Cybercrime—from inside an Ohio prison
Plenty of companies have smart, resourceful IT teams that diligently support their organization’s computers and networking operations. But I’m not sure how many of them could pull off the technological tricks that a group of inmates at Ohio’s Marion Correctional Institution did.
From e-waste to identity theft
According to local news reports that blew up over the internet last week, at least five prisoners built a pair of working PC out of parts scavenged from e-waste as part of a program designed to teach computer skills by having inmates break down end-of-life computers and recycle the parts. The inmates smuggled the PCs to a training room, hid them in the ceiling and then ran wiring to connect to the prison network.
But that’s only the beginning of the story, which was disclosed to the public in a recent report. The big score came as the inmate IT ops team (I don’t know if they called themselves that, but I definitely hope they did) managed to connect the devices to the Ohio Department of Rehabilitation and Correction’s network. And from there they were off to the races.
Apparently, the inmates looked over the shoulder of a prison employee to steal his password. Once in the system, they attempted to use the machines for a number of cybercrimes, including identity theft of another inmate serving a long sentence, applying for multiple credit and debit cards in his name. One of the inmates even used the computers to send text messages to his mother, telling her where to go pick up the fraudulently obtained cards!
The scheme was discovered when the correction networks support team got an alert that a device “exceeded a daily internet usage threshold.” The login was registered to an employee who wasn’t scheduled to work on the days in question. But while that discovery came in July of 2015, only now is the incident coming to light, a development that is causing a fair amount of consternation in the Ohio prison community.
Surprising, or not so much?
Frankly, though, TechWatch doesn’t particularly care about the possible lapses in Ohio’s prisons. I’m more interested in how these prisoners came up with and executed their scheme.
Ohio Inspector General Randall J. Meyer told reporters, “It surprised me that the inmates had the ability to not only connect these computers to the state’s network, but had the ability to build these computers.”
At first I was surprised, too. This kind of pirate ingenuity might have challenged a corporate IT team, I thought. But as I considered the story, I realized that in 2017, building PCs, connecting to the networks and hacking into protected systems is no longer that difficult—especially for folks who have already shown they’re not very interested in playing by the rules.
Heck, we all know maintaining cybersecurity can incredibly difficult, even if we didn’t think real threats could come from inside a prison! If that’s not a wake up call for security professionals everywhere, I don’t know what is.