Security

'How a Hacker's Mom Broke Into Prison -- and the Warden's Computer' (arstechnica.com) 25

An anonymous reader quotes Ars Technica: John Strand breaks into things for a living. As a penetration tester, he gets hired by organizations to attack their defenses, helping reveal weaknesses before actual bad guys find them. Normally, Strand embarks on these missions himself or deploys one of his experienced colleagues at Black Hills Information Security. But in July 2014, prepping for a pen test of a South Dakota correctional facility, he took a decidedly different tack. He sent his mom.

In fairness, it was Rita Strand's idea. Then 58, she had signed on as chief financial officer of Black Hills the previous year after three decades in the food service industry. She was confident, given that professional experience, that she could pose as a state health inspector to gain access to the prison. All it would take was a fake badge and the right patter. "She approached me one day and said 'You know, I want to break in somewhere,'" says Strand, who is sharing the experience this week at the RSA cybersecurity conference in San Francisco. "And it's my mom, so what am I supposed to say...?"

To help get her in the door, Black Hills made Rita a fake badge, a business card, and a "manager's" card with John's contact info on it. Assuming she got inside, she would then take photos of the facility's access points and physical security features. Rather than have her try to hack any computers herself, John equipped Rita with so-called Rubber Duckies, malicious USB sticks that she would plug into every device she could. The thumb drives would beacon back to her Black Hills colleagues and give them access to the prison's systems. Then they could work on the digital side of the pen test remotely while Rita continued her rampage.

It's a fascinating story, though Strand also points out that "Prison cybersecurity is crucial for obvious reasons.

"If someone could break into the prison and take over computer systems, it becomes really easy to take someone out of the prison."
    • by pz ( 113803 )

      This presentation is wholly worth the time to watch/listen (mostly listening). It speaks to a number of important themes for social engineering and interacting with the world at large.

      First, do what you know. The woman in question had worked as a lunch lady at a school for 25 years and had participated (on the receiving end) in many, many health inspections. Health inspectors are expected to make surprise inspections. The woman was able to properly impersonate a health inspector because she could have e

  • LOL (Score:5, Interesting)

    by nospam007 ( 722110 ) * on Monday March 02, 2020 @07:37AM (#59786752)

    They can't control that, YouTube has thousands of videos where photographers are hassled by multiple prison guards and the warden, because they film the prison from outside, from public access, a perfectly legal activity.

    They deem that 'suspicious' and call the cops which then have to educate them about the law.

    Just google "1st amendment audit prison", it's hilarious.

  • News for nerds (Score:4, Informative)

    by nospam007 ( 722110 ) * on Monday March 02, 2020 @07:43AM (#59786770)

    Unfortunately the lady died 4 years ago and the prison no longer exists, but nonetheless it's educational.

  • Re: (Score:2, Offtopic)

    Comment removed based on user account deletion
    • Hackers are able to social engineer themselves into anything, except the pants of somebody they desire.

      Only those that forget if you want to penetrate a system, you must understand and exploit the OS controlling it, not the one controlling you.

    • That's funny. I actually wonder how people with any social engineering experience do vs the population in general. For me, that was true until I learned how to talk to ladies when I was about 30 years old. When I learned, I *really* learned. I got to be very good at getting dates, after being very bad at it for a long time.

      Which means there is hope for any nerds who don't know how - there actually are principles one can learn, very effective principles which work. They work even if you're a scrawny, fu

      • Serious question - do you think you learned or your brain / social maturity reached a place where it was more natural / desirable?

        Or are the two so intertwined it's impossible to pull them apart?

        Or third way to ask - could you have taught and learned yourself 15 years earlier, or do you think it wasn't physically possible / there was no interest from the 15-year-old you?

        • It was very much specific things I learned. Just like learning a programming language or anything else.

          While self-confidence is very important, I learned and developed very specific, concrete ways to get the relevant self-confidence. There was practice just like you would practice when learning a new technology. Life experience also helped with self-confidence, but the learned methods of developing confidence were key.

          The one thing about it that was NOT simply learning in that way was intentions, what one

        • Richard Feynman used direct observation to teach himself quite rapidly how to score pretty much any woman he wanted to. Granted he was a few dozen IQ points above most of us nerds.
