Computer security experts always stress that the first barrier to any attack is the common sense of the users: if the doors and windows are kept shut, it is always harder to get in and rob the place. That is what security professional John Strand set out to demonstrate with the help of his mother, Rita, who walked into a prison and 'hacked' it armed with the two best lock picks available: a USB stick and confidence in herself.
Strand owns Black Hills Information Security, a security company, and his mother, who had worked as a cook for 30 years, served as its CFO. Black Hills specializes in pentesting (penetration testing), which consists of attacking the company that hires the service in order to find flaws before real criminals have the chance to use them. What nobody counted on was that it would be a 58-year-old woman who managed to reach the very office, and the computer, of the director of the prison they were hired to test.
John Strand told a conference how his mother posed as a health inspector to sneak into a prison and test its security
The expert recounted all of this in a talk entitled 'I made my mother sneak into a prison. Then we had a cake.' The aim was to demonstrate the importance of the human element in the security of companies and organizations, and to make that point he told this story starring his mother.
The idea, in fact, came from Rita herself, who also chose the prison as her target from among all of Black Hills' clients. Drawing on her experience as a cook, she would pose as a health inspector, since she had been through dozens of such inspections herself.
They chose the date, a Friday, July 5, to take advantage of the reduced staffing after the national holiday on the Thursday; they made a fake ID badge, armed his mother with a folder and several infected USB sticks, and took up position, cake included, in a nearby coffee shop. Rita got into the car and drove to the institution (about which Strand reveals only that it closed some years later).
"As she was leaving I remember thinking it was not a good idea," Strand admits. When they had not heard from Rita 45 minutes later, he was convinced they were going to get into trouble. Soon afterward, however, they began to see that they had access to computers and servers. Then a new one appeared: that of the prison director. "My mother was not only successful; she was the host."
The three-quarter-hour delay was explained when Strand's mother turned up at the base of operations 90 minutes after leaving them ("she didn't even bother to call us from the parking lot or something; she just showed up"): she had got so deep into the role of inspector that she forgot she was doing a penetration test, and had to go back to areas she had already walked through, and inspected as a health expert, to plant the malicious USB sticks.
Otherwise, everything went smoothly. She was even able to bring in her phone, so she could record the process. She simply walked in, said she was an inspector, and they asked her what she needed to see. Nothing suspicious: employee work areas, garbage, refrigerators, and... the control center. "Come this way, ma'am."
Naturally, they let her do her job without interruption. When she had finished, the director met with her in his office and asked whether there was any way to prepare for a future inspection. "Yes, there is a document on this USB." The document, of course, was a Word file carrying a macro that, once the file was opened with macros enabled, gave the team access to the computer running it.
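The payload in the story is a macro-enabled Word document. As an added example (not code from the article, from John Strand or from Black Hills), the Python below shows the check a practitioner would run on anything handed over on a USB stick before opening it: a modern Word file is a ZIP archive, and compiled VBA lives in a `word/vbaProject.bin` part that is also advertised in `[Content_Types].xml`. The sample archives are constructed in memory for the demo; the legacy binary `.doc` format is not a ZIP and needs a different parser.

```python
"""Triage check for VBA macros in Office Open XML (.docx/.docm) files.

Added example, not the tooling from the article. The sample documents built
by build_sample() are constructed inline so the script runs offline.
"""
import io
import zipfile

# Parts that hold compiled VBA in Word, Excel and PowerPoint OOXML packages.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Content type Office assigns to the vbaProject part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Main-part content type of a macro-enabled Word document (.docm).
DOCM_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"


def find_macro_indicators(data: bytes) -> list:
    """Return a list of macro indicators found in the file (empty if none)."""
    indicators = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            for part in VBA_PARTS:
                if part in names:
                    indicators.append(part)
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in types_xml:
                    indicators.append("content-type:" + VBA_CONTENT_TYPE)
                if DOCM_MAIN_TYPE in types_xml:
                    indicators.append("content-type:" + DOCM_MAIN_TYPE)
    except zipfile.BadZipFile:
        # Not an OOXML package: legacy .doc (OLE2) files need an OLE parser instead.
        indicators.append("not-ooxml")
    return indicators


def has_macros(data: bytes) -> bool:
    """True when the package carries a VBA project or declares itself macro-enabled."""
    return any(i != "not-ooxml" for i in find_macro_indicators(data))


def build_sample(with_macro: bool) -> bytes:
    """Build a constructed, minimal Word package with or without a VBA part (demo data)."""
    main_type = DOCM_MAIN_TYPE if with_macro else \
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
    if with_macro:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'{overrides}</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project (constructed).
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed vba stub")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)), ("macro", build_sample(True))):
        print(label, has_macros(sample), find_macro_indicators(sample))
```

Usage on a real file is `has_macros(open(path, "rb").read())`. Note that Word will not execute macros stored in a file with a `.docx` extension, so a VBA part inside a `.docx` is as suspicious as a `.docm`; either way the finding is "do not open this outside a sandbox", not a verdict on what the macro does.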
In Strand's view, the key was that his mother had experience (she went so far as to inform the director of the sanitary deficiencies of the prison), but above all authority, and "people never question authority." "She was not a technically savvy person, she was not a hacker, but she knew there is a fundamental problem with trust." He considers it important that we be able to question authority and, if we are in a position of authority, that we allow it to be questioned.
The exercise was so successful that Black Hills began to include it in its presentations, and companies routinely hired its services on the condition that Rita would not be sent. The reason? Simple: she would get in. Sadly, shortly after her brief experience she was diagnosed with pancreatic cancer and later passed away, remembered as a security advocate and as the 'hacker' who successfully attacked a prison and then had a cake.