Darknet Diaries - 67: The Big House
Episode Date: June 9, 2020

John Strand is a penetration tester. He’s paid to break into computer networks and buildings to test their security. In this episode we listen to stories he has from doing this type of work.

Thanks to John Strand for coming on the show and telling your story.

Sponsors

Support for this episode comes from LastPass. LastPass is a great password manager but it can do so much more. It can setup 2FA for your company, or use it to monitor what your users are doing in the network. Visit LastPass.com/Darknet to start your 14 day free trial.

Support for this episode comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.

Sources

How a Hacker’s Mom Broke Into a Prison—and the Warden’s Computer
Video: How not to suck at pen testing John Strand
Video: I Had My Mom Break Into Prison
Transcript
You ever drive by a prison or juvenile correction facility and see the prisoners outside in the yard?
Am I the only one who immediately starts looking at ways they can escape?
Seriously, I've parked and stared at prison fences multiple times when I was young,
looking at how high the fence goes, examining the razor wire on top, watching the
gate. And these gates are typically doubled up. You can go in the first gate and then they close
it behind you and then the second gate opens. They never open both gates at once. And I like
to look up at the guard towers to see if anyone is up there. I'm sure they're looking back down
at me. The windows of a prison are typically too small for a human to squeeze through. They
like to be really narrow within a brick wall and the fences are usually doubled up. If you can get
over one, there's just another one that you need to climb over, which gives the guards enough time
to notice you climbing over one and stop you from getting over the second. Getting out or in through
these barriers seems impossible.
But get ready, because in this episode,
we're going to test the security of a prison.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
This episode is sponsored by Delete Me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete.me. Delete.me is a subscription service that finds and removes
personal information from hundreds of data brokers' websites and continuously works to
keep it off. Data brokers hate them because Delete.me makes sure your personal profile
is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my
name and gave me reports on what they found.
And then they got busy deleting things.
It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private by signing up for Delete Me.
Now at a special discount for Darknet Diaries listeners.
Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout. The only way to
get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout.
That's joindeleteme.com slash darknetdiaries. Use code darknet.
Support for this show comes from Black Hills Information Security. This is a company that Thank you. Give them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher.
And he's made it a mission to make Black Hills Information Security world-class in security training.
You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive,
and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their
webcasts to get some world-class training. That's blackhillsinfosec.com. blackhillsinfosec.com.
So as a teenager, what was life like for you?
So I actually think I had a great childhood.
This is John Strand.
My mom was awesome.
My dad was a crazy pain in the ass. He got addicted to opiates after a back surgery.
And periodically, he'd go running through the house in his underwear,
screaming that the walls were bleeding.
And I know that people would look at that and be like, oh, that's terrifying.
But that was hilarious.
And I just absolutely loved it.
I lived out in the middle of the woods.
We had a dial-up modem on the computer.
I spent a lot of time motorcycling and mountain biking and kind of getting in the middle of the woods, played a lot of guitar.
My dad was in bands growing up.
My mom was just super great to be around.
So all told, yeah, my childhood was pretty fantastic.
That's not to say there wasn't some interesting things that happened,
but overall, I wouldn't have changed or traded anything for the world.
He grew up near the Black Hills,
which is a mountain range that spans between South Dakota and Wyoming.
His dad did some kind of technician-type work where he troubleshot industrial electronic devices.
And from there, John was exposed to computers and started to like it. Through his teenage years,
he had a computer at home and got more and more into it, just learning how to do stuff with it.
While living out there near the Black Hills, he also had a sister.
My sister was a pain in the ass.
She's about three years younger than me.
And she spent our entire childhood trying to make my life miserable.
So if there was ever any girl that I liked, she would make sure to shout at this girl in the hallway, you know, my brother likes you, which pretty much guaranteed that.
And my crippling obsession with computers and playing guitar pretty much guaranteed that I didn't date in high school.
So she was just kind of a pain all the way through.
John wasn't always the sweetest kid himself.
He would sometimes act out and get in trouble.
I went to a Catholic high school and my mom was the food service director.
What does that consist of, the food service director?
Oh, she was the head lunch lady, right?
You know, the hairnet, the whole thing.
