Life-changing risks pentesters take to help you boost security (cont.)
28.07.2020

Part II

The worst-case scenario for the pentesters was to spend an hour or two in a cell while everything got sorted out. But this time it was different. The sheriff accused them of trespassing and claimed that they should be arrested for burglary. As the police escorted them away, handcuffed, they still weren’t too nervous.

Gary and Justin were interrogated in different rooms. None of the paperwork they presented to the police, which by that time had already been identified and verified, seemed to get them out of trouble.

All the tools they needed for the courthouse security test were labelled burglary tools, and the testers were charged not only with burglary but also with possession of burglary tools. Gary managed to get through to one of the contacts they had to prove their job was legal. The contact said that things would be sorted out in the morning and that he would speak to some people.

Their company – Coalfire – didn’t respond due to the late hour. Within a few minutes the pentesters had to put on orange jumpsuits like real inmates. They were both put in a cell with other convicts. The next day they had an appointment to see the judge in the very courthouse they had broken into, only now they were escorted there by officers.

It was the very courthouse they had broken into the night before, and now they were sitting in it waiting to see the judge.

The judge didn’t believe a word Gary told her, claiming that she was a state employee and that this was not the way things should happen at the state (meaning pentesting).

What was going through Gary’s head was the thought that there was a judge in front of him – judges weigh whether the details are true or false, that’s their job – but this judge seemed to have dealt with people and liars for so long that she could no longer tell the difference between somebody who was innocent and telling the truth wholeheartedly and somebody who was a liar.

Bail for the testers was set at $5,000. Moreover, the county prosecutor waited for his turn to add something, and instead of making things clear he said that the bail was not enough and should be raised. The state representation that was supposed to be there in the morning to speak for the testers was absent. There was nobody there to defend Justin or Gary. The three contacts on their get-out-of-jail-free card did not come as they had said they would. And Coalfire didn’t have enough time to get there.

Shortly after, the judge realised that it was actually her courthouse, and she “automatically” raised the bail to $50,000.

When they went back to their cell, even the inmates were totally sure the pentesters were innocent.

At that point they were looking at seven years in prison.

Finally, they got through to Coalfire, and the company bailed them out for $100,000 ($50,000 each) and began to look for help. Back home, they hired individual lawyers to work on the case and figure out why it wasn’t even a contract dispute but involved only the two of them. Everything seemed pretty terrifying.

The local news ran the story. The news actually stated that the Judicial Branch did hire them, but only to check the security of its electronic records, not to break in. The investigation of the case lasted a few months.

The State Judicial Branch claimed that it didn’t know a physical assessment was going to happen, but Coalfire then pointed to the contract to show that a physical assessment had been approved.

Every objection or evasion from the state was countered and covered by the paragraphs of the perfect contract, which had been drawn up with all such issues in mind.

And then the big issue surfaced – county and state were not the same thing. The county’s sheriff, judge and prosecutor were pointing at the state, which had ordered a penetration test of the county courthouse. The county had every right to take them for criminals, as it was unaware of what the state’s authorities had allowed.

A third-party investigation was launched. Because findings and a decision should be based on some precedent, it was really hard to come to any conclusion in this case, which was definitely a rare one.

The lawyer interpreted the situation as lawful because the state is a legitimate tenant of the county property and could take measures to ensure its safety.

The county prosecutors weren’t all right with such an outcome and kept objecting. Meanwhile, it became a real problem for Gary and Justin to explain to every client they were going to conduct a test for what exactly had happened in Iowa.

Senator Amy Sinclair said, “The hiring of an outside company to break into the courthouse in September created significant danger not only to the contractors but to local law enforcement and members of the public.”

Senator Zach Whiting said, “Essentially, a branch of government has contracted with a company to commit crimes and this is very troubling. I want to find out who needs to be held accountable for this and how we can do that.”

Meanwhile, the investigation was completed, and it stated that the state had jurisdiction to hire Coalfire and implement the testing. The results were presented to the county prosecutor.

The felony charges were reduced to misdemeanor trespassing charges. But of course that wasn’t an option for the pentesters. The fight with the county took another 4 months.

On the 30th of January, 2020, the charges against Gary and Justin were dropped, and the pentesters became free men again, only towing criminal records and burglary charges behind them. From now on they will always be the testers who got arrested for a felony.

As darknetdiaries.com fairly emphasises, the situation is wrong: an organisation should deal with the lawsuit if any activity is conducted on its behalf. Why do the people who work for it get penalised? They are only doing their job.
