Hats off to them...
That took some balls, and skillz.
We are impressed by five prisoners in the US who built two personal computers from parts, hid them behind a plywood board in the ceiling of a closet, and then connected those computers to the Ohio Department of Rehabilitation and Correction's (ODRC) network to engage in cybershenanigans. Compliments are less forthcoming from …
They weren't really good at it, just slightly better than the prison's staff. Something as simple as implementing port lock-downs, 802.1x or just keeping ports unplugged unless actually needed would have stopped them cold.
A prison is unique in that the IT staff would be aware of every single MAC address of every machine that should be on the network, at least in the areas where prisoners might be. They should be setting up a monitoring system that screams in their face every time the MAC changes on a port, and if it isn't tied to a work order, someone should go investigate.
Setting something like that up is fairly trivial, I did it in a weekend using FreeBSD, nagios, and radiusd on an old Pentium-3 system that was rusting away in a closet. I get an email every time a machine is plugged into a different port, or a new system is added to the network, even over wireless. Any new device is dropped onto a non-routing VLAN and can only access a read-only ftp server hosting OS install files, patches, and some packages (FTP is in read-only mode, files are modified via rsync on another interface). It wouldn't take much more for the prison's IT staff to do the same.
"Because spoofing a MAC address is impossible right?"
They'd have to spoof an authorized MAC and somehow get the real system offline (otherwise the systems would just start throwing errors and effectively disconnect themselves), and even then, they'd have to get around the fact that the switch would still yell at the admin about the fact that it is on a different port. So even if they do duplicate the MAC, and somehow connect it to the same port, someone is going to notice that their computer no longer has connectivity.
"yep and your little system fails on 2 counts:
1. Mac spoofing
2. Current trend for devices to randomize the MAC."
I take it you don't know how 802.1x actually works... Reason 1 would be prohibitively difficult to pull off without anyone noticing. As for the second one, if a device pops up on a network that doesn't possess a valid token, the device will be quarantined until the device receives a new token by way of an authentication back-end. Granting of the token by the authenticator can be done on something as basic as MAC address (by far the most common on wired networks) but can be based on any authentication mechanism that the connecting OS has a supplicant for and the switch is able to relay back to the authentication server. I've implemented 802.1x using everything from basic MAC address to username/password to certificates to manual approval by an authorized admin.
The switch doesn't care what is used to authenticate the connecting client, so long as the authentication server responds back with an AUTHORIZED packet, an expiration for the authorization, and an optional VLAN assignment that the client belongs on. Otherwise the system is just left on a quarantine VLAN that, usually, doesn't route to anything (some places allow packets to route out on that VLAN to build a 'guest network' without allowing the system to see packets from secured networks; obviously a prison wouldn't allow that). So if they do implement something a little more than MAC-based auth, then the system will be sitting there with nothing to do but talk to the authentication server (until an admin notices a weird machine on the network and kills the system).
In a place like a prison, where security is key, it would be likely that they'd use the MAC to authenticate the system to the network, but that would only get them access to the authentication network until their system can convince the authentication server to grant them greater access.
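The port-to-MAC inventory check described a few posts up (one expected MAC per port, alerts tied to work orders, unknown devices dropped onto a non-routing VLAN) and the authorization decision described here, written out as an added example. This is not the commenter's FreeBSD/nagios/radiusd setup nor any real switch's log format: the inventory, the work orders, the `MAC_LEARN` log lines and the VLAN numbers are all constructed, and the reply attributes use the RFC 3580 names a RADIUS server would hand back to the switch.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: each reachable port maps to the one MAC that belongs there.
# None marks a spare port on which nothing should ever be learned.
INVENTORY = {
    "p3/16": "00:11:22:33:44:16",
    "p3/17": "00:11:22:33:44:17",
    "p3/18": None,
}
# Constructed open work orders: a port whose MAC is allowed to change today.
WORK_ORDERS = {"p3/17": "00:aa:bb:cc:dd:17"}

PRODUCTION_VLAN = "100"
QUARANTINE_VLAN = "999"   # non-routing VLAN; only the read-only install server lives here

# Constructed log format; real switches differ, so adapt the regex to yours.
LOG_RE = re.compile(r"^(?P<ts>\S+) MAC_LEARN port=(?P<port>\S+) mac=(?P<mac>\S+)$")


@dataclass
class Decision:
    port: str
    mac: str
    vlan: str
    alert: Optional[str]   # None: nothing for the admin to investigate


def decide(port: str, mac: str, seen: dict) -> Decision:
    """Authorize one learned MAC the way a MAC-based authenticator would."""
    mac = mac.lower()
    # A MAC already learned elsewhere is a move or a duplicate: either way, tell the admin.
    if mac in seen and seen[mac] != port:
        return Decision(port, mac, QUARANTINE_VLAN,
                        f"MAC {mac} seen on {seen[mac]} and now {port}")
    seen[mac] = port
    if port not in INVENTORY:
        return Decision(port, mac, QUARANTINE_VLAN, f"port {port} not in inventory")
    expected = INVENTORY[port]
    if expected == mac or WORK_ORDERS.get(port) == mac:
        return Decision(port, mac, PRODUCTION_VLAN, None)
    if expected is None:
        return Decision(port, mac, QUARANTINE_VLAN, f"device {mac} on spare port {port}")
    return Decision(port, mac, QUARANTINE_VLAN,
                    f"MAC on {port} changed from {expected} to {mac} (no work order)")


def radius_reply(d: Decision, timeout: int = 3600) -> dict:
    """What the authentication server sends back to the switch (RFC 3580 attribute
    names): the VLAN to place the port in and when the authorization expires."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": d.vlan,
        "Session-Timeout": timeout,
    }


def process_log(lines) -> list:
    """Run every MAC_LEARN line through decide(); unrelated lines are ignored."""
    seen: dict = {}
    out = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            out.append(decide(m["port"], m["mac"], seen))
    return out


# Constructed sample log: the expected MAC, a work-ordered swap, a device on a spare
# port, a swapped MAC with no work order, and a duplicated MAC on a second port.
SAMPLE_LOG = """\
2000-01-01T09:00:01 MAC_LEARN port=p3/16 mac=00:11:22:33:44:16
2000-01-01T09:00:02 MAC_LEARN port=p3/17 mac=00:AA:BB:CC:DD:17
2000-01-01T09:05:00 MAC_LEARN port=p3/18 mac=08:00:27:de:ad:01
2000-01-01T09:06:00 MAC_LEARN port=p3/16 mac=08:00:27:de:ad:02
2000-01-01T09:07:00 MAC_LEARN port=p3/19 mac=00:11:22:33:44:16
""".splitlines()

if __name__ == "__main__":
    for d in process_log(SAMPLE_LOG):
        print(d.port, d.mac, "VLAN", d.vlan, "->", d.alert or "ok")
```

The first two lines land on the production VLAN with no alert; the other three are quarantined and each produces a message an admin should be paged with.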
The problem with 802.1x is that a surprising number of sysadmins seem entirely ignorant of what it is, how it works and how to use it. Although the protocol was originally designed for wired switches, as a way of verifying that the computer connected to a switch port is the correct one, it got adapted for use with wireless networks, employing a user's login credentials to clear a particular machine for use on the network (and issuing it with an appropriate key). It's seamless, reliable and pretty bulletproof... but people are still messing with MAC addresses and the like.
What's a bit sad about this article is that all this effort and expertise were used to get Internet access and the perps used it for illegal/shady activities. That's obviously why they're in jail in the first place -- misplaced talent.
You seem to forget management. Your ideas are good, but when management don't give you the time to do such things and ignore you when you point out security issues, then you can only do what they allow you to do. If the business decides it wants all ports available so they can easily plug in a device, then you make them all available. It's what you're paid to do. If you don't like it because it's a security issue, then you leave and go elsewhere, hopefully to a company where management actually respects IT.
"Setting something like that up is fairly trivial, I did it in a weekend using FreeBSD, nagios, and radiusd on an old Pentium-3 system that was rusting away in a closet."
exactly. Yet, THE PRISON WAS USING A MICROSOFT "SOLUTION". While THAT was in place, the cybercrooks "got away with it".
And the offenders were THEN DETECTED AND CAUGHT when that Micro-shaft "solution" was swapped out for a (apparent) REAL one.
They would have had to splice into the cables, as the pic alludes to; the port should have flapped or gone down temporarily, unless they possibly rigged clips that could bite through each one of the 8 wires after they carefully stripped it back? Either way I'm pretty sure they did not just plug into p16; the security would have shut down a rogue MAC immediately. I would love to see the log from this switch, it should speak volumes of the red flags that were glazed over.
It does take some balls. It only takes one person with the knowledge to build the computers. All that is needed is the Case, M/B, CPU, RAM, a network cable, a hard drive, and the means to install the O/S. Everything else is already available on the M/B.
Given that the prisoners were already disassembling computers, reversing the process to build them is simple. Getting access to the network switch to do the deed is about the hardest part, or it should have been. That suggests that there was a network physical security failure, and that somebody's posterior should have been very sore from the punishment inflicted.
You did read the bit about their prison job was disassembling computers?
All they needed - except the network switch - was ready to hand.
The means to do it was provided by the prison's IT staff with their laid-back cushy job attitude, that figured we built it so "What could go wrong?"
I'm guessing that had they not been so greedy, they'd still be at it. I suspect that was the character flaw that got them in there to start with.
They are probably the kind of asshat that breaks into innocent people's bank accounts and other facilities. So no, and I hope the people concerned pull their act together and protect at least people like me (for you the salutary lesson of losing all of the money in your bank account will be good) from these creatures.
It is not funny. It is not admirable, and I'd like to know what the offender profiles are for those concerned.
and if the IT hadn't migrated from MS Software!
The Inspector General was alerted to the issue after ODRC's IT team migrated the Marion Correctional Institution from Microsoft proxy servers to Websense. Shortly afterwards, on 3 July 2015, a Websense email alert reported to ODRC's Operation Support Centre (OSC) that a computer operating on the network had exceeded a daily internet usage threshold.
My emphasis.
Don't buy all your SW from one source, choose the most suitable packages.
Don't buy all your SW from one source, choose the most suitable packages.
That's far too sensible. It's more fun to observe that abandoning Microsoft clearly has advantages whatever way you look at it, and if you want to pour some lighter fuel on the debate you then express a preference for one alternative. Do it in all caps and then sit back.
(no, I can't be asked right now, but be my guest)
:)
Anything server from Microsoft is useless in my view. I only consider them good for Desktop and I only consider Linux* (*your distro of choice) good for server work as it does what is expected of it**.
** Also applies to *BSD (FreeBSD, NetBSD, OpenBSD and so on).
Anything server from Microsoft is useless in my view
Aww, come on, is that the best you can do? WTF happened to a good old rant, the sort of all-caps-with-foam-dripping-from-the-mouth stuff we could have a good laugh at? Where have these people gone? Or can't they handle being part of the entertainment.
Honestly, kids these days ..
:)
I've never been the caps lock type, too much time on the IRC in the past where such behaviour got one banned from the channel from hours to days.
Those people you speak of have left the internet to do other things. I think it's mostly cocaine and opioids and other such things if they do drugs at all (many don't). Some return, most don't return I guess (there is no study into this, so guesses go wild).
Some views on this subject are interesting.
https://www.dailydot.com/unclick/i-quit-the-internet-for-4-years/
**Example of a professional Microsoft rant....**
I have a very nice email from Microsoft tech support explaining why they have DELIBERATELY changed the 2016 Office software to lose attachments.
Double clicking on a word attachment in outlook opens the file in word, but puts the file in a temp directory .......8 levels down.
so when you do a save , guess where it goes?
and when you quit outlook...... guess what happens to the "temp" folder.
the explanation goes on to point out,.......
but notice how we have made the "one-drive service" very easy to use for saving your documents., the functionality is by design.. Please use one drive.
Anything server from Microsoft is useless in my view.
Me thinks you are a tad arrogant, I have a mix of Windoze and linux at home and I've got a problem
My broadband maxed out; first thought was one of those bloody Windoze systems has "got" something. But after disconnecting the various systems it turns out the culprit is my Debian video recorder.
So careful who you blame...
@Dagg, I've come to the conclusion that Linux isn't for Desktop. That's just my view after using it as such for 14 years. During that time the progress has been painfully slow and it is now a good five to eight years behind Microsoft Windows and Apple MacOS. The reason why it isn't popular is clear: it isn't competitive as a desktop OS on the market. If it was, it would be used.
Mobile is different thanks to Google (Alphabet).
I was speaking about Microsoft Windows Server. I don't know for sure how progress has been going on it for the past 14 years, but I don't think it's an ideal environment to use due to how it's structured on the system level (with hard drives a:, b: and so on). Servers need a different set-up since they are doing a different thing. I guess in an all-Microsoft environment it can be useful, unless you use something else for a gateway and firewall to connect to the internet.
I have found that Microsoft Windows 10 is highly useable as a Desktop (but I'm no fan of it). But I'll keep my server FreeBSD or Linux, that's not going to change.
Hat tip: If you are using Microsoft Windows shared folder networking (also known as samba) you can access a remote computer's hard drive by typing ${drive letter} into the address bar on that computer. Example: \\192.168.0.4\F$ - type in user and password and you've got access to all the files, read-write access included.
The article and report say "Microsoft Proxy Server". The last version of MS Proxy 2.0 was released in... 1997. Maybe they meant ISA? Or TMG? Either way, all are old products, and none of them has built in per-use quota management, which is really what caught the perps, so I'm not sure you can have a dig at Microsoft.
That was a major point I noticed. The MS software was (as usual) unable to detect a security hole (likely because its own internal functionality needs the same holes, due to sloppy coding on MS' part). Switching to a competent product immediately exposed the security violation. There's an important lesson to be learned here. The prison could only have done a worse job by running IBM software/systems.
The quote from the report:
"They narrowed the search area down to the switch in P3 and the PC was connected to port 16. I was able to follow the cable from the switch to a closet in the small training room."
So it wasn't simply a port; they managed to run a cable directly from a switch somewhere. Maybe a comms cab in a cupboard, locked door but accessible from the ceiling? I've not had time to read the report yet but will later to see if there's clarification.
One thing I'm wondering though; how did they manage to sneak out an entire monitor or 2 on which to use said PCs? You can cobble together the other parts and sneak them in pockets (with the exception of the mainboard, but that is thin so can fit down pants). You don't need a case for the PC to run. But how did they get a screen out?
The closet was in a training room - perhaps the training used isolated computers? Convince someone the monitor was "bad", get a replacement from the recycling place, quietly shift the "bad" monitor up into the hidden site, and convince the guards that it'd been removed already. Guards would see one working monitor per computer, no extra gear laying around, and conclude that the information was valid. Schedule it for a shift change and the guard near end of shift would see the monitor come in, but, hey, it's almost time to go home, he wouldn't follow the prisoner to ensure the bad one was swapped out properly... he'd tell his replacement. Replacement comes on duty, and he's told "we took the bad one out already, you must've still been at your shift briefing", with some forged documents... they know the guard isn't going to follow up - what use would a monitor be without a computer, after all?
don't need to schedule for guard shift changes. just have something to blackmail the guard with.
I worked with a guy who was an ex-prison guard once. He told me about the kinds of stuff prisoners will do to the guards. One example: a prisoner begs a guard to mail something to his nephew, like a birthday card, "I want to get it to my nephew before his birthday and the prison mail system is too slow." The guard is suckered in, does a one-time favor, and mails it outside the prison. Just a simple birthday card, right? Well, it got a cancellation mark from OUTSIDE the prison on it during the mailing, and it was quietly sent BACK to the same prisoner, who now has PROOF that the guard did something that could get him fired... and the next request is "get me some booze" or "get me some drugs" or "look the other way while we XXX" because it's the guard's F'ing JOB on the line, now...
so yeah, how do prisoners get away with this stuff? Well, it's like *THAT*
One thing I'm wondering though; how did they manage to sneak out an entire monitor or 2 on which to use said PCs?
Headless systems that they could connect to from the inmate area? The systems were in a false ceiling, not a place where you would usually be able to go and sit to view a monitor. For the system in the inmate area they would initially probably have needed just PuTTY to get to their hidden systems. And apparently they had found some of the tools they needed on disks of systems they were taking apart, so that they could bootstrap their toolkit.
Thank you, Stoneshop. Indeed, why would you park a monitor in the ceiling when you would have to sit on a ladder, or get into the ceiling, to use it?! Far more likely the remote access, or a mobe, but also consider a secret KVM cable drop from the illicit host and you use it from the keyboard, screen, and mouse of the nearby "legit" system? Guard coming, switch to the safe host, once clear, switch back. So easy and cheap.
And as to the network connection: if those are home runs from a router, then you can piggyback any number of extra hosts on that wire, no problem, other than having your MAC addr and traffic viewable from any monitoring of it, or if the connections are individually secured. It also would have been safer to host a WiFi hotspot in the overhead, with remote power or a timer to keep it offline while not in use. If not, then you could hijack two spare pairs of wires in an Ethernet run (many have four pairs, but only use two), and have it double back several times in another area so you can have time to spot anyone searching for your rig via the wiring. Still, what a great hack!
At school I was taught to use an apostrophe to pluralise initialisms. I suppose it came from the now near outmoded practice of using an apostrophe to abbreviate words (although some examples are in common use, e.g. "it's" as in "it's hot today").
I'm not saying it's correct, it's just that that's what we were taught to do back then, so I have a lot of tolerance for that type of apostrophe usage.
Glad to hear somebody else who was taught about using apostrophes when pluralising capitalisations. I was taught this at school, but none of the youngsters here seem to have heard of that.
I was also taught to use full stops after each letter in an abbreviation, but this seems to be almost universally outmoded practice nowadays.
Nowadays, I would just write "PCs in the ceiling", but when I was at school I would have written "P.C.'s in the ceiling" (and then the teacher would have asked me what a PC was, because they weren't even a thing when I was at school)
Lovely...here in the states, a "Billion" is actually 1,000 million...or 1 to the 9th. On the other side of El Pondo, its 1 to the 12th, which to Americans, is a trillion...but, a trillion in the UK is..1 to the 18th, putting us further out of sync. As if we don't already argue over "color" versus "colour"?
"Lovely...here in the states, a "Billion" is actually 1,000 million...or 1 to the 9th. On the other side of El Pondo, its 1 to the 12th, which to Americans, is a trillion...but, a trillion in the UK is..1 to the 18th,"
Cough. 1 to the 9th, 1 to the 12th & 1 to the 18th are all 1.
but when I was at school I would have written "P.C.'s in the ceiling"
Incorrect. At best ambiguous - the apostrophe there is indicating the absence of the letter I.
If per se, I know a man named Peter Chris Zumble, and he likes to be called by his initials, and he is hiding in the ceiling, then "P.C.'s in the ceiling" makes sense, otherwise it does not.
> I was taught this at school, but none of the youngsters here seem to have heard of that.
Possibly because the school of thought and prevalent practice on that one has changed in the meanwhile. Some people argue that the apostrophe is redundant as the initials already imply missing characters, and it causes confusion with the possessive case, which does use an apostrophe (although that wasn't always the case, as wasn't always the case that the apostrophe replaced a missing letter, usually 'e' in the possessive).
Either way, both PC's and PCs are correct plurals. I prefer the latter, although personally I tend to avoid pluralised acronyms in the first place so I would have just written "computers" or so.
I will have to agree with that. Plus do not get me started on El Reg not capitalizing Internet, when you bloody well know that it is the correct usage. There, I removed any apostrophes from my text.
Also, might I take a moment and mention that my most favorite Frank Zappa work is Apostrophe ('). Thank you, and have a great googly moogly day!
At school I was taught to use an apostrophe to pluralise initialisms..
Well, you were taught wrong. The Apostropher Royal will get you if you keep this up.
I suppose it came from the now near outmoded practise of using an apostrophe to abbreviate words (although some examples are in common use, e.g. "it's" as in "it's hot today")
Those are called contractions, and nowhere near "near outmoded", they're used all over the place!
In addition to the above, the forensics team found "self-signed certificates, Pidgin chat accounts, Tor sites, Tor geo exit nodes, ether soft, virtual phone, pornography, videos, VideoLan, and other various software" in addition to evidence that malicious activity had been occurring within the ODRC inmate network.
I'm really not sure how videos, VLC, chat accounts are evidence of wrongdoing; there are plenty of legitimate uses.
US prisons have an incredibly strict lock down on outside communications, at least in part because of the money they make off of phone calls home through the prison's systems. As far as the prison is concerned, Pidgin and VoIP are probably more serious than the porn or a lot of the actual crimes.
I think VLC is technically illegal in the US because it plays DVDs with DeCSS.
When VLC is outlawed then only outlaws will have VLC?
VideoLan could safely make a no DVD version since that's another thing that's been dropped in the endless quest to make laptops paper thin (and cut costs).
Reminds me of when I used to work at Evesham Micros (remember them?).
In one corner of the warehouse where all the computers were assembled, there was a trio of guys who built the images for each different configuration. As part of that job, they had their own ADSL connection, and agreed to give us a cat5 cable connected to it. Myself and a few friends then cobbled together a computer from spare parts, which I'll admit is pretty easy when you're right next to a warehouse full of them (with practically no inventory control), and hid it behind a desk. Then, in between testing servers going out to customers, we could surf the internet, and watch films when the bosses weren't looking.
It slightly mitigated the soul-crushing boredom of the job.
It's typical American prison-for-profit management mentality:
1. Treat people (prisoners and rank-and-file employees) as animals
2. Internalize that they are not dealing with real people
3. Cut every kind of service and security to maximize profit
4. Shocked, shocked to find that thinking human beings can defeat their lemur-proof security systems
Au contraire. While things might well be different on the other side of the pond, when my parents were in HMP Shotts (for work, not at her majesty's pleasure) one of the guards explained that prisoners wanted to work, and not allowing a prisoner to do so was one of their most effective sanctions. The reason's simple: if you're not working, there's fuck all to do in prison; it's boring staring at your cell wall all day.
Again, while things might be different in the 'States, the prisoners at Shotts were paid for their work (making roadsigns, incidentally). Nowhere near a living wage (after all, they're getting bed and board provided), but some "pocket money" that went into an account that could be redeemed at the prison shop, mainly for things like more luxurious toiletries.
Things are indeed different on the left side of the pond, the 13th amendment specifically allows for slavery in the context of criminal punishment:
"Neither slavery nor involuntary servitude, *except as a punishment for crime whereof the party shall have been duly convicted*, shall exist within the United States, or any place subject to their jurisdiction."
The inmates put together and tested 2 working machines in the salvage area, then moved them to the lab under a pile of rags and garbage in a cleaning cart. They then had an unsupervised afternoon to hook them up, get power to them and set them up for remote access. The IG report is full of FAIL, no one (but the inmates) comes off as being even marginally competent.
802.1x on Windows is a massive PITA. Anyone who promotes it probably has never done it in a Microsoft environment. We had so many problems with it on Windows 7 that we set a Scheduled Task to reboot one PC every five minutes so we could get MS enough data so they could then create a hotfix which you later had to know about to ask for. The PC went into thermal overload after the first week because it had been rebooted so many times. Why every five minutes? We had branches where PCs would suddenly fail 802.1x, had to be rebooted and then would work for a week. It was happening to hundreds of them every week but only once per week. And they were all shut off each night so it wasn't an uptime or heat thing that caused it. Turned out to be a race condition. When we started testing 8.1 the same thing happened and 802.1x left the buildings.
Well, when you don't build stuff to code, why not. The tiles are hiding a junction box, which is a no-no. I'm willing to bet that electrical junction box is overcrowded too. I know in my home state of California if you run cat cable that is hidden by those types of ceiling tiles you need cable trays. Some counties require the cat cable to be fire rated if going through ceiling tiles like that.
Also, looking at that picture it looks like it had a more permanent type of fixed ceiling that was hiding the electrical junction box, which is an automatic fail of both the Canadian and US national electrical codes.
"Ultimately, five inmates were identified as being involved with the hidden computers, and have been separated and moved to other correctional facilities."
I predict in a fairly short time there will be 25 inmates of US correctional facilities with these skills, rising exponentially. :) PP