Add1son.com

A place for pondering, planning and projects

Threat model analysis: inmates with homebrew equipment

One of the first headlines that came across my feed today read as the title of this post does: “Investigation finds inmates built computers and hid them in prison ceiling” (Archive.org link).

Immediately after reading this, the following thoughts went through my head:

  1. How could IT be so unaware of these Ethernet lines running directly into their own networking infrastructure?
  2. How did they get caught?

The answer to the first question is easily found by looking at the photo the article uses to show the state of the cabinets housing what I can only assume to be the core network switches: a rat's nest of copper cable.

The second question, however, is partly answered in the article itself. It states: “Authorities say they were first tipped off to a possible problem in July, when their computer network support team got an alert that a computer “exceeded a daily internet usage threshold.” When they checked the login being used, they discovered an employee’s credentials were being used on days he wasn’t scheduled to work.”

It is very interesting that this would be the only alert to fire for this type of intrusion. That led me to the thought: “Well, they must not have had access to the type of information that would have let them spoof employee credentials based on who was scheduled to work?”

The article goes on to say that “The Ohio Inspector General says investigators found an inmate used the computers to steal the identity of another inmate, and then submit credit card applications, and commit tax fraud. They also found inmates used the computers to create security clearance passes that gave them access to restricted areas.”

To my mind this means that if these inmates had internet access, why didn't they just work out how to check the employee schedule, or at least write down by hand which people they saw working and correlate their logins accordingly? Given that they were using an employee login, we can only assume this required password authentication, since it wouldn't make sense for a login prompt to let you identify as any user without verifying that you are that user. This means that at some point they had to have acquired an employee's credentials and used them to log in and reach the internet. Even just monitoring usage patterns should have tipped off the network administrators long before someone noticed an off-the-clock employee using the system. Another idea would be to limit access to the times an employee is scheduled to work; that would be a strange, arbitrary change to implement, but it could be easy if the time card / scheduling service was able to export a .csv.
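The two detections discussed above, the daily usage threshold that actually fired and the schedule correlation that would have caught the misuse earlier, can be run as one script over an authentication/proxy log and a scheduling export. The following is an added example written for this post, not code from the article or the Inspector General's report. It assumes a constructed CSV export (user, date, shift start, shift end) of the kind the hypothetical time card / scheduling service might produce, a constructed session log with one line per session (ISO timestamp, user, bytes transferred), and an assumed policy value for the byte threshold; field names and formats are all assumptions.

```python
"""Flag staff-credential use outside scheduled shifts and above a daily
usage threshold.

Added example for this post, not code from the article or the report it
cites. Inputs are constructed; field names, formats and the threshold are
assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, time

# Constructed schedule export: who is on shift, on which date, and when.
SCHEDULE_CSV = """user,date,start,end
jdoe,2015-07-01,07:00,15:00
jdoe,2015-07-02,07:00,15:00
asmith,2015-07-01,15:00,23:00
asmith,2015-07-03,15:00,23:00
"""

# Constructed session log: ISO timestamp, username, bytes transferred.
SESSION_LOG = """2015-07-01T08:12:00 jdoe 120000
2015-07-01T16:40:00 asmith 450000
2015-07-03T02:15:00 jdoe 900000
2015-07-03T03:05:00 jdoe 1500000
2015-07-03T10:00:00 asmith 300000
"""

DAILY_BYTES_THRESHOLD = 2_000_000  # assumed policy value


def load_schedule(csv_text):
    """Return {(user, date): [(start, end), ...]} from the CSV export."""
    shifts = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        start = time.fromisoformat(row["start"])
        end = time.fromisoformat(row["end"])
        shifts[(row["user"], row["date"])].append((start, end))
    return shifts


def parse_sessions(log_text):
    """Yield (datetime, user, bytes) tuples from the session log."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, nbytes = line.split()
        yield datetime.fromisoformat(ts), user, int(nbytes)


def off_shift_sessions(schedule, sessions):
    """Sessions whose user had no scheduled shift covering that timestamp."""
    flagged = []
    for ts, user, _ in sessions:
        key = (user, ts.date().isoformat())
        covered = any(start <= ts.time() <= end
                      for start, end in schedule.get(key, []))
        if not covered:
            flagged.append((ts.isoformat(), user))
    return flagged


def daily_threshold_breaches(sessions, threshold=DAILY_BYTES_THRESHOLD):
    """(user, date, total_bytes) for each day a user exceeded the threshold."""
    totals = defaultdict(int)
    for ts, user, nbytes in sessions:
        totals[(user, ts.date().isoformat())] += nbytes
    return sorted((u, d, b) for (u, d), b in totals.items() if b > threshold)


def run_checks(schedule_csv=SCHEDULE_CSV, log_text=SESSION_LOG):
    """Run both detections and return their findings."""
    schedule = load_schedule(schedule_csv)
    sessions = list(parse_sessions(log_text))
    return {
        "off_shift": off_shift_sessions(schedule, sessions),
        "threshold": daily_threshold_breaches(sessions),
    }


if __name__ == "__main__":
    for kind, hits in run_checks().items():
        for hit in hits:
            print(kind, hit)
```

On the constructed data the threshold check fires only once, for the day with two large sessions, while the schedule check flags every session on that day as well as an unrelated early login; that is the point of treating the off-shift result as an alert for review rather than an automatic block, since staff do occasionally come in outside their rostered hours.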

This type of negligence is just incredible to see, especially on a network that is dealing with something as potentially dangerous as fugitives getting access to SCADA systems or locking / unlocking doors via a web console.

The article goes into detail about how “lax security” allowed the inmates to get the computer equipment to their respective cells. Computers aren't getting any larger, and with a platform such as the Raspi or the Raspi Zero, the profile of these things is going to continue to shrink until you may not be able to stop them from being carried in and out of a facility. This means that network security should be an even higher concern: proper IPS / IDS implementation will be needed, along with VLAN segmentation and other network security practices, in order to keep the network safe. Hell, even then, what if your inmates start building a mesh net over which they communicate with decentralized technology? What then? It just reminds me that we truly ain't seen nothing yet.
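The first question raised at the top of the post (how IT could miss cables run into their own switches) and the VLAN point just made both come down to the same control: knowing what is plugged into each switch port and on which VLAN. The following added example, not code from the article or the report, reconciles a switch MAC address table snapshot against an asset inventory. The table lines mimic the general shape of a `show mac address-table` listing but are constructed, as are the inventory, the VLAN numbers and the role-to-VLAN policy; the `b8:27:eb` OUI prefix is the Raspberry Pi Foundation's registered one and is used here only to show how a vendor hint is reported next to an unknown device.

```python
"""Reconcile a switch MAC address table against an asset inventory and
report unknown devices, devices on the wrong VLAN, and ports with more than
one MAC behind them.

Added example for this post, not code from the article or the report.
All inputs are constructed; column layout, VLAN numbers and policy are
assumptions.
"""
import re
from collections import defaultdict

# Constructed inventory: MAC -> (asset name, role).
INVENTORY = {
    "00:11:22:33:44:01": ("staff-pc-01", "staff"),
    "00:11:22:33:44:02": ("staff-pc-02", "staff"),
    "00:11:22:33:44:03": ("staff-pc-03", "staff"),
    "00:11:22:33:44:10": ("door-controller-1", "facilities"),
}

# Assumed policy: which VLAN each inventory role belongs on.
ROLE_VLAN = {"staff": 10, "facilities": 20}

# Known IEEE OUI registration used for a vendor hint; extend from the IEEE list.
OUI_HINTS = {"b8:27:eb": "Raspberry Pi Foundation"}

# Constructed MAC table snapshot: vlan, mac, type, port.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4401    DYNAMIC     Gi1/0/1
  10    0011.2233.4402    DYNAMIC     Gi1/0/2
  10    b827.eb12.3456    DYNAMIC     Gi1/0/7
  20    0011.2233.4403    DYNAMIC     Gi1/0/13
  20    0011.2233.4410    DYNAMIC     Gi1/0/12
  20    b827.eb65.4321    DYNAMIC     Gi1/0/12
"""

# Data rows start with a numeric VLAN; header and separator rows do not match.
MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.:-]+)\s+\S+\s+(\S+)\s*$")


def normalize_mac(raw):
    """Convert any common MAC notation to lowercase colon-separated form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Return [(vlan, mac, port), ...] from the table text."""
    entries = []
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            entries.append((int(m.group(1)), normalize_mac(m.group(2)), m.group(3)))
    return entries


def audit(entries, inventory=INVENTORY, role_vlan=ROLE_VLAN, oui_hints=OUI_HINTS):
    """Compare table entries with the inventory and return the findings."""
    unknown, wrong_vlan = [], []
    by_port = defaultdict(list)
    for vlan, mac, port in entries:
        by_port[port].append(mac)
        if mac not in inventory:
            hint = oui_hints.get(mac[:8])  # first three octets are the OUI
            unknown.append((mac, vlan, port, hint))
            continue
        name, role = inventory[mac]
        if role_vlan.get(role) != vlan:
            wrong_vlan.append((mac, name, vlan, port))
    # Several MACs behind one access port usually means an extra device or
    # unmanaged switch has been chained in; worth a look either way.
    shared_ports = {p: macs for p, macs in by_port.items() if len(macs) > 1}
    return {"unknown": unknown, "wrong_vlan": wrong_vlan, "shared_ports": shared_ports}


if __name__ == "__main__":
    for kind, hits in audit(parse_mac_table(MAC_TABLE)).items():
        print(kind, hits)
```

Run periodically from the switches' management interface, a report like this turns the "rat's nest" from something nobody reads into a short list of ports that need a physical check; pairing it with port security or 802.1X then stops the unknown device from ever getting an address on the staff VLAN in the first place.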

Edit: After finding an additional article, it turns out they uploaded a full .pdf of the report, which is most likely what got this news coverage.