Hats off to them...
That took some balls, and skillz.
We are impressed by five prisoners in the US who built two personal computers from parts, hid them behind a plywood board in the ceiling of a closet, and then connected those computers to the Ohio Department of Rehabilitation and Correction's (ODRC) network to engage in cybershenanigans. Compliments are less forthcoming from …
They weren't really good at it, just slightly better than the prison's staff. Something as simple as implementing port lock-downs, 802.1x, or just keeping ports unplugged unless actually needed would have stopped them cold.
A prison is unique in that the IT staff would be aware of every single MAC address of every machine that should be on the network, at least in the areas where prisoners might be. They should be setting up a monitoring system that screams in their face every time the MAC changes on a port, and if it isn't tied to a work order, someone should go investigate.
Setting something like that up is fairly trivial, I did it in a weekend using FreeBSD, nagios, and radiusd on an old Pentium-3 system that was rusting away in a closet. I get an email every time a machine is plugged into a different port, or a new system is added to the network, even over wireless. Any new device is dropped onto a non-routing VLAN and can only access a read-only ftp server hosting OS install files, patches, and some packages (FTP is in read-only mode, files are modified via rsync on another interface). It wouldn't take much more for the prison's IT staff to do the same.
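The port/MAC monitor described in the post above, as an added example and not the poster's own FreeBSD/nagios/radiusd setup: a Nagios-style check that compares a snapshot of the switch's MAC address table against a baseline of which MAC belongs on which port, exempts moves covered by an open work order, and raises CRITICAL for an unknown MAC or a known MAC that has turned up on a different port. The baseline, the work-order list and the snapshot text (shaped like `show mac address-table` output) are constructed for the example.

```python
"""Nagios-style port/MAC change check (added example, not the poster's script).

Assumed inputs:
  BASELINE     port -> the one MAC expected there ('' = port should be empty)
  WORK_ORDERS  (mac, port) moves an admin has approved
  SNAPSHOT     switch MAC address table text (constructed sample below)
"""
import re
from dataclasses import dataclass

OK, WARNING, CRITICAL = 0, 1, 2   # Nagios plugin exit codes

# Matches lines like "  10    0011.2233.4401    DYNAMIC     Gi1/0/1"; header lines don't match.
MAC_TABLE_LINE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\w+\s+(?P<port>\S+)",
    re.IGNORECASE,
)

# Constructed baseline: three known workstations, port 16 is supposed to be empty.
BASELINE = {
    "Gi1/0/1": "00:11:22:33:44:01",
    "Gi1/0/2": "00:11:22:33:44:02",
    "Gi1/0/3": "00:11:22:33:44:03",
    "Gi1/0/16": "",
}
# Constructed work order: the machine from port 3 is allowed to move to port 2 today.
WORK_ORDERS = {("00:11:22:33:44:03", "Gi1/0/2")}
# Constructed snapshot: ports 2 and 3 swapped, plus an unknown box on port 16.
SNAPSHOT = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4401    DYNAMIC     Gi1/0/1
  10    0011.2233.4403    DYNAMIC     Gi1/0/2
  10    0011.2233.4402    DYNAMIC     Gi1/0/3
  10    0011.2233.44ff    DYNAMIC     Gi1/0/16
"""


def normalize_mac(mac: str) -> str:
    """Accept aabb.ccdd.eeff, aa-bb-..., aa:bb:... and return lower-case aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> dict:
    """Return {port: set(macs)} from the snapshot; non-matching lines are ignored."""
    seen = {}
    for line in text.splitlines():
        m = MAC_TABLE_LINE.match(line)
        if m:
            seen.setdefault(m["port"], set()).add(normalize_mac(m["mac"]))
    return seen


@dataclass
class Alert:
    severity: int
    mac: str
    port: str
    reason: str


def check_ports(baseline: dict, snapshot: dict, work_orders: set) -> list:
    """Every MAC on a port must be the baseline MAC or covered by a work order."""
    alerts = []
    known_port = {mac: port for port, mac in baseline.items() if mac}
    for port, macs in snapshot.items():
        expected = baseline.get(port, "")
        for mac in macs:
            if mac == expected or (mac, port) in work_orders:
                continue
            if mac in known_port:
                alerts.append(Alert(CRITICAL, mac, port, f"known MAC moved from {known_port[mac]}"))
            else:
                alerts.append(Alert(CRITICAL, mac, port, "unknown MAC, no work order"))
        if len(macs) > 1:   # a hub, a second switch, or a splice behind the port
            alerts.append(Alert(WARNING, ",".join(sorted(macs)), port, "more than one MAC behind port"))
    return alerts


def plugin_status(alerts: list) -> int:
    """Highest severity seen, OK when there is nothing to report."""
    return max((a.severity for a in alerts), default=OK)


if __name__ == "__main__":
    found = check_ports(BASELINE, parse_mac_table(SNAPSHOT), WORK_ORDERS)
    for a in found:
        print(f"{['OK', 'WARNING', 'CRITICAL'][a.severity]}: {a.mac} on {a.port}: {a.reason}")
    raise SystemExit(plugin_status(found))
```

Run as a Nagios/Icinga plugin, the exit code drives the notification; the one thing the script cannot tell you is whether the unexpected MAC is a clone of a real one, which is why the baseline keeps exactly one MAC per port and a port growing a second MAC is worth a warning on its own.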
"Because spoofing a MAC address is impossible right?"
They'd have to spoof an authorized MAC and somehow get the real system offline (otherwise the systems would just start throwing errors and effectively disconnect themselves), and even then, they'd have to get around the fact that the switch would still yell at the admin about the fact that it is on a different port. So even if they do duplicate the MAC and somehow connect it to the same port, someone is going to notice that their computer no longer has connectivity.
"yep and your little system fails on 2 counts:
1. Mac spoofing
2. Current trend for devices to randomize the MAC."
I take it you don't know how 802.1x actually works... Reason 1 would be prohibitively difficult to pull off without anyone noticing. As for the second one, if a device pops up on a network that doesn't possess a valid token, the device will be quarantined until the device receives a new token by way of an authentication back-end. Granting of the token by the authenticator can be done on something as basic as MAC address (by far the most common on wired networks) but can be based on any authentication mechanism that the connecting OS has a supplicant for and the switch is able to relay back to the authentication server. I've implemented 802.1x using everything from basic MAC address to usernames/passwords to certificates to manual approval by an authorized admin.
The switch doesn't care what is used to authenticate the connecting client, so long as the authentication server responds back with an AUTHORIZED packet, an expiration for the authorization, and an optional VLAN assignment that the client belongs on. Otherwise the system is just left on a quarantine VLAN that, usually, doesn't route to anything (some places allow packets to route out on that VLAN to build a 'guest network' without allowing the system to see packets from secured networks; obviously a prison wouldn't allow that). So if they do implement something a little more than MAC-based auth, then the system will be sitting there with nothing to do but talk to the authentication server (until an admin notices a weird machine on the network and kills the system).
In a place like a prison, where security is key, it would be likely that they'd use the MAC to authenticate the system to the network, but that would only get them access to the authentication network until their system can convince the authentication server to grant them greater access.
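The authorisation decision described in the three paragraphs above, as an added example and not the poster's radiusd configuration: a model of the authentication back-end's answer to the switch. The RADIUS attribute names used (Calling-Station-Id, NAS-Port-Id, Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, Session-Timeout) are the real ones; the policy, the VLAN numbers, the MAC inventory, the certificate subject and the user record are all assumptions made for the example. A MAC that checks out gets the authentication VLAN with a short expiry; a certificate or password on top of it earns the workstation VLAN; an unknown MAC, a MAC on the wrong port, or a known MAC that is already live on another port gets Access-Reject, which here is taken to leave the port in the switch's own auth-fail (quarantine) VLAN.

```python
"""Model of an 802.1x / MAC-auth authorisation back-end (added example, not the
poster's radiusd config).  Policy, VLAN ids and the inventory are assumptions."""
import hmac
from dataclasses import dataclass
from typing import Optional

QUARANTINE_VLAN = "999"   # switch-side auth-fail VLAN: no routing, auth server only
AUTH_VLAN = "200"         # MAC-only clients: can reach the auth server, nothing else
WORKSTATION_VLAN = "10"   # full access, only after a stronger credential

# Assumed inventory: MAC -> the port that machine is supposed to be on.
KNOWN_MACS = {
    "00:11:22:33:44:01": "Gi1/0/1",
    "00:11:22:33:44:02": "Gi1/0/2",
}
# Assumed stronger credentials a supplicant might present (EAP-TLS subject CN, or user/password).
TRUSTED_CERT_CNS = {"ws-01.example.prison"}
USERS = {"jsmith": "correct horse battery staple"}   # demo only; a real server hashes these


@dataclass
class AccessRequest:
    calling_station_id: str           # client MAC as the switch reports it
    nas_port_id: str                  # switch port the request came in on
    cert_cn: Optional[str] = None     # set when EAP-TLS succeeded with this subject
    username: Optional[str] = None
    password: Optional[str] = None


@dataclass
class AccessResponse:
    accept: bool
    vlan: str
    session_timeout: int              # seconds until the switch must re-authenticate
    reason: str


def authorize(req: AccessRequest, active_sessions: dict) -> AccessResponse:
    """Decide the VLAN for a connecting client.

    active_sessions: {mac: port} of clients currently authorised.  A MAC that is
    live on one port and appears on another is treated as a clone, not a move.
    """
    mac = req.calling_station_id.lower()
    if mac not in KNOWN_MACS:
        return AccessResponse(False, QUARANTINE_VLAN, 60, "unknown MAC: quarantined")
    live_port = active_sessions.get(mac)
    if live_port not in (None, req.nas_port_id):
        return AccessResponse(False, QUARANTINE_VLAN, 60,
                              f"MAC already live on {live_port}: possible clone")
    if KNOWN_MACS[mac] != req.nas_port_id:
        return AccessResponse(False, QUARANTINE_VLAN, 60,
                              f"MAC belongs on {KNOWN_MACS[mac]}, seen on {req.nas_port_id}")
    # The MAC checks out.  On its own that only earns the authentication VLAN.
    if req.cert_cn in TRUSTED_CERT_CNS:
        return AccessResponse(True, WORKSTATION_VLAN, 8 * 3600, "certificate accepted")
    if req.username in USERS and req.password is not None and hmac.compare_digest(
            USERS[req.username].encode(), req.password.encode()):
        return AccessResponse(True, WORKSTATION_VLAN, 8 * 3600, "password accepted")
    return AccessResponse(True, AUTH_VLAN, 300, "MAC only: limited to authentication VLAN")


def to_radius_attributes(resp: AccessResponse) -> dict:
    """Attributes the server would put in the Access-Accept for a VLAN assignment."""
    if not resp.accept:
        return {"Reply-Message": resp.reason}      # Access-Reject carries no VLAN
    return {
        "Tunnel-Type": "VLAN",                     # value 13
        "Tunnel-Medium-Type": "IEEE-802",          # value 6
        "Tunnel-Private-Group-ID": resp.vlan,
        "Session-Timeout": resp.session_timeout,
    }


if __name__ == "__main__":
    sessions = {"00:11:22:33:44:01": "Gi1/0/1"}
    for req in (AccessRequest("00:11:22:33:44:ff", "Gi1/0/16"),
                AccessRequest("00:11:22:33:44:02", "Gi1/0/2"),
                AccessRequest("00:11:22:33:44:02", "Gi1/0/2", cert_cn="ws-01.example.prison"),
                AccessRequest("00:11:22:33:44:01", "Gi1/0/16")):
        r = authorize(req, sessions)
        print(req.calling_station_id, req.nas_port_id, "->", r.reason, to_radius_attributes(r))
```

The Session-Timeout is what the poster calls the token's expiration: when it runs out the switch re-runs authentication, so a box that got onto the authentication VLAN by MAC alone has to keep convincing the server every five minutes, and the clone check means a copied MAC only gets anywhere once the real machine has dropped off.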
The problem with 802.1x is that a surprising number of sysadmins seem entirely ignorant of what it is, how it works and how to use it. Although the protocol was originally designed for wired switches, as a way of verifying that the computer connected to a switch port is the correct one, it got adapted for use with wireless networks, employing a user's login credentials to clear a particular machine for use on the network (and issuing it with an appropriate key). It's seamless, reliable and pretty bulletproof... but people are still messing with MAC addresses and the like.
What's a bit sad about this article is that all this effort and expertise were used to get Internet access and the perps used it for illegal/shady activities. That's obviously why they're in jail in the first place -- misplaced talent.
You seem to forget management. Your ideas are good, but when management doesn't give you the time to do such things and ignores you when you point out security issues, then you can only do what they allow you to do. If the business decides it wants all ports available so they can easily plug in a device, then you make them all available. It's what you're paid to do. If you don't like it because it's a security issue, then you leave and go elsewhere, hopefully to a company where management actually respects IT.
"Setting something like that up is fairly trivial, I did it in a weekend using FreeBSD, nagios, and radiusd on an old Pentium-3 system that was rusting away in a closet."
exactly. Yet, THE PRISON WAS USING A MICROSOFT "SOLUTION". While THAT was in place, the cybercrooks "got away with it".
And the offenders were THEN DETECTED AND CAUGHT when that Micro-shaft "solution" was swapped out for a (apparent) REAL one.
They would have had to splice into the cables, as the pic alludes to; the port should have flapped or gone down temporarily, unless they possibly rigged clips that could bite through each one of the 8 wires after they carefully stripped it back? Either way I'm pretty sure they did not just plug into p16, the security would have shut down a rogue MAC immediately. I would love to see the log from this switch, it should speak volumes of the red flags that were glazed over.
It does take some balls. It only takes one person with the knowledge to build the computers. All that is needed is the Case, M/B, CPU, RAM, a network cable, a hard drive, and the means to install the O/S. Everything else is already available on the M/B.
Given that the prisoners were already disassembling computers, reversing the process to build them is simple. Getting access to the network switch to do the deed is about the hardest part, or it should have been. That suggests that there was a network physical security failure, and that somebody's posterior should have been very sore from the punishment inflicted.
You did read the bit about their prison job was disassembling computers?
All they needed - except the network switch - was ready to hand.
The means to do it was provided by the prison's IT staff with their laid-back cushy job attitude, that figured we built it so "What could go wrong?"
I'm guessing that had they not been so greedy, they'd still be at it. I suspect that was the character flaw that got them in there to start with.
They are probably the kind of asshat that breaks into innocent people's bank accounts and other facilities. So no, and I hope the people concerned pull their act together and protect at least people like me (for you the salutary lesson of losing all of the money in your bank account will be good) from these creatures.
It is not funny. It is not admirable, and I'd like to know what the offender profiles are for those concerned.
and if the IT hadn't migrated from MS Software!
The Inspector General was alerted to the issue after ODRC's IT team migrated the Marion Correctional Institution from Microsoft proxy servers to Websense. Shortly afterwards, on 3 July 2015, a Websense email alert reported to ODRC's Operation Support Centre (OSC) that a computer operating on the network had exceeded a daily internet usage threshold.
My emphasis.
Don't buy all your SW from one source, choose the most suitable packages.
Don't buy all your SW from one source, choose the most suitable packages.
That's far too sensible. It's more fun to observe that abandoning Microsoft clearly has advantages whatever way you look at it, and if you want to pour some lighter fuel on the debate you then express a preference for one alternative. Do it in all caps and then sit back.
(no, I can't be asked right now, but be my guest)
:)
Anything server from Microsoft is useless in my view. I only consider them good for Desktop and I only consider Linux* (*your distro of choice) good for server work as it does what is expected of it**.
** Also applies to *BSD (FreeBSD, NetBSD, OpenBSD and so on).
Anything server from Microsoft is useless in my view
Aww, come on, is that the best you can do? WTF happened to a good old rant, the sort of all-caps-with-foam-dripping-from-the-mouth stuff we could have a good laugh at? Where have these people gone? Or can't they handle being part of the entertainment.
Honestly, kids these days ..
:)
I've never been the caps lock type, too much time on the IRC in the past where such behaviour got one banned from the channel from hours to days.
Those people you speak of have left the internet to do other things. I think it's mostly cocaine and opioids and other such things if they do drugs at all (many don't). Some return, most don't return I guess (there is no study into this, so guesses go wild).
Some views on this subject are interesting.
https://www.dailydot.com/unclick/i-quit-the-internet-for-4-years/
**Example of a professional Microsoft rant....**
I have a very nice email from Microsoft tech support explaining why they have DELIBERATELY changed the 2016 Office software to lose attachments.
Double clicking on a word attachment in outlook opens the file in word, but puts the file in a temp directory .......8 levels down.
so when you do a save , guess where it goes?
and when you quit outlook...... guess what happens to the "temp" folder.
the explanation goes on to point out,.......
but notice how we have made the "OneDrive service" very easy to use for saving your documents. The functionality is by design. Please use OneDrive.
Anything server from Microsoft is useless in my view.
Methinks you are a tad arrogant. I have a mix of Windoze and Linux at home and I've got a problem.
My broadband maxed out; first thought was one of those bloody Windoze systems has "got" something. But after disconnecting the various systems it turns out the culprit is my Debian video recorder.
So careful who you blame...
@Dagg, I've come to the conclusion that Linux isn't for Desktop. That's just my view after using it as such for 14 years. During that time the progress has been painfully slow and it is now a good five to eight years behind Microsoft Windows and Apple macOS. The reason why it isn't popular is clear: it isn't competitive as a desktop OS on the market. If it was, it would be used.
Mobile is different thanks to Google (Alphabet).
I was speaking about Microsoft Windows Server. I don't know for sure how progress has been going on it for the past 14 years, but I don't think it's an ideal environment to use due to how it's structured on the system level (with hard drives A:, B: and so on). Servers need a different set-up since they are doing a different thing. I guess in an all-Microsoft environment it can be useful, unless you use something else for a gateway and firewall to connect to the internet.
I have found that Microsoft Windows 10 is highly useable as a Desktop (but I'm no fan of it). But I'll keep my server FreeBSD or Linux, that's not going to change.
Hat tip: If you are using Microsoft Windows shared folder networking (also known as Samba) you can access a remote computer's hard drive by typing ${drive letter} into the address bar on that computer. Example: \\192.168.0.4\F$ - type in a user and password and you've got access to all the files, read-write access included.
The article and report say "Microsoft Proxy Server". The last version, MS Proxy 2.0, was released in... 1997. Maybe they meant ISA? Or TMG? Either way, all are old products, and none of them has built-in per-user quota management, which is really what caught the perps, so I'm not sure you can have a dig at Microsoft.
That was a major point I noticed. The MS software was (as usual) unable to detect a security hole (likely because its own internal functionality needs the same holes, due to sloppy coding on MS' part). Switching to a competent product immediately exposed the security violation. There's an important lesson to be learned here. The prison could only have done a worse job by running IBM software/systems.