Category Archive: Uncategorized

Cybercriminals Mostly Prefer Skype Messaging

But cybercrime gangs worldwide are increasingly using encrypted peer-to-peer chat platforms for their communications outside online underground forums, new study finds.

When cybercriminals take their conversations outside their underground forums, their favorite mode of communication is Skype, according to a study of global cybercriminal operations.

Skype, which, unlike newer-generation messaging apps such as WhatsApp, Jabber, Telegram, and Signal, does not encrypt messages end-to-end, ranks as the most-mentioned messaging platform, according to Flashpoint, which counted how often cybercriminals on the Deep and Dark Web mentioned messaging services over a four-year period. While the researchers couldn’t confirm why Skype got the most love, they theorize that it’s because the well-known messaging application, now bundled with most Microsoft software, is the most readily available and convenient way to communicate.

Leroy Terrelonge, Flashpoint’s director of Middle East and Africa Research and director of Americas Research, says he and his team wanted to see where cybercriminals go to communicate and drill down on their deals and hacking operations after first meeting in their online forums. “Yes, they are meeting in [online underground forums]: that serves as a vital way to bring people together. But the really meaty conversation where they go to [discuss] targeting is not happening in forums, but in different messaging applications,” he says.

Cybercriminals around the world also tend to follow and emulate what Russian-speaking cybercrime groups do. Russian-speaking cybercrime is considered the most sophisticated, and Flashpoint noted that there’s a large adoption of the nonencrypted ICQ messaging platform around the world. ICQ traditionally has been heavily used by Russian cybercriminals, although Skype has bumped it from the number one slot in those groups.

“Russian-speaking actors … sit at the top of the food chain,” and cybercriminals in other regions look to them for the latest communications tools, as well as to communicate and collaborate with them, Terrelonge says.

Flashpoint investigated four years of data it had collected via its Deep Web and Dark Web monitoring, and found that Skype in 2016 landed in the top five most-mentioned messaging platforms in communities that speak Russian (#1), English (#1), Spanish (#2), Arabic (#2), French (#2), Chinese (#3), and Persian/Farsi (#3). Skype overall was used much less within Chinese-, French-, and Persian-speaking cybercrime communities, however.

“Skype, which is not considered to be a very secure messaging platform, is still used across many different language communities as one of the top five messaging apps,” Terrelonge says.

Most of the regions are trending toward adopting end-to-end encrypted messaging as well. The shift began sometime after Edward Snowden’s leak of documents from the National Security Agency (NSA) that illustrated the agency’s surveillance capabilities: “In general, across all [groups], there was a move from 2012 to 2016 away from less secure to more secure messaging,” Terrelonge says.

The new generation of encrypted messaging apps is much easier to use, he says, than the old days of non-user friendly interfaces that were “clunky.”

Among the Russian-speaking groups, the top five mentioned messaging apps in 2016 were Skype (38.72%); Jabber (24.77%); ICQ (21.05%); Telegram (7.26%); and Viber (4.47%). Jabber (45.84%) topped the French-speaking list, while WhatsApp (27%) and Skype (25%) topped the Arabic-speaking one; Telegram (88.5%), the Persian-speaking one; and Jabber inched up to number two behind Skype in the English-speaking cybercrime community, with 11.75%, followed by ICQ (9.81%), and Kik Messenger (5.63%). Chinese-speaking groups mostly use the less-secure QQ (63.33%), followed by WeChat (35.58%); Skype (0.44%); WhatsApp (0.22%); and Jabber (0.31%), according to the Flashpoint report.


via:  darkreading


7 Ways Hackers Target Your Employees

One employee under reconnaissance by cyberattackers can put your whole business at risk. Where are they being targeted, and what should they know?

Cybercriminals are testing the strength of your organization’s defensive wall, looking for the one crack they need to launch their attacks. Oftentimes that flaw isn’t a “what,” but a “who.”

Employees only need to download a bad attachment, click a malicious link, or give attackers one piece of information they need to break in. Security is a business-wide responsibility.

“Companies need to realize if their employees are picking up the phone and answering emails, they are making security decisions every day that can affect the company,” says Michele Fincher, COO for Social-Engineer, Inc. “They don’t realize how many good decisions employees need to make to be secure.”

Addressing the importance of security during annual training sessions isn’t enough, says Fincher. “If you only talk about it once a year, you’re doing the staff a grave disservice.”

Social engineering attacks also make it harder to differentiate legitimate from malicious activity. In the past, cybercriminals needed more technical skills to launch attacks. These days, they can wreak havoc with social network browsing, phone calls, and emails. They can conduct surveillance without raising red flags.

As Social-Engineer, Inc. CEO Chris Hadnagy explains, “There’s no bar for entry for an attacker.”

Here are seven common strategies attackers use to target employees. Share these with your teams to inform them of today’s dangers and where hackers may be hiding.


via:  darkreading


The Human Factor: The unspoken threat in cybersecurity

How can a CISO best negate the threats that BYOD and mobile devices pose to their organization?

Ever since there have been humans, there have been human errors – and some of them have been whoppers (like the Japanese trader’s “fat finger” trading error that cost his company $600 billion). Doing tasks that they really don’t understand, or mistakenly pushing a button or pulling a lever, people are the root cause of 90% of air traffic control errors, over 50% of factory equipment failures after maintenance, 37% of downtime at pharmaceutical firms, and in one of the biggest flubs of all time, human error nearly destroyed Kansas.

Such errors can destroy a company, too – by allowing hackers access to sensitive data. Trying to detect and deflect such attacks is often fruitless; the solution security officers need to concentrate on is a prevention-based one.

It seems that there is a correlation between human error and an employee’s lack of understanding of what a job entails – a problem that is responsible for tens of billions of losses for companies every year. And it also appears that the more complex a job or system is, the greater the level of human error. So it should come as no surprise that human error, negligence, a lack of understanding of what they are supposed to do, and similar human failings are responsible for more than a third of data breaches, according to a Ponemon Institute study. Computer systems today are extremely complex, and the way organizations operate today – from focusing on detection of breaches and outage issues to encouraging employees to bring their own devices to work – only increases the chances that someone at some time will make a mistake, one that could prove fatal to the organization.

Examples of how errors by workers led to data breaches are rife – and many of them rely on social engineering, spear-phishing, and other e-mail and Internet-based exploits. In 2014, hackers ran a phishing exploit that netted them credential information from as many as 100 eBay employees, which enabled them to get access to the company’s systems – undetected – for months. In 2015, hackers got hold of personal data (including social security numbers) from employees and customers of Anthem Blue Cross and Blue Shield, apparently using social engineering techniques via an e-mail or other communication. And in one of the most infamous breaches of all time, hackers got access to Sony’s network using phishing techniques.

Phishing and social engineering are far from the only source of human error-related data breaches. BYOD – where companies invite employees to use their own personal devices or laptops in the office, either for convenience or to save money – brings a load of security issues into the office. In 2014, a hacker managed to breach a BYOD service used by UK insurance giant Aviva to invade employee devices, possibly stealing credentials. And of course there are the “run of the mill” mobile device security issues; thousands of new mobile malware strains appear every day, and in fact, according to a major security study, some Android devices are coming with the malware pre-installed, making the work of hackers easier and more convenient than ever. And since nearly half of employees who use their devices for work don’t even think about security as an issue, BYOD-friendly organizations could easily find themselves experiencing a “perfect storm” security crisis at any time.

What’s a CISO to do? Well, the natural response among most security officers – especially when they have been targeted – is to take inventory and see where the breach came from, and how to close up the “hole” that allowed the data breach to occur in the first place. And since, as we’ve seen, most of these breaches are due to human error, there are some specific responses that promise to limit the damage:

1. Just Don’t Click

When in doubt, that is. Many organizations have educational programs that stress over and over the dangers of clicking on suspicious links, or opening attachments. Sandboxes, firewalls, and anti-virus programs check incoming data six ways to Sunday. And in some companies, IT managers send out fake phishing messages in order to see whether employees have learned their lessons. Between the security systems and employees’ self-restraint, phishing/social engineering exploits that use links or rogue script in attachments should be a thing of the past.

But as we see, they aren’t. Hackers keep up with the times, and they are able to slip malware code into files that sandboxes won’t catch; the malware is programmed to hide itself while it’s in the sandbox – and if the attack is a zero-day exploit (as most exploits today are), there is no way a signature-based anti-virus program will prevent a hack. And many phishing exploits are cleverly hidden in e-mail messages that employees would swear look legitimate.

2. Best BYOD Practices?

By allowing – in many cases requiring – employees to use their own devices at work, IT security teams automatically increase their workload by a large amount. Now they are responsible not only for the security of their network, but for the security of the devices that connect to the network. To prevent breaches, organizations have developed acceptable use protocols: What apps can be installed on a device, what apps cannot be used, how and when to connect to social media, etc. In addition, many organizations require the use of encryption for organization communications and connections.

Which is all well and good – except for the fact that enforcing such policies is more difficult than enforcing network security. After all, the device belongs to the employee, who paid good money for it (or at least got it from the company for business and personal use). And while a really dedicated employee might be at his or her desk for 60 or more hours a week, there are still plenty of other hours in which they will be able to use their devices out of view of network personnel. Can a CISO guarantee that an employee won’t accidentally copy a file or sensitive data from an enterprise-approved app to their Facebook page?

3. Mobile Mess

Related to BYOD is the whole phenomenon of using mobile devices for work-related purposes, especially for e-mail and text messaging. While having access to the office – and managers having access to employees – at any time is certainly convenient, the risks of mobile in this context are high. Two-factor authentication to access apps could help, but it won’t prevent copying mistakes as described above. In addition, devices are vulnerable to many kinds of attacks that cyber-criminals can use against them. Text messages, for example, could include links to rogue sites that download malware onto a device and use key-logging techniques to steal credentials. The problem is so bad, in fact, that NIST, the National Institute of Standards and Technology, recommends dumping SMS as an authentication method, because it is too easy to hack.

Is this the best CISOs can hope for? It is, if they plan to fight hackers who have already gotten credentials, or are attempting to do so via a phishing/social engineering/malware attack. If hackers can beat sandboxes, a long-time venerable technology that organizations rely on to protect them, they can beat a company’s best educational efforts, penalty programs, or security protocols. The methods by which employees can slip up are just too many and too easy, and organizations cannot rely on such arrangements.

What has to be implemented is a system that keeps threats away from employees and the IT system altogether. Network segregation goes beyond sandboxing: not just checking files and connections for rogue activity, but actually executing code and making connections in an isolated environment. If a problematic connection or file attempts to execute, it will do so – in a virtual container that keeps the executed code or connection away from the real network until its purpose is clear. If the connection or code checks out – and does what it is supposed to do, based on its profile – then it is allowed to move forward. And if not, it just gets rejected, kept away from the IT system altogether. Network segregation can also be used to isolate devices, keeping them from passing malware or copying data from an IT system. Thus, the threats of mobile and BYOD are obviated as well. With a system like this, CISOs can rest a little more easily, knowing that they did their best to plug up the many “security holes” that are a feature of the human experience – and of human employees.


via:  itproportal


Businesses increasing encryption efforts

Cyber security threats have done their part in encryption adoption among businesses.

Businesses are increasingly adopting encryption strategies, according to a new report by Thales. More than four in ten (41 per cent) of respondents in the report said their organisation has an encryption strategy that is applied ‘consistently’, across the enterprise.

What’s also interesting is that, for the first time since Thales started producing these reports (12 years ago), business unit leaders have more influence on these decisions than IT operations.

Looking at the figures, the report states that two thirds (67 per cent) use one of two routes: They either perform on-premise encryption, or send the data into the cloud, where it’s encrypted using on-premise generated keys.

Almost four in ten (37 per cent) said their businesses turn over complete control of keys and encryption processes to cloud providers.

“The accelerated growth of encryption strategies in business underscores the proliferation of mega breaches and cyberattacks, as well as the need to protect a broadening range of sensitive data types,” commented Dr Larry Ponemon, chairman and founder of The Ponemon Institute.

“Simply put, the stakes are too high for organizations to stand by and wait for an attack to happen to them before introducing a sophisticated data protection strategy. Encryption and key management continue to play critical roles in these strategies.”

It’s also interesting to learn that a third (31 per cent) are either using, or plan on using, HSMs (Hardware Security Modules) together with BYOK (Bring Your Own Key) deployments. A fifth (20 per cent) said the same for CASB (Cloud Access Security Broker) deployments. Both HSM and CASB usage are expected to double in the next year, from 12 to 24 per cent.


via:   itproportal


McAfee LinkedIn page hijacked

Now deleted updates to the hijacked business page link attackers to a Twitch hack in 2016.

On Sunday evening, the LinkedIn page for McAfee was hijacked by a single person or an unknown number of individuals who apparently watched Twitter for reactions. The business page was defaced with random remarks, and at one point made a passive reference to a Twitch hack in 2016. (See update at the bottom of this story.)


The LinkedIn defacement happened around 9:30 p.m. EST on Sunday evening. McAfee recently announced some changes to the company, including a return to its original name after being acquired by private equity firm TPG.


How the individual(s) obtained access to McAfee’s LinkedIn account is unknown, though someone claiming a connection to the incident says the key was recycled passwords.


Once word of their defacement started to spread however, those responsible for the hijacking watched Twitter for reactions and made comments on the McAfee LinkedIn page in response.

They also changed the company logo to a well-known meme after it was referenced on Twitter.

Another update to the hijacked McAfee LinkedIn page (deleted shortly after being posted) referenced a Gmail account used during the takeover of a Twitch account in 2016.

At the time BlackDotATV was compromised by someone during a broadcast. Taunting the channel owner, Dominik “Black^” Reitmeier, the person responsible told him to email the Gmail account for instructions on how to secure his account.

Salted Hash reached out to McAfee for comment, and we’ll update this story when they respond.

We reached out to the referenced Gmail account as well. The person who responded claimed they were previously part of OurMine, a group that claims to be a security company, but promoted its services by compromising other high-profile social media accounts.

The person said Sunday’s McAfee hijack was possible due to recycled credentials, and that two-factor authentication was not enabled on the account. McAfee, the person said, was “a small hack, the first of many.”

“They’re going to gradually get bigger and bigger. Keep an eye on the twitter accounts of many high-profile companies, that’s all I’ll say.”

The takeover lasted for just over half an hour, until LinkedIn pulled the whole McAfee page. However, the changed logo had propagated to many staff accounts, and was still present even after the business page was removed.


Shortly after this story was posted, a person going by the handle “Monarch” contacted Salted Hash with additional information. This individual also goes by “Monarch” on OGFlip, the forum reporting that LeakedSource was raided by law enforcement earlier this year.

After some conversation, Monarch put us in touch with the person who is claiming credit for the McAfee hijacking. This individual, who asked that they not be named, said the McAfee LinkedIn hijacking started out as an attempt to take over a two-letter Twitter account.

The Twitter takeover failed, but the password originally believed to be linked to the account turned out to be the person’s LinkedIn password. Salted Hash will not name the two-letter account, or the person who owns it. However, their password was discovered in the LinkedIn data breach records.

It was the compromised LinkedIn password that enabled the McAfee hijacker access, as the victim’s LinkedIn account was listed as an administrator on the McAfee company page.

Until McAfee comments, there is no way to prove this person’s claims, but the methodology and the OurMine references made by them were worth noting.

This incident highlights not only the risks in shared admin access on social media, it also serves as a reminder that passwords should be changed if they’ve been compromised. This is also true if there is a chance the password has been compromised by a large data breach like the one LinkedIn experienced in 2012.

Since the compromised records were exposed to the public, the LinkedIn data breach has been tied to several incidents in the years that followed. In many of the cases, it was the usage of recycled credentials that enabled the attackers.



via:  csoonline


The failure of the missile launch by North Korea may have been caused by US cyber attack

The failed missile launch attempted by North Korea may have been thwarted by a cyber attack carried out by the US Cyber Command.

The crisis between the US and North Korea is escalating; Donald Trump warns that his military may ‘have no choice’ but to strike the rogue state.

According to The Sun, US cyber soldiers may have hacked the control system of the rocket causing the failure of the launch.

The test ballistic missile exploded within five seconds of launch; according to the newspaper, US agents used stealth malware that caused a massive malfunction.

The launch occurred near the port city of Sinpo; Kim Jong-un ordered it in defiance of President Trump sending a naval task force to the region.

The US naval force in the area, led by the aircraft carrier USS Carl Vinson, is equipped with rockets capable of intercepting missiles, but they were not deployed.

It was a medium-range ballistic rocket, likely a Nodong. Experts highlighted that North Korea is forced to import the high-tech electronics used in its missiles, so it is possible that US hackers compromised the supply chain, implanting undetectable malware.

According to some experts, North Korea is vulnerable to cyber attacks because its scientists have to import electronic hardware.

The experts believe that US cyber units may have detected the launch and sent the instructions to the malware via satellite from the US National Security Agency headquarters in Maryland.

[Image: North Korea missile launch failed. Source: The Sun]

Fantasy or reality?

Such an attack requires a huge effort in terms of HUMINT and technical activities, but it is perfectly feasible.

“It is perfectly feasible the US brought down this missile,” said defence analyst Paul Beaver.

“Their cyber warfare capabilities are now highly advanced.

“As soon as military satellites watching Sinpo detected an imminent launch, a team at the National Security Agency would have got to work.”

“It’s possible for them to have sent a signal directly to the missile from Maryland which effectively zapped it out of the sky.”

“North Korea has had a string of launch failures and it may be no coincidence that they have happened as the US went to cyber war.”

President Trump did not comment on Kim’s missile failure.

Analysts believe that Kim will punish military commanders involved in the failed operation.

Kim has a history of punishing failure with terrible retribution, including executing his own officials with anti-aircraft guns.

Looking at North Korea’s military programme, one notices a long series of technical failures; part of the intelligence community attributes these incidents to cyber attacks carried out by the US Cyber Command.

Other ballistic tests failed in recent weeks, with medium-range North Korean rockets crashing and exploding.

“Last year a Musudan missile fired to mark the anniversary of the birth of Kim’s grandfather Kim Il-sung blew up so soon after take-off it wrecked its launcher.” reported The Sun.

“In November 2015 an attempt to launch a ballistic missile from a submarine ended in failure when the weapon disintegrated underwater.”

“There are many things that can go wrong but it would be impossible to tell from outside if something had affected the internal guidance or control systems,” said defence analyst Lance Gatling.

“It has been openly mentioned that there is a possibility that the North’s supply chain for components has been deliberately infected, and they might never know.”


via:   securityaffairs


Google quietly takes on LinkedIn with its own job listings site

The company’s new Hire portal is online but not yet functional.

Google has a new job listings site coming online soon, adding yet another site you’ll need to upload your resume to. You can even visit the Google Hire site now, though it won’t let you sign in, yet. According to Axios, Hire will enable companies to post job listings and individuals to search for and find their next job.

Details are rather sparse, but there are already privacy concerns with the public-facing new site, which asks users to sign in with their personal Google account. There has been some speculation (as yet unfounded) that this would allow potential employers to see your entire search history. According to the Daily Mail, Google has denied these claims. We’ve reached out to Google for comment.

Google isn’t the first big company to jump into the job-recruitment arena. Facebook started rolling out support for job listings this past February. Google is facing a pretty crowded market of established players like LinkedIn, Glassdoor and Monster. To succeed, it will need to bring something different and better to the table.


via:  engadget


FBI Warns About FTP Server Vulnerability

The FBI issued Private Industry Notification 170322-001 to smaller health care offices about how cybercriminals are using an old method involving an FTP server to gain access to personally identifiable information (PII) about patients. The notification was issued March 22, 2017.

The warning focused on the file transfer protocol (FTP), an early way to share files remotely over the internet. Client programs would directly access servers that understood FTP and retrieve requested files. This method was largely made obsolete by more convenient file transfer methods.

However, the FBI cited 2015 research from the University of Michigan, which stated that 1 million FTP servers have been configured to allow anonymous access. And last year, security researcher Minxomat found about 800,000 anonymous FTP services were exposed, Network World noted.

Accessing Information With an FTP Server

Anonymous FTP, as it is called, does not require any authentication before granting access to the files on the system. It has long been recommended that a server with this service host only public files.

But smaller health care offices may use older, less sophisticated systems that could have been either misconfigured or not properly maintained. These offices may also have a limited understanding of what required routine maintenance entails; they could have anonymous FTP enabled by default, as opposed to a larger provider that has upgraded and tweaked its system.

The FBI warned that although the PII on these less sophisticated systems is of value, cybercriminals may just want the network access to carry out their own plans. While the personal health information (PHI) stored on these systems is protected by HIPAA statute and could be used maliciously by bad actors, it’s not the only issue associated with anonymous FTP.

Bad actors could warehouse the files used in malware distribution schemes in these convenient FTP silos, for example. Using these compromised systems in some distributed denial-of-service (DDoS) attacks might be expected as well.

Peter Merkulov, vice president of product strategy and technology alliances for Globalscape, told CSO Online that he doesn’t even use non-anonymous FTP, since it is so dangerous and dated. He doesn’t see it used much these days, and if he does, it is usually an out-of-date implementation — such as a larger office whose forgotten implementation remains up because it just was never removed.

FBI Recommendations

The FBI recommended that health care entities contact their respective IT services personnel to scan office networks for anonymous FTP servers. Should the office have a legitimate use for operating an FTP server in anonymous mode, administrators must ensure that sensitive PHI or PII will not be stored on the server. If the FTP server is not needed, then the prudent course of action would be to shut it down so it can’t be used to create an attack vector.
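The scan the FBI recommends above amounts to asking each FTP server on your own network whether it accepts the `anonymous` login. The following Python script is an added example (not the FBI's or any vendor's tool) that performs exactly that check over the FTP control channel, without listing or retrieving any files, and reports a verdict per host. So that it runs offline, it also includes a constructed stand-in server (`start_fake_ftp_server`) that speaks just enough of the protocol to answer `USER`/`PASS`/`QUIT`; host lists, the audit e-mail address and all host names are assumptions for the example.

```python
import socket
import threading


def _read_reply(reader):
    """Read one FTP control reply (single- or multi-line); return (code, text)."""
    line = reader.readline()
    if not line:
        raise ConnectionError("server closed the control connection")
    code = line[:3]
    text = line
    # RFC 959 multi-line reply: "220-..." lines continue until a "220 " line.
    if len(line) > 3 and line[3] == "-":
        while True:
            more = reader.readline()
            if not more:
                raise ConnectionError("server closed the control connection")
            text += more
            if more.startswith(code + " "):
                break
    return int(code), text.strip()


def check_anonymous_ftp(host, port=21, timeout=5.0):
    """Attempt an anonymous login and report whether the server allowed it.

    Returns 'anonymous-allowed', 'anonymous-denied' or 'error: <reason>'.
    Only the control channel is used; no directory listing or transfer happens.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            reader = sock.makefile("r", encoding="latin-1", newline="")
            code, _ = _read_reply(reader)
            if code != 220:
                return f"error: unexpected banner code {code}"
            sock.sendall(b"USER anonymous\r\n")
            code, _ = _read_reply(reader)
            if code == 230:                 # logged in without even a password
                verdict = "anonymous-allowed"
            elif code == 331:               # password requested; any string is accepted
                sock.sendall(b"PASS ftp-audit@example.invalid\r\n")  # assumed audit address
                code, _ = _read_reply(reader)
                verdict = "anonymous-allowed" if code == 230 else "anonymous-denied"
            else:
                verdict = "anonymous-denied"
            try:
                sock.sendall(b"QUIT\r\n")   # be polite; ignore servers that hung up already
            except OSError:
                pass
            return verdict
    except (OSError, ValueError) as exc:
        return f"error: {exc}"


def scan_hosts(hosts, port=21, timeout=5.0):
    """Run the check against every host in an inventory; return {host: verdict}."""
    return {host: check_anonymous_ftp(host, port, timeout) for host in hosts}


def start_fake_ftp_server(allow_anonymous):
    """Constructed stand-in for a real FTP server so the example runs offline.

    Serves one connection on 127.0.0.1 (ephemeral port) and returns the port.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve():
        conn, _ = listener.accept()
        listener.close()
        try:
            with conn:
                conn.sendall(b"220-Constructed test server\r\n220 Ready.\r\n")
                for line in conn.makefile("r", encoding="latin-1", newline=""):
                    verb = line.split(" ", 1)[0].strip().upper()
                    if verb == "USER":
                        conn.sendall(b"331 Please specify the password.\r\n")
                    elif verb == "PASS":
                        conn.sendall(b"230 Login successful.\r\n" if allow_anonymous
                                     else b"530 Login incorrect.\r\n")
                    elif verb == "QUIT":
                        conn.sendall(b"221 Goodbye.\r\n")
                        break
                    else:
                        conn.sendall(b"500 Unknown command.\r\n")
        except OSError:
            pass

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Demo against the constructed servers; point scan_hosts() at your own
    # inventory of addresses for a real audit.
    permissive = start_fake_ftp_server(allow_anonymous=True)
    restricted = start_fake_ftp_server(allow_anonymous=False)
    print("permissive server:", check_anonymous_ftp("127.0.0.1", permissive))
    print("restricted server:", check_anonymous_ftp("127.0.0.1", restricted))
```

A host that comes back `anonymous-allowed` is the case the notification describes: either confirm it holds only public files, or shut the service down. Keep the timeout short when sweeping a whole subnet, and treat `error:` results (connection refused, timeouts) as "no FTP service here" rather than as a clean bill of health for a different port.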


via:   securityintelligence


LinkedIn Scam Wants Job Seekers to Hand Over Their CVs

Fraudsters have designed a new LinkedIn scam that uses phishing emails and a fake website to trick job seekers into handing over their CVs.

The scam begins when a user receives a phishing email disguised as a LinkedIn email. In their message, the fraudsters inform the recipient that a company is “urgently seeking for immediate employment” in their region. They urge them to upload their CV to take advantage of the opportunity.

Source: Heimdal Security

Aside from creating a sense of urgency, there are plenty of factors that give this email away as a fake. The email should originate from “LinkedIn” at a legitimate LinkedIn email address. Instead, it comes from “linkedin messages” at the email address info@serv1[dot]cyber-net[dot]bid. (The top-level domain “.bid” mostly designates websites hosting online auctions.) The email also doesn’t properly incorporate other design elements, like a footer or connection suggestions, that are found in actual LinkedIn emails.

Clicking on the URL or the “Upload Your CV Here” button leads to https://linkedinjobs[dot]jimbo[dot]com, which as of this writing bears a 0/64 VirusTotal rating.

Located at that site is a web page that provides visitors with the option of submitting their CVs.

Source: Heimdal Security

It’s not a good idea to upload your CV to an unfamiliar website. Heimdal Security junior security evangelist Paul Cucu explains why in a blog post:

“Your CV contains a wealth of personal data which a cybercriminal uses to make a profit at your expense. Phone numbers can be sold for companies doing promotional cold calling. Or, the cybercriminal might call you himself in a vishing attack. In other cases, he might use the information for identity theft, using the companies you worked at or attached references as a cover for fraudulent activities.”

Cucu goes on to note the fraudsters can also use people’s CVs to conduct spear-phishing (and whaling) attacks or to perpetrate other common LinkedIn scams.

To protect themselves against these types of schemes, users should confirm the sender and search for other suspicious indicators before they click on an email link. They should also verify a domain before they upload their personal information to a website.
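The three indicators the article lists (a display name that claims a brand the sending domain does not belong to, a link host that name-drops the brand but sits on someone else's domain, and urgency wording) can be checked mechanically at a mail gateway. The Python below is an added example, not Heimdal Security's or Tripwire's code: it parses a constructed message built from the sender address and link quoted above, and a constructed benign message for contrast; the brand-to-domain table, the `noreply@linkedin.com` sender, the `example.invalid` recipient and the body text are assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed lure modelled on the scam described above. The sender address and
# link domain are the ones quoted in the article; headers and body text are made up.
SAMPLE_EMAIL = """\
From: linkedin messages <info@serv1.cyber-net.bid>
To: jobseeker@example.invalid
Subject: Urgent employment opportunity in your region
Content-Type: text/plain; charset="utf-8"

A company is urgently seeking for immediate employment in your region.
Upload Your CV Here: https://linkedinjobs.jimbo.com/upload
"""

# Constructed benign message for comparison (sender local part is assumed).
BENIGN_EMAIL = """\
From: LinkedIn <noreply@linkedin.com>
To: jobseeker@example.invalid
Subject: Your weekly job digest
Content-Type: text/plain; charset="utf-8"

New jobs that match your profile: https://www.linkedin.com/jobs/
"""

# Assumed table: brand name -> registrable domains that may legitimately use it.
BRAND_DOMAINS = {"linkedin": {"linkedin.com"}}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Last-two-label approximation of the registrable domain.

    Adequate for .com/.bid style names; use the Public Suffix List in production
    so that hosts under co.uk-style suffixes are not mis-grouped.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_mentioned(text):
    """Return the first known brand named in the text, or None."""
    low = text.lower()
    return next((b for b in BRAND_DOMAINS if b in low), None)


def analyze_email(raw):
    """Return a list of indicator strings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1] if "@" in address else ""

    # 1. Display name impersonates a brand the sending domain does not belong to.
    brand = brand_mentioned(display_name)
    if brand and registrable_domain(sender_domain) not in BRAND_DOMAINS[brand]:
        findings.append(f"display name claims '{brand}' but sender domain is {sender_domain}")

    # 2. Link hosts that carry a brand name without being on the brand's domain.
    payload = msg.get_payload(decode=True)
    body = payload.decode("utf-8", "replace") if payload else ""
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        b = brand_mentioned(host)
        if b and registrable_domain(host) not in BRAND_DOMAINS[b]:
            findings.append(f"link host {host} mimics '{b}' but is not on its domain")

    # 3. Urgency wording in subject or body, the social-engineering cue the article notes.
    if re.search(r"\burgent(ly)?\b", msg.get("Subject", "") + " " + body, re.IGNORECASE):
        findings.append("urgency wording in subject or body")
    return findings


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyze_email(raw))
```

Indicators 1 and 2 are the ones worth acting on automatically (quarantine or banner the message); the urgency check on its own produces false positives and is better used to raise a score than to block.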


via: tripwire


Inmates hid self-built PCs in the ceiling and connected them to prison network

Do you know who has access to your organization’s network? Are you confident that all the users on your network are authorized to access your systems, and have a good idea of what devices have been connected to your firm’s systems?

If so, good for you.

But not all organizations have such tight control over who gains access to their IT infrastructure. One place, however, where you might hope that access would be tightly policed would be in a prison…

However, the Ohio Inspector General’s Office has just published a report revealing that two prison inmates were able to hide their own self-built PCs in the ceiling of a training room *and* connect them to the Marion Correctional Institution’s network.

Prison staff found the PCs back in 2015, but the security breach has only now been made public with the Inspector General’s investigation into the incident.

The first hint for prison authorities that something out-of-the-ordinary was occurring popped up in July 2015, when a security product sent an email alert to IT staff warning that a contractor’s PC connected to the Ohio Department of Rehabilitation and Correction’s (ODRC) network had exceeded its daily internet access quota.

Which was odd, because the contractor in question – Randy Canterbury – only worked Monday through Thursday. And the alert triggered on Friday, July 3, 2015.

Two weeks later on Friday July 17, 2015, another alert appeared, again linked to Randy Canterbury’s account, and this time associated with attempts to access proxy avoidance websites.

Deeper investigation identified the computer’s IP address and established that it was unauthorized, because its name fell outside the six numbers assigned to known computers in the PC training area.

Carl Brady, who was responsible for IT support at the institution, takes up the story:

I had been told there was a PC on our network that was being used to try and hack through the proxy servers. They narrowed the search area down to the switch in P3 and the PC was connected to port 16. I was able to follow the cable from the switch to a closet in the small training room. When I removed the ceiling tiles I found two PCs hidden in the ceiling on 2 pieces of plywood.

Lax supervision is being blamed for the inmates’ ability to build computers from parts, sneak them past security checks and hide them in the ceiling.

The inmates were also able to run cables which connected the computers to the prison network without being noticed.

“It surprised me that the inmates had the ability to not only connect these computers to the state’s network but had the ability to build these computers,” Ohio Inspector General Randall J. Meyer told local media. “They were able to travel through the institution more than 1,100 feet without being checked by security through several check points, and not a single corrections staff member stopped them from transporting these computers into the administrative portion of the building. It’s almost as if it’s an episode of Hogan’s Heroes.”

Certainly the inmates’ usage of the computers was audacious, not limiting themselves to downloading software, pornography and guides for making drugs and explosives, but also stealing the identity of another prisoner and submitting fake credit card applications and committing tax fraud.

In all, five inmates have been identified as linked to the hidden computers and moved to other institutions.

If this could happen in a prison where you expect security to be strict, you have to recognize that similar breaches could happen in your own organization. It’s clear, for instance, that the prisoners would have had a much more difficult time pulling off their scheme if they had not managed to ascertain the password of a legitimate contractor – albeit one who didn’t work on Fridays.
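Two of the clues in this story are cheap to check automatically: an account generating alerts on a day its owner never works, and a machine whose name is not in the inventory for its network area. The Python below is an added example (not the ODRC's or Tripwire's tooling) that evaluates constructed alert lines against an assumed work schedule and an assumed inventory of six numbered training-room PCs; the username `rcanterbury`, the `PCTRAIN-nn` host names, the times and the line format are all made up for the example, although the two flagged dates are the Fridays the article names.

```python
import calendar
from datetime import datetime

# Constructed alert lines: the two Friday alerts described above plus one
# ordinary Monday event. Usernames, host names and times are made up.
SAMPLE_ALERTS = [
    "2015-07-03 14:12:00 user=rcanterbury host=PCTRAIN-09 alert=quota_exceeded",
    "2015-07-06 09:30:00 user=rcanterbury host=PCTRAIN-03 alert=quota_exceeded",
    "2015-07-17 11:05:00 user=rcanterbury host=PCTRAIN-09 alert=proxy_avoidance",
]

# Assumed: weekdays on which each account is expected to be active (Monday = 0).
WORK_SCHEDULES = {"rcanterbury": {0, 1, 2, 3}}   # Monday through Thursday

# Assumed inventory: the six numbered machines authorised in the training area.
KNOWN_HOSTS = {f"PCTRAIN-{n:02d}" for n in range(1, 7)}


def parse_alert(line):
    """Parse 'YYYY-MM-DD HH:MM:SS key=value ...' into a dict with a datetime."""
    parts = line.split()
    record = {"when": datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")}
    for item in parts[2:]:
        key, _, value = item.partition("=")
        record[key] = value
    return record


def evaluate_alerts(lines, schedules, known_hosts):
    """Return one entry per alert that deserves a closer look.

    Each entry carries the line index, the weekday name and the reasons:
    'off-schedule' if the account is not expected to be active that day,
    'unknown-host' if the machine is not in the inventory.
    """
    flagged = []
    for idx, line in enumerate(lines):
        rec = parse_alert(line)
        weekday = rec["when"].weekday()
        reasons = []
        allowed_days = schedules.get(rec.get("user"))
        if allowed_days is not None and weekday not in allowed_days:
            reasons.append("off-schedule")
        if rec.get("host") not in known_hosts:
            reasons.append("unknown-host")
        if reasons:
            flagged.append({"line": idx, "day": calendar.day_name[weekday],
                            "user": rec.get("user"), "host": rec.get("host"),
                            "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in evaluate_alerts(SAMPLE_ALERTS, WORK_SCHEDULES, KNOWN_HOSTS):
        print(hit)
```

Either reason alone is enough to open a ticket; both together, as on the two Friday lines, is the pattern that took the prison two weeks and a second alert to act on. The schedule table is the part that needs care in practice: it should come from HR or the contractor agreement, not from observed behaviour, or an attacker who is active every day simply becomes the baseline.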


via:  tripwire