She was ordering the food, keeping the employees going at the school.
You went to, yeah, all the way through school.
She ran the food service program.
And when I got to high school, we were in line and we were getting ready to get some food.
And for some reason, I got this idea that I was going to read the menu like an old Southern
Baptist bully pulpit, like pastor. So I was like, praise Jesus. Today, we're going to be having
chicken fried steak. And then we're going to have a side of peas, everybody. Can I get a hallelujah?
And of course, the entire lunchroom is like going through and they're like, they're like dropping on
the floor. I've got a couple of my friends speaking in tongues and I'm just like doing this whole thing. And all of a sudden I get
the sharp shooting pain on the back of my head. And I like, I wake up and I'm on the floor and
there's Brother Anthony, um, who was a very formative person in my life. He was our, he was
our algebra teacher. Um, he was this monk and he was standing over me with a
cane and he goes, I don't find that amusing, Mr. Strand. And in my field of vision, I see Brother
Anthony above me with his cane because he clearly hit me in the back of the head with his cane.
And then my mom comes into view and she goes, hit him again, Brother. So, you know, that was kind of, you know,
I've had people contact me whenever I've told that story. And they're like, that's child abuse, and that's not okay. But I want to make it clear, I probably deserved it. But no,
Brother Anthony was just a very hard, hard nosed person, but he was very fair,
except, of course, the rampant abuse.
John finished high school, went to university and got a degree in political science.
He had a hard time finding a job with that kind of degree, but a computer consulting
company recognized his skills with computers and offered him a job.
And while there, he really got to sink his teeth into computers and fell in love with
the security side of things.
And so he went to work for a defense contractor doing cybersecurity for years.
And this really gave him incredible
exposure to the threat landscape and security and penetration testing so much that he became a SANS
instructor and actually taught hacking techniques, penetration testing and offensive countermeasures.
Some pretty gnarly stuff. But he quit his job as a defense contractor, moved to South Dakota in the
middle of the economic collapse of 2008
and decided, what the hell, it's time to start a pen testing company.
John called his pen testing company Black Hills Information Security.
Since he was teaching penetration testing at SANS, this is what he felt best at.
So Black Hills started doing penetration testing for customers
who wanted to see if a hacker could get into their building or network or computers. John was good at the technical aspect of it, but there's
a lot more to running a business than just doing the technical work. So he got some help from the
people who supported him and believed in him most of all, his family. Yeah. So when I started Black
Hills Information Security, it was my sister who was doing report editing because I'm a horrible writer. And my mom actually started out with the finances, helping my wife and I get started making sure the finances for the company were set up properly. And that's created problems over the years. Like, for example, if I'm at a conference with Ed Skoudis and Mike Poor.
These are a couple of his friends who also have great stories themselves,
and I should probably get them on the show one day.
But these three friends got together in Vegas and decided to let loose.
And we end up doing two dinners.
Like, I remember they took me out to Bradley Ogden Steakhouse in Vegas,
which was stupid expensive.
And then Mike said, I feel bad about this.
We're going to go out and we're going to have sushi for dessert.
And it was something like $350 for both the meals. It was insane.
Now, when you go to a conference for work, you can expense it, right? The company will pay for
it because meals are included in your travel, right? But his mom is the CFO. She looked at
these charges. She calls me up. She goes, I saw the credit card statement from last night.
I got these charges. What happened? Did you take a group of people out to eat? And I'm like, no, I didn't take a group of people out to eat. She goes, it was just you? And I'm like, well, yeah, that was my portion. I was eating with some other people. And she goes, how much did you eat? And I'm like, well, it was just two meals. It was just a steak and then some sushi. And then I promptly got the riot act about being just really derelict in my duty of running a company.
Got off the phone sweating because my mom just kind of chewed my butt.
And then I get a call from my sister.
And she's like, I just got off the phone with mom.
I can't believe you spent that much money on two meals for yourself in one night.
What were you thinking? Okay. Then I hang up with her. And then my wife calls. And she's like, I just got done
talking with your sister. And you are not allowed to go out to eat with Mike Poor and Ed Skoudis
ever again at the same time. So it just kind of cascaded.
