Prison Break

time

Storage? I am Storage!
Joined
Jan 18, 2002
Messages
4,932
Location
Brisbane, Oz
This is a real life puzzle that I'm trying to get my head around.

In a prison, communications with the outside world such as internet access are generally prohibited or tightly controlled. Consequently, PCs may have any wireless adapter removed and USB ports disabled or severely limited.

We need to network some computers with another computer in a secure location elsewhere in the prison. We just need to send some small data packets occasionally, or even just once a day.

Suggestions so far include: taking a screenshot of every computer at the end of each day (my favorite) or some sort of arrangement with a 'registered' USB drive. I am wondering if using a non-standard wireless connection (essentially incapable of accessing the internet) might be some sort of option; note that it has to be physically constrained and not just limited by a software firewall.

Ideas, people?
 

Handruin

Administrator
Joined
Jan 13, 2002
Messages
13,914
Location
USA
I don't fully understand the requirements so please excuse my suggestion if it doesn't make sense. Could you implement something using the Zigbee protocol or Z Wave? It is technically a standard but I'm unsure if one could rig up something to get you on the internet. Given that you mentioned a prison, I imagine thick concrete and/or metal walls might make wireless challenging.

How much data do you need to transfer? I don't understand the screen capture piece of your puzzle. Would it be a screen capture of a text doc or something?
 

Chewy509

Wotty wot wot.
Joined
Nov 8, 2006
Messages
3,348
Location
Gold Coast Hinterland, Australia
I assuming QLD?

Then both QPol and QLD Corrective Services should both have and should be able to provide to you the relevant ISM (Information Security Manuals). These manuals should contain the relevant polices and procedures for IS located on prison grounds including provisioning and usage.

Otherwise I know ASD has their ISM online available: https://www.cyber.gov.au/ism

As for a possible solution?

If none of the computers/PCs in question require Internet access and none are located in areas accessible by prisoners, then simply create a private LAN that is air gaped from any router/service that can connect to the Internet. Possible cable options include running fibre in clear conduit ensuring all connectors are clear/transparent. (Clear conduit will avoid any conduit become places where items can be hidden, and using fibre makes it harder for patching into/MITM of the cable to occur). Also ensure all switches in use are capable (and are provisioned) to authenticate at the MAC layer (802.1X) so that foreign network devices are allowed on the LAN. (I personally wouldn't bother with wireless in this situation). And if using Windows, ensure NLA is enabled on all connections.

If you want to keep all PCs air gaped, then using an IronKey with a software solution (Windows GPOs will get you pretty far in this) that can restrict installation/setup of USB devices may be another option as well.

Also, FYI in QLD, prisoners can and do have access to PCs with limited Internet access. (so the threat model does change slightly).
Source: QLD Prisoners Handbook
 

time

Storage? I am Storage!
Joined
Jan 18, 2002
Messages
4,932
Location
Brisbane, Oz
Superficially, Zigbee seems a little too similar to 2.4GHz WiFi to pass the sniff test.

Z-Wave looks extremely interesting, particularly given the lower 900MHz frequency and greater range to start with. Has to be at least double the range through heavy walls, maybe more. So far, I couldn't find anyone working out how to access the internet with it - the purpose is more to create a private network, which of course is what we want in this scenario. Current security seems adequate, depending on implementation (Yale screwed up).

Z-Wave 700 seems super impressive with ultra low power and 4 hops up to a theoretical max of 400m range.

The Aeotec Gen7 implementation appears to shore up the security and supposedly boosts maximum hop range to 800m!

One snag is that all the hubs I can find also have a WiFi AP built in, so that would have to be behind a wall somehow. A much bigger snag is that you have to develop all the software yourself; I believe you are limited to a comm port simulation under Windows unless you can work with Z/IP (and I don't know who is).

Handy, I'm trying not to give too much away here, but each PC manages equipment through a comm port connection. It logs events, and we would like to be able to view those logs from outside the prisons. There is not much data, hence the joke about a screenshot - not practical because it would need a camera.
 

time

Storage? I am Storage!
Joined
Jan 18, 2002
Messages
4,932
Location
Brisbane, Oz
Chewy, yes. :)

Really great advice, thanks. I would definitely prefer a cabled solution, but I wonder how how hard that might be to organize in this environment? Everything would have to be done by the prison's own contractors and that is likely to take a very long time and be very expensive, not to mention the extreme level of specification required to prevent them screwing up. Nevertheless, I will be exploring this.
 

sechs

Storage? I am Storage!
Joined
Feb 1, 2003
Messages
4,709
Location
Left Coast
Isn't the easiest solution to just build a Faraday cage around the prison? ;)

Unless there's a worry that the "users" may be able to tap into it, wired is the way to go. Any wireless solution would be unwieldy or nonstandard, or both.
 

time

Storage? I am Storage!
Joined
Jan 18, 2002
Messages
4,932
Location
Brisbane, Oz
Quick Update

The prison was designed to have WiFi, but it's not in use. No successful business case to date involving WiFi, given that security relies more on physical barriers than configuration.

Also, internal walls are kinda thick and filled with concrete, so range would be severely compromised.

Cellular (3G/4G) needs to be a) in a secure location and b) outside the prison core. This is because 3G devices inside the core interfere with cellular scans to locate contraband phones, etc. But we can have a 3G antenna on top of the roof, for example.

Fibre optic isn't necessary; they are happy to use copper network cable inside special reinforced conduits. This is by far the preferred solution, as long as it connects to our own 'network' and definitely not the internal security or corporate networks.

There is a conflict between legislated rules that restrict any kind of internet access or even data access, and a perceived need to stop long term inmates losing all touch with social changes, the outside world, etc. In other words, the world changes so fast these days, being off-the-air for years can seriously disorientate someone and jeopardize their reintegration into society. Failure in rehabilitation inevitably leads to recidivism and both a financial and social cost for society. So quite a balancing act for the prison administrators.
 
Top