Two security professionals who were arrested in 2019 after performing a licensed security assessment of a county courthouse in Iowa will receive $600,000 to settle a lawsuit they brought alleging wrongful arrest and defamation.
The case was brought by Gary DeMercurio and Justin Wynn, two penetration testers who on the time were employed by Colorado-based security firm Coalfire Labs. The lads had written authorization from the Iowa Judicial Branch to conduct “red-team” exercises, meaning attempted security breaches that mimic techniques utilized by criminal hackers or burglars.
The target of such exercises is to check the resilience of existing defenses using the varieties of real-world attacks the defenses are designed to repel. The principles of engagement for this exercise explicitly permitted “physical attacks,” including “lockpicking,” against judicial branch buildings as long as they didn’t cause significant damage.
A chilling message
The event galvanized security and law enforcement professionals. Despite the legitimacy of the work and the legal contract that authorized it, DeMercurio and Wynn were arrested on charges of felony third-degree burglary and spent 20 hours in jail, until they were released on $100,000 bail ($50,000 for every). The costs were later reduced to misdemeanor trespassing charges, but even then, Chad Leonard, sheriff of Dallas County, where the courthouse was situated, continued to allege publicly that the boys had acted illegally and ought to be prosecuted.
Reputational hits from these kinds of events may be fatal to a security skilled’s profession. And naturally, the prospect of being jailed for performing authorized security assessment is sufficient to get the eye of any penetration tester, not to say the purchasers that hire them.
“This incident didn’t make anyone safer,” Wynn said in a press release. “It sent a chilling message to security professionals nationwide that helping [a] government discover real vulnerabilities can result in arrest, prosecution, and public disgrace. That undermines public safety, not enhances it.”
DeMercurio and Wynn’s engagement on the Dallas County Courthouse on September 11, 2019, had been routine. Just a little after midnight, after finding a side door to the courthouse unlocked, the boys closed it and let it lock. They then slipped a makeshift tool through a crack within the door and tripped the locking mechanism. After gaining entry, the pentesters tripped an alarm alerting authorities.
