Schneier on Security
A blog covering security and security technology.
« Malware that Forges Bank Statements |
| Computer-Assisted Witness Identification »
October 6, 2009
Don't Let Hacker Inmates Reprogram Prison Computers
You'd think this would be obvious:
Douglas Havard, 27, serving six years for stealing up to £6.5million using forged credit cards over the internet, was approached after governors wanted to create an internal TV station but needed a special computer program written.
He was left unguarded and hacked into the system's hard drive at Ranby Prison, near Retford, Notts. Then he set up a series of passwords so no one else could get into the system.
And you shouldn't give a prisoner who is a lockpicking expert access to the prison's keys, either. No, wait:
The blunder emerged a week after the Sunday Mirror revealed how an inmate at the same jail managed to get a key cut that opened every door.
Next week: inmate sharpshooters in charge of prison's gun locker.
Posted on October 6, 2009 at 2:32 PM
• 28 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Bruce, this is the funniest thing I've seen all week. Thanks.
He hacked into the .. hard drive ?!
That's ok, because they would've had backups. No, I didn't think so.
@A Nonny Bunny:
He hacked into something that the journalist described as the "hard drive". I've been informed that lots of nontechnical people refer to the computer as the hard drive.
Think of it as decrypting journalese into something actually meaningful.
This all sounds very unlikely. Who wants to bet that the guy set up standard security measures on a newly constructed system, and some incompetent moron panicked?
Uh... that's the "Daily Mirror" which is a tabloid. Who knows what the real story is, could be he changed the password on the communal use machine and thus nobody else could log in.
Several years ago, the prison at which I worked was trying to install a computerized PBX system for inmate calls that would allow better monitoring of the inmates' conversations, control who they called, etc. The prison had a crew of inmates doing the install... and couldn't understand why they couldn't get the new system up.
At about the same time, deputies in a certain middle Georgia sheriff's department used to hand their sidearms over to a county jail trustee for cleaning as they went off shift. A witness informed me they didn't bother unloading first.
He probably hacked into the hard drive using a saw hidden in a cake delivered to him by his girlfriend.
People always say "It's a waste to put a guy like that in jail. They should hire him!" It sounds like they tried to do just that. They gave the guy a job to allow him to use his skills for good, perhaps providing a resume item to help him to get a good job once released. I imagine that having a good job helps prisoners reintegrate into society as productive members and helps keep them from being repeat offenders.
Now obviously there should be a security measure in there; perhaps the software should be verified by an outside source or tested in a controlled environment. Probably the inmate should have very limited access (if any) to central or high-security systems. However, it sounds like a win-win: cost-savings for the state and a rehabilitation opportunity for the inmate. I wouldn't be so quick to laugh it off.
One problem with verifying the source-code by an outside source is that for anything more than trivial software, it takes at least as long to verify as to develop. Those people will have to be paid, so where is that money coming from? Unless, of course, the code reviewers are also prisoners in a work-training program.
No disrespect intended, but it's exactly this kind of "win-win" thinking that leads to many security problems in the first place. Failure to imagine how systems can be used in a malicious or hostile way, or to serve some other end, is why we have so many technological ills.
I search of the Mirror site using Google's site:www.mirror.co.uk and Ranby Prison also shows that prisoners were bringing in drugs using a fishing pole (that was found literally by a guard tripping over it) and that inmates had built a functioning bomb that was deployed against fellow inmates who were Muslim.
This does not sound like a model prison.
Specialist company: geek squad
He stole £6.5 million and only got six years?
It's a small point, but to the best of my knowledge UK prisons don't have gun lockers. Certainly, prison wardens don't routinely carry firearms.
I regard this as a good thing in general; in cases such as Ranby Prison's, a very good thing.
Look on the bright side, at least they didn't outsource the job to a prisoner overseas...
Now if he'd brought forward his release date by a few years, that would have been something.
This sound very close to one of the stories in The Hacker's Challenge series of book about how 2 convicts co-op and gain access to the prison computer through well designed social engineering techniques. Anyone who had read that probably though the prison story was a bit impossible, but if the above story is true. Then life is a lot more real then we presumed it is.
You don't know what really happened. Ignorance abounds in computer security. Back at high school I was accused of hacking after I opened a word document someone had saved on a shared computer.
Thats a dumb thing to do, even a blind rabbit would notice a password change. If you HAVE to do something malicous (instead of being happy you have something better to do than staring at a wall 23 hours a day) at least try to make sure nobody finds out.
FIrst off, hello to another Clive who posted at 6:17 PM,
You might well be right about UK prisons and guns, I don't recal any news items ever mentioning them. And now more and more of the UK prison service is getting "privatised" I would consider it even less likley.
Secondly the original news item and The Register rehash contain to little "real" content to make a judgment on what actualy happened.
As for him stealing 6.5million it's a bit of headline grab estimate.
He and another person where jailed back in 2005 for using CC details supplied from a (supposadly) Russia crime organisation. They used this info to buy goods and then auction them on well known web auction sites. And then according to what was reported at the time send the bulk of the money back to those who supplied the CC details.
However 6.5million is actually a very small amount as a percentage of UK Credit/Bank Card and Internet phishing crime. It just sounds large to us lowley wage slaves 8(
Ranby Prison has it's own page on wikipedia,
Which shows it to be located at "Coordinates : 53.3214°N 0.9982°W" (not sure which cell that is ;) which is near the village of Ranby (near Worksop) in Notts.
Apparently Ranby is a "Catagory C Training Prison", CatC is the lowest risk of "closed prison" inmates and it has more than a thousand at any one time. As such it is effectivly a low security unit designed more for rehabilitation than "durance vile".
It appears that at least one inmate put his "crafts training" to work as the plastic master key he made was out of a prison issue plastic knife (to be fair though he may have "impressioned" the key some "master key" lock sets can be a bit dumb in this respect in that the "master" appears at the first split...)
The Prison was built in the 1970's on the site of an old armed forces accomodation area and some of the original infrastructure is still in use...
Whilst Googling for information on Ranby Prison it poped up a site with the title of,
"Ranby Prison Bed and Breakfast Cheap Hotel Guest House Accommodation"
I had to smile, I know economic times are tough for the UK Government, and every part is required to raise revenue if it can but... ;)
I hope the staff at Ranby Prison have the sense to check their bank and credit card accounts...
I don't know the current situation, but some years ago some state and Federal prisons used inmate programmers to code programs. IIRC one prison project was for the Dept of Agriculture to disburse funds.
I suspect that prisoners are still being used to write and maintain programs for state and Feds.
sounds like a new chapter from those kinda morons who ask you to hack some hotmail account and then blame you as criminal when you didn't. hacker chasers are cheap fucks
He "hacked into the system's hard drive at Ranby Prison, near Retford, Notts. Then he set up a series of passwords so no one else could get into the system."
It sounds like he browsed the hard drive, then set a bios password on the system. And/or setup whole-disk encryption on the hard drive. But this is just a garbage-in-garbage-out guess based on poor reporting.
I know this man personaly he has a iq of 160. I sugest you google him. He's no dummy.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.