
posted by martyb on Tuesday March 03 2020, @08:33AM   Printer-friendly
from the is-that-you-mom? dept.

How a Hacker's Mom Broke Into a South Dakota Prison:

John Strand breaks into things for a living. As a penetration tester, he gets hired by organizations to attack their defenses, helping reveal weaknesses before actual bad guys find them. Normally, Strand embarks on these missions himself, or deploys one of his experienced colleagues at Black Hills Information Security. But in July 2014, prepping for a pen test of a South Dakota correctional facility, he took a decidedly different tack. He sent his mom.

[...] "She approached me one day, and said 'You know, I want to break in somewhere,'" says Strand, who is sharing the experience this week at the RSA cybersecurity conference in San Francisco. "And it's my mom, so what am I supposed to say?"

That's not as easy a call as it might sound. Penetration testers always say that you can get amazingly far with just a clipboard and some confidence, but a novice run at a state correctional facility is just plain daunting. And while pen testers are contractually permitted to break into a client's systems, if they're caught tensions can escalate quickly.

[...] Rita Strand's mission would also be complicated by her lack of technical expertise. A professional pen tester would be able to assess an organization's digital security in real time and plant back doors tailored to what they found on the specific network. Rita had the health inspector guise down cold, but she was no hacker.

To help get her in the door, Black Hills made Rita a fake badge, a business card, and a "manager's" card with John's contact info on it. Assuming she got inside, she would then take photos of the facility's access points and physical security features. Rather than have her try to hack any computers herself, John equipped Rita with so-called Rubber Duckies, malicious USB sticks that she would plug into every device she could. The thumb drives would beacon back to her Black Hills colleagues and give them access to the prison's systems. Then they could work on the digital side of the pen test remotely, while Rita continued her rampage.

[...] Pen testers usually try to get in and out of a facility as quickly as possible to avoid arousing suspicion.

[...] "It gets to be about an hour, and I'm panicking," he says. "And I'm thinking I should have thought it through, because we all went in the same car so I'm out in the middle of nowhere at a pie shop with no way to get to her."

Suddenly, the Black Hills laptops began blinking with activity. Rita had done it. The USB drives she had planted were creating so-called web shells, which gave the team at the café access to various computers and servers inside the prison. Strand remembers one colleague yelling out: "Your mom's OK!"

In fact, Rita had encountered no resistance at all inside the prison. She told the guards at the entrance that she was conducting a surprise health inspection and they not only allowed her in, but let her keep her cell phone, with which she recorded the entire operation. In the facility's kitchen, she checked the temperatures in refrigerators and freezers, pretended to swab for bacteria on the floors and counters, looked for expired food, and took photos.

But Rita also asked to see employee work areas and break areas, the prison's network operations center, and even the server room—all allegedly to check for insect infestations, humidity levels, and mold. No one said no. She was even allowed to roam the prison alone, giving her ample time to take photos and plant her Rubber Duckies.

At the end of the "inspection," the prison director asked Rita to visit his office and suggest how the facility might improve its food service practices. She ran through some concerns, informed by decades being on the other side of health inspections. Then she handed him a specially prepared USB drive. The state had a helpful self-assessment checklist, she told the director, that he could use going forward to identify issues before an inspector showed up.

The Microsoft Word document was tainted with a malicious macro. When the prison boss clicked, he inadvertently gave Black Hills access to his computer.

"We were just dumbfounded," Strand says. "It was an overwhelming success. And there's a lot to take from it for the security community about fundamental weaknesses and the importance in institutional security of politely challenging authority. Even if someone says they're an elevator inspector or a health inspector or whatever, we need to do better about asking people questions. Don't blindly assume."


  • (Score: 4, Interesting) by janrinok (52) on Tuesday March 03 2020, @09:05AM (#965915)

    If this had been in a book, people would have pooh-poohed the whole scenario.

    The fact that somebody actually did it made me laugh out loud. Giving the prison director a thumb drive containing malware was the final masterstroke!

    I guess that a prison in South Dakota has a few questions to answer now...

  • (Score: 3, Informative) by takyon (881) on Tuesday March 03 2020, @02:35PM (#965988)

    According to TFA, the prison eventually shut down.

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]