Iowa officials claim confusion over scope led to arrest of pen-testers

by Sean Gallagher, Ars Technica
[Image: The Dallas County, Iowa, courthouse, the site of a penetration test gone wrong. (credit: By Iowahwyman - Own work, CC BY-SA 3.0)]

In a post to the Iowa Judicial Branch website today, a spokesperson for the state's court administration released redacted images of the documents associated with the security tests that landed two penetration testers in jail earlier this month. The "rules of engagement" document for the contract shows that the state court administration did request a physical security assessment from the security firm Coalfire. State officials say that Coalfire's employees interpreted the documents differently than they had. But it would appear that the real problem behind the arrest of Coalfire's team is a turf war between state and county officials, and whether the state judicial administrators had cleared the security tests with local authorities.

In the post, the Iowa Judicial Branch spokesperson wrote:

Coalfire and State Court Administration believed they were in agreement regarding the physical security assessments for the locations included in the scope of work; yet, recent events have shown that Coalfire and State Court Administration had different interpretations of the scope of the agreement. Together, Coalfire and State Court Administration continue to navigate through this process.

State Court Administration has worked with Coalfire in the past to conduct security testing of its data and welcomed the opportunity to work with them again. Both organizations value the importance of protecting the safety and security of employees as well as the integrity of data.

State Court Administration apologizes to the sheriffs and boards of supervisors of Dallas County and Polk County for the confusion and impact these incidents have caused.

The document showed that the state authorized Coalfire's team to "perform lock-picking activities to attempt to gain access to locked areas." But the document also stated the testers should "talk your way into areas" and allowed for "limited physical bypass."
