There have been a number of law enforcement-related web sites hacked since last June. Some of those hacks — like those involving the Arizona Department of Public Safety, BART, International Association of Chiefs of Police, Boston Police Patrolmen’s Association, Baldwin County Sheriff’s office in Alabama, Coalition of Law Enforcement and Retail (C.L.E.A.R.), the California Statewide Law Enforcement Association, and the New York State Association of Chiefs of Police – have previously been noted on this blog. But there have been a new rash of such hacks this past week:
Police Department Hacks
One of the hacks this week involved the Salt Lake City Police Department. I reported on that hack earlier this week.
In addition to SLCPD, the same group of hackers also attacked the Syracuse Police Department; 39 usernames and plain-text passwords were dumped on Pastebin. Brian Skoloff and Denise Lavoie of Associated Press report that the individuals are those who have the ability to alter the web site. Connellan also stated that no private information about officers or citizens was accessed. In a statement accompanying the data dump, the hackers, @CabinCr3w and @ItsKahuna on Twitter, indicate that the department was targeted because of its handling of allegations of sexual abuse by Bernie Fine:
Targets: Texas PD and Syracuse
Why: Insufficient effort
Judgment: We must troll you
The Texas Police Association was also hacked, reportedly because of it provided paid leave to an officer who allegedly had child pornography on his computer. In the same data dump, the hackers write:
Dear Texas Police Dept,
Paid administrative leave should be reserved for injured cops, cops with pregnant wives, and cops who declare themselves conscientious objectors to a raid. Not a kiddie porn collecting cop. It looks as if Texas PD hasn’t improved since the cousin of the PD, the Texas Youth Commission was caught with rape rooms.
The data dump posted by the hackers included 787 police officers’ names, usernames, plain-text passwords, agencies and addresses; some of the addresses were reportedly home addresses. In response to the hack, Erwin Ballarta, Executive Director of the Texas Police Association, was quoted as saying,”This is very serious, not just from the standpoint of law enforcement, but for every private citizen out there as far as their privacy.”
Yesterday, one of the hackers involved let the TPA know that they still had not adequately secured their site:
— Kahuna (@ItsKahuna) February 4, 2012
The reasons behind the defacement of the City of Newark and Newark Police Department sites was not as clear in terms of specific impetus, while the defacement of the Boston Police Department news site (BPDnews.com) indicates a continuation of animosity over the treatment of protesters in the Occupy Boston movement.
Hackers also released an audio file of a conference call between the FBI and Scotland Yard in which the participants discussed Anonymous-related prosecutions. The call reportedly took place on January 17. How the hackers obtained the file is a matter of significant interest. Were they actually on the call or intercepting it, or did they somehow acquire a copy of the audio file that someone had downloaded? They published an e-mail they had obtained that provided the date, time and password needed to access the call, raising the tantalizing question as to whether they were on the call. The FBI is investigating the incident.
Police departments were not the only law enforcement-related sites hit this week in the U.S. The law firm of Puckett & Faraj was also attacked over the Haditha killings of civilians. This week, the Marine who was the leader, cut a deal that left essentially means no one has been tried for murder. In a tweet concerning the hack, @Anon_Central announced:
ANONYMOUS HACKS PUCKETT & FARAJ – 3GB OF PRIVATE EMAILS DETAILING SSGT FRANK WUTERICH WHO MURDERED DOZENS OF UNARMED IRAQI CIVILIANS
— Anonymous Operations (@Anon_Central) February 3, 2012
Another lawyer, Vale Krenik, was also attacked, and numerous documents from his files were also dumped publicly. In a statement accompanying the data release, @CabinCr3w, @Doxcak3 and @itsKahuna write, “We have taken notice to your blatant disrespect for your title as a lawyer, you have abused your power as a lawyer and used it for anything but good. … again when cries arent heard Anonymous steps in.”
The hacks are not confined to U.S. agencies. In the U.K., www.police.co.uk was hacked by @just_network, who dumped 17 names, usernames, and plain-text passwords for members of the Grampian Police on Pastebin. In response to a query by this blogger as to whether other police department subdomains of that site had also been hacked, @just_network replied, “Yes, I did. ,” but offered no explanation as to why he or she had dumped the Grampian data. Nor did @just_network respond to a query as to whether other departments’ personnel information would be dumped.
And in Greece, the Ministry of Justice took its site down after hackers defaced it with a video.
Frankly, the hackers are making law enforcement look foolish and/or incompetent in terms of their web site security. Although many of these hacks have not resulted in public dumping of personal information, some have, and even those that haven’t have resulted in personal information being in the hands of others. Those who suggest the hackers are bluffing when they claim to have acquired data are needlessly increasing the risk that personal data will be exposed on the Internet. In the case of the SLCPD, such suggestions are also disingenuous because this blog notified the SLCPD earlier in the day that the hackers had announced that they had deleted all the data after it was suggested to them by this blogger.
All law enforcement agencies have been aware that they are being targeted since last year. Isn’t it time for them to do a better job of securing their sites? Although it’s commendable that in many cases, these public-facing servers do not provide access to the departments’ more sensitive files, can any citizen feel safe proving crime tips through a web site if the departments cannot really protect the privacy and security of the submitter’s data?