How a hacker's mother entered a prison and infected the boss's computer

Tomcat



What are you willing to do to successfully complete a project? Not sleep at night, send your family on vacation so they don't distract you, drink gallons of coffee and energy drinks? There are better options. Cloud4Y tells the remarkable story of a cybersecurity analyst. John Strand, who had received a contract to test a prison's security, chose the person who was ideal for the role of pentester: his own mother.
John Strand specializes in penetrating various systems and assessing their security. His services are used by organizations that want to identify weaknesses in their own defenses before those holes are discovered by real attackers. Typically, Strand performs the penetration work himself or involves one of his experienced colleagues from Black Hills Information Security. But in July 2014, while preparing for an on-site test at a correctional facility in South Dakota, he made a rather unexpected decision. He sent his mother to complete the task.

The idea for this adventure was Rita Strand's own. About a year earlier, at the age of 58, she had become the chief financial officer of Black Hills; before that she had worked in the food service industry for about three decades. With that professional background, Rita was confident she could pose as a health inspector to get inside the prison. All that was required was a fake ID and the right pattern of behavior.

“She came up to me one day and said, ‘You know, I want to break into something,’” Strand says. “How could I say no to her?”

Pentesting is not as easy as it seems. Penetration testers always say that simply looking confident can get you incredible results, but letting a newcomer into a state correctional facility is a frightening experiment. And although hired pentesters are authorized to penetrate client systems, problems can still arise if they are caught. Two pentesters who broke into an Iowa courthouse as part of a previously negotiated engagement spent 12 hours in jail after being caught. Then came a trial and lengthy proceedings, and only recently did it all end. It ended well for them, although they were pretty nervous.

Rita Strand's task was complicated by a lack of technical knowledge. A professional pentester can assess an organization’s digital security in real time and immediately establish a backdoor that matches the vulnerabilities found in a particular network. Rita could portray an arrogant health inspector, but she was not a hacker at all.

How the pentest went


To help Rita get in, she was given fake documents, a business card, and an "executive" badge with John's contact information. Once inside, Rita was expected to photograph the facility's access points and physical security features. Instead of asking the older woman to hack into any computers herself, John gave his mother so-called "Rubber Duckies": malicious flash drives that she could plug into any device. The flash drives established contact with her colleagues at Black Hills and gave them access to prison systems. They then carried out the remaining computer operations remotely while Rita continued working inside.

“Most people who do pentesting for the first time are very uncomfortable,” Strand said. “But Rita was ready to go. Cybersecurity in prison is critical for obvious reasons. If someone can break into a prison and take over computer systems, it's really easy to get someone out of prison.”

On the morning of the pentest, Strand and his colleagues gathered in a cafe near the prison. While their order was being prepared, the team set up a working station with laptops, mobile access points and other equipment. And when everything was ready, Rita went into the prison.

“When she got out, I thought it was a really bad idea,” Strand recalls. “She has no penetration experience, no IT hacking experience. I said, ‘Mom, if things get bad, you need to pick up the phone and call me right away.’”

Pentesters usually try to spend as little time on site as possible to avoid unnecessary attention and suspicion. But after 45 minutes of waiting, Rita still did not appear.

“When about an hour had passed, I started to panic,” John Strand says with a smile. “I blamed myself: I should have foreseen this while we were riding in the same car, and now I’m sitting in the middle of nowhere in a cafe with no way to get to her.”

Suddenly, the Black Hills laptops started beeping with activity. Rita had done it! The USB implants she had planted created so-called web shells that gave the team in the cafe access to various computers and servers inside the prison. Strand recalls one co-worker shouting, “Your mom is okay!”

In fact, Rita encountered no resistance at all inside the prison. She told the guards at the entrance that she was conducting an unscheduled health inspection, and they not only let her through, but also let her keep her mobile phone, with which she recorded the entire procedure for entering the facility. In the prison kitchen, she checked the temperatures of refrigerators and freezers, pretended to check for bacteria on counters and shelves, looked for expired food and took photographs.

Rita also asked to inspect the staff's work and recreation areas, the prison's network operations center and even the server room - all supposedly to check for insects, humidity levels and mold. And no one refused her. She was even allowed to wander around the prison alone, with plenty of time to take a large number of photos and plant USB implants wherever she could.

At the end of the “inspection,” the prison director asked Rita to visit his office and make recommendations on how the institution could improve its food services. Drawing on her long experience in food service, Rita pointed out several problems. She then handed him a specially prepared flash drive and told him that the inspectorate had a useful self-assessment checklist he could use to address the current issues. The flash drive contained a Word file with a malicious macro. When the warden opened it, he gave Black Hills access to his computer.

“We were just dumbfounded,” Strand says. “It was a stunning success. Cybersecurity officials now have something to say about the fundamental flaws and weaknesses of the current system. Even if someone claims that he is a health inspector or someone else, it is necessary to better verify the information. You can’t blindly believe what they say.”

What's the result?

Other pentesters who know this story believe that although Rita’s success was partly a matter of luck, the situation as a whole reflects their everyday experience well.

“The results of using little lies and physical aspects can be incredible. We do similar jobs all the time and rarely get caught,” agrees David Kennedy, founder of penetration testing firm TrustedSec. “If you claim to be an inspector, an auditor, an authority figure, then everything is allowed to you.”

Rita never took part in a penetration test again. And John Strand still refuses to say which prison his mother entered; he says only that it has since closed. But the team's work had a significant impact on the institution's security, Strand says. And he adds jokingly: “I also think that our test has improved the level of healthcare in the organization.”