Computer security experts always stress that the first barrier to any attack is the common sense of the users: if the doors and windows are closed, it will always be harder to break in and rob the place. This is what the computer scientist John Strand set out to demonstrate with the help of his mother, Rita, who sneaked into a prison and let him ‘hack’ it armed with the two best lockpicks available: a USB stick and self-confidence.
Strand owns Black Hills Information Security, a security company, while his mother, who had worked as a cook for 30 years, served as its CFO. Black Hills specializes in pentesting (penetration testing), an activity that consists of attacking the company that hires its services in order to find flaws that real criminals could exploit, before they get the opportunity. What the prison did not count on was that a 58-year-old woman would manage to get into the very office, and the very computer, of the director of the prison they were working for.
The expert recounted all this in a talk entitled ‘I made my mother sneak into a prison. Then we had cake.’ The idea was to demonstrate the importance of the human element in the security of companies and organizations, and for this he turned to this anecdote starring his mother.
The idea, in fact, came from Rita herself, who also chose the prison as her target from among all of Black Hills’ clients. Drawing on her experience as a cook, she would pose as a health inspector, since she had been through dozens of such inspections.
They chose the date (Friday, July 5, to take advantage of reduced staffing, since the Thursday was a national holiday), made a fake ID badge, armed his mother with a folder and several infected USB sticks, and took up position, cake included, in a nearby coffee shop. Rita drove off toward the institution (about which Strand only reveals that it closed years later).
“As she was leaving I remember thinking it was not a good idea,” Strand reveals. And when they had not heard from Rita 45 minutes later, he was convinced they were going to get into trouble. However, soon afterwards they began to see that they had access to computers and servers. Suddenly a new one appeared: the prison director’s. “My mother was not only successful, she was the host.”
The three-quarter-hour delay was explained when Strand’s mother turned up at the base of operations 90 minutes after leaving (“she didn’t even bother to call us from the parking lot or something; she just showed up”): she had gotten so far into the role of inspector that she forgot she was doing a penetration test and had to go back to areas she had already been through, and inspected as a health expert, in order to plant the malicious USB sticks.
Otherwise, everything had gone smoothly. She was even able to bring in her phone, so she could record the process. She simply walked in, said she was an inspector, and they asked her what she needed to see. Nothing suspicious: employee work areas, garbage, refrigerators and … the Network Control Center. “Right this way, ma’am.”
Naturally, they let her do her job without interruption. When she was done, the director met with her in his office and asked whether there was any way to prepare for a future inspection. “Yes, there is a document on this USB.” The document was, of course, a Word file with a macro that gave access to the computer that opened it.
In Strand’s opinion, the key was that his mother had experience (she even pointed out the prison’s sanitary shortcomings to the director) but, above all, authority, and “people never question authority.” “She wasn’t a tech savvy person, she wasn’t a hacker, but she knew there’s a fundamental problem with trust.” The computer scientist considers it important that we be able to question authority and, if we are in a position of authority, that we allow this to happen.
The test was so successful that Black Hills began including it in its presentations, and it became common for companies to hire its services on the condition that Rita not be involved. The reason? Simple: she would get in. Unfortunately, shortly after her brief experience she was diagnosed with pancreatic cancer and later passed away, having become a security advocate and the ‘hacker’ who successfully attacked a prison and then had cake.