Whether you are a company or individual, at some point you will dispose of electronic devices (smartphones, laptops, desktops) and here’s why you need to make sure you dispose of them securely.
On April 11th 2017, the State of Ohio Office of the Inspector General released a damning report on how inmates at the Marion Correctional Institution (MCI) managed to build two computers, connect them to the Ohio Department of Rehabilitation and Correction (ODRC) network, download pornography and create fake credit cards loaded with illicitly obtained tax refunds. Investigators also found bitcoin wallets and articles about making home-made drugs and plastic explosives. You couldn’t make this story up.
There is a common saying “Where there’s a will, there’s a way”. In the case of MCI you just need some determined inmates, access to recycled hardware, security policies that are not regularly reviewed, the lust for money and pornography and plenty of free time. Clearly they had plenty of the latter.
The full report is here – http://watchdog.ohio.gov/Portals/0/pdf/investigations/2015-CA00043.pdf – but in case you don’t have time to read the full 50-page report, my summary is here:
On July 3rd 2015, a Websense (now Forcepoint) alert reported a computer operating on the ODRC network had exceeded its daily internet usage threshold. It took until July 27th to locate two homemade unauthorised computers hidden in the ceiling space and connected to a switch operated and owned by the correctional institute.
Many correctional institutes/prisons operate schemes to rehabilitate or educate inmates and the MCI operated such a scheme (RET3) which employed offenders to disassemble out-of-date computer hard drives and other obsolete technology items. When a company disposes of hardware after a three year depreciation period or when you dispose of your mobile phone after a two year contract, to many people these items are far from obsolete. Hardware recycling is big business and is also a big responsibility, whether that is the company disposing of the assets, the company responsible for the recycling or destruction or you as a person thinking about selling an old mobile phone on eBay. Remember – one man’s trash is another man’s treasure.
Using this “trash” was just the starting point for the inmates who bypassed all ODRC’s security policies. The inmates used common techniques such as shoulder surfing to access account passwords and read articles from Bloomberg Business on tax refund fraud describing how a criminal with valid Social Security numbers, dates of birth, bank account information, addresses and an internet connection can illicitly obtain tax refunds loaded onto prepaid cards.
There was a complete lack of asset audit controls for the recycled computer equipment and it was very easy for the inmates to build 2 new computers out of the 93 that were donated to the MCI RET3 programme. What was more amazing was how the inmates could freely move the equipment 1,100 feet across the prison, bypassing all security checkpoints along the way. The inmates conducted attacks against the ODRC network using proxy machines that were connected to the inmate and department networks and attacked the Department Offender Tracking System (DOTS) to create user accounts. The irony of offenders using the offender tracking system portal as a gateway to the outside world made me smile – a lot!
I’m not going to tell you how the inmates accomplished what they did technically, but a partial list of the software they used is below. It’s all freely available and it is used by security professionals around the world for good purposes. In the wrong hands though, it can be used for ill gain. Once the inmates had squirreled away enough recycled equipment to build 2 new computers, they used the software below to access a secure network and then get to the outside world. The hacking part was probably easier than assembling the hardware, moving it halfway across the prison, hiding it in the ceiling and connecting it to the switches and power supply. These inmates had some resolve.
Just remember this story when you are disposing of hardware and make sure you either do a thorough job of it or entrust it to a company that will ensure it is securely wiped or destroyed.
- CC Proxy – proxy server for Windows
- Cain – hacking tool for recovering passwords
- Zed Attack Proxy (ZAP) – tools to find security vulnerabilities
- Wireshark – Open source packet analyser
- Nmap – network discovery and security auditing
- ZenMap – security scanner for Nmap
- SoftEther VPN Server – Open source multi-protocol VPN software
- OpenVPN – Open source VPN software
- Jana Server – Multi-platform web proxy
- AdvOr Tor browser – Like TOR, but better for anonymity and speed
- Paros – Java-based proxy that helps in assessing the vulnerability of web applications; hacking tool used for Man-In-The-Middle attacks
- Webslayer – hacker tool designed to brute force web applications
- Cavin – small portable editor to encrypt and decrypt text
- THC Hydra – fast hacking/network tool for cracking logons
- Kali Linux – actually one of my favourite operating systems which is used for penetration testing