Security researcher details how mom helped break into prison computer network
Quality social engineering. By Shawn Knight
In brief: "Penetration tester." It's a unique job title, for sure, but for John Strand, it's an accurate description of what he does for a living. Companies and organizations hire ethical hackers like Strand to probe their networks, testing their defenses before nefarious-minded individuals or groups can exploit vulnerabilities for personal gain.
Strand usually conducts these tests on his own, but as he shared during last week's RSA Conference in San Francisco, for a 2014 job he enlisted the help of an accomplice that the target never saw coming: his mother.
A South Dakota correctional facility enlisted Strand's help to test its digital security, but he threw them a curveball by sending his 58-year-old mother Rita to the prison. Posing as a state health inspector complete with phony credentials, she was able to infiltrate the prison without arousing suspicion and plug "Rubber Duckies" - malicious USB drives - into computers throughout the facility.
The drives beaconed back to Strand and his colleagues, giving them a way into the penitentiary's network.
Alarmingly enough, Rita encountered zero resistance. She was even able to get in with her cell phone and was left to roam the prison without an escort. Worse yet, at the conclusion of her "inspection," the prison director invited her to his office to discuss how to improve food service practices. She handed over another malicious USB drive with a "helpful self-assessment checklist" on it - really, a malicious Word document that granted Strand access to the boss's computer.
"Prison cybersecurity is crucial for obvious reasons," Strand said. "If someone could break into the prison and take over computer systems, it becomes really easy to take someone out of the prison."
Even more concerning is the fact that stories like this aren't all that uncommon in the pen tester community. David Kennedy, founder of the pen testing firm TrustedSec, told Wired they do similar jobs all the time and rarely get caught. "If you claim to be inspectors, auditors, someone of authority, anything is possible," Kennedy added.