Ohio Prison IT Security from the Inside

by 5MEODMT6APB

Prison is not a nice place.  It is an environment suited for predators, fighters, and schemers.  Intellectual prowess only gets one so far in here.  The ability to observe and adapt is one's best tool.

I have spent a lot of time observing what comes naturally to me: IT security.  To put it mildly, the Ohio Department of Rehabilitation and Corrections has a lot of opportunities for improvement.

The most apparent failure is the culture of the IT department throughout the state.  Due to budget constraints, there are only a handful of employees to manage the IT infrastructure of 20-something prisons.  With such limited resources, the management approach appears to be reactive instead of proactive.  The dedicated on-site IT staffer is poorly trained and not security conscious.

One would think in a prison setting that security would be a prominent theme when deploying new assets, but it seems to be an afterthought.

Staff and most inmate computers are physically segmented on their own networks.  Most inmate-used computers are for educational purposes of one sort or another.  In most cases, they are in their own domain environment and authenticate with a general-purpose account against a domain controller (DC).  Group Policy is employed to limit local access and prevent configuration changes.  In addition to GPO, a software program named Fortres is used to secure the desktop.  Two major implementation flaws exist in this setup:

1.)  Fortres can be defeated by opening its config files in edit.com and corrupting them.

2.)  Even simpler: the local administrator account is left enabled with a blank password.

In fact, the XP image used by ODRC on inmate computers contains a blank password for the local admin account.  No real security threat exists by having open access to a segmented network computer, but it demonstrates the culture.

Interestingly, the law library computers run a live Debian distribution that has been customized by LexisNexis for access to their web-based law research system.  These computers are connected to a VLAN which ultimately touches the Internet via an Internet-facing proxy server that is set to "Deny All Bidirectionally Except".  It allows traffic to LexisNexis and to a secured section of ohiomeansjobs.com, both of which serve compartmentalized resources.  Any attempts to influence redirects or otherwise access resources not permitted by the proxy fail at the network level.  ICMP traffic is also denied to both internal and external resources.  Overall, the law library and job assistance computers are secure and only subject to local vandalism.

ODRC has recently contracted with JPay to install terminals in the recreation and housing areas of the prison.  These terminals allow civilians to correspond with inmates via jpay.com.  The implementation of these terminals, however, is patently insane in this hacker's opinion for the following reason: they are connected to the operational staff network.  JPay and ODRC apparently bank their security for these terminals on software called SiteKiosk, which runs on top of the Windows 7 desktop but underneath jmailinmate.exe, the JPay application.  SiteKiosk works at a low level to prevent jmailinmate.exe from losing focus or being closed, among other tasks like managing updates and desktop security.  If jmailinmate.exe hangs, the Windows dialog box appears and prompts the user to force close or wait.  If a force close is executed, the terminal is effectively stuck and secured at a JPay splash screen.  Pressing escape at this splash screen brings up a "service personnel administration login," which is nothing more than a SiteKiosk password prompt.  To my knowledge, this password has not been compromised.  It won't be long, however, since the prompt allows unlimited attempts.

Finally, the most glaring flaw shows up during reboot, which occurs frequently because the terminals are constantly having problems and are restarted either remotely or by the SiteKiosk software: there is an approximately three-minute window where Windows has booted but SiteKiosk is still loading and starting services.  The long delay is likely due to disk fragmentation, huge log files, and poor configuration.  During those three minutes, one can bring up the Sticky Keys prompt.  From there, drilling up to the "Control Panel" is a two-click task.  Clicking on "Network Neighborhood" populates with every single staff operational computer.  From there, proper permissions and resource security are the only things stopping a major incident.  This particular hacker was, as we say in prison, STD (scared to death) to continue any further.  If previous performance is any judge, resource security is likely haphazard and piecemeal.

In addition, one can click on external links in the Windows hung-application dialog box, which returns a customized SiteKiosk-branded DNS error.  DNS appears to be handled by a hosts file or through a proxy.
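As an added illustration (not code from the article, ODRC, or JPay), here is a PowerShell audit script for a Windows 7-era kiosk image that checks the two configuration failures described above: the built-in Administrator account left enabled, and the accessibility hotkeys that let a user reach the desktop during the boot gap. It also flags a kiosk that still runs explorer.exe as its shell, which is what makes "Control Panel in two clicks" possible. The registry paths and flag values are Microsoft's documented locations; the -Fix switch and the finding strings are my own.

```powershell
# Added kiosk hardening audit (illustrative; not ODRC/JPay code). Run elevated.
param([switch]$Fix)
$findings = @()

# 1. Built-in Administrator: find it by the well-known RID 500 rather than by
#    name, since the account may have been renamed. Win32_UserAccount works on
#    Windows 7; Disable-LocalUser exists only on Windows 10 and later.
$admin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
         Where-Object { $_.SID -like 'S-1-5-21-*-500' }
if ($admin -and -not $admin.Disabled) {
    $findings += "Built-in Administrator '$($admin.Name)' is enabled"
    if ($Fix) { net user $admin.Name /active:no | Out-Null }
}

# 2. Accessibility hotkeys (Shift x5 = Sticky Keys, etc.). Each Flags value is a
#    REG_SZ bit field; clearing bit 0x4 (HOTKEYACTIVE) removes the hotkey.
#    These are the current user's settings; bake the same values into the
#    kiosk account's profile when building the image.
$hotkeys = @(
    @{ Path = 'HKCU:\Control Panel\Accessibility\StickyKeys';        Off = '506' },
    @{ Path = 'HKCU:\Control Panel\Accessibility\Keyboard Response'; Off = '122' },
    @{ Path = 'HKCU:\Control Panel\Accessibility\ToggleKeys';        Off = '58'  }
)
foreach ($hk in $hotkeys) {
    $flags = (Get-ItemProperty -Path $hk.Path -Name Flags -ErrorAction SilentlyContinue).Flags
    if ($flags -ne $hk.Off) {
        $findings += "Accessibility hotkey active at $($hk.Path) (Flags=$flags)"
        if ($Fix) { Set-ItemProperty -Path $hk.Path -Name Flags -Value $hk.Off }
    }
}

# 3. Shell: a kiosk should boot straight into its own application, not into
#    Explorer, so there is no desktop to reach while SiteKiosk is starting.
#    Not auto-fixed: the replacement shell path is site specific.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if (-not $shell -or $shell -match 'explorer\.exe') {
    $findings += "Winlogon Shell is '$shell'; kiosk should use its own shell"
}

if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { 'No findings' }
```

None of this addresses the larger problem the article raises, which is that the terminals sit on the staff network at all; that is a segmentation decision, not a registry setting.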

Cell phones are a major contraband issue in the Ohio prison system.  The poor security of inmate-used desktops only eases unmonitored communication with the outside through the use of USB cellular modems.  No electronic countermeasures such as hidden femtocells or jammers have been observed to thwart smuggled cellular devices.

Overall, security is a joke inside the Ohio prison system as demonstrated recently by an inmate placing a ladder on the fence of a maximum security prison in Mansfield and climbing over.  There is a massive drug problem fueled by enormous profits for both inmates and guards and a culture of laziness and passing the buck which prevails.

Perhaps this article will spur competency and a realization that inmates are not as stupid as they may appear at first glance.

Shouts to onestein, Aganthorp, Shrub Art, and flow. Late.
