By Anthony Berrios

Blog Post #10
A man by the name of John Strand is a penetration tester for Black Hills Information Security. As a pen tester, he was hired by an organization to test the security of a South Dakota correctional facility. But instead of going in himself, he did something that most likely hasn’t been done before. He sent his own mother. To provide some background, John’s mother, Rita, had just recently become a chief financial officer for Black Hills after spending three decades in the food service industry. She told her son that she wanted to break in somewhere, so of course he had to grant his mother’s wishes. Rita had confidence and plenty of professional experience, but she was certainly no hacker. However, John knew that she could pose as a state health inspector and, with the right credentials, make her way inside the prison.
Since Rita had no technical experience, the digital side of the pen test had to be done remotely. To do this, Rita was given a USB flash drive that would plug into the prison’s devices and give John and his team remote access to the prison’s systems. Almost an hour after sending in his mother, John still hadn’t heard back. At this point John was feeling idiotic for sending his mother, who had no pen testing or IT hacking experience whatsoever, into an environment such as this.
All of a sudden, the laptops belonging to John and his team started flashing frantically. Rita had been successful. Their laptops had started creating web shells that gave them access to the prison’s computer network from the comfort of the local cafe they were sitting in, just miles down the road. What is truly astounding is that Rita was given no trouble at all as she entered the prison. She pretended to check the kitchen for health risks and even made her way to the server room, where she planted the USB drives, all with no supervision or anyone watching her.
The real surprise, however, came when the warden called Rita into his office for advice on the prison’s food service practices. This is where Rita’s past experience in the food industry really shined. She was able to walk him through it all and even handed him a flash drive that she told him contained a self-assessment checklist that the prison could look over before inspectors visited. What the warden didn’t know was that the checklist was really a Word document loaded with malware that instantly gave access to his computer.
This is a remarkable story because it shows how important pen testers are to improving the security of not only prisons but also important buildings and companies all over the country. Also, it’s not every day that an untrained pen tester is able to successfully infiltrate a prison’s network.
