Two court-hired pentesters accused of intrusion; what would have happened if they hadn’t had permission to perform the tests?

Ethical hacking experts report the arrest of two security specialists hired to evaluate a US court’s IT infrastructure; according to the reports, the two experts were caught while trying to physically access the court’s systems.

Justin Wynn and Gary DeMercurio, the two information security specialists involved, were arrested by police in Iowa, US, after they set off an alarm while attempting to carry out the intrusion.

According to police reports, the two individuals argued that the intrusion was part of a penetration testing process that the court had requested from security firm Coalfire. In turn, this company hired the defendants, who now face charges of attempted robbery. In short, the testers say that they were only doing the work for which they were hired; the defendants had already collaborated with Coalfire on other ethical hacking services.

However, the Dallas County Court has another version. Although officials acknowledge that the company was in fact hired to conduct a series of information security tests, they also note that Coalfire never informed them that part of the process was to try to physically compromise its systems.

“The company was hired to try to access court records through hacking activities in order to find potential security vulnerabilities. We were not informed that these attempts included physical intrusions”, says a statement from the court.

The two defendants have been in custody since last week; a court hearing has been scheduled for September 23rd, and bond was set at $50k USD for both investigators.

In this regard, the firm states that “on previous occasions we have worked with government agencies; our collaborators carry out the requested services with the utmost integrity and with attachment to the needs of customers; because of our privacy policy, and as part of the ongoing investigation, that’s all we can comment on for now.”

Specialists in ethical hacking at the International Institute of Cyber Security (IICS) believe that it is possible for those involved to avoid prison time, as long as the company can demonstrate that physical intrusion is part of its penetration testing process.