Five inmates from the Marion Correctional Institution (MCI) built two computers from spare parts, hid them in the ceiling of a training room closet, and used them to hack into the prison’s network.
Their actions were discovered in July 2015, when the prison’s IT staff switched internal proxy servers from Microsoft to WebSense (now part of Forcepoint).
These servers, designed to monitor and report suspicious traffic, immediately started reporting issues.
Prison IT staff started receiving weird alerts
In the beginning, MCI admins received reports that the user account, belonging to a prison contractor, was exceeding daily traffic quotas. While other employees had also surpassed their daily traffic threshold, the problem was that these reports were coming in the days when that employee was off duty.
Things got weirder a few days later when admins received reports that the same employee was attempting to avoid the traffic monitoring proxies.
At this point, the prison’s IT staff decided to investigate further. Their suspicion that something was wrong was confirmed moments later when they traced back the traffic to a computer with the name “-lab9-“, a name inconsistent with the prison’s internal computer naming scheme.
Computers hid in a closet’s ceiling
The prison staff started an investigation and tracked suspicious network traffic to port 16 of a switch located in the prison’s P3 training room.
When they got to the switch, IT staffers followed the network cable plugged into port 16 to a nearby closet, and up into the ceiling. Removing the ceiling tiles, prison employees found two fully-working computers, placed on two pieces of plywood.
Inmates used parts from prison’s recycling program
According to a report released yesterday by the Ohio Department of Rehabilitation and Correction’s (ODRC), the agency says it identified the five prisoners who built the PCs.
The five inmates managed to build their two PCs because they were part of the prison’s Green Initiative program where they worked in trash management and electronics recycling.
Inmates hacked prison network
A forensic analysis of the hard drives found in the two PCs found legitimate software, hacking tools, and traces of illegal activities. According to the Office of the Ohio Inspector General, the two hard drives contained:
Searches of inmate information through the ODRC Departmental Offender Tracking System (DOTS).
Accessing of inmate data via DOTS.
The issuance of passes for inmates to gain access to multiple areas within MCI.
A Bloomberg Business article on tax refund fraud.
Submissions of five credit card applications in the name of other inmates (data they obtained from DOTS).
Conversations with family members. CC Proxy – a proxy server for Windows. Cain – hacking tool for password recovery. Zed Attack Proxy (ZAP) – vulnerability scanner. Wireshark – network traffic packet analyzer. NMap – network mapping and security auditing tool. ZenMap – security scanner and GUI for NMap. Webslayer – hacking tool for launching brute-force attacks JanaServer – multi-platform proxy server. Yoshi – email spamming tool. AdvOr Tor Browser – a variation of the Tor Browser. THC Hydra – password cracking tool. Cavin – editor for encrypting and decrypting text. Paros – Java-based proxy server and MitM tool. 3CXVoip Phone – free VOIP tool for Windows. VirtualBox – virtual machine software with Kali Linux installed. TrueCrypt – full-disk encryption tool. CC Cleaner – tool for system optimization, privacy, and cleaning. VideoLan – multimedia player Clamwin – antivirus phpBB – open-source forum software SoftEther VPN OpenVPN Custom-crafted software
According to investigators, the inmates used these tools to capture network traffic, move laterally in the prison’s network, crack passwords for active user accounts, and use these accounts to access the prison’s network.
They used this access to collect personal information for other inmates, apply for credit cards in the names of other inmates, and issued passes for other inmates.
Prison staff shares some of the blame
Following the discovery of these tools and inmates actions, the ODRC moved the suspects to other institutions in November 2015.
The Office of the Ohio Inspector General also found that MCI staffers were also at fault. First for failing to supervise inmates (who built two frickin’ computers while in prison), and second for failure to force employees to change passwords every 90 days.
The findings from this investigation have been forwarded to the
Marion County Prosecutor’s Office and the Ohio Ethics Commission for consideration of any punishments.