All right, let's hear some of John's penetration testing stories, because I love hearing all the tactics and methods people use to get into places. John's penetration testing consisted
of either going on site to see if he can sneak into a building or testing the network to see
if he can hack into it through a computer. And he was doing some odd business with some company for
a while. And one day they called him up just to pick his brain on something. You know, they called
me up one day and they said, hey, we got an air base. We got a classified facility in the middle of the
base and we want you to break into it. Do you have any ideas how you would actually get to the
point where you could get into and touch a network jack that would have a classified network?
This company was asking him for tips on how to break into an active military base. Now, typically, these things
are extremely well guarded, better guarded than a prison for sure, with armed guards, sometimes just
at the perimeter of the base, checking everyone who enters to see if they belong. It's intense
to the point you might even be shot at. But John thinks about this for a moment and has an idea
about how he can get inside a secured area of the base.
And I'm like, yeah, get arrested.
And they're like, what do you mean?
I'm like, well, if you're trying to break into a military base and you get arrested,
there's a possibility you might actually end up in a room that has a network jack that might be on a classified network.
And they're like, are you willing to try that?
I'm like, sure.
How bad can that be?
There were a couple people at this military base that knew John was coming.
After all, they hired him to do a penetration test
on the building.
They didn't know what John's plan was
and how he'd get in,
but they knew the operation could go wrong really fast.
So they gave John some duress words.
These are words that if he got in too much trouble, he could tell
the military officers and they'd stop harassing him and they'd know to report this to the higher
ups. It was a sort of ticket to safety if all goes wrong. So John starts memorizing these duress
words and it was something like Sasquatch, Pineapple, Porcupine. Some combination of words
that makes no sense unless you know that these are the duress
words. So John loads up his gear, the tools and devices that he would be able to use once he gets
inside the military base so he can plug in and prove that he had access to this classified network.
John heads to the base. There was nobody at the front gate, so we just drove in.
There was a common public area to this base, but then once he got in, he saw an area that was clearly off-limits.
You needed to have permission to get into that area.
The classified part, they had a fence, and then they have like a perimeter of gravel going all the way around it.
And then of course the parking lot had big signs that were like no salute zones.
And I figured I would try to walk up to the gravel, which had pressure sensors underneath it.
He starts walking across the gravel.
This was a restricted area, and he was clearly not authorized to go to.
He's hoping he's triggering some sort of alarm, where someone sees him on camera and comes and gets him.
But if not, plan B is just to keep on walking into the classified part of the base.
And sure enough, a whole bunch of really, really twitchy 18-year-olds showed up with fully automatic weapons.
I laid down on the ground and I was told, when you lay down, put your hands immediately behind your back, across your ankles, and just wait.
And they're going to throw you into a car. So I'm laying on the ground.
And they immediately shoved the back of the rifle in the back of my head really hard.
And it hurt a lot.
And then they handcuffed me.
But that wasn't bad.
What was bad is they immobilized me by grabbing the handcuffs and lifting up.
So they lifted me up off the ground by the handcuffs, which dislocated my shoulder.
And still to this day, I have this huge scar where years later I had to have a Latarjet to repair the damage to my shoulder.
I already had a weak shoulder from a high school injury, and that just tore my arms right out of socket.
And they threw me into the car and I'm screaming out my duress words, right? You know, it's like pineapple, porcupine, Sasquatch, whatever the
other word was. And they're like, he's freaking delusional. And I could hear him like, we think
this guy's on drugs. Um, so they threw me into a room. Sure enough, there was a network jack
and it was part of a classified network. But the whole time I'm like, I'm a contractor.
I was hired and these are my duress words.
And they brought in the right people and I was able to let go.
And they were like, good job.
So was that fun?
And I was like, it wasn't fun at all.
It took me a long time to recover.
So, yeah, that's, you know, I don't, I never really did a physical pen test against a military facility that involved firearms again.
and hijacking, and ransomware. SpyCloud exists to disrupt cybercrime with a mission to end
criminals' ability to profit from stolen data. With SpyCloud, a leader in identity threat
protection, you're never in the dark about your company's exposure from third-party breaches,
successful phishes, or info-stealer infections. Get your free Darknet exposure report at
spycloud.com slash darknetdiaries. The website is spycloud.com slash darknetdiaries.
