Security → Convicted hacker attend IT class.. and hacks prison networks

DailyMail | 2 March 2013

quote:

---

One of Britain’s most notorious cyber criminals hacked into a prison computer system from inside jail – after he was allowed to join an IT class.

Nicholas Webber, 21, jailed for five years in 2011 for masterminding a multi-million-pound internet crime site, triggered the security scare during a lesson.

The prison, HMP Isis in South London, blamed his teacher, Michael Fox, who was employed by Kensington and Chelsea College. He was banned from the prison but the college cleared him of committing any security breaches at a disciplinary hearing last March.

However, he was made redundant when no alternative work could be found for him.

On Friday, Mr Fox, from Bromley, Kent, began a claim for unfair dismissal, arguing that it wasn’t his decision to put Webber, the son of a former member of Guernsey’s parliament, in his class. He says he had no idea he was a hacker.

At a hearing at Croydon Employment Tribunal, Mr Fox accused the college of not doing enough to find him another job. ‘The perceived problem was there was a tutor who had been excluded by the prison and charged with allowing a hacking expert to hack into the prison’s mainframe,’ he said.

In a statement, the college’s business development director, Shanie Jamieson, said: ‘He [Mr Fox] did not feel he had done anything wrong as the student concerned was in his view a convicted computer hacker and should not have been allowed in his classroom.’

Webber was only 17 when he created an internet forum for computer hackers with the potential to fleece up to £15million from individuals and firms.

A court was told he set up GhostMarket after leaving £24,000-a-year Bradfield College, Berkshire, where he got into trouble for deleting friends’ detention records from the school computer.

GhostMarket – dubbed a global ‘crimebook’ with 8,000 members worldwide – gave tips on how to create computer viruses, harvest credit card data and use it to pay for goods on eBay, as well as offering to sell details of 100,000 stolen credit cards.

Police have documented £473,000 losses from 3,500 of the cards, but estimate they could have been used to steal £15million.

Webber, of Southsea, Hampshire, who once boasted online that he was ‘probably the most wanted cyber criminal just now’, also used stolen details to buy computers, video games, iPhones and iPods worth £40,000, and to pay for stays in luxury hotels.

---

Source/full article: »www.dailymail.co.uk/news ··· tem.html

The bulk of the blame should fall onto the prison IT staff. Why was there a connection from the training room to the prison internal network in the first place ? It probably was the most convenient way to hook the training computers up to the Internet. Convenience and security are often at odds with each other.

Even in home environment it's advised to a have separate "guest" network with very limited functionality. Those IT guys, who allowed it to happen, are obviously clueless...

And lack of reasonable risk assessments...

I think even bigger question is why are they still running mainframe? :/

I've heard people call the system case of their PCs a 'mainframe'. I wouldn't be surprised if the reporter or prison's P.R. spokesman meant the prison education network's server.

Here's another article about this: »www.net-security.org/sec ··· ecurity)

If the statement from the Prison Spokesperson is true (closed education network with no possible access to the Internet or other prison systems) why was the teacher of the training class fired ?

I also find the "at the time of this incident" part of the quote amusing. Does that mean they suspended those security measures and the prison education network is now wide open ?


The quote of the Prison Spokesperson first confirms that there was an incident and then goes on to claim that it would have been impossible. That doesn't give it much credibility.

Of course we don't have any details. Perhaps there was something that the IT teacher did that bridged the closed education network to the rest of the prison ?