How a hacker’s mom got into a prison and infected the boss’s computer



What are you willing to do to see a project through? Go without sleep, send your family on vacation so they don’t distract you, drink coffee and energy drinks by the liter? There are more drastic options. Cloud4Y tells the remarkable story of cybersecurity analyst John Strand, who, having taken on a contract to test the security of a correctional facility, chose the person ideally suited to the role of pentester: his own mother.

John Strand specializes in breaking into systems and assessing their security. His services are used by organizations that want to find the weak spots in their own defenses before hackers find those holes for them. Normally Strand carries out the penetration himself or brings in one of his experienced colleagues from Black Hills Information Security. But in July 2014, while preparing a physical penetration test at a penitentiary in South Dakota, he made a very unexpected decision: he sent his mother to do the job.

The idea for this adventure was Rita Strand’s own. About a year before these events, at the age of 58, she had become the chief financial officer of Black Hills; before that she had worked in food service for about three decades. With that much professional experience behind her, Rita was confident she could pass herself off as a health inspector and get into the prison. All it would take was a fake identity and the right demeanor.

“Once she came up to me and said, ‘You know, I want to penetrate somewhere,’” Strand says. “How could I refuse her?”

A pentest is not as simple as it seems. Penetration testers like to say that a confident look alone gets you remarkably far, but sending a newcomer into a state correctional facility is a daunting experiment. Hired pentesters are normally authorized to enter the client’s systems, but problems can still arise if they are caught. Two pentesters who entered the Iowa State Courthouse as part of an earlier contract spent 12 hours in jail after being caught. What followed was a court case and lengthy proceedings that ended only recently. It turned out well for them, though it cost them a great deal of nerves.

Rita Strand’s task was complicated by her lack of technical knowledge. A professional pentester can assess an organization’s digital security on the spot and immediately plant a backdoor suited to the vulnerabilities found in that particular network. Rita could play a self-assured health inspector, but she was no hacker at all.

How the pentest went

To help Rita get inside, the team produced fake documents, a business card and a badge for her “supervisor” bearing John’s contact details. Once inside, Rita was to photograph the facility’s access points and physical security controls. Rather than make an older woman hack into any computers herself, John equipped his mother with so-called Rubber Duckies: malicious USB drives that she could plug into any device. The drives called back to her Black Hills colleagues and gave them access to the prison’s systems. From there they carried out the rest of the work on the computers remotely while Rita continued to operate inside.

“Most people doing a pentest for the first time are very uncomfortable,” Strand said. “But Rita was ready to go. Cybersecurity in a prison is crucial for obvious reasons. If someone can infiltrate a prison and take over its computer systems, getting someone out of prison becomes really easy.”

On the morning of the pentest, Strand and his colleagues gathered in a cafe near the prison. While their order was being prepared, the team set up a working station with laptops, mobile hotspots and other equipment. When everything was ready, Rita headed for the prison.

“When she got out, I thought it was a very bad idea,” Strand recalls. “She has no penetration experience, no IT hacking experience. I said, ‘Mom, if everything goes bad, you need to pick up the phone and call me immediately.’”

Pentesters usually try to spend as little time on site as possible to avoid unnecessary attention and suspicion. But 45 minutes of waiting went by, and Rita had still not reappeared.

“When about an hour had passed, I began to panic,” John Strand says with a smile. “I reproached myself that I should have foreseen this while we were driving in the same car, and now I am sitting in a cafe in the middle of nowhere with no way to get to her.”

Suddenly, the Black Hills laptops began to beep. Rita had done it! The USB implants she had planted created so-called web shells, which gave the team in the cafe access to various computers and servers inside the prison. Strand recalls one of his colleagues shouting: “Your mother is fine!”

In fact, Rita met no resistance at all inside the prison. She told the guards at the entrance that she was conducting an unscheduled health inspection, and they not only let her through but also let her keep her mobile phone, with which she recorded the entire process of penetrating the facility. In the prison kitchen she checked the temperature in the refrigerators and freezers, pretended to check the shelves and racks for bacteria, looked for expired products and took photographs.

Rita also asked to see the staff work areas and break rooms, the prison’s network operations center and even the server room, supposedly to check for insects, humidity and mold. No one refused her. She was even allowed to roam the prison alone, which gave her plenty of time to take a stack of photos and plant USB implants wherever she could.

At the end of the “inspection”, the prison director asked Rita to come to his office and give recommendations on how the institution could improve its food service. Drawing on her long experience in catering, she talked through a few problems. She then handed him a specially prepared flash drive, saying that it contained a useful self-assessment checklist from the inspection that he could use to fix the current problems. On the flash drive was a Word file infected with a malicious macro. When the prison director opened it, he handed Black Hills access to his computer.

“We were just stunned,” Strand says. “It was an overwhelming success. Cybersecurity representatives now have something to say about the fundamental shortcomings and weaknesses of the current system. Even if someone claims to be a health inspector or someone else, you need to verify the information better. You cannot blindly believe what they say.”

What came of it

Other pentesters who know the story consider Rita’s success more of a fluke, but say that the situation as a whole is a fair reflection of their everyday experience.

“The result of applying a few lies and physical aspects can be incredible. We do similar work all the time and seldom find ourselves exposed,” agrees David Kennedy, founder of the penetration testing firm TrustedSec. “If you claim to be an inspector, an auditor, an authority, then you are allowed to do anything.”

Rita never took part in another penetration test. And John Strand now declines to say which prison his mother visited; he assures us that it has since closed. But the team’s efforts had a significant impact on how security is organized there, Strand says, adding jokingly: “I also think that thanks to our test, the level of healthcare in the organization was improved.”
