
Computer security experts always insist that the first barrier to any attack is the common sense of the users; if doors and windows are closed, it will always be more difficult to steal. This is what the computer scientist John Strand wanted to demonstrate with the help of his mother, Rita, who slipped into a prison and managed to hack it with the two best lock picks available: a USB drive and self-confidence.

Strand is the owner of Black Hills Information Security, a company dedicated to security, while his mother, who had worked 30 years as a cook, worked as CFO. Black Hills specialized in pentesting (penetration tests), an activity that involves attacking the company that hires its services in order to find flaws that real criminals could use, before they have the opportunity. What nobody counted on was that a 58-year-old lady would manage to access the very office, and computer, of the director of the prison they were working for.

The expert told all this in a lecture entitled 'I had my mother sneak into a prison. Then we had a cake.' The idea was to demonstrate the importance of the human element in the security of companies and organizations, and for this he turned to this anecdote starring his mother.

The idea, in fact, came from Rita herself, who also chose the prison as the target from among all Black Hills clients. Taking advantage of her experience as a cook, she would impersonate a health inspector, since she had been through dozens of such visits.

They chose the date (Friday, July 5, to take advantage of the lack of staff, since the Thursday was a national holiday), created a fake card, armed his mother with a folder and several infected USB drives, and took up position, with cake, in a coffee shop nearby. Rita got into the car and headed for the institution (of which Strand only reveals that it closed years later).

"As she was leaving, I remember that I thought it was not a good idea," Strand reveals. And when 45 minutes later they had no news of Rita, he was convinced that they were going to get into trouble. However, soon after, they began to see that they could access computers and servers. Suddenly a new one appeared: that of the prison director. "My mother was not only successful; she was the host."

The three-quarter-hour delay was explained when Strand's mother appeared at the base of operations 90 minutes after leaving it ("she didn't even bother to call us from the parking lot or anything; she just appeared"): she had got so deep into the role of inspector that she forgot she was doing a penetration test, and had to return to areas where she had already been, and which she had examined as a health expert, to plug in the malicious USB drives.

Otherwise, everything had gone smoothly. She was even able to get in with her phone, so she had the possibility of recording the process. She simply arrived, said she was an inspector and asked what she had to do. Nothing suspicious: the work areas of employees, garbage, refrigerators and ... the Network Control Center. "Stop by, ma'am."

Of course, they let her do her job without interruption. When she finished, the director met her in his office and asked if there was any way to prepare for an inspection in the future. "Yes, on this USB there is a document." The document, of course, was a Word file with a macro that allowed access to the computer that executed it.

In Strand's opinion, the key was that his mother had experience (she even informed the director of the sanitary deficiencies of his prison), but, above all, authority, and "people never question authority." "She was not a person with technical knowledge, she was not a hacker, but she knew there is a fundamental problem with trust." The computer scientist considers it important that we are able to question authority and, if we are in a position of authority, that we let this happen.

The test was so successful that Black Hills began to include it in its presentations, and it became normal for companies to hire its services but on the condition that it did not employ Rita. The reason? Simple: she would sneak in. Unfortunately, shortly after her brief experience she was diagnosed with pancreatic cancer and died some time later, having become a security defender and the 'hacker' who successfully attacked a prison and then had cake.
