers remain in jail. In a statement issued yesterday, state officials apologized to Dallas County, citing confusion over just what Coalfire was going to test:

State court administration (SCA) is aware of the arrests made at the Dallas County Courthouse early in the morning on September 11, 2019. The two men arrested work for a company hired by SCA to test the security of the court’s electronic records. The company was asked to attempt unauthorized access to court records through various means to learn of any potential vulnerabilities. SCA did not intend, or anticipate, those efforts to include the forced entry into a building. SCA apologizes to the Dallas County Board of Supervisors and law enforcement and will fully cooperate with the Dallas County Sheriff’s Office and Dallas County Attorney as they pursue this investigation. Protecting the personal information contained in court documents is of paramount importance to SCA and the penetration test is one of many measures used to ensure electronic court documents are secure.

The case is an example of the legal risks faced by security testing firms, particularly when the scope of such tests is vague. Even the most basic electronic security tests, when done outside of the bounds of a contractual agreement, could land the testers in trouble, as Ars reported when Gizmodo reporters attempted to phish Trump administration and campaign figures in 2017.

Read 3 remaining paragraphs | Comments

Iowa court officials authorized “various means” to check county court’s security.

Recent Posts
Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Not readable? Change text. captcha txt