Feb 28, 2012

Springfield officials say the personal information of about 2,100 citizens may have been obtained by hackers when the city’s website was “compromised” Feb. 17, a Friday.

Some functions have been turned off on the city’s website, springfieldmo.gov, as authorities investigate the apparent breach, said city spokeswoman, Cora Scott.

Read more on News-Leader.com

A statement posted yesterday on the city’s web site says:

City Website Compromised

The City of Springfield’s public-facing website (springfieldmo.gov) was compromised Friday, Feb. 17 and certain functionality has been turned off to secure the site while authorities investigate.

Officials are taking steps to notify approximately 2,100 individuals whose personal information may have been obtained when the site was breached. To reduce risk of harm from this incident, these individuals will receive a letter by mail offering a one-year subscription with an identity theft protection company.

The site passed a Feb. 8, 2012 Payment Card Industry (PCI) security scan, however, the City is looking into the vulnerability and modifications have been made to the website to prevent further incidents from compromising any information in the future.

No additional details can be released while the investigation continues. As required by State statute, the City has notified the Attorney General’s Office of this incident.

Those needing assistance with functions currently inaccessible on the site may call 417-864-1010. Media with questions – please call 417-864-1009.

The hack appears to be the work of hackers who identify themselves as Kahuna and CabinCr3w, and is part of #OpPiggyBank. In a statement accompanying the release, they write:

Small Redacted Sample Of Data Taken From Police Database

Data Contained Is Online Police Reports (OPR) and Misc Warrant And Summons Data
All Data That Could Cause Problems To Civilians Has Been Redacted, As It Contains Social Security Numbers, Addresses, and Other Personal Information Of Citizens..now some cake

The data they acquired reportedly includes:

OPR_PERSONS – 6071 Entries
AGE,C_PHONE,DOB,EMAIL,EYE_COLOR,H_ADDRESS,H_CITY,
H_PHONE,H_STATE,H_ZIP,HAIR_COLOR,HEIGHT,ID,M_ADDRESS,M_CITY,
M_STATE,M_ZIP,NAME,PERSONSID,RACE,ROLE,SEX,SKINTONE,SSN,SUS_DESC,
W_PHONE,WEIGHT

WARRANTS – 15,887 entries

ACCYON,AGE,BRTHDT,CITY,CTCDNO,CTCDSC,DFADRS,DFNAME,EMPLYR,EYESCL,
HAIRCL,HEIGHT,JRSDCT,MNFSTN,MNLSTN,MNMIDN,NMSFX,OFCRNO,OFNDT,
OFNSLC,OFNSTM,PDCASE,RACECD,RADYON,RELCON,SEXCOD,STCODE,TCKTNO,
TKINFO,VILCOD,VILLD*,VILSDS,VLOCNO,VLRPPD,WEIGHT,WRISDT,WRNTYP,
WRTBND,WTYPTX,ZIPCD*,ZIPCD2

OPR_BUSINESS – 408 entries
ADDR,ID,NAME,PHONE

OPR_VEHICLE – 1041 entries
COLOR,EXIST_DAMAGE,ID,LICENSE_NO,LICENSE_YEAR,LOCKED,MAKE,MODEL,
NAME,PARKED,ROLE,SPEC_FEATURES,STATE,STYLE,TYPE,VALUE,
VEHICLE_YEAR,VEHICLEID,VIN

SUMMONS – 284,618 ENTRIES
ACCYON,CTCDNO,CTCDSC,DSN,JURISDICTION,OFNSDATE,OFNSLOC,OFNSTIME,
PDCASE,RADYON,TICKETNO,VILCOD,VILSDS,VLOCNO,VLRPPD

That’s a lot of personally identifiable information and it’s not clear why only 2,100 are being notified if one database alone had over 6,000 entries including Social Security numbers and the warrants database had almost 16,000 entries.

None of those details were reported on the city’s web site or in the media coverage of the incident. The hackers have posted some redacted proof of hack. As they have in the past, they have opted to not expose citizens’ personal information.

Feb 09, 2012

Hackers who have previously targeted police department or law enforcement-related web sites have struck three more sites in the past few days – one in Texas and two in Alabama:

The Alabama Department of Public Safety (dps.alabama.gov) was hacked by @cabincr3w and w0rmer. Seven spreadsheets with information on sex offenders and limited information on the victims and the crimes, as well as a database listing offenders’ car make, model, and license plate number were all dumped on the Internet. Inspection of the spreadsheets indicates that no names were dumped, but it might be possible to recognize particular cases of child sexual abuse or rape by the dates of the arrests and the description of the crime and victim’s age if a case had been reported in the media or occurred in a small town. Similarly, while offenders’ names were not included in the data dump, their vehicle information and license plate number were. It’s not clear whether the hackers also acquired other files or databases that would enable identification of what appear to be unique IDs. Their paste provides a list of tables they found.

