It was around 12:30 a.m. on Wednesday morning, and Justin Wynn and Gary
Demercurio were in a bit of a tight spot. Specifically, the two were being
arrested on the third floor of Iowa?s Dallas County courthouse.

But Wynn and Demercurio weren?t there to steal the only evidence linking them to
some unnamed crime. Rather,reports theDes Moines Register
[] , the two had been hired by the state court administration to attempt to obtain
?unauthorized access? to court documents using ?various means.?

The two men work as physical penetration testers, or pentesters, for the
cybersecurity companyCoalfire []and were simply doing
their job. Unfortunately, that message somehow got lost in translation.

Specifically, theRegisterreports that the state court administration now claims
it ?did not intend, or anticipate, those [security testing] efforts to include
the forced entry into a building.?

What is and is not off limits ? something typically referred to as in or out of
scope ? during both digital and physical pentests is often a hot-button issue.
That the scope of an engagement is often carefully negotiated ahead of time
makes sense. After all, you wouldn?t want the security company you hired to test
your payroll system kidnapping your CEO and demanding he hand over the digital

Coalfire?s website includes a detailedpenetration testing section
enumerating the various services offered by the company and detailing what a
pentest entails.

?Throughout the engagement, we provide ongoing status reports, immediate
identification of critical ?risks, and knowledge transfer to your technical
team,? reads the company?s site. ?At the end of the ?process, we ensure you have
a complete understanding of the exploitable vulnerabilities in your environment
and recommended remediation strategies.?

Physical penetration is a common practice, and is not outside of the industry
norm. One such pentester, who goes byJek Hyde on Twitter
[], often details her various escapades online with
the permission of the targeted client (her Twitter account is worth a follow).

All of this seemed to be lost on the local law enforcement, however. Both Wynn
and Demercurio have been charged with possession of burglary tools and
third-degree burglary. A $50,000 bond adds injury to the insult of being caught
on the job.

But hey, at least the Dallas County courthouse now knows that its alarm system

Original Article :