I was recently chatting with a pastor about how I could contribute my skills to the body of Christ. I had recently returned from Iraq, serving with the Army, and was between jobs, looking for different ways to contribute. I began telling him what I do with information security and pen-testing of computer networks. By the end of our conversation we came up with a great idea: run pen tests on the physical security and computer systems of local churches, starting with his. I obtained a written agreement from him, even though I was doing it completely on a volunteer basis, and went at it. I explained to him that I did not want him or the rest of the staff to do anything different from what they normally do, since it would skew the results he would get. He explained to me that he wanted me to communicate to him what I found, and asked that I please not use any information unethically. I agreed and walked out of the church not sure what I would get, but the “hacker” curiosity was burning in me to start the adventure.
On the drive home I prayed about it, called a team member of mine and explained what I wanted to do. She of course wanted to help and volunteered some of her time also. I could hear the excitement in her voice as we thought about and discussed the possibilities. The next day we drove my Nissan Frontier to the church to begin. We began with the dumpster on the side of the building, completely avoiding the parking lot cameras. The cameras had been installed to monitor members’ cars and did not take into consideration the value of a dumpster. Immediately upon opening the dumpster we spotted a bank envelope. I could not believe it! It could not have been this easy, could it? I grabbed the bank envelope and also a piece of paper that at the time I thought contained some e-mails. We later found out this paper had multiple e-mails and user names for their computer systems. We casually drove away to evaluate in more depth what we had found. Parked in an empty parking lot, we looked to see what was inside. It was a credit card statement with the credit card number blaring back at me in plain sight. Since the church was good at paying its debt, it had an $8,000 credit limit. The authorized user’s name was on the slip, so I knew who was in charge of the account, and a quick search on the church’s website told me their job and some other useful information. Needless to say, the pen test got even more interesting over the next couple of weeks, but that is not why I am writing this.
Results like these are not uncommon for churches. I could tell you other stories: an unsecured network at a huge church, a small church with a Windows XP system infected with a bot. I can only speculate as to what it was broadcasting; more than likely spam for Viagra, or maybe worse, an un-Christian website that we as Christians try desperately to have no part of. This led me to think that churches could use a better understanding of information security, so they can correct the common errors that expose their information and resources.
I guess the first question some of you are asking is: what information would a criminal want from a church? A short jaunt down Creative Street answers it. What would be valuable to a criminal? Credit cards, bank statements, accounts of members who are on a monthly giving program, church budgets, e-mails, addresses, family members, counseling records of members, books that pastors may be working on, and sermons are just the beginning. All of this could have some monetary value. It seems too easy to answer this question, yet many churches make no directed attempt at protecting their information.
How hard would it be to get this information? In all honesty, obtaining that information is not hard at all. A black hat hacker could get this information in no time, simply because many churches do not even enable encryption on their wireless networks. While visiting a local church I found their wireless network completely exposed to the outside world. In a few minutes I had run nmap on it and found the server and the available open ports. I could easily, in a short time, have found an unpatched vulnerability, started a shell with Metasploit and opened a backdoor with netcat, and I am convinced that I could have pwned it in an hour or so. I did not take this any further because I did not have permission to do so, but I informed the church of what I could have done if the Holy Spirit firewall had not stopped me.
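Since an unencrypted wireless network is the first thing found above, here is the quick check I would hand a church volunteer with a Linux laptop. It is an added example, not code from the original post: a short Python script that reads the terse output of NetworkManager’s `nmcli -t -f SSID,SECURITY dev wifi list` (an assumption about the tool available; the terse format uses `:` as the field separator, escapes a literal colon in an SSID as `\:`, and leaves SECURITY empty for an open network) and flags every SSID that is open, WEP, or WPA1-only. The scan lines embedded below are constructed for the example, not captured at any church.

```python
"""Flag open or weakly protected wireless networks from an nmcli scan.

Added example, not part of the original post. Assumes the terse output of
`nmcli -t -f SSID,SECURITY dev wifi list` on a Linux laptop.
"""
import subprocess

# Constructed sample scan output (not real data). Note the escaped colon
# in the third SSID and the empty SECURITY field that marks an open network.
SAMPLE_SCAN = """\
FirstChurch-Office:WPA2
FirstChurch-Guest:WPA1 WPA2
Sanctuary\\:AV:
OldMediaAP:WEP
Nursery:WPA2 802.1X
"""

# Ratings a volunteer should treat as a finding.
WEAK = {"open", "wep", "wpa1"}


def parse_nmcli(text):
    """Turn terse nmcli lines into (ssid, security) pairs.

    Splits on unescaped ':' only, since nmcli escapes a colon inside a
    field as '\\:'.
    """
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields, cur, i = [], [], 0
        while i < len(line):
            ch = line[i]
            if ch == "\\" and i + 1 < len(line):
                cur.append(line[i + 1])  # keep the escaped character
                i += 2
                continue
            if ch == ":":
                fields.append("".join(cur))
                cur = []
            else:
                cur.append(ch)
            i += 1
        fields.append("".join(cur))
        ssid = fields[0]
        security = fields[1] if len(fields) > 1 else ""
        rows.append((ssid, security))
    return rows


def classify(security):
    """Rate a SECURITY field: open, wep, wpa1, mixed (WPA1+WPA2) or wpa2+."""
    sec = security.strip().lower()
    if sec in ("", "--"):
        return "open"
    if "wep" in sec:
        return "wep"
    has1 = "wpa1" in sec
    has2 = "wpa2" in sec or "wpa3" in sec
    if has1 and not has2:
        return "wpa1"
    if has1 and has2:
        return "mixed"  # still accepts WPA1/TKIP clients; worth a note
    return "wpa2+"


def audit(text):
    """Return [(ssid, rating)] for every network in the scan text."""
    return [(ssid, classify(sec)) for ssid, sec in parse_nmcli(text)]


def weak_networks(text):
    """SSIDs whose rating is in WEAK, in scan order."""
    return [ssid for ssid, rating in audit(text) if rating in WEAK]


def scan_live():
    """Run a real scan with nmcli and audit it (requires NetworkManager)."""
    out = subprocess.run(
        ["nmcli", "-t", "-f", "SSID,SECURITY", "dev", "wifi", "list"],
        capture_output=True, text=True, check=True,
    ).stdout
    return audit(out)


if __name__ == "__main__":
    for ssid, rating in audit(SAMPLE_SCAN):
        flag = "  <-- finding" if rating in WEAK else ""
        print(f"{ssid:24s} {rating}{flag}")
```

Run it as-is to see the constructed sample rated; replace the `audit(SAMPLE_SCAN)` call with `scan_live()` to audit what the laptop actually sees. Only audit networks you have written permission to test, as the post itself insists.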
Surprisingly, I find that many churches have physical security of some form or other, such as cameras in the church or an actual security team of volunteers from the congregation. However, simple things such as locking the door to the server room or placing their trash in a secure location are overlooked. In one church I walked by the server room on a Sunday and just opened the door. I slid into the room to see if anyone would say anything to me and, as I expected, nothing happened. I stood in there and admired their Cisco routers for a while, looking at the beautiful blinking lights, before I simply slid out and continued on my way to service. In defense of one church, I will say that I tried the same thing there and was quickly asked if I could be helped. “No thank you,” I said, and quickly carried on, as the person who asked gave me a strange look.
So what does all this mean? Simply put, I think it’s about education. Maybe that is an oversimplified statement, since anyone in computer security knows that education does not necessarily mean compliance, but it’s a start. I would hope that black hat hackers would not steal information from a church, but I know better. I know that in this sinful world people try to take advantage of other people. If it is a little harder to get information from a church because of an encrypted wireless router, then maybe education does help. If church staff know that they need to update their antivirus and make sure their M$ (jab at Microsoft) operating system is up to date, so that when they download .jpgs for Sunday’s slide presentation they don’t get some zombie-infected code that wreaks havoc on all users of their God-fearing network, well, maybe education can help a little. If it means adding a few more ASCII characters to a password of “Jesus Saves” in order to prevent unauthorized access to a computer holding valuable information, maybe education is not such a bad idea. So what I am asking some of you to do is go back to your churches and educate people on this issue. Let your pastors know that you work in the IT industry, or that you are concerned about your church’s and church members’ information. Hey, maybe they will let you do a pen test? That could be fun. If so, give me a shout; I would love to help. God bless.