John is a great penetration tester. He loves the challenge of getting into buildings or using
computers to break into a network. And earlier in his career, he was given the task to break into a building
and gain access to the computers inside. I was meant to get in and take over as many
systems as possible. First things first, he does some passive reconnaissance. This is where he can
investigate ways to get in without any fear of getting caught. One of the things I did is I used
Google Street View to kind of go around the building and I found that there was a window that was open in the Street
View. Wow. Isn't it nice that Google sent someone to this building to take a bunch of photos of it
and then post them publicly? This way, anyone who wants to break in can just use Google Street View
to plan their attack without even leaving home. So I saw that it was open and I figured that it
might be unlocked because a lot
of times windows that are open and closed a lot, they never latch them completely.
So John has a plan and an objective and it's time to suit up.
So my backpack just has my notebook computer, a series of USB thumb drives
with various utilities and tools on it. And that's it. I wasn't wearing like, you know,
like, you know, a black face mask or anything. I was wearing a black fleece and just jeans
because this is one of the things that always bothers me about superhero movies, right?
If you take Batman or you take Daredevil, you know, they always show up to the scene where
they're supposed to do stuff and they do something awesome. Like they, they destroy the
cartel and that's awesome. And I'm always thinking, how the hell did they get there?
Like, did they walk there in their suit? Did they jump across? Cause you can't jump across
buildings the whole time. So my point is you can't dress like a burglar, like while you walk out of
your house. So I just kind of dress in normal clothes. It's just something
I've always done. It's something I know it's a personal preference and style, but a lot of
physical pen testers have like tactical bags and tactical patches and they look somewhat sketchy,
right? And I just prefer to just go with the standard backpack so I don't freak people out
too much. John drives to the building. It's night.
It's dark out. He arrives and looks around. The building is pitch dark. There's no lights on at
all in it. So he walks up to it to try to find that window to break into. All right, breathe now.
Calm the nerves. This is no time to be stressed. It's go time.
So I went up to this window, pushed up. Sure enough, it was unlocked.
And from the ground up to where the bottom of the window was, was right above like mid chest.
OK, so I pushed the window open, but it's kind of a little bit narrow.
So I can't like get my body halfway in and ride it like a cowboy and then go in. I go in kind of head first, like a really clumsy, slightly overweight snake.
And I come in over the window and it's over someone's desk. And as soon as I start slithering
down onto the desk at the point where I can kick my leg out, that's when I kicked the flower pot.
The flower pot flew off the desk and smashed on
the ground, making a loud breaking noise. And now dirt is all over the floor. This instantly added
a whole new level of stress to the already stressful situation. If somebody was in the
building, they might have heard this commotion and come and investigate. But then when my body weight
came down on the desk, the desk was not designed to support my significant girth at the time.
And the whole desk collapsed.
Oh, great.
Even more of a mess.
Even more awful crashing noises.
His intention is never to cause physical damage.
Otherwise, he could just smash a window and get into the building.
But that's not the point of a penetration test.
Breaking flower pots and desks is unprofessional.
But the damage was done.
And John was in the building.
So he stands up, looks at the mess he made.
He feels bad about it.
So what does he do?
I just wrote a note.
Sorry I broke your flower pot.
And I put my name and my phone number.
And I figure it's better to own up for that stuff, like, really, really quickly because the alternative makes it look like you're
trying to skirt around the issue. So I just wrote a letter, put it on there, apologized profusely.
Okay, he's in. It wasn't very elegant, but it's now dark in this office. There's no lights on
anywhere. So option one is to turn the light on. Surely this makes your presence known.
Someone who works there might be driving by and notice a light on and think something's
wrong.
So he chooses option two, a flashlight.
But this might not have been the best idea.
And then I turned on my flashlight and I'm running around plugging in USB drives and
executing malware on as many computer systems as I can.
Now, the horrible thing about this was the lights were off in the building.
I'm running around with a flashlight trying to plug in USB sticks.
And the reason why that's funny is because it's stupid.
If you look across at a building and the lights are on, you're like, okay, someone's there.
