How do you break into a prison's systems? A security-testing hacker sent in his own mom

October 26, 2019

How a hacker’s mom broke into prison—and the warden’s computer


John Strand breaks into things for a living. As a penetration tester, he gets hired by organizations to attack their defenses, helping reveal weaknesses before actual bad guys find them. Normally, Strand embarks on these missions himself or deploys one of his experienced colleagues at Black Hills Information Security. But in July 2014, prepping for a pen test of a South Dakota correctional facility, he took a decidedly different tack. He sent his mom.

John Strand is a penetration tester who makes a living breaking into systems. Organizations hire him to attack their defenses so that weaknesses can be found. Normally Strand carries out the penetration himself, or at least sends an experienced colleague from Black Hills Information Security. But in July 2014, while doing a penetration test of a South Dakota correctional facility, he took a completely different approach: he sent in his own mother.

In fairness, it was Rita Strand’s idea. Then 58, she had signed on as chief financial officer of Black Hills the previous year after three decades in the food service industry. She was confident, given that professional experience, that she could pose as a state health inspector to gain access to the prison. All it would take was a fake badge and the right patter.

In fairness, it was Rita Strand's idea. Then 58, she had become Black Hills' chief financial officer after thirty years in the food service industry. Given that professional experience, she was confident that she could pose as an official of the state health department and physically break into the prison. All it would take was a fake badge and the right manner of speaking.

“She approached me one day and said ‘You know, I want to break in somewhere,’” says Strand, who is sharing the experience this week at the RSA cybersecurity conference in San Francisco. “And it’s my mom, so what am I supposed to say?”

“She came up to me one day and said, ‘You know, I've always wanted to break in somewhere,’” Strand said, sharing his story this week at the RSA cybersecurity conference in San Francisco. “That's my own mom, so what could I do?”

That’s not as easy a call as it might sound. Penetration testers always say that you can get amazingly far with just a clipboard and some confidence, but a novice run at a state correctional facility is just plain daunting. And while pen testers are contractually permitted to break into a client’s systems, if they’re caught, tensions can escalate quickly. Two pen testers who broke into an Iowa courthouse as part of their job recently spent 12 hours in jail after a run-in with local authorities.

Even though the two penetration testers' intrusion was authorized under their contract, if testers are caught in the act by security staff who have been kept in the dark (if the staff were told about the undercover visit in advance, the visit would lose its value), tensions can escalate quickly. Two testers who sneaked into an Iowa courthouse on the job spent 12 hours in jail after a run-in with local authorities.

Rita Strand’s mission would also be complicated by her lack of technical expertise. A professional pen tester would be able to assess an organization’s digital security in real time and plant back doors tailored to what they found on the specific network. Rita had the health inspector guise down cold, but she was no hacker.

Rita Strand's mission was further complicated by her lack of the necessary technical skills. A professional would be able to assess digital security in real time and plant back doors tailored to the particular network. Rita had plenty of experience, but not hacking experience.

To help get her in the door, Black Hills made Rita a fake badge, a business card, and a “manager’s” card with John’s contact info on it. Assuming she got inside, she would then take photos of the facility’s access points and physical security features. Rather than have her try to hack any computers herself, John equipped Rita with so-called Rubber Duckies, malicious USB sticks that she would plug into every device she could. The thumb drives would beacon back to her Black Hills colleagues and give them access to the prison’s systems. Then they could work on the digital side of the pen test remotely while Rita continued her rampage.

To help her, Black Hills made Rita a fake badge, a business card, and a “manager's” card with Strand's contact information on it. If she succeeded in getting in, she was to photograph the surroundings and the layout of the building. Rather than try to break into any computers from the outside, Strand equipped his mom with so-called Rubber Duckies: malicious USB sticks that could be plugged into any device. The thumb drives would beacon back to Black Hills and give them access to the prison's systems. The team could then carry out the digital part remotely.

“For most people, the first couple of times they do this they get really uncomfortable,” Strand says. “But she was all ready to go. Prison cybersecurity is crucial for obvious reasons. If someone could break into the prison and take over computer systems, it becomes really easy to take someone out of the prison.”

Strand said: “For most people, the first time they do this kind of work, it feels very uncomfortable. But she adapted well. For obvious reasons, prison cybersecurity is critically important. If someone could break into the prison and take over the computer systems, helping someone escape would become easy.”

The morning of the pen test, the Strands and some colleagues carpooled to a café near the prison. Over a preparatory caramel roll and slice of pecan pie, they set up a war room of laptops, mobile hot spots, and other gear. When everything was set, Rita drove off to the prison on her own.

On the morning the plan went into action, Strand and his colleagues drove to a café near the prison. With caramel rolls and pecan pie ready, they opened their laptops, mobile hotspots, and other gear and turned the place into a makeshift war room. Once everything was ready, Rita drove off to the prison alone.

“She takes off, and I’m thinking in the back of my head that this is a really bad idea,” Strand says. “She has no pen testing experience. No IT hacking experience. I had said, ‘Mom, if this gets bad you need to pick up the phone and call me immediately.’”

Strand said: “She left, and a voice in my head kept reminding me that this was a really bad idea. She had no experience at all, let alone any IT hacking skills. I had warned her, ‘Mom, if things go bad, pick up the phone and call me immediately.’”

