The US Bureau of Prisons' Network Resources

by

OSIN

Now that a year has passed since I released this project, I thought it would be a good idea to look at some of the network resources the BOP uses. This is not meant to be an exhaustive survey, but to give you an idea of how the BOP uses the Internet, the inmate phone system (ITS-II), and probably the most extensive network they have, SENTRY.

The BOP's Public Internet

Let's start with their most public system, the Internet. Although ARIN has no listing in its registry database for the BOP, we can assume that their website www.bop.gov falls in a range of IP addresses assigned to the BOP. Their website resolves to 206.138.130.2. From bankes.com we learn that these particular names resolved (the numbers are the host numbers within the 130 subnet):

2- gatekeeper.bop.gov
3- gatekeeper2.bop.gov
4- locator.bop.gov
5- inmateloc.bop.gov
25- mail.bop.gov
26- mail2.bop.gov
82- nkisss.bop.gov
83- email.bop.gov
84- sallyp.bop.gov
85- team.bop.gov
86- bware.bop.gov
87- citrix.bop.gov
155- bop-medweb.bop.gov

I have a feeling, though, that bankes.com's information is out of date for some of these names. Anyway, a ping sweep of the 130 subnet on one particular day showed these hosts up:

1,2,3,4,5,6,7,8,9,10,11,12,14,25,26,82,83,84,85,86,87,92,93,155,156

Keep in mind that just because a machine answers a ping it may not actually be up, and vice versa. The 'sallyp' listed above might be a reference to what I believe is the BOP's intranet, called Sallyport; however, neither sallyp.bop.gov nor sallyport.bop.gov resolves from the BOP's outside DNS server. But I know it probably exists as an internal name, since sallyport.bop.gov is listed as the top referrer in the Geocities stats for this project. Also, a traceroute to some of these machines shows that the gateway is bopgov-gw.customer.alter.net (157.130.59.38).

NMAP scans of some of these machines are listed below:

Interesting ports on (206.138.130.1):
(The 1020 ports scanned but not shown below are in state: closed)
Port State Service
23/tcp open telnet
137/tcp filtered netbios-ns
593/tcp filtered http-rpc-epmap
707/tcp filtered unknown
Remote OS guesses: Cisco 3600 running IOS 12.2(6c), Cisco router running IOS 12.1.5-12.2(6a), Cisco IOS 12.1(5)-12.2(7a)
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
IPID Sequence Generation: All zeros

--------------------------------------------------------------------------------------------------------------

Host gatekeeper.bop.gov (206.138.130.2) appears to be up ... good.
Initiating Connect() Scan against gatekeeper.bop.gov (206.138.130.2)
Adding open port 113/tcp
Adding open port 53/tcp
Adding open port 80/tcp

OSIN- If this is www.bop.gov, I'm not sure why they're running DNS on it (port 53). I would think running a DNS service on your main webserver is a bad idea.

--------------------------------------------------------------------------------------------------------------

Host locator.bop.gov (206.138.130.4) appears to be up ... good.
Initiating Connect() Scan against locator.bop.gov (206.138.130.4)
Adding open port 80/tcp

--------------------------------------------------------------------------------------------------------------

Host inmateloc.bop.gov (206.138.130.5) appears to be up ... good.
Initiating Connect() Scan against inmateloc.bop.gov (206.138.130.5)
Adding open port 25/tcp
Adding open port 80/tcp

--------------------------------------------------------------------------------------------------------------

Interesting ports on (206.138.130.6):
Port State Service
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
25/tcp filtered smtp
80/tcp filtered http
8080/tcp filtered http-proxy

--------------------------------------------------------------------------------------------------------------

Interesting ports on (206.138.130.10):
Port State Service
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
25/tcp filtered smtp
80/tcp open http
8080/tcp filtered http-proxy

--------------------------------------------------------------------------------------------------------------

Interesting ports on mail.bop.gov (206.138.130.25):
(The 5 ports scanned but not shown below are in state: closed)
Port State Service
25/tcp open smtp

--------------------------------------------------------------------------------------------------------------

Scan 1: Interesting ports on Nsabawebserv.bop.gov (206.138.130.82):
Port State Service
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
25/tcp filtered smtp
80/tcp open http
8080/tcp open http-proxy

OSIN- Several months later I went back and scanned this IP. The scan revealed an entirely different setup:

Port State Service
80/tcp open http
443/tcp open https
1494/tcp open citrix-ica
8080/tcp open http-proxy

OSIN- Note the secure webserver. Visiting it (via Tor) showed it served a service called i-bopnet. The fact that it is running Citrix suggests it may have some administrative function.
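The two scans of the .82 host above are a good illustration of why a defender should keep scan results and diff them over time rather than look at one snapshot. The following is an editor-added example (not code from the original page): it parses port lines in the format nmap printed above and reports what changed between the earlier and later scan of 206.138.130.82.

```python
"""Diff two nmap port listings of one host to see how its exposure changed.
Editor-added example; the port lines below are copied from the two scans of
206.138.130.82 quoted above, the parsing and diff logic is not from the page."""
import re

# Port lines exactly as nmap prints them ("80/tcp open http"), from the page.
SCAN_EARLY = """\
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
25/tcp filtered smtp
80/tcp open http
8080/tcp open http-proxy
"""
SCAN_LATER = """\
80/tcp open http
443/tcp open https
1494/tcp open citrix-ica
8080/tcp open http-proxy
"""
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|filtered|closed)\s+(\S+)")


def parse_ports(text):
    """Map 'port/proto' -> (state, service) for every port line found."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:  # header lines such as "Port State Service" do not match
            ports[f"{m.group(1)}/{m.group(2)}"] = (m.group(3), m.group(4))
    return ports


def _portnum(entry):
    """Sort key: numeric port from 'port/proto' or a tuple starting with it."""
    return int((entry[0] if isinstance(entry, tuple) else entry).split("/")[0])


def diff_scans(old, new):
    """Report ports newly open, ports no longer listed, and state changes.
    Caveat: a port missing from the later listing may simply be closed now
    (nmap folds closed ports into a summary line), not newly firewalled."""
    a, b = parse_ports(old), parse_ports(new)
    new_open = [(p, s) for p, (st, s) in b.items() if p not in a and st == "open"]
    gone = [p for p in a if p not in b]
    changed = [(p, a[p][0], st) for p, (st, _) in b.items()
               if p in a and a[p][0] != st]
    return {"new_open": sorted(new_open, key=_portnum),
            "gone": sorted(gone, key=_portnum),
            "changed": sorted(changed, key=_portnum)}


if __name__ == "__main__":
    for kind, entries in diff_scans(SCAN_EARLY, SCAN_LATER).items():
        print(kind, entries)
```

Run against the page's two listings it reports 443/tcp (https) and 1494/tcp (citrix-ica) as newly open and the four previously filtered ports as no longer listed.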

--------------------------------------------------------------------------------------------------------------

Scan of 155:
22/tcp open ssh
80/tcp open http
443/tcp open https
990/tcp open ftps

--------------------------------------------------------------------------------------------------------------

OSIN- Thus far, the 130 subnet is the only external subnet I've been able to confirm is assigned to the BOP. Of course, I'm assuming that all of it is assigned to them. But subsequent searches on ARIN's search function show that adjacent subnets are assigned to entities not associated with the BOP.

It could be that the BOP heavily utilizes the Justice Department's JCN system, which stands for Justice Consolidated Network. According to their own website, the Justice Department runs the network that several entities, such as the DEA, FBI, and Marshals Service, use. ARIN lists these IP ranges as associated with the Justice Department:

* 149.101.0.0-149.101.255.255 (This appears to be their main class. The Justice Department website is located in this range, as are several other entities. Some more interesting subnets are 1, 22, 26, 35, and 45. Note that I have not extensively investigated this IP range.)

* 192.58.200.0-192.58.203.255

* 12.27.236.192-12.27.236.223 & 12.21.173.192-12.21.173.223 (Although this was listed as part of the US Dept of Justice, it appears the main group which controls these two IP ranges is the GC HIDTA, a group meant to reduce drug trafficking in Gulf Coast states.)

* 12.109.145.96-12.109.145.127, 12.18.169.32-12.18.169.63, 12.109.44.128-12.109.44.159, 12.104.64.176-12.104.64.183, & 12.11.252.96-12.11.252.127 (Also listed as US Dept of Justice; the main contact is listed as being BeaSystems.com. It appears this domain is no longer valid.)

It may be that the JCN system is actually the one on which SENTRY access is provided. More on SENTRY is listed below.

ITS-II

The ITS-II is the phone system that Federal prisoners have to use to make calls. It gives the BOP the ability to monitor calls; however, I've seen reports on the Internet stating that the BOP only has the manpower to monitor anywhere between 4-15% of outgoing calls. Back in 2005 the BOP moved to an Inmate Trust Fund system in which money sent to inmates goes into a trust fund, and that trust fund in turn supports the budget for the ITS-II system. At the time of this writing, and according to the BOP's own documentation, inmates are allotted 300 minutes a month (each call is limited to 15 minutes). According to some sources on the Internet, the cost after Oct 1st 2006 went up to 5 dollars per 15-minute call. The regulation which governs the Inmate Trust Fund and the ITS-II system can be found on the BOP's website at http://www.bop.gov/policy/progstat/4500_004CN09.pdf.

In 2002 the Department of Justice Inspector General conducted an evaluation of the security for the ITS-II system. They summed up their findings as this:

"Our review disclosed that security controls need improvement to fully protect the ITS II from unauthorized use, loss, or modification. Specifically we found vulnerabilities in the areas of life cycle; authorize processing; system security plan; personnel security; physical and environmental protection; production, input/output controls; contingency planning; hardware and systems software maintenance; data integrity; incident response capability; identification and authentication; logical access controls; and audit trails."

OSIN- In some cases accounts on the machines had blank passwords or default passwords still set. You can read the findings section of the report at http://www.usdoj.gov/oig/reports/BOP/a0304/findings.htm, but I also include it on this page in case it disappears off the Internet. From that report we learn a few details about the ITS-II system itself. One is that ITS-II is actually a combination of Windows and Unix systems. At the time the report was filed the BOP was using Windows NT on the main Windows systems. They may have since upgraded those systems to XP or Windows 2003 Server, but I came across a job posting for the BOP in which the requirements stated that Windows NT was still being utilized in the BOP (although this job probably had nothing to do with ITS-II). Anyway, three of the machines are mentioned by name in the report: BOPCOF and BOPCO1 (probably both Windows machines) and BOPNNM (Unix; I'm not sure which flavor). I'm also not sure of their function within the ITS-II system.

The BOP's own directive covering the ITS-II phone system (4500_004) states that there is a test account on the ITS-II system (see Chapter 4555, page 7, section J, or page 98 of the pdf). The test user account has the format "T00000-***", in which '***' is the site SENTRY code. It appears to give the administrator the ability to test money transfers between the inmates' commissary accounts and their telephone accounts. Anyway, I was puzzled about what the SENTRY code might be, and then I found this line on page 33 of the BOP's HR directive, 3000_002:

"For institution positions, this is a three digit alpha field utilizing the SENTRY code for that location."

OSIN- Could it be that the three-letter identifier used for each of the BOP's facilities' directories on their website and the SENTRY code are one and the same? If so, then an example is in order. FCI Cumberland's three-letter identifier on the BOP's website is 'CUM' (BOP, you guys really need to change this code for Cumberland). If that is the SENTRY code for FCI Cumberland, then one might expect a test user account called "T00000-CUM" to be found on one of FCI Cumberland's ITS-II related machines.

SENTRY

The only mission-critical system that the BOP maintains is called SENTRY. SENTRY is the system that monitors and tracks all inmates at all of the BOP facilities. It is housed on a mainframe located at the Justice Department's Justice Data Center in Dallas, TX (address 207 S Houston St, Dallas, TX; approx. coords are -96.80772 32.77842). You can view the USGS imagery for this building here. There are actually two Justice Data Centers, and at this website we learn about them:

"CS manages and operates two certified and accredited common user data processing facilities: the Justice Data Center-Washington (located in Rockville, Maryland), and the Justice Data Center-Dallas (located in Dallas, Texas). A Help Desk is also provided for technical assistance, problem reporting, and corrective action. The two data processing facilities provide a processing capacity of 2,197 millions of instructions per second (MIPS) and contingency back up for each site to support 100% Central Processing Units (CPU), 100% Direct Access Storage Devices (DASD), and 100% front end processing requirements."

CS serves over 80,000 mainframe customers worldwide, providing a wide range of computer related services:

* IBM and IBM compatible mainframe processing platforms using OS/390 and VM/ESA operating systems with logical operating partitions creating secure processing environments.
* Interactive, on-line, and batch information processing and customer service assistance 24-hours a day, 7-days a week with monthly utilization reports on service costs.
* Contingency capabilities commensurate with customer mission requirements.
* Access to multiple hardware and software utilities with on-site and off-site storage and retrieval of backup media.

In 2003 the Justice Department's Inspector General filed a report on the SENTRY program which found only low-level vulnerabilities in its security. However, that same report gives an overview of the SENTRY program. You can read the original at this page. Oddly, they had no link to the findings page for this report, but it uses the same format as the one for their report on the ITS-II: just swap 'exec.htm' and 'findings.htm' in the previous link. Anyway, SENTRY is written in COBOL with over 700 routines. At http://www.usdoj.gov/oig/reports/BOP/a0325/back.htm we learn that SENTRY contains the following modules:

- State Billing. Tracks how much to bill other states for using BOP facilities.
- Financial Responsibility. Tracks how much and when inmates must pay court-ordered restitution.
- Inmate Discipline. Tracks inmate discipline history and problems.
- Administrative Remedy. Routes information about inmates for internal investigations.
- Central Inmate Monitoring. Identifies which inmates need special handling.
- Designations. Assigns inmates to a facility.
- Sentence Monitoring. Tracks all aspects of an inmate's sentence.

Also, from the above link we learn about the generic network topology of SENTRY. Basically, SENTRY users access the system via the GSA Sprint FTS2001 network. They first connect through the BOP's Network Control Center in Washington, DC, then from there through another set of Sprint FTS2001 circuits and local carriers, and finally to the Justice Data Center in Dallas, TX. And at http://www.usdoj.gov/oig/reports/BOP/a0325/app4.htm we learn about SENTRY's authorized users:

Criminal Division
Department of Justice
Drug Enforcement Administration (DEA) - El Paso Intelligence
Drug Enforcement Administration (DEA) - National Drug Intelligence
Federal Bureau of Investigation
Immigration and Naturalization
Interpol Headquarters
Justice Management Division
Office of Pardon Attorney
Office of the Corrections Trustee
Office of the Inspector General
Parole Commission
United States Army
United States Attorneys
United States Marshals Service
United States Marshals Service Transportation
United States Navy
United States Probation Office
United States Sentencing Commission

OSIN- As for the DEA, I'll let you draw your own conclusions as to why El Paso is so important for SENTRY access. But in that entire list, the organization which stands out like a sore thumb is Interpol. I can't imagine they're part of the Sprint FTS2001 contract, so how are they connecting? In July 2001, at this website, we learn that $350,000 was allocated for equipment to connect Interpol to the National Law Enforcement Telecommunications System (NLETS). However, I believe this "Interpol" is actually the United States National Central Bureau of Interpol (USNCB), which acts as a coordinating agency between American law enforcement groups and international police organizations. They are part of the Justice Department. At their mission statement page we learn:

The mission of the US National Central Bureau is to facilitate international law enforcement cooperation as the United States representative with the International Criminal Police Organization (INTERPOL), on behalf of the Attorney General.

The major functions of the USNCB are to:

- Transmit information of a criminal justice, humanitarian, or other law enforcement related nature between National Central Bureaus of INTERPOL member countries, and law enforcement agencies of the United States.
- Respond to requests by law enforcement agencies, and legitimate organizations, institutions and individuals, when in agreement with the INTERPOL constitution.
- Coordinate and integrate information for investigations of an international nature and identify those involving patterns and trends of criminal activities.

OSIN- So, from my research it's clear that the Justice Department and the JCN are critical players in communications for the BOP and even between law enforcement groups within the US and internationally. As for NLETS, from their About Us page they say:

Nlets provides two basic capabilities to its users. First, it is an international, computer-based message switching system that links together state, local and federal law enforcement and justice agencies for the purpose of information exchange. Second, it provides information services support for a growing number of justice related applications. To accomplish this, Nlets supports data communications links to state networks using a commercial frame relay service. All agencies within each state are serviced through this state interface. Federal and international systems operate in much the same manner. The primary Nlets operational site is located within the Arizona Department of Public Safety's facility, with a disaster recovery site located with the Idaho State Police for full continuity of operations in less than thirty minutes.

The user population is composed of all of the states/territories, all Federal agencies with a justice component, and selected international agencies, all cooperatively exchanging data. The types of data being exchanged vary from motor vehicle and driver's data, Canadian "Hot File" records, and INS databases to state criminal history records. Over 34 million messages are transacted each month.

Nlets is a 501(c)(3) not-for-profit organization and is owned and governed by the states. Representatives from each state elect a Board of Directors and Officers annually. They set policies and procedures, define standards, approve members, establish fees, etc. A professional staff is responsible for the day-to-day administration and operations of the system. Membership dues are the primary source of revenue to operate Nlets.

OSIN- NLETS is a so-called 501(c)(3) organization?! I wonder if any information they exchange is permissible in an American court of law? How odd. I've never known any 501 to need such an extensive communications network and a disaster recovery site. Anyway, if anyone else has any more information on the BOP and the JCN network, please feel free to share it with me. You should easily be able to guess my email address. >:)