If you look across at a building and the lights are off, you're like, no one's there. If you look across at a building and you see a flashlight running like crazy all
over the building, you think time to call the police. And that's what someone did.
The police show up, come into the building with their guns drawn. And I am just kind of sitting
there kind of freaked out. And I'm like, hey, I'm doing a penetration test. Here's my permission to test
memo. I get out of jail free card. And I hand it to them. And they're looking at it and they're
reading it. And they're like, okay, so you're John Strand. I'm like, yeah. Can we see some ID?
I give my driver's license. He's like, okay, okay, good. Good. First guy puts his gun away. The
second guy puts his gun away. And they're like, so what are you doing here? And I'm like, oh,
I'm plugging in these USB drives. I'm taking over these computer systems. And they're like,
how does that work? And I'm like, well, come on, let me show you. And I'm plugging in devices.
I'm using, I don't know. It was like, I think it was Kon-Boot. Um, just taking over systems and
dropping malware. And they're like, this is really cool. People pay you to do this. I'm like, yeah.
And they're like, oh, that's neat. We'll have a great evening then. They never bothered to call my point of contact. It was
like, as soon as they saw the piece of paper, it was like, oh, this dude's legit. We're going to
totally let this guy continue doing this pen test. Huh? That is odd, right? Maybe he has a real
innocent face or something, but if I were a cop and I saw the mess and damage caused from climbing in the window, and then saw a guy walking around with a flashlight being all suspicious, yeah, I would definitely call the number on the paper just to make sure, but the cops let him go.
So he turned on the light switch in the office and just kept plugging in USB drives until he got everything
he needed and then turned the lights off and left.
A few years back, John went to a security conference in Atlantic City.
While there, he got a phone call that he'll never forget.
I'm in Atlantic City and I'm sleeping and I get a call like two o'clock in the morning.
And it's from a friend of mine who does some work with law enforcement agencies.
And they were tracking down an individual that had abducted a young girl. And the girl just
happened to be about the same age as my daughter. Okay, it's 2 a.m. and this caller is asking him to help
catch a child kidnapper. I guess it makes sense. You have a much higher chance of catching the
kidnapper in the first 24 hours. So time was of the essence. The law enforcement officers had
already collected a lot of clues by asking the family if they suspected anyone who could have
done this. There was a guy who was known to the family who was a suspect.
So they decided to chat with that person through Skype
where they normally talk with them.
But this gave him another clue.
They knew who the suspect was
because he had changed his Skype icon
to be a picture of this girl crying.
And not only that,
but they were actually able to have a conversation
with this guy over Skype.
And they approached me and they said, is there any way we can track this individual using pen test like techniques?
And one of the techniques that we use all the time in pen testing is you can send a document to someone and you can have that document beacon back through like a cascading style sheet or an image source tag.
So you're not trying to get access to the system. You're just trying to prove that someone opened the document.
So John prepared a document, which when opened would show that person's IP address.
John gave this document to the law enforcement officers working on this and showed them how to
watch for the IP address when it gets opened. So they gave this to the person who was talking with the guy on Skype.
And sent a document to the suspect.
The document was opened and then it started beaconing back.
Now, geolocation based on IP address is really suspect under the best of circumstances.
But if you have a warrant and you have the source IP address, source port and date timestamp,
you can actually go to an internet service provider and they can tell you exactly where that file was opened. So that's what they did. As soon as law enforcement
officers knew the IP address of the suspect, they already had a warrant. And so they asked the ISP
for the name and location of the person who owns that IP address. The ISP responded right away
with this information. And in this situation, they found it at a motel.
And then shortly right after we started getting a beacon back,
they were able to get the little girl back.
Wow.
What a gnarly way to use social engineering and phishing methods for good.
That kind of changed my philosophy on the offensive versus defensive side of things.
And you could see how these things could be blended for a better defense.
So we could use some offensive tactics to actually do some attribution for attackers as well.
Of course. Yeah, that does make sense. And it's so fascinating to think about ethical
hacking like this. So while the years go on, John continues doing penetration tests for companies
all over the country, and his family continues to help run things on the business side. Again,
his mom is who handled all the finances of this company,
and she was the chief finance officer, CFO.
