Tweet
Quick Backstory:
Two penetration testers working for Coalfire were carrying out an engagement for The State of Iowa to test the physical security of government buildings. They accessed one building in Dallas County, IA after hours and purposefully tripped the alarm to assess how quickly law enforcement would arrive. They showed their papers to the responding Sheriff's Deputies, but the Dallas County Sheriff highlighted the fact that they broke into a County-owned building, not State-owned, thus being outside of the terms of the engagement, and he arrested the two Coalfire employees.
The charges were ultimately dropped by the prosecution in January, but this case seems to be the first of its kind, at least one that had as much coverage as this did. I could see this being a highly referenced case for physical penetration testers - and their lawyers - as we move forward.
As someone who is not a physical pentester, what went wrong here? Was it a County Sheriff who felt like his jurisdiction was being encroached by the State? Was it insufficient language in the contract between Coalfire and Iowa? Or was it a miscommunication of the terms of engagement between Coalfire and DeMercurio and Wynn?
Bonus question: Why in the world would you break into a government building at night to test the response of the Sheriff's Department, who had no prior knowledge of the assessment, and who carry loaded weapons?
References:
https://krebsonsecurity.com/2020/01/...heir-security/
https://www.desmoinesregister.com/st...es/4611574002/
https://arstechnica.com/information-...wa-courthouse/
Two penetration testers working for Coalfire were carrying out an engagement for The State of Iowa to test the physical security of government buildings. They accessed one building in Dallas County, IA after hours and purposefully tripped the alarm to assess how quickly law enforcement would arrive. They showed their papers to the responding Sheriff's Deputies, but the Dallas County Sheriff highlighted the fact that they broke into a County-owned building, not State-owned, thus being outside of the terms of the engagement, and he arrested the two Coalfire employees.
The charges were ultimately dropped by the prosecution in January, but this case seems to be the first of its kind, at least one that had as much coverage as this did. I could see this being a highly referenced case for physical penetration testers - and their lawyers - as we move forward.
As someone who is not a physical pentester, what went wrong here? Was it a County Sheriff who felt like his jurisdiction was being encroached by the State? Was it insufficient language in the contract between Coalfire and Iowa? Or was it a miscommunication of the terms of engagement between Coalfire and DeMercurio and Wynn?
Bonus question: Why in the world would you break into a government building at night to test the response of the Sheriff's Department, who had no prior knowledge of the assessment, and who carry loaded weapons?
References:
https://krebsonsecurity.com/2020/01/...heir-security/
https://www.desmoinesregister.com/st...es/4611574002/
https://arstechnica.com/information-...wa-courthouse/
Comment