Another AZDPS Breach; Defending Police Networks

Posted on 29 June 2011 by

2


Last week we talked about the need to secure police networks. This week the