John Strand breaks into things for a living. As a penetration tester, he is hired by organizations to attack their defenses and uncover weaknesses before real bad guys find them. Typically, Strand tackles these missions himself or sends one of his experienced colleagues at Black Hills Information Security. When he was preparing for a pen test at a correctional facility in South Dakota in July 2014, he took a decidedly different path. He sent his mother.
To be fair, it was Rita Strand's idea. Then 58, she had signed on the year before as Black Hills' chief financial officer after three decades in the food service industry. Because of that work experience, she was confident she could pose as a state health inspector to gain access to the prison. All it would take was a badge and the right patter.
"She came up to me one day and said, 'You know, I want to break in somewhere,'" says Strand, who is recounting the experience at the RSA cybersecurity conference in San Francisco this week. "And it's my mother, so what am I supposed to say?"
This is not as easy a call as it sounds. Penetration testers always say that you can get astonishingly far with just a clipboard and some confidence, but a first-time run at a state correctional facility is still daunting. And while pen testers are contractually permitted to break into a customer's systems, tensions can escalate quickly if they are caught. Two pen testers who broke into an Iowa courthouse as part of their work recently spent 12 hours in jail after a run-in with local authorities.
Rita Strand's mission would also be hampered by her lack of technical expertise. A professional pen tester can assess a company's digital security in real time and plant back doors tailored to what they find on the network in question. Rita had the health inspector act down cold, but she wasn't a hacker.
To get her in the door, Black Hills made Rita a fake badge, business cards, and a "manager" card with John's contact information. Assuming she got in, she would then take photos of the facility's access points and physical security features. Instead of having her try to hack computers herself, John equipped Rita with what are known as rubber duckies, malicious USB sticks that she would plug into any device she could. The USB sticks would call back to her colleagues at Black Hills and give them access to the prison's systems. They could then handle the digital side of the pen test remotely while Rita continued her rounds.
"It is very uncomfortable for most people when they do this for the first time," says Strand. "But she was all ready to go. Cybersecurity in a jail is vital for obvious reasons. If someone could break into a jail and take over its computer systems, getting someone out of jail would be really easy."
On the morning of the pen test, the Strands and some colleagues drove to a cafe near the prison. Fortified with a caramel roll and a piece of pecan cake, they set up a war room with laptops, mobile hotspots, and other equipment. When everything was in place, Rita headed to the prison alone.
"She takes off, and I'm thinking in the back of my head that this is a really bad idea," says Strand. "She has no experience with pen tests. No experience with IT hacking. I said, 'Mom, if it gets bad, you have to pick up the phone and call me immediately.'"
Pen testers typically try to get in and out of a facility as quickly as possible so as not to raise suspicion. But after 45 minutes of waiting, there was no sign of Rita.
"It's getting to be about an hour and I'm panicking," he says. "And I'm thinking I should have considered this, because we all came in the same car, so I'm in the middle of nowhere in a cake shop and have no way of getting to her."
Suddenly, the Black Hills laptops lit up with activity. Rita had done it. The USB drives she had planted created so-called web shells that gave the team in the cafe access to various computers and servers in the prison. Strand remembers a colleague shouting, "Your mother is fine!"
In fact, Rita had met no resistance at all at the prison. She told the guards at the entrance that she was conducting a surprise health inspection, and not only did they let her in, they also let her keep her cell phone, which she used to record the entire operation. In the facility's kitchen she checked the temperatures in the fridges and freezers, made a show of inspecting the floors and counters for bacteria, looked for expired food, and took photos.
But Rita also asked to visit the employees' work and break areas, the prison's network operations center, and even the server room, all ostensibly to look for insects, humidity, and mold. Nobody said no. She was even allowed to roam the prison on her own, which gave her plenty of time to take photos and plant her rubber duckies.
At the end of the "inspection," the prison's director asked Rita to come to his office and suggest how the facility could improve its food service practices. She had some suggestions, drawing on decades spent on the other side of health inspections. Then she gave him a specially prepared USB drive. The state had a helpful self-assessment checklist on it, she told the director, which he could use to identify problems before an inspector showed up.
The Microsoft Word document was laced with a malicious macro. When the director opened it, he unwittingly gave Black Hills access to his computer.
"We were just amazed," says Strand. "It was an overwhelming success. And there's a lot for the security community to take away about fundamental weaknesses and the importance of politely challenging authority for institutional security. Even if someone says they're an elevator inspector or a health inspector or whatever, we have to do better by asking people questions. Don't accept blindly."
Other pen testers emphasize that Rita's story, while extraordinary, closely reflects their own daily experience.
"The physical aspects of things and what you can talk your way into are incredible. We are constantly doing similar work and are rarely caught," says David Kennedy, founder of the pen testing company TrustedSec, who first heard an abbreviated version of Strand's story at the Derbycon security conference, which Kennedy chaired. "If you claim to be an inspector, an auditor, or an authority figure, anything is possible."
In 2016, Rita died of pancreatic cancer; she never had the opportunity to do another pen test. Strand declined to say which prison his mother had entered, only that it has since closed. But her efforts made an impact. "The prison made security improvements as a result of the pen test," says Strand. "I also think it improved their health program."
This story originally appeared on wired.com.