But his mom was watching what John was doing and got a crazy idea.
So she had been the CFO of Black Hills Information Security for some time,
and she's always reading reports about awesome things that testers do.
I'm telling stories about stuff that I do.
And I still to this day believe doing offensive security
is one of the coolest jobs in the world.
We have exciting lives, right?
It's dynamic and it's interesting.
And she saw that.
And she really wanted to get in and do something. And when we were doing physical
pen testing, she came to me and she goes, I want to do a physical pen test. And she's my mom. I'm
not going to tell her no, right? Cause you know, she might have a monk hit me, but she, she wants
to do this. And I say, mom, you got to come up with a, with a ruse. And I explained to her what
a ruse is. She says, like, I already got it. I'm like, what is it? She goes, food service. I'll go in and I'll do a health, like a food
service inspection and I will get right in. And it just floored me, right? That was a ruse that
we never really thought of. It's a ruse with authority. It's a ruse that's kind of inauspicious,
right? She, my mom at this point was in her 60s, and she shows up.
You're not going to look at her and go, hmm, this lady looks like a hacker.
No, that's not going to happen.
Now, keep in mind that his mom was the food service director at a high school.
So this is actually something she knows a lot about.
She knows food service inside out and backwards, right?
She was a food service director for something like 25 years. So she had been through dozens and dozens of inspections. So she knew how the inspection
process worked. She got the inspection checklist. She got a little badge. She got like an ID.
She knew exactly what everything needed to look like to make it look legit because she had done this so many times.
So he says, OK, mom, let's do this.
Time to pick a target.
So we had a series of physical pen tests that were kind of scheduled that day.
It was the 5th of July and it was on a Friday, which meant that all of the target sites were soft targets. There was very little staff and a skeleton crew on site, and many of the people in authority wouldn't even be there.
So it was a perfect time for this. So myself, Benjamin Donnelly, and my mom all piled in the
car, and off we went to break into a number of locations. They had a few targets that day, a couple of offices,
various facilities, and a prison. And my mom wanted the prison, which was crazy. I thought it was the hardest one to break into. But she's like, no, this won't take me long at all. The
objective of the prison was to establish callback documents and get a shell out of the prison.
Now, a shell in computer lingo is remote access to a computer
through the command line.
So his mom needed to get in
and access a computer
so that she could connect
to John's server.
That way, John and Ben
would be able to safely access
this prison's network
from down the road.
Hmm.
So how can she do that?
John digs into his bag of tricks
and pulls out a USB drive and gives it to her.
The USB drive had an .exe, which just simply dropped an implant on the system.
And then there was also a document, and that document had beaconing on it.
And we said, if you ever get a chance, you plug it in.
If somebody's looking over your shoulder, open the document.
If there's no one looking over your shoulder, run the executable.
Ah, okay. This is clever. Basically, the executable program on that USB drive tries to open a
connection to John's server. And once that connection is open, John can then remotely
control whatever computer ran that program. Now, I might even go so far as to say this isn't even
malware. This is a tool that has the functionality of getting a remote connection to another computer.
It might be used by system administrators of the network to remotely admin a computer.
But in John's case and John's mom's case, they were going to use it to gain remote access to these computers in the prison.
And so John teaches his mom how to use this USB stick to help him get remote access to these computers.
And my mom was totally calm. Like she wasn't nervous about it all. I was more nervous than
she was. So we're all in the same car and we stop at a coffee shop that does like amazing pies. And
Ben and I sit in the coffee shop. His mom gathers up her supplies and gets ready. She had a clipboard, a checklist, and a USB drive. That was it. That was all she had. Oh, she did have her phone. She
was recording audio. We had to record audio of everything that she did too. Again, a clipboard.
Forget about some high-tech gadget that you need to get into a building. A clipboard is the only
weapon you need. Okay, so perfect. She's ready. She loads up the car and drives off, leaving John and Ben at the coffee shop.
Now, keep in mind, they're in a town that they had to travel to in order to do these tests.
So they had one rental car and she just drove off with the only car they had,
leaving Ben and John at the coffee shop to wait.
But not only that, she took John's phone to record the audio. So he doesn't
even have a phone to call anyone with. And the first thing that goes through my head was,
this is the dumbest thing I've ever done. And she's gone.
