News: 0180691940


County Pays $600,000 To Pentesters It Arrested For Assessing Courthouse Security (arstechnica.com)

(Thursday January 29, 2026 @05:40PM (BeauHD) from the arrested-for-doing-their-jobs dept.)


An anonymous reader quotes a report from Ars Technica, written by Dan Goodin:

> Two security professionals who were arrested in 2019 after performing an authorized security assessment of a county courthouse in Iowa [1] will receive $600,000 to settle a lawsuit they brought alleging wrongful arrest and defamation. The case was brought by Gary DeMercurio and Justin Wynn, two penetration testers who at the time were employed by Colorado-based security firm Coalfire Labs. The men had written authorization from the Iowa Judicial Branch to conduct "red-team" exercises, meaning attempted security breaches that mimic techniques used by criminal hackers or burglars.

>

> The objective of such exercises is to test the resilience of existing defenses using the types of real-world attacks the defenses are designed to repel. The rules of engagement for this exercise explicitly permitted "physical attacks," including "lockpicking," against judicial branch buildings so long as they didn't cause significant damage. [...] DeMercurio and Wynn's engagement at the Dallas County Courthouse on September 11, 2019, had been routine. A little after midnight, after finding a side door to the courthouse unlocked, the men closed it and let it lock. They then slipped a makeshift tool through a crack in the door and tripped the locking mechanism. After gaining entry, the pentesters tripped an alarm alerting authorities.

>

> Within minutes, deputies arrived and confronted the two intruders. DeMercurio and Wynn produced an authorization letter -- known as a "get out of jail free card" in pen-testing circles. After a deputy called one or more of the state court officials listed in the letter and got confirmation it was legit, the deputies said they were satisfied the men were authorized to be in the building. DeMercurio and Wynn spent the next 10 or 20 minutes telling what their attorney in a court document called "war stories" to deputies who had asked about the type of work they do. When Sheriff Leonard arrived, the tone suddenly changed. He said the Dallas County Courthouse was under his jurisdiction and he hadn't authorized any such intrusion. Leonard had the men arrested, and in the days and weeks to come, he made numerous remarks alleging the men violated the law. A couple months after the incident, he told me that surveillance video from that night showed "they were crouched down like turkeys peeking over the balcony" when deputies were responding. I published a much more detailed account of the event [2] here. Eventually, all charges were dismissed.



[1] https://arstechnica.com/security/2026/01/county-pays-600000-to-pentesters-it-arrested-for-assessing-courthouse-security/

[2] https://arstechnica.com/information-technology/2019/11/how-a-turf-war-and-a-botched-contract-landed-2-pentesters-in-iowa-jail/



I expected better (Score:2)

by devslash0 ( 4203435 )

Sure, they've been wrongfully arrested but I expected better than "a few minutes" before tripping an alarm. Clearly they needed better recce before playing Crouching Tiger, Hidden Dragon in the middle of the night. On a job like this you don't just walk in unprepared. You observe the place, walk in under a false pretext and take note of all the systems they may have, you research every single bit of kit you see on the walls. Only then, when you have a solid plan, you proceed with the objectives.

Re: (Score:2)

by karmawarrior ( 311177 )

Are you saying you read the article as if they'd intentionally tripped the alarm? 'cos no, that's not what happened.

Sounds like (Score:2)

by ArchieBunker ( 132337 )

Small town Sheriff Leonard was the person who left the side door unlocked.

Overreaction, but also poor planning (Score:2)

by Burdell ( 228580 )

Their "get out of jail free" letter is so vague as to be useless; the biggest thing is it doesn't say anything about what buildings they could access. And it turned out that the state organization who hired them didn't have authority to grant them access to county-owned facilities (which I believe would also be the case in my state). It also sounds like both the testing company and the state agency failed in how the contracts were written. Really, while not surprised a state agency wrote a bad contract, a t

Likely to happen a LOT more often... (Score:2)

by wierd_w ( 1375923 )

Centers for Medicare has *demanded* frequent penetration testing to be performed by all healthcare organizations that store digital patient records, as part of their new security rule.

You can read all about it here:

[1]https://www.federalregister.go... [federalregister.gov]

NATURALLY, I expect Hospital Management, and other pointy haired bosses to not understand the new requirements, and to flip out when the mandated penetration testing happens, that their own compliance officers and IT staff coordinated.

[1] https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information
