Five Ohio inmates were caught with a functioning, internet-connected computer in the ceiling that they used for tax fraud, porn and drug recipes.
Last year, a Motherboard editor was roasted by the entire internet for complaining that building a gaming PC was still way too hard. But how hard can building a PC be if a couple of inmates managed to do it in a medium-security prison?
As detailed in a report released today by the Ohio Inspector General's office, five inmates at the Marion Prison managed to build and stash not one, but two internet-connected PCs in the ceiling at the prison. According to Ohio Inspector General Randall Meyer, the inmates had used the computers to steal the identity of another inmate for credit card and tax fraud purposes, as well as to look up pornography and recipes for drugs.
"They were piecemeal computers," Meyer told Motherboard during a phone call. "If you think of a salvage operation, the shell could've been from one computer, the motherboard from another. They were Frankenstein-ed together, but they were fully functional and looked like PCs on the outside."
The inmates' computers were discovered at the prison in July of 2015, but their existence is only being brought to light now due to a failure to report the case immediately to the inspector general after the computers were discovered. Correctional officers at Marion were first tipped off about the computers' existence after Websense, a security platform used by businesses and government, notified system administrators of excessive internet usage by a particular computer on the Ohio Department of Rehabilitation and Correction's network.
Further investigation found that the login information for a retired corrections employee was being used to access the network by a machine called –lab9-, which didn't fit the naming protocol for devices connected to the network. In the following days, systems administrators received alerts detailing dozens of attempts to avoid proxies set up by Websense in attempts to access file sharing sites.
Still, it took about a month before staff at the facility were able to locate the actual devices in the ceiling. This was accomplished by tracing the computers' port number to a network switch located near the room where inmates received PC training.
According to Meyer, the inmates had pieced together the computers by pilfering parts from a computer disassembly program that employed inmates at Marion. The program, now defunct for reasons unrelated to this case, also taught inmates the basic computer skills which were put to use in the assembly of these homebrew computers. Based on a forensic analysis of the devices, their operating systems had been installed on April 1, 2015, meaning the inmates had been using them for nearly four months before their discovery.
Based on the testimonies of the inmates involved with the computers, they were fully functioning when they were brought from the PC disassembly area to the storage closet where they were hidden. The drives used in the computers were obtained from another computer that was used by inmates under supervision.
As one of the inmates described the process to investigators "I imaged the drive…with Acronis…all you gotta do is take that drive, plug it into any computer and it will boot up. I took a network card out of another computer and put it in [the illegal computer], plugged it into the inmate switch. Remote desktop into the computer. And then…bam. I'm on the network."
After running an analysis of the computers' hard drives, it was discovered that the inmates had used them to search through a database of inmates, steal the information of a particular inmate from a different prison, apply for five credit cards using this inmate's identifying information, access to a Bloomberg article on tax refund fraud, as well as issue passes for inmates to gain access to various areas within Marion prison.
Based on the forensic analysis of the devices, the inmates had access to several "malicious tools" to carry out their project, including Cain (a hacking tool for password recovery), Zed Attack proxy (for finding security vulnerabilities), OpenVPN, THC Hydra (a hacking tool for cracking logins), Paros (a pen testing software that can also be used to execute a man in the middle hack), among many others.
"It's like an episode of Hogan's Heroes," said Meyer. "The fact that these inmates were able to take salvaged computer pieces to build two functioning computers and then move them 1100 feet to an administrative portion of the building where they shouldn't have access anyway…it's just not something you'd think would happen in today's correctional facilities."
It's astounding how much these inmates were able to do under surveillance in a medium-security prison, although in the Inspector General's report they inmates were the first to comment on the relatively lax supervision within the prison. Moreover, the rehabilitation program that taught the inmates the computer skills they needed to pull of this feat also gave the inmates a lot of leeway to network their rogue computers.
"The institution was having inmates run cabling for their closed circuit televisions within the institution instead of paying a state of Ohio employee or even a vendor to come and do that," said Meyer. "These guys were self-taught or taught by the institution itself about agile computing and things like that."
Meyer was unable to comment as to whether there was any collusion between prison staff and the inmates while the case prosecution is ongoing. The majority of the inmates involved in the case were serving life sentences and have since been moved to different correctional facilities.