I honestly, we were so sometimes whenever you get wrapped up in a ruse, you're so excited about that ruse that you don't think rationally about it. You're
like, this is going to work. This is awesome. This is the coolest thing ever. And there's a lot of
times whenever you're doing pen tests from a technical side or a physical side, you're walking
a tightrope. And by the time you get crossed to the other side, you look back at where you,
where you came from and what you did. You're like, that was stupid.
And when she took off, that little voice of doubt started talking in the back of my head saying, this is stupid.
I mean, what could have been the consequences here?
Oh, absolutely.
She could have been arrested.
That absolutely could have been the consequence.
And she's my mom, right?
I know we probably could have gotten her out of prison.
I know that more than likely everything would have been okay.
But just my mom getting arrested just at that point when she started driving away seemed to me like that was, one, a very real possibility.
And two, it's not something I ever want to deal with as a son.
Like my mom gets arrested and I'm the reason she got arrested.
So this could have like easily gone from a super awesome story to just like a really tragic one very quickly.
So your blood pressure starts rising as she drives off?
Yeah.
And you, and it's, and, and does she, do you guys have like a, I don't know, a sync up time or like a, no, can come rescue me after 30 minutes or anything?
No, dude, I gave her my cell phone and I told her,
here's how you start the record function on my cell phone. And she takes our only car and she had to drive like six miles to get to this facility and we're stranded and I don't have
a way of communicating with her. Yeah, it was really scary. John and Ben are in this coffee
shop. They open up their computers and connect to their command and control server.
This is the server that listens for when someone runs that executable on the USB stick.
And that's all they can do to monitor the situation.
They just sit there, looking at this screen to see if any connections were successful.
The facility was about 10 minutes away.
They ordered some coffee and tried to relax.
Lots of coffee.
The next 10 minutes goes by, and they're starting to get worried.
Did she get in?
Did she get stopped?
Was she arrested?
The server shows no activity.
The wait was terrifying. Oh, it's miserable. That was
probably some of the longest, that was probably some of the longest, like 25, 30 minutes I've
ever had in my entire life. Because you're absolutely convinced that she's busted. Because
there's no response, there's no connections. You're in this void of information. So your brain starts
filling in worst possible scenarios. And
yeah, it's just, it's just the waiting was horrible. Another 10 minutes goes by still
nothing. Ben and John are getting more coffee and getting more worried. I can't remember if it was
Ben or it was me, but one of us said, it's okay. She's fine. We're getting shells. So as soon as
we started getting callbacks, as soon as we started getting callbacks,
as soon as we started getting shells, we knew at that very second that my mom was okay.
Right. And they just kept coming. Right. And it was, it was the coolest thing ever.
And then finally, one of the computer systems that called back was actually the director
of that correctional facility. So it was just, it was just this like really euphoric kind of
amazing moment where this, where this oppressive weight was just lifted off of our shoulders.
And then shortly thereafter, about 10 minutes, she shows up and she walks in and we all get around
her. We're like, how did it go? How did it go? How did it go? And she goes, it's fine. It went
really, really well. Like, tell me about it. And she immediately launches into,
did you know that somebody that works there actually went to high school with you? Now,
you were a senior and they were freshmen. I don't know if you would remember them. And I'm like,
I don't care about who I went to high school with, you know, just tell me the story.
And she just walked right up to the front. She said she was with the health department.
It's a surprise health inspection. They let her right in. They asked her what she needed to gain access to. She said,
I need to gain access to the employee workstations to make sure that there's not food or drink there.
And then I also need to get around the food preparation locations. And I also need to gain
access to your nuke. And they were like, what? She's like, nuke, your network operations center. And they're like, oh, the NOC. Okay. And they walked her to each of those locations and let her go unsupervised. So she was completely free to roam anywhere that she wanted to go. And she chose to give them a full health inspection first. So she started going through, she had a laser thermometer and she was taking temperatures, the refrigerator, by the way, the refrigerator was a bit too warm. It wasn't within
the guidelines of the health department. And she was going through, she found mold in different
places. So she went, she did a full health inspection. Then she started plugging in the
USB drive on computer systems. And because it was the 5th of July, there was hardly anyone there.
