Security researcher details how mom helped break into prison computer network

Shawn Knight

In brief: “Penetration tester.” It’s a unique job title, for sure, but for John Strand, it’s an accurate description of what he does for a living. Companies and organizations hire ethical hackers like Strand to probe their networks, testing their defenses before nefarious-minded individuals or groups can exploit vulnerabilities for personal gain.

Strand usually conducts these tests on his own but as he shared during last week’s RSA Conference in San Francisco, for a 2014 job, he enlisted the help of an accomplice that the target never saw coming: his mother.

A South Dakota correctional facility enlisted Strand’s help to test its digital security but he threw them a curveball by sending his 58-year-old mother Rita to the prison. Posing as a state health inspector complete with phony credentials, she was able to infiltrate the prison without arousing suspicion and plug “Rubber Duckies” – malicious USB drives – into computers throughout the facility.

The drives beaconed back to Strand and his colleagues, giving them a way into the penitentiary’s network.

Alarmingly enough, Rita encountered zero resistance. She was even able to get in with her cell phone and was left to roam the prison without an escort. Worse yet, at the conclusion of her “inspection,” the prison director invited her to his office to discuss how to improve food service practices. She handed over another malicious USB drive with a “helpful self-assessment checklist” on it – really, a malicious Word document that granted Strand access to the boss’ computer.

“Prison cybersecurity is crucial for obvious reasons,” Strand said. “If someone could break into the prison and take over computer systems, it becomes really easy to take someone out of the prison.”

Even more concerning is the fact that stories like this aren’t all that uncommon in the pen tester community. David Kennedy, founder of the pen testing firm TrustedSec, told Wired they do similar jobs all the time and rarely get caught. “If you claim to be inspectors, auditors, someone of authority, anything is possible,” Kennedy added.

Masthead credit: Prison by MemoryMan. USB drive by SK Herb.

In a way, it doesn't surprise me at all that she was able to get away with that. Businesses and government entities are so focused on being traditionally computer hacked or phished that the thought of someone walking through the door and plugging in USBs would never cross their minds.

Exceptional lesson learned here.
 
"We were expecting the enemy from the east, and they came from the north...."
 
I just thought of something. The toughest doors don't stop robbers if there is never anybody there to catch them.
Prisons with state-of-the-art equipment aren't secure when the staff isn't trained.
Workers must be trained, always. And the more they are trained, the higher the quality of service they can provide.
That uncovers another problem: there aren't that many people who are good teachers.
 
Who knew some TV shows actually reflect reality??? IMO, it is incredible that something like this can, and does, happen in real life.
 
An important part that Shawn left out from the Wired article:
In fairness, it was Rita Strand's idea. Then 58, she had signed on as chief financial officer of Black Hills the previous year after three decades in the food service industry. She was confident, given that professional experience, that she could pose as a state health inspector to gain access to the prison. All it would take was a fake badge and the right patter.
So she already had the experience to pull it off.
 
And to think, we are farming out so many of these "services" like jails and prisons to contractors that are more worried about their bottom line than their responsibilities. Some 45% of services to the military are the same way... and we don't seem to worry about their lack of security... unless you were the poor fool that hired Snowden or recruited Manning... once again, experience is the best teacher, but are we learning from the lessons?