Update: in response to a query from this blog, they state that they did acquire such files but chose not to dump them:

@PogoWasRight @CabinCr3w Yeah but we arent gonna post that shit! We are exposing the flaw not the names of the innocent!
— FBI HaZ A File on ME (@Anonw0rmer) February 10, 2012

The hack was announced yesterday on Twitter. DPS’s web site has been offline since then.

In a second hack, announced today on Twitter, @CabinCr3w and w0rmer attacked the Texas Department of Public Safety (www.txdps.state.tx.us) although they didn’t dump any sensitive information. The Dallas Police Department and Texas Police Chiefs Association had previously been hacked.

In the third breach, the web site of the City of Mobile Police Department in Alabama was attacked by CabinCr3w, Kahuna, and w0rmer. In a statement accompanying a limited and redacted data dump, the hackers write:

We at the Cabin have been monitoring your recent racist legislation in an attempt to punish immigrants as criminals. The authorities in the state of Alabama are now able to question people suspected of being in the country illegally and hold them, and officials are able to check the immigration status of students in public schools. We will not idly stand by as this happens. You complain about immigrants costing the state money, however, you do not care about spending the same money to protect your own legal citizens. You say you have no money for immigrants but that’s because you are cutting money from programs everywhere including those which reduce crime. You will be feeding those funds into the soon to be too big to scale prison system. Cutting spending only shifts the cost from preparedness and healthy economy to more crime and suffering. Cutting spending does not cut cost.

[…]

We targeted your police and government servers, and as a result of this journey through the nether of your servers, we have stumbled across a treasure trove of data belonging to people in the state of Alabama. Unlike you, we are not criminals. We believe in protecting citizens’ personal data. Because of your police being lazy when it comes to data security, we have acquired the following information of over 46,000 citizens of the state of Alabama:

Full Legal Names
Social Security Numbers
License Plate Numbers
Date of Births
Phone Numbers
Addresses
Criminal Records

This was not our desire, or our goal. Your police administrators have made a terrible mistake and put the lives of Tens of Thousands of people in jeopardy. Because of the possible cost of lives and money to regular citizens, we are deleting this data and are seeking to make it known that you not only have shown zero regard for immigrants, but for the very citizens that live in the great state of Alabama.

One of the hackers, Kahuna, also pointed out that the department had failed to detect the breach, even days later:

Even if the Mobile Police Department has been busy and didn’t manage to notice that police departments are under cyberattack, why on earth were they storing so many SSNs without encryption?  Although I imagine that the people of Alabama will be more ticked off at the hackers than their own law enforcement, they really should be demanding answers as to why so much personal information was not adequately secured.

As of the time of this posting, the department does not appear to be aware that it has been hacked as the server is still online.  I sent them an inquiry asking for a response to the breach and will update this entry if I get a response.

Update 1: The Mobile PD was notified of the breach by DataBreaches.net via their contact form.  When there was no response and the site was still up hours later, this blogger called them to make sure they understood that they had been hacked and that the information remained vulnerable.

Update 2: As of Friday morning, their site is still online. I hope they have secured the vulnerable database, but have received no response from them to the email and phone notifications by this blog.

Update/Correction 3:  The city claims it was not the police department server that was hacked but the city webmaster’s server and that the database was from an amnesty program. They claim that all the data were public information.  Social Security Numbers?  Really?

Feb 08, 2012

A few more law enforcement-related web sites were hacked this past week, to add to the growing list:

Travis Crum reports that the West Virginia Chiefs of Police Association site was hacked and officers’ data dumped online:

The Federal Bureau of Investigation is looking for the people responsible for leaking the home addresses, home phone numbers and cellphone numbers of every police chief in West Virginia, according to the president of a statewide police chiefs organization.

William Roper, president of the West Virginia Chiefs of Police Association, said his organization’s website was compromised Monday by a group associated with Anonymous, an international hacker group with a stated mission of protecting free speech and fighting anti-piracy laws.

The subgroup, which calls itself “CabinCr3w,” posted the personal information of more than 156 police officers, including current and retired police chiefs, to a public website.