Pen testers usually try to get in and out of a facility as quickly as possible to avoid arousing suspicion. But after 45 minutes of waiting, there was no sign of Rita.

Testers usually get in and out quickly to avoid arousing suspicion. But after 45 minutes there was still no word from Rita.

“It gets to be about an hour, and I’m panicking,” he says. “And I’m thinking I should have thought it through, because we all went in the same car so I’m out in the middle of nowhere at a pie shop with no way to get to her.”

He said: “It was getting to be about an hour, and I was panicking. And I thought I should have planned it more carefully, because we had all come in the same car, so now we had no car to use and no way to get to her.”

Uh-oh

Uh-oh

Suddenly, the Black Hills laptops began blinking with activity. Rita had done it. The USB drives she had planted were creating so-called Web shells, which gave the team at the café access to various computers and servers inside the prison. Strand remembers one colleague yelling out: “Your mom’s OK!”

Suddenly, the Black Hills laptops began to blink. Rita had done it. The USB drives she had planted were creating so-called web shells, and now the hacking team could access various computers and servers inside the prison. Strand remembers one colleague shouting: “Your mom's OK!”

In fact, Rita had encountered no resistance at all inside the prison. She told the guards at the entrance that she was conducting a surprise health inspection, and they not only allowed her in but let her keep her cell phone, with which she recorded the entire operation. In the facility’s kitchen, she checked the temperatures in refrigerators and freezers, pretended to swab for bacteria on the floors and counters, looked for expired food, and took photos.

In fact, Rita ran into no trouble at all inside the prison. She told the guards at the entrance that she was conducting a surprise health inspection, and they not only let her in but let her keep her cell phone, which she used to record the whole process. In the kitchen, she checked the temperatures of the refrigerators and freezers, pretended to swab for bacteria on the floors and counters, looked for expired food, and took photos.

But Rita also asked to see employee work areas and break areas, the prison’s network operations center, and even the server room—all allegedly to check for insect infestations, humidity levels, and mold. No one said no. She was even allowed to roam the prison alone, giving her ample time to take photos and plant her Rubber Duckies.

But Rita also asked to see the staff work areas and break rooms, the prison's network operations center, and even the server room, claiming that insects and mold could breed there. No one said no to her. She was even allowed to operate alone, which gave her ample time to take photos.

At the end of the “inspection,” the prison director asked Rita to visit his office and suggest how the facility might improve its food service practices. She ran through some concerns, informed by decades being on the other side of health inspections. Then she handed him a specially prepared USB drive. The state had a helpful self-assessment checklist, she told the director, that he could use going forward to identify issues before an inspector showed up.

At the end of the “inspection,” the warden invited Rita to his office and asked her how the facility could improve its food service. With thirty years of experience in the food business, Rita was not the least bit fazed and spoke with ease. Then she handed him a specially prepared USB drive. She told the warden that the state had a particularly authoritative self-assessment checklist, and that he could make a copy of it for himself.

The Microsoft Word document was tainted with a malicious macro. When the prison boss clicked, he inadvertently gave Black Hills access to his computer.

The Microsoft Word document was tainted with a malicious macro. When the warden clicked it, the system was compromised.

“Dumbfounded”

“Dumbfounded”

“We were just dumbfounded,” Strand says. “It was an overwhelming success. And there’s a lot to take from it for the security community about fundamental weaknesses and the importance in institutional security of politely challenging authority. Even if someone says they’re an elevator inspector or a health inspector or whatever, we need to do better about asking people questions. Don’t blindly assume.”

“We were dumbfounded,” Strand said. “It was an overwhelming success. For the security community, the lesson is that there are fundamental weaknesses: politely challenging the representatives sent by an authority, and refusing requests from them that could endanger the security of the system, is an essential piece of professional common sense. Someone says they're an elevator inspector or a health department official, whatever; we need to verify properly and not blindly assume.”

Other pen testers emphasize that while Rita’s story is exceptional, it strongly reflects their daily experience.

Other testers emphasize that while Rita's story is remarkable, it strongly reflects the blind spots in our day-to-day experience.

“The physical aspects of things and what you can claim is incredible. We do similar jobs all the time and rarely ever get caught,” says David Kennedy, founder of the pen testing firm TrustedSec, who first heard an abridged version of Strand’s story at the Derbycon security conference, which Kennedy ran. “If you claim to be inspectors, auditors, someone of authority, anything is possible.”

David Kennedy, founder of the testing firm TrustedSec, said: “The physical vulnerabilities in systems are unbelievably numerous. We do similar jobs all the time and rarely get caught. As long as you claim to be an inspector, an auditor, a person of authority, anything is possible.”

In 2016, Rita died of pancreatic cancer; she never had a chance to do another pen test. Strand declined to say which prison his mother infiltrated, only that it has since shut down. But her efforts made an impact. “The prison made security improvements as a result of the pen test,” Strand says. “I also think their health program was improved by it as well.”

In 2016, Rita died of pancreatic cancer; she never attempted another penetration. Strand declined to say which prison his mother infiltrated, only that the prison has since been shut down. But her efforts made a difference. Strand said: “As a result of the test, the prison improved its security. I think their food-service health standards improved as well.”

小e英语