Check the scope: Pen-testers nabbed, jailed in Iowa courthouse break-in attempt

The Dallas County, Iowa courthouse, the site of a penetration test gone spectacularly wrong. By Iowahwyman – Own work, CC BY-SA 3.0

Two security contractors were arrested in Adel, Iowa on September 11 as they attempted to gain access to the Dallas County Courthouse. The two are employees of Coalfire—a "cybersecurity advisor" firm based in Westminster, Colorado that frequently does security assessments for federal agencies, state and local governments, and corporate clients. They claimed to be conducting a penetration test to determine how vulnerable county court records were and to measure law enforcement's response to a break-in.

Unfortunately, the Iowa state court officials who ordered the test never told county officials about it—and no one evidently anticipated that a physical break-in would be part of the test. For now, the penetration testers remain in jail. In a statement issued yesterday, state officials apologized to Dallas County, citing confusion over just what Coalfire was going to test:

State court administration (SCA) is aware of the arrests made at the Dallas County Courthouse early in the morning on September 11, 2019. The two men arrested work for a company hired by SCA to test the security of the courts' electronic records. The company was asked to attempt unauthorized access to court records through various means to learn of any potential vulnerabilities. SCA did not intend, or anticipate, those efforts to include the forced entry into a building. SCA apologizes to the Dallas County Board of Supervisors and law enforcement and will fully cooperate with the Dallas County Sheriff's Office and Dallas County Attorney as they pursue this investigation. Protecting the personal information contained in court documents is of paramount importance to SCA and the penetration test is one of many measures used to ensure electronic court documents are secure.

The case is an example of the legal risks faced by security testing firms, particularly when the scope of such tests is vague. Even the most basic electronic security tests, when done outside of the bounds of a contractual agreement, could land the testers in trouble, as Ars reported when Gizmodo reporters attempted to phish Trump administration and campaign figures in 2017.

Josh Rosenblatt, a M