[…]

The hackers also posted the e-mail addresses and usernames of the association’s members. However, they were not able to gain access to the members’ passwords, Roper said.

The group posted apparent passwords for each of the association’s members, but they did not work Tuesday night.

Read more in The Charleston Gazette.

The Dallas Police Department was hacked Sunday.  In a statement on the hack,  CabinCr3w and W0rmer refer to a police officer who was placed on leave last month after he reportedly crashed his car while driving while intoxicated. The hackers write, “The police claim there (sic)  are here to enforce the laws, to protect the people while hypocritically violating them on a daily basis themselves.”  The data dump included 23 userids, e-mail addresses, and plain-text passwords as well as 21 first and last names with employee ID numbers and hire dates.

In Wisconsin, the Wisconsin Chiefs of Police Association web site was hacked Monday by CabinCr3w, Kahuna & W0rmer. They did not dump any personal information but did dump an administrative login and password. Operating independently, another hacker, Visi0nZ, had posted three logins/passwords as well as 540 e-mail addresses from the same organization the previous day.

The hackers note that all police departments should consider themselves targets:

All over the world people are starting to stand up for their rights and fight against the machine. These people ARE people, people with rights, people with the will to stand up against what is wrong in this world, people who are willing to quit their jobs, leave their homes and spend day after day practicing their right to protest and fight against what they are not happy with. These people have come under constant oppression by police departments around the world, they have had their rights stripped from them, their freedom pulled from them and we have had enough of it. We will NOT stand by and watch these public servants that WE pay with our hard earned money, abuse, arrest and torture our people anymore. EVERY police department is at risk, and will remain that way until police departments start taken notice as to whom they work for. They do not work for corporations, bankers, or governments, they work for the people and we are the people. Expect US!

Feb 04, 2012

There have been a number of law enforcement-related web sites hacked since last June. Some of those hacks — like those involving the Arizona Department of Public Safety, BART, International Association of Chiefs of Police, Boston Police Patrolmen’s Association, Baldwin County Sheriff’s office in Alabama, Coalition of Law Enforcement and Retail (C.L.E.A.R.), the California Statewide Law Enforcement Association, and the New York State Association of Chiefs of Police — have previously been noted on this blog. But there has been a new rash of such hacks this past week:

Police Department Hacks

One of the hacks this week involved the  Salt Lake City Police Department. I reported on that hack earlier this week.

In addition to SLCPD, the same group of hackers also attacked the Syracuse Police Department; 39 usernames and plain-text passwords were dumped on Pastebin.  Brian Skoloff and Denise Lavoie of Associated Press report that the individuals are those who have the ability to alter the web site. Connellan also stated that no private information about officers or citizens was accessed.   In a statement accompanying the data dump, the hackers, @CabinCr3w and @ItsKahuna on Twitter, indicate that the department was targeted because of its handling of allegations of sexual abuse by Bernie Fine:

Targets: Texas PD and Syracuse
Why: Insufficient effort
———-Evidence:
http://www.syracuse.com/news/index.ssf/2011/12/former_auburn_police_officer_n.html
http://usnews.msnbc.msn.com/_news/2011/11/29/9095160-syracuse-police-knew-of-sex-abuse-allegations-against-coach
http://fur.ly/0/Moreofthesame
Judgment: We must troll you

The Texas Police Association was also hacked, reportedly because it provided paid leave to an officer who allegedly had child pornography on his computer. In the same data dump, the hackers write:

Dear Texas Police Dept,

Paid administrative leave should be reserved for injured cops, cops with pregnant wives, and cops who declare themselves conscientious objectors to a raid. Not a kiddie porn collecting cop. It looks as if Texas PD hasn’t improved since the cousin of the PD, the Texas Youth Commission was caught with rape rooms.

The data dump posted by the hackers included 787 police officers’ names, usernames, plain-text passwords, agencies and addresses; some of the addresses were reportedly home addresses. In response to the hack, Erwin Ballarta, Executive Director of the Texas Police Association, was quoted as saying, “This is very serious, not just from the standpoint of law enforcement, but for every private citizen out there as far as their privacy.”

Yesterday, one of the hackers involved let the TPA know that they still had not adequately secured their site:

The reasons behind the defacement of the City of Newark and Newark Police Department sites were not as clear in terms of specific impetus, while the defacement of the Boston Police Department news site (BPDnews.com) indicates a continuation of animosity over the treatment of protesters in the Occupy Boston movement.

