https://www.coalfire.com/News-and-Events/Press-Releases/Coalfire-CEO-Tom-McAndrew-statement
Westminster, CO -- October 29, 2019 -- The ongoing situation in Iowa is
completely ridiculous, and I hope that the citizens of Iowa continue to push for
justice and common sense. Today, we found out that charges against Justin Wynn
and Gary DeMercurio, the two Coalfire employees at the center of the Dallas
County Courthouse incident on September 11, 2019, have been reduced from felony
accusations of burglary in the third degree and possession of burglary tools to
criminal trespass.
I do not consider this a "win" for our employees, and Coalfire will continue to
support and aggressively pursue all avenues to ensure that all charges are
dropped and their criminal records are purged of any wrongdoing. After the Iowa
Supreme Court Chief Justice apologized and admitted mistakes were made, I was
expecting all charges to be dropped.
As seen in the statement of work that was made public online, our employees were
simply doing the job that Coalfire was hired to do for the Iowa State Judicial
Branch, a job similar in nature to one we did three years ago for the Iowa State
Judicial Branch and have done hundreds of times around the world for similar
clients.
Active penetration testing, including physical penetration testing, is a best
practice and a common engagement. We identify issues and risks before criminals
find them. Oftentimes the risks are systems issues, sometimes the risks are as
simple as finding a broken door that would allow a person with malicious intent
to enter a secure area unnoticed. Our mission is to help our clients secure
their environments and protect the people that work for them, their customers,
and the confidential information they maintain. In this case, we were helping to
protect the residents of Iowa.
Our work included the testing of the physical security of county courthouses and
judicial buildings. The specific locations were given to us by our client,
documented in our statement of work, and confirmed multiple times, through email
and phone conversations.
After gaining access to the Judicial Branch Building, our employees were in
communications with our client at the state level to let them know of their
successful entry. They even left a business card on the desk of an employee. The
following morning a state employee acknowledged the entry stating, “I guess I
owe you a congratulations.” The day after the successful entry into the Judicial
Branch Building, the employees walked up to the main entrance of Dallas County
Courthouse around midnight. Our employees could have simply walked in through
the front door since it was open - however, they chose to close and lock the
door, so they could provide the state of Iowa with insights on ways that
potential criminals could gain access. Our employees, being of the highest
caliber and committed to delivering the best results on the project, chose to
give the county the benefit of the doubt and test the courthouse as if they had
found it in a secure state, which it was not.
After gaining access through the locked door, our team intentionally tripped the
alarm in order to test the security response, which was an objective of the
project. After setting off the alarm in the Dallas courthouse, Mr. Wynn and Mr.
DeMercurio stayed at the courthouse to meet County law enforcement responding to
the alarm. When the initial law enforcement arrived, there were no issues as the
team explained what they were doing and presented our engagement letter along
with identification. As the team waited for a deputy to verify their
credentials, they then showed the remaining officers how entry was made along
with some of the tools and tactics that could have been used, much to the
deputies’ delight, which I believe would be evident if video of the response was
made publicly available.
The team was ready to leave after one of the deputies returned the authorization
letter to them and stated: “You guys should be all good to go.” It was at that
point that the local sheriff, Chad Leonard, arrived at the Dallas Courthouse.
Despite the authorization letter, his deputies onsite already having verified
our team, and State employees urging their release, the local sheriff proceeded
to arrest Mr. Wynn and Mr. DeMercurio.
Failing to de-escalate the issue and instead bringing in State/County politics,
Sheriff Leonard communicated in an email "that this building belonged to
the taxpayers of Dallas County and the State had no authority to authorize
a break-in." Leonard also added that a state employee asked him not to
tell other sheriffs about the incident to ensure the operation continued
at other locations, but that he was going to tell every sheriff.
I don’t know why he reacted the way he did. I’ve never met or spoken to
Sheriff Leonard. Perhaps he didn’t like being tested without his knowledge
or that our team found major security concerns at the facilities he was
protecting.
Sheriff Leonard failed to exercise common sense and good judgement and
turned this engagement into a political battle between the State and the
County. I was stunned that the next morning the issues were not resolved
and were actually amplified when bail was set at $100,000. My priority has
always been for the safety of our employees, and we immediately engaged
legal support and posted a $100,000 bond to get our team out of jail and
get them home. I spoke with the team immediately after their release and
promised to do everything I could to get this resolved. I intend to keep
my promise.
Coalfire has done hundreds of these types of engagements, typically
finding open doors, unconcealed passwords, and other items that criminals
can use to exploit organizations. Our teams are often stopped by law
enforcement or security personnel during these tests. When this occurs,
the authorization letter is presented. This is the first time that the
authorization letter and verbal calls from our client have not resulted in
the immediate release of our employees. Frankly this matter is
unprecedented within the tight-knit security industry and to our
knowledge, no physical security professional has been arrested and
officially charged while executing a contract.
Mr. Wynn and Mr. DeMercurio were acting as professionals carrying out
their state-authorized obligations focused on improving the security of
the Judicial Branch. It is unacceptable that they are now pawns in the
dispute between the state and the county related to governance of the
court buildings. My concern is that common sense is not prevailing in this
case. The fact that this case is still ongoing is a failure of the
criminal justice system in Iowa. I am also concerned that the close
working relationship between the Sheriff, District Attorney, judges, and
local politics involved may have potential conflicts of interest and
impede a fair trial.
If what is happening in Iowa begins to happen elsewhere, who will keep
those who are supposed to protect citizens honest? This is setting a
horrible precedent for the millions of information security professionals
who are now wondering if they too may find themselves in jail as criminals
simply for doing their job. I believe that citizens of Iowa would benefit
from using their resources to fix vulnerabilities, protect their data, and
secure their public buildings rather than waste time and taxpayer money on
this criminal pursuit.
Coalfire is cooperating fully in the ongoing investigation. My hope is
that the officials involved in this case will appropriately consider the
context in which the actions of our employees were performed and the
ongoing dispute between the state and the county related to governance of
the court buildings.
I have known both Gary and Justin for many years, and they are good people
who have dedicated their lives to making the world a safer place. Gary and
Justin, arguably our best physical pen testing team at Coalfire, choose to
place themselves in harm’s way each and every physical test that they
perform. They test the people who are supposed to keep citizens safe to
ensure that they are doing their jobs. Yes, occasionally there are dangers
associated with that as they must deal with law enforcement that may or
may not understand what is happening. However, being the consummate
professionals that they are, they are skilled in defusing situations and
making them non-confrontational, much like they did on this engagement as
no officer pulled a weapon of any sort.
I am a Navy veteran of 20 years who continues to serve in the Navy
Reserves because I believe in our great country. Unfortunately, today I’m
embarrassed by the way our employees have been vilified, one of whom is a
former Marine Corps officer, for doing the job they were paid to do. I’m
ashamed that no one has had the courage to step up and do what is right.
People appear to be more concerned about their own jobs or the political
repercussions.
Drop the charges, purge their records. These men are unsung heroes, not
criminals.
About Coalfire
Coalfire is the trusted cybersecurity advisor that helps private and
public-sector organizations avert threats, close gaps and effectively manage
risk. By providing independent and tailored advice, assessments, technical
testing and cyber engineering services, we help clients develop scalable
programs that improve their security posture, achieve their business objectives
and fuel their continued success. Coalfire has been a cybersecurity thought
leader for nearly 20 years and has offices throughout the United States and
Europe.