Can security tests affect the criminal record?
Although this is rare, cybersecurity professionals may be arrested for conducting tests on behalf of the U.S. state.
Among many others, some specialists from Coalfire, which, following an agreement with the STATE Court Administration (SCA), conducted security tests on computer systems at the Dallas County Courthouse in Iowa, were arrested at midnight precisely to be put behind bars. An unexpected thing that raises some questions.
It all starts exactly in September 2019. The director of the computer security company, Coalfire, named after Gary Demercurio, who is also a cybersecurity expert, and another consultant named Justin Wynn, have decided to conduct security tests on the court system. This type of test is called an "intrusion test" because it involves attempting to break into a computer system in order to detect potential vulnerabilities and correct them before malicious people discover them and use them for malicious purposes. This kind of test and very common in the field of private organizations especially companies. And sometimes it's during bug premium programs that this is most noticeable.
And as is known during intrusion tests, it is necessary to include physical elements, such as accessing offices or doing so through social engineering, i.e. finding schemes to manipulate people from the names of important information related to access to information systems. And this can highlight several flaws stemming from the very behavior of people working in the organization concerned. And of course that was the case during the Iowa court's trespass test.
For the intrusion test, the specialists as agreed by the terms of the contract that was concluded between the Iowa authorities and the cybersecurity company, everything should start late at night to try to make sure that everything happens in real conditions. As is generally known, cyber criminals tend to attack at night. Prior to the start of the test, the cybersecurity company "reviewed the scope, building by building" to ensure that communication between it and the authorities was in good shape, with regard to access to the building that should be targeted where to be avoided.
Referring to the end of the contract, the company was authorized to use the social engineering technique, posing as two sister personnel to have access to certain areas that were supposed to be restricted in terms of access. This is provided that the alarm systems are not damaged in any way.
"The reaction time (of law enforcement) was the fastest we've ever seen, literally three minutes," Wynn said after the test on Monday or Tuesday night.
After the intervention of law enforcement, everything was fine until the arrival of the Dallas County Sheriff You Chad Leonard.
Experts from the cybersecurity firm were arrested and jailed for nearly 8 p.m. Afterwards, they were taken to the courthouse or the judge did not stop to lecture them. Bail for their release was set at $50,000 per person. A bond, originally set at $7,000, was increased following arguments that Coalfire specialists could escape. The whole protest did not change anything in the judge's decision.
They were charged with burglary and possession of burglary equipment. These charges were upheld to which the property infringement was added. Following a discussion between the CEO of the security company and the Dallas County Sheriff's Office, which took months, the charges eventually dropped.
"The Dallas County Sheriff intended to protect the citizens of Dallas County and the State of Iowa by ensuring the integrity of the Dallas County Courthouse. Coalfire released in an official statement. "It was also Coalfire's intention to help protect the citizens of the state of Iowa by testing the security of information held by the judiciary, pursuant to a contract with the SCA."
And yet the misadventure did not fail to leave traces. Demercurio and Wynn did not emerge unscathed from this whole process because in their criminal record, a mention of a crime was engraved. This is what could unfortunately taint their careers in the future. For this reason, they generally recommend that intrusion testing companies always leave traces of their exchanges between themselves and the organizations that employ them.
Now access an unlimited number of passwords: