Penetration Tests, Prison Security, And Mothers

Questioning authority is important part of avoiding social engineering attacks.


There is always an interesting sounding presentation at RSA that looks like it might be a good blog post topic just based on the title. This year it was “I Had My Mom Break Into A Prison Then We Had Pie” by John Strand of Black Hills Information Security.

A pen test is short for a penetration test. They can take various forms from trying to log in to a system they shouldn’t, to trying to get into a building. This is known as a physical pen test, which might involve things as simple as looking for open windows at night. But one common type of pen, and the relevant one here, is whether someone can get into the building and do damage during working hours: get past the guards, through any locked doors, and so on.

John said that this has become a bit stylized these days since everyone is a bit too conservative. The pen testers don’t want to try something novel and perhaps risky. The companies don’t really want to know just how bad their security is, they want to pass the test. Common approaches are things like posing as a Subway delivery (complete with uniform, boxes of sandwiches, and so on). At the last RSA I attended, I remember someone saying ladders are great, since people will open the door and hold it for you since you have your hands full.

But, as John said, “consistency is cheap…but consistency is mediocre.”

On the other hand, you don’t want to terrify the organization since “fear is not a good pedagogical tool.” You want to show the company who has hired you what can happen, but without saying something like “I’m going to break into your computer systems, the CEO’s computer, read his personal emails…” Their reaction will not be “great,” it will be “never hire Black Hills Security again.”

Rita is John’s (then) 58-year old mother. Three things John told us about Rita that are relevant:

  • She used to be a school food service director and was the superintendent for all the cafeterias in all the schools in a school district.
  • She became the CFO of Black Hills Information Security.
  • After reading lots of reports on breaking into companies, she really wanted to try to do a pen test herself.

So Rita wanted to try it. So John suggested the Subway Sandwich thing, or something simple.

“That will never work,” Rita said.


“Do I look like a sandwich artist?”

She looks at the details of the prison they’re supposed to break into and says, “I’ll get in five minutes! I’m going to show up and I’m going to be a health inspector.”

Remember, she’s been through hundreds of health inspections. She knows how they’re done.

“I’ve got the clipboard, I’ve got the sheets, I’ll give them a full health inspection and I’ll plug in your USB sticks and it won’t take long. In and out in less than an hour.”

So they made up a suitable official-looking badge. Rita printed out a few copies of the actual forms the health inspectors in the area used. Rita is not technical so they didn’t want her trying to hack any computer systems. They just gave her a bunch of USB thumb-drives that when plugged in would phone home so that they knew they had successfully compromised another computer. Apparently, the word for these is “rubber duckies” although I never noticed John use the phrase in his presentation—I got that from the Wired article on the presentation that came out the day before he even gave it.

So here’s the setup. John and his colleagues are going to stay at a coffee shop. His Mom will take the car, drive to the correctional facility, she’d do the assessment, and they would wait with their laptops, and wait for the beacons to come back as soon as she started plugging stuff in. She drives off, and for half an hour…nothing. No phone calls, no beacons. John is starting to panic since he doesn’t have a car and it is too far to walk.

Suddenly, Ben, his colleague says, “She must be okay.”

“How do you know she’s okay?”

“We are getting shells.”

Fifteen minutes later, another connection. Fifteen minutes after that, they get a connection from the computer of the director of the correctional facility. “Not only was Mom successful, Mom was a badass.”

She shows up eventually, not having bothered to call to say she was out and safe.

“Mom, what happened? Tell me about it?”

“Well, they actually only got an 82 on their overall score. The refrigerator wasn’t set at the proper temperature, I noticed that their sinks weren’t clean. They didn’t have any bleach…anywhere.”

“But…but…what about the assessment?”

“Oh yes, the assessment. I almost forgot.”

“So what happened?”

“I showed up, went to the front gate, said I was a health inspector there for a surprise health inspection.”

So they asked her where she needed to go and she said she needed access to the employee rest area, also employee offices since sometimes people leave food waste in trash cans that they shouldn’t, “and I also need to look at your NOC. I need to get in there to make sure the temperature is correct, the humidity is correct.”

She recorded audio the whole time and apparently you can literally hear the guy jingling his keys to open up the network closet. Then he says “you good?” and walks away.

It turns out what had happened is that she’d done the whole health inspection, and then forgot why she was there! She had to go back to places to plug in the USB sticks. She’s almost done, and the director calls her into her office. So she goes over the whole health inspection, and all the problems, and what needs to be fixed.

At the end, the director says, “Is there any way we could prepare for this better?”

Rita says, “Yes. On this USB drive is a document with a self-assessment questionnaire…” pwned!

They wrote a version up as a case study. From then on, they would often get clients who would say, “We want a self-assessment, but you can’t use Rita.”

John looped back to his opening where he said a lot of clients didn’t want to try new things. They didn’t want to use Rita because they knew it was going to work.

“This gets into a question of authority, and how we handle authority. My Mom had the background, the training, and she handled herself with authority. People almost never want to question authority. My Mom never once got challenged. We need to, number one, do a better job of training people to challenge. And, number two, if you are in a position of authority and somebody challenges your authority, how about you don’t blow up.”

Another lesson John had was to treat users with respect since nobody likes being talked down to, and they can tell. “Let me give you an example. We are good at security, here at RSA. You’re probably at the pointy end of the spear of IT security. People who aren’t are good at other things, accounting, math, crochet. They are good at something else because they put their time and effort into that. Don’t be like ‘The IT Crowd’ and treat your users as idiots.”

Use stories not statistics
Think about how you would get across the idea that people need to be more comfortable challenging everyone, even people with authority. You could have lots of statistics about how easy it is to get around people who don’t, or something like that. Or, you could tell a story that makes the point. Like this presentation did.

Another good story
Another great and memorable story was the one I wrote about in my post Some Real Russian Hacking. Two hackers are challenged by a TV channel to hack one of their producers while she at a conference they are all attending in Moscow. The end of the story (there is video) is the producer interviewing the two on the show and they show her a little flag…before admitting that they bought it with her credit card, after using her Uber account to get to the flag store, and after tweeting out using her blue-checked ID.

Leave a Reply

(Note: This name will be displayed publicly)