more detail?
would love to know the sophistication of his hack.
was it just holding down the shift key when turning on the client or did it involve some cleverness?
A former prison inmate has been ordered to serve 18 months for hacking the facility's computer network, stealing personal details of more than 1,100 of its employees and making them available to other inmates. Francis G. Janosko, 44, received the sentence earlier this week in federal court in Boston after pleading guilty to …
Yes, he 'hacked' a prison service computer but knowing what I do about public service tech solutions, I very much doubt it was a tough job. Child pornography and harassing an underage girl, however, not quite such a nice move (and best not to advertise your business with those sorts of comments, eh Deneva?)
... that governments across the world create mostly "open" systems, and then blame everyone else for getting access to it?
Why are they not going after the guys who are maintaining their prison servers / clients, and making sure those *idiots* go behind bars. That would serve the IT community right, getting rid of nitwits.
OK, the guy should not have paraded the details around, espec to prison folks, but hey, you can't blame him for getting access to poorly secured data...
Guus
I mean, in prison, no internet access, thin client, this is going to be a pretty crap 'hack' I expect - URL manipulation and network topology guessing?
No, that was naughty, he oughtn't have done it, and he oughtn't've shared the results, but by golly it was a bit of mental stimulation at least. I admit I'd probably have done the same once I had realised I could in the same position. And assuming people won't explore one of the few terrains available to them to explore is hardly responsible security for sensitive data.
TBH if I'm bored and happen to be sitting in front of a computer system, I tend to have a little poke around the network as well out of curiosity over how well set up it is...
if someone was able to gain unauthorised access to sensitive data without having to authenticate, blame the network admins/software provider/whoever set up the system (and if they got someone's password, blame the user whose password he got... as well as the idiots who allowed that password to work from inmate computers)
There is a trade off:
- Cheap, insecure system
- Expensive, secure system
People say "Oooh, my PC at home cost £299 from Tesco and I have £10/month broadband, why should a [prison/business/NHS/national identity database] system cost any more?". And it's very hard to sell people on the benefits of security - they say (perhaps correctly) "it's unlikely to be a problem".
And if it _is_ a problem, then it's blamed on the "hacker", or the poor underfunded sysadmin. It's never the fault of the people in charge, who didn't provide funding for a secure system.
A copy of the indictment can be found at http://www.securityprivacyandthelaw.com/uploads/file/Janosko%20Indictment.pdf and has a more detailed description.
Among other things, a piece of paper was found in his cell containing a username and password to the prison management system.
Because it was stated that the servers he accessed were "used in interstate and foreign communications", it became a felony offence.
You see a lot of dumb terminal or remote access setups where you just access a windows machine through rdp or citrix, and are only supposed to gain access to certain applications. I have never encountered a situation where it wasn't possible to easily run other programs... the windows interface and userland apps were never designed with any sort of security in mind, they were mostly inherited from the 9x series of windows and bolted on top of the nt kernel (which by itself had a pretty decent security model).
If they fired the company in charge of network administration, they would probably have to hire the company in the number two position in the original bid who, naturally, would charge more money for their services.
As it stands, said company will most likely fire some low-level tech from their staff, plug the security hole which was exploited, and keep rolling along - business as usual.
Escape key 'cuz - well, what does anyone in a prison want to do?
Most prisons are underfunded, it's no surprise that their network security model would be underfunded. I'd likely prefer that over, oh, I dunno, a massive prison breakout?
Then again, all those prison workers gotta be pissed at their employer, because now they're liable if any kind of identity theft comes out of it, as it was their system that exposed them to risk. Let's see here... we can spend $100,000 on a secure network, or $5,000,000 cleaning up the mess because we didn't.
It's hard to put that kind of perspective into upper management's heads. They always look at the short-term bottom line. When you try to sell them on a $5,000 printer that will last 10 years, they don't understand why you can't just go to office depot and get one that costs $40.
Reuters: In a press conference yesterday, prison governor O. Pensesame denied responsibility for the gaffe and put the blame on a "small criminal element" that had "somehow got into our prisons and is intent on causing trouble."
Mine's the one with the file in the pocket.
> Janosko was imprisoned in 2006 for a parole violation following a conviction on child pornography charges ..
Is there any verifiable citation for this or are they merely trashing his reputation on top of the hacking charge?
http://en.wikipedia.org/wiki/State_of_Connecticut_v._Julie_Amero