Penetration testers paid to break-in to Iowa courthouse have charges dropped

Gary DeMercurio and Justin Wynn had been testing the physical security of Dallas County Courthouse when they were apprehended

Two penetration testers paid to test the security of an Iowa courthouse, but arrested when they attempted to break-in, have had their charges dropped.

The pentesters, Gary DeMercurio and Justin Wynn, were employed by a firm called Coalfire Labs. They were testing the physical security of the courthouse on 11^th September 2019 when they were apprehended by security guards and subsequently arrested.

DeMercurio and Wynn had written authorisation to carry out the test on the security of Dallas County Courthouse. The two were charged with third-degree burglary, later downgraded to trespass, after spending 12 hours in jail.

However, the two men found themselves caught-up in the middle of a ‘turf war' between Dallas County and state officials. The two had been hired by Iowa's State Court Administration and had picked the lock of the front door to gain entry. However, they were observed and apprehended by Dallas County police.

Despite having a letter that authorised their break-in, Sheriff Chad Leonard claimed to be unaware of the penetration-test contract. According to ArsTechnica, Sheriff Leonard said that the State Court Administration lacked the authority to permit an out-of-hours entry of Dallas County property, jailing the two men pending charges.

DeMercurio and Wynn spent 12 hours in jail before their bail of $50,000 was raised.

The contract between Coalfire and the State authorities also proved to be less than clear. While the initial plan had involved ‘physical attacks', later revisions only prescribed ‘social engineering'. It was also not clear whether physical attacks entailed lock-picks and whether out-of-hours attacks were covered.

Nevertheless Dallas County persisted in pressing charges, albeit downgraded to trespass, charges that have only been dropped this week following talks between Dallas County representatives and Coalfire.

In a statement released on Thursday, the company said: "Ultimately, the long-term interests of justice and protection of the public are not best served by continued prosecution of the trespass charges."

The company's CEO, Tom McAndrew added that "positive lessons" had been "learned".

Lawyers for the two men arrested were less magnanimous. "Wynn and De Mercurio are relieved that the accusations have been dismissed but are frustrated with the entirety of the process. Law enforcement and prosecutors should appreciate the fact that an arrest for a criminal offense can never be undone, even after the charge is dismissed," they said in a statement.

It continued: "The justice system ceases to serve its crucial function and loses credibility when criminal accusations are used to advance personal or political agendas... This entire ordeal could have been avoided by simply respecting the fact finding that the responding law enforcement officer conducted which verified the work was authorised by the Judicial Branch."

They had, the statement continued, received "unconditional support" from Coalfire, and its CEO McAndrew, and also thanked the "cyber security family".