Here’s a tip for some Crime Stoppers in Canada: you’ve been hacked (UPDATED)
April 14: See update and possible correction at the bottom of this post concerning the storage and encryption of tips.
TeaMp0isoN claims that one of the sites they recently “audited” was the web site of Waterloo Crime Stoppers. In a zine about what they describe as a 0day SQLi attack, TeaMp0isoN writes that they found an unprotected ftp directory, the intranet can be accessed simply by logging in, credentials are stored unencrypted, and all of the members have privileges to upload to the ftp_uploads directory. Login credentials (usernames/clear-text passwords) were dumped in the zine.
To explain the significance of what they found, TeaMp0isoN writes:
Now you may be wondering, what is so insecure about this? well good question. If you go to the drop box tab you’ll notice that there is no restriction of what type of file you can upload and anything that you do upload will be on the public FTP Directory. You can access this directory by navigating to http://waterloocrimestoppers.com/ftp_uploads/ (don’t worry it’s public). Now let’s assume we have friends outside our little circle (we don’t) and let’s pretend our friend is a black hat, we will call him Niles
What followed was some examples of how to exploit the above.
The Crime Stoppers site in question was designed by Pixweaver. Further investigation by TeaMp0isoN revealed that other sites designed by Pixweaver also had the same vulnerability, and TeaMp0isoN similarly attacked the Peel Crime Stoppers and Ontario Crime Stoppers sites. As with waterloocrimestoppers.ca, they dumped some of the login credentials and described what they found. The zine has a number of links to other pastes where more data dumps from these three Crime Stopper chapters can be found.
But from my perspective as a privacy advocate, perhaps the most troubling revelations in the zine involve the inclusion of citizen-submitted “anonymous tips.”
As this site did when reporting on the breach involving the NYC Public Advocate, because sensitive information has been dumped, DataBreaches.net is not linking to any of the pastes, but I’m redacting one of the entries to provide readers with a sense of how sensitive some of the material is:
Tuesday, November 26 2013
Name [Redacted by DataBreaches.net] Address [Redacted by DataBreaches.net] Province Postal Code Phone Email [Redacted by DataBreaches.net]
Comments: I dont know where to send this information. I didnt use my real name. But used my real email adress. I have information on a known drug dealer in bowmanville ontario. his name is [First and Last Names Redacted by DataBreaches.net] his girlfriend is [First and Last Names Redacted by DataBreaches.net].
I dont know there adress but a friend of a friend knows them and thwy have guns and drugs in there house mariguana . These people need to be taken off the street . I have attached pictures of [Name Redacted by DataBreaches.net]. He threatened a feiend of a friend to take her life if she ever went to the police. [Name Redacted by DataBreaches.net]’s parents number is [Phone Number Redacted by DataBreaches.net] .
please help .
they are apparently moving to toronto very soon
they have crazy amounts of drugs and money in there house
Can you imagine discovering that your “anonymous” tip has now been publicly revealed and that if the drug dealer googles himself, he’ll see that you reported him?
And while we’re on the topic of “anonymous” tips that may not be anonymous any more, I’d note that although the Crime Stoppers web sites assure tipsters that information submitted through their secure site will be encrypted and forwarded to the head office, it seems that any encryption is only during transmission and does not necessarily apply to storage of the tips.
After discovering that this hack had first been announced on Twitter on April 7, DataBreaches.net e-mailed all three compromised Crime Stoppers chapters last night to alert them that they had been hacked in case they did not know already. They were provided with a link to the zine paste and asked to acknowledge the breach alert. None of the three individuals to whom the email alert was sent has responded as of the time of this publication.
Attempts to call the Crime Stoppers number for Canada resulted in a “Due to technical difficulties, your call cannot go through” message. How ironic is it that this site cannot manage to submit a tip to Crime Stoppers and be sure that they got it?
Earlier today, DataBreaches.net sent an email to the Ontario Police to suggest they call Crime Stoppers to alert them.
Perhaps none of them have responded because they know already. Then again, perhaps they don’t know.
Pixweaver was also sent a courtesy notification with more detailed information about the method of the attack and how to test client sites for the vulnerability. Both those pieces of information were provided by TeaMp0isoN in their zine.
This post will be updated if or when anyone ever responds.
Updated April 14, 2015: Thanks to the help of a Canadian reader who reached someone in IT in another Crime Stoppers chapter who then called the affected chapter(s), and thanks to OpenCERT Canada who also reached out to the affected chapters after I contacted them and told them of the difficulty in getting a response to the hack, the Ontario Chapter of Crime Stoppers responded to my original breach alert email to them. This afternoon, Dave Foster, President of Ontario Crime Stoppers wrote:
I would like to acknowledge the breach of the above noted web sites as you have indicated. Although these sites are important to the Crime Stopper
program, they serve only as posting site for media features and associated
events. The integrity of any tips submitted are completely protected as
they are hosted on a separate encrypted and secured database independent of these sites. We will however make every effort to improve the security of
these posting sites to avoid this happening in the future. We have engaged
security specialists to assist us with this issue.
Note his claim that the integrity of any tips are completely protected and encrypted on a separate server. That seems to contradict the fact that several tips were in the hacked database the hackers dumped online. So I asked Mr. Foster how that happened. Is it the case that some people used another (and non-secure) form on the web site to submit a tip instead of using the Public Engine System form which encrypts the tip? That might explain why there were so few tips in the dumped data, but it’s purely speculative.
DataBreaches.net has received no response to that follow-up inquiry by the time of this publication.
And since the data dump is still available online where anyone can acquire it, I wonder whether they will notify those whose personal information was exposed.
I’ll let someone else ask them that question.