And then she
went back to the front desk. She talked to the person, said she was done. They said that the
director wanted to talk to her, which of course my mom said that at that point I started getting
nervous. I'm like, I bet you did. She sits down with the director and the director's like, so how
do we do? My mom gave her the score and said, this is your overall score that you got. And the
director asked, is there a way that we could kind of prep for this in the future,
kind of do a self-check?
My mom's like, absolutely.
On this USB drive, we have this document with a self-checklist that you can fill out.
Here you go.
Open it up.
And sure enough, she got the director to open up the file.
They clicked it and got a reverse connection out of that network on the director's computer. Oh, wow. That's incredible. Well, the prison was very surprised with this
report. They did not think somebody would be able to break into their prison at all. And I don't
think they ever expected someone to get access to the computers after that. So when they heard all
this, they were shocked.
But they realized people weren't following procedure. I mean, number one, nobody confirmed
she was who she said she was. They didn't call the food health inspection office to ask if there
was a legit inspection plan for today. And number two, they allowed her to go into places that she
shouldn't have been able to go, like the Computer Network Operations Center, and they let her plug USB drives into computers there and run an executable program. That's a big no-no that
someone should have noticed and said, whoa, whoa, whoa, whoa, whoa, who are you? So a prison had to
clean up all these failures on top of cleaning up the mold and other stuff she found. Unbelievable.
I think the reaction to this, there's a couple of things,
you know, one talking about it at DerbyCon. And then I also talked about it at RSA was really
kind of a cathartic bit of closure because my mom shortly thereafter that was diagnosed with
pancreatic cancer and she passed away after nine months of fighting it. And it's one of those really amazing stories
that kind of highlights who this person was
and what they did and the way that they looked at the world
that I think overshadows all the bad things
that fighting cancer had with it.
And my mom was incredibly dedicated to our company. I remember
she tried to work all the way through when she was fighting cancer. And about two days before
she died, she called me over to the house. We all went over and we had dinner. And she goes,
I forgot the password to my computer. And I basically got into the computer and handed it
over to her. And she got to the password change screen and she hands it to me and she goes, you need to set a password now. And I'm like, why?
She goes, I'm not going to need this computer anymore. And she died less than 48 hours after
that. So the cool thing is, you know, I have this, I have a lot of great stories about my mom, but
this is one of those stories that is, it sums her up completely, um, being fearless, um, just,
you know, being very good at everything that she does and, you know, just being dedicated,
uh, to kind of what we did as far as a company. And it was just really cool to have that,
uh, something that I can hold on to instead of, you know, thinking about all the bad things the last nine months. Can you talk about that superhero picture? So my mom's dying and she,
she, I actually have it here. I unpacked my bags from RSA. So she found this picture of me and it's
whenever I'm like, I don't know, four years old and I'm in blue jeans, black boots, and I've got my red underwear on the outside of my jeans.
And I'm wearing this blue corduroy jacket and then the Superman cape because I wanted to be Superman.
And my mom always kind of told me I was going to end up either a superhero or in prison.
She said, there's no place in between for you. And growing up, I always had this prison picture that was drawn by my godfather in my hallway or the hallway right outside of my bedroom.
And she would always kind of point that out. You know, you could either end up in prison
or you can end up being Superman. And always being a little kid, I always loved Superman.
And she calls me over when she's like, just before we put her on morphine, because as soon as we put her on morphine, we lost, you know, I lost my mom as soon as we put her on morphine.
As her mind just kind of went away.
And she pulls out this Superman cape, the actual Superman cape from when I was three or four years old, like the Superman cape that she made.
She hands it to me and she says, I'm glad you chose wisely.
A big thank you to John for sharing your story with us.
John, you are certainly a superhero.
And your mom is a legend.
This show was created by me, the EULA violator, Jack Rhysider.
Original music this episode created by the lone operator, Andrew Merriweather, editing help from the net cat, Damien, and our theme music is by the ever-sounding Breakmaster Cylinder.
And even though, when someone reports a security problem, some companies will just send a cease and desist letter instead of actually patching their servers, this is Darknet Diaries. Thank you.