Prisoners built two PCs from parts, hid them in ceiling, connected to the state's network and did cybershenanigans
And they would have got away with it too, but for... Websense
We are impressed by five prisoners in the US who built two personal computers from parts, hid them behind a plywood board in the ceiling of a closet, and then connected those computers to the Ohio Department of Rehabilitation and Correction's (ODRC) network to engage in cybershenanigans.
Compliments are less forthcoming from the State of Ohio's Office of the Inspector General, which published its 50-page report [PDF] into this incident yesterday, following a lengthy investigation.
The Inspector General was alerted to the issue after ODRC's IT team migrated the Marion Correctional Institution from Microsoft proxy servers to Websense. Shortly afterwards, on 3 July 2015, a Websense email alert reported to ODRC's Operation Support Center (OSC) that a computer operating on the network had exceeded a daily internet usage threshold. Further alerts, seven regarding "hacking" and 59 regarding "proxy avoidance," reported that the user was committed to network mischief.
From there the search for the miscreant began, and once the login credentials used were found to be be illicit, the ODRC's IT employees attempted to find the unauthorised computer by locating the network switch it was connected into.
An incident report filed on the discovery, included in the Inspector General's, noted:
On the above date and time I was following up on information received from OSC IT department. I had been told there was a PC on our network that was being used to try and hack through the proxy servers. They narrowed the search area down to the switch in P3 and the PC was connected to port 16. I was able to follow the cable from the switch to a closet in the small training room. When I removed the ceiling tiles I found 2 PCs hidden in the ceiling on 2 pieces of plywood.
The computers were cobbled together from spare parts which prisoners had collected from Marion Correction Institution's RET3, a program that helped to rehabilitate prisoners by getting them to break down old PCs into component parts for recycling.
Forensic analysis of the computers completed by the Ohio Inspector General revealed that the users exploited their access to the ODRC's systems to issue passes for inmates to gain access to multiple areas within the institution. They also used the Departmental Offender Tracking System to steal the personal information of another inmate and use those details to successfully apply for five credit cards.
Additional forensics by a more technical team reported finding "a large hacker's toolkit with numerous malicious tools for possible attacks. These malicious tools included password-cracking tools, virtual private network (VPN) tools, network enumeration tools, hand-crafted software, numerous proxy tools, and other software used for various types of malicious activity."
In addition to the above, the forensics team found "self-signed certificates, Pidgin chat accounts, Tor sites, Tor geo exit nodes, ether soft, virtual phone, pornography, videos, VideoLan, and other various software," in addition to evidence that malicious activity had been occurring within the ODRC inmate network.
They reported: "Inmates appeared to have been conducting attacks against the ODRC network using proxy machines that were connected to the inmate and department networks. It appears the Departmental Offender Tracking System portal was attacked and inmate passes were created. Findings of bitcoin wallets, stripe accounts, bank accounts, and credit card accounts point toward possible identity fraud, along with other possible cybercrimes."
Ultimately, five inmates were identified as being involved with the hidden computers, and have been separated and moved to other correctional facilities. More details on their conspiracy and the others involved in it are again available in the Inspector General report. It's a cracking yarn.
In response to the report, ODRC said it appreciated "the time the Inspector General's office has taken to conduct these investigations and we have already taken steps to address some areas of concern. We will thoroughly review the reports and take any additional steps necessary to prevent these types of things from happening again.
"It is of critical importance that we provide necessary safeguards in regards to the use of technology while still providing opportunities for offenders to participate in meaningful and rehabilitative programming." ®