From pen-test to penitentiary: Infosec duo cuffed after physically breaking into courthouse during IT security assessment

Updated Two men hired to assess a court record system's computer security were arrested Wednesday – after they were caught physically sneaking into a courthouse.

According to the Des Moines Register today, infosec pros Gary Demercurio and Justin Wynn were cuffed by deputies in Iowa, USA, after they tripped an intruder alarm at a Dallas County courthouse.

The two men, who now face burglary charges, said they were attempting the break-in as part of a penetration test the county court had paid their employer, security biz Coalfire, to perform against the court's electronic records system.

In other words, the ethical hacker duo were pen-testers just trying to get physical access to computers managing or storing court records as part of a planned security probe.

Here's where things jump the tracks. The Dallas County court officials fully acknowledged they hired the two experts to test the security of their IT system. The bureaucrats were, however, unaware the tests could also involve physical break-ins, it is claimed.

"The two men arrested work for a company hired by [the state court administration, or SCA] to test the security of the court’s electronic records," Iowa's judicial branch said in a statement on the matter.

"The company was asked to attempt unauthorized access to court records through various means to learn of any potential vulnerabilities. SCA did not intend, or anticipate, those efforts to include the forced entry into a building."

Those familiar with pen-testing procedures were quick to point out just what a colossal failure had to occur to create these sort of circumstances.

Perhaps they should’ve carried a copy of their contract in their back pocket. I learned that from a pentester 15 years ago. If they’re pentesters, this really sucks.

— Waffles b4 pancakes (@realmonsino) September 12, 2019

So, while it seems that the whole thing will be settled shortly, as of Thursday the two men remain in police custody – a court date is reportedly set for September 23 – on $50,000 bond. Coalfire has yet to respond to requests for comment. ®

Updated to add

"We have performed hundreds of assessments for similar government agencies, and our employees work diligently to ensure our engagements are conducted with utmost integrity and in alignment with the objectives of our client," a spokesperson for Coalfire told us Thursday evening.

"However, we cannot comment on this situation or any specific client engagements due to the confidential nature of our work and various security and privacy laws. Additionally, we cannot comment on this specific case as it is an active legal matter."