Inmate allegedly obtains personal information about prison workers

Date Reported:
11/06/08

Organization:
Plymouth County (MA)

Contractor/Consultant/Branch:
Plymouth County Sheriff's Department
Plymouth County Correctional Facility (PCCF)

Location:
Plymouth, Massachusetts

Victims:
"current and former prison workers"

Number Affected:
"about 1,100"

Types of Data:
"names, dates of birth, Social Security numbers, home addresses and telephone numbers"

Breach Description:
"BOSTON (WBZ) - A former inmate of the Plymouth County Correctional Facility is accused of hacking into a prison computer and distributing personal information of workers to other inmates."

Reference URL:
United States Department of Justice
WBZ CBS News
Computerworld
The Register

Report Credit:
United States Department of Justice

Response:
From the online sources cited above:

BOSTON, MA - A former inmate of the Plymouth County Correctional Facility in Plymouth, Massachusetts was arrested late yesterday in North Carolina, on an Indictment charging him with damage to the prison’s computer network and identity theft.
[Evan] There is no mention of how the unauthorized access was detected or how the investigation led to the arrest of an alleged culprit.

The inmate is alleged to have obtained the password to a prison management program and to have made available to other inmates a report listing the names, dates of birth, Social Security numbers, home addresses and telephone numbers of over 1,100 current and former prison personnel.
[Evan] Who designed this network and who is responsible for information security?  I cannot think of any good reason for not completely isolating inmate access from the rest of the prison network (including the "prison management system").  This was probably an incident just waiting to happen.  Bad guys with time on their hands are going to find a way around the "system".  Many of the inmates have been finding ways around the system their entire lives.

United States Attorney Michael J. Sullivan, Warren T. Bamford, Special Agent in Charge of the Federal Bureau of Investigation - Boston Field Division and Sheriff Joseph D. McDonald of Plymouth County, announced today that FRANCIS G. JANOSKO, age 42, was charged in an Indictment with one count of intentional damage to a protected computer and one count of aggravated identity theft.

JANOSKO was indicted on October 29, 2008 which was unsealed late yesterday afternoon following his arrest in North Carolina.

The Indictment alleges that while JANOSKO was an inmate at the Plymouth County Correctional Facility in Plymouth County, Massachusetts, the prison provided inmates a computer so they could research legal matters.
[Evan] I suppose they (inmates) have the "right" to such things.

To maintain computer and prison security, the prison attempted to restrict the inmates’ access to legal research and nothing else.
[Evan] It baffles me.

As configured, the computer prevented inmates from accessing the Internet, e-mail, other computers on the prison's networks, or even other computer programs on the legal research computer.

The Indictment further alleges that despite these restrictions, JANOSKO figured out how to use the legal research computer for purposes other than legal research, by several methods including exploiting a previously-unknown idiosyncrasy in the legal research software.
[Evan] "idiosyncrasy" = "bug".

Using a thin client that was connected to a prison server, the prisoner was able to access an employee database by exploiting a bug in legal research software made available to inmates.
[Evan] Loading the legal research software on an isolated machine (meaning on an isolated network, NOT on a server on the administration's network, isolated through the use of terminal services or Citrix) might have been a better design choice.

As a result, the Indictment alleges, between October 1, 2006 and February 7, 2007, JANOSKO configured the prison's computer network to provide himself, and other inmates, access to programs other than the legal research program, and to access and provide inmates access to a report that listed the names, dates of birth, Social Security numbers, home addresses and telephone numbers, and past employment history of over 1,100 current and former prison personnel.

Janosko also managed to obtain the username and password to a prison management program, and to access the internet to download videos and digital photographs of prison employees, inmates and aerial shots of the prison.

If convicted of the computer charge, JANOSKO faces up to 10 years of imprisonment, to be followed by up to 3 years supervised release, a fine of up to $250,000 or twice the gain or loss (whichever is greater) and restitution to Plymouth County, Massachusetts.

If convicted of the identity theft charge, JANOSKO faces an additional mandatory 2 years of imprisonment and one year of supervised release.

The investigation was conducted by the Federal Bureau of Investigation - Boston Field Division, with considerable assistance from the Plymouth County Sheriff’s Department.

The details in the Indictment are allegations. The defendant is presumed to be innocent unless and until proven guilty beyond a reasonable doubt in a court of law.

According to The Boston Globe, Janosko was arrested in 2005 on child pornography charges after investigators discovered nude photos of children on his cellphone. It was the third time he faced such charges.

He was listed as a Level 3, or high-risk, sex offender in Massachusetts in 2005.
[Evan] I found an online news article from The Patriot Ledger that depicts Janosko's arrest in 2005, but I could not find him listed in the Massachusetts Level 3 Sex Offender database or the North Carolina Sex Offender and Public Protection Registry.

Commentary:
The potential implications of this breach are pretty scary.  Current and former prison officials not only face an increased risk of financial-related identity theft, but they also face an increased risk to their personal safety.  It seems that this breach could have been foreseen and should have been avoided.

Past Breaches:
Unknown