Hackers also released an audio file of a conference call between the FBI and Scotland Yard in which the participants discussed Anonymous-related prosecutions. The call reportedly took place on January 17.  How the hackers obtained the file is a matter of significant interest. Were they actually on the call or intercepting it, or did they somehow acquire a copy of the audio file that someone had downloaded? They  published an e-mail they had obtained that provided the date, time and password needed to access the call, raising the tantalizing question as to whether they were on the call.  The FBI is investigating the incident.

Lawyers

Police departments were not the only law enforcement-related sites hit this week in the U.S. The law firm of Puckett & Faraj was also attacked over the Haditha killings of civilians. This week, the Marine who was the leader cut a deal that essentially means no one has been tried for murder. In a tweet concerning the hack, @Anon_Central announced:

Another lawyer, Vale Krenik, was also attacked, and numerous documents from his files were also dumped publicly. In a statement accompanying the data release, @CabinCr3w, @Doxcak3 and @itsKahuna write, “We have taken notice to your blatant disrespect for your title as a lawyer, you have abused your power as a lawyer and used it for anything but good. … again when cries arent heard Anonymous steps in.”

Non-U.S. Hacks

The hacks are not confined to U.S. agencies. In the U.K., www.police.co.uk was hacked by @just_network,  who dumped 17 names, usernames, and plain-text passwords for members of the Grampian Police on Pastebin.  In response to a query by this blogger as to whether other police department subdomains of that site had also been hacked, @just_network replied, “Yes, I did. :),” but offered no explanation as to why he or she had dumped the Grampian data. Nor did @just_network respond to a query as to whether other departments’ personnel information would be dumped.

And in Greece, the Ministry of Justice took its site down after hackers defaced it with a video.

Comment: 

Frankly, the hackers are making law enforcement look foolish and/or incompetent in terms of their web site security.  Although many of these hacks have not resulted in public dumping of personal information, some have, and even those that haven’t have resulted in personal information being in the hands of  others.  Those who suggest the hackers are bluffing when they claim to have acquired data are needlessly increasing the risk that personal data will be exposed on the Internet.  In the case of the SLCPD, such suggestions are also disingenuous because this blog notified the SLCPD earlier in the day that the hackers had announced that they had deleted all the data after it was suggested to them by this blogger.

All law enforcement agencies have been aware that they are being targeted since last year. Isn’t it time for them to do a better job of securing their sites? Although it’s commendable that in many cases, these public-facing servers do not provide access to the departments’ more sensitive files, can any citizen feel safe providing crime tips through a web site if the departments cannot really protect the privacy and security of the submitter’s data?


Feb 03, 2012

Hacktivism raises all kinds of ethical issues.  In an unusual move, hackers responsible for the hack of the Salt Lake City Police Department have deleted their copies of some of the files they had acquired from the PD’s web site.

In announcing the hack on Tuesday, the hackers  known as Kahuna and CabinCr3w indicated that their motivation was a bill proposed in the Utah legislature by Sen. Karen Mayne that would have criminalized possession of graffiti tools with the intent to deface property.

Although they acquired files containing citizens’ personal information, the hackers did not dump any of those data on the Internet, repeatedly asserting that they would not dump it and had no desire to do anything that would harm “innocents.”  A paste with over 1,000 officers’ names, usernames, titles, e-mail addresses, and hashed passwords was publicly dumped, however.

The bill, SB 107, was defeated in the Utah Senate yesterday by a vote of 11-17.

This morning, this blogger asked Kahuna whether they would consider deleting the files in light of the Senate’s action.  Shortly thereafter, the hackers agreed to delete the files they held that contained information from those providing crime tips or other information. Their decision was announced on Twitter:

I contacted the Salt Lake City Police Department to ask for a response to this latest development but have received no response by the time of this publication.

Although one of the hackers indicated to DataBreaches.net that they realize that the press and others may not believe their statement that they have deleted files, they reiterated to this blogger that they would not have dumped the data under any circumstances.

DataBreaches.net commends them for not needlessly exposing personal information and for not retaining data that they no longer need as proof of hack.

I realize that there are many who will say that their ethical action doesn’t matter and that they engaged in criminal activity by hacking the SLCPD, but I think it’s important for hacktivists to consider whether they, too, should be showing the kind of restraint Kahuna and CabinCr3w displayed by not needlessly exposing uninvolved individuals’ personal information and by deleting it when it is no longer needed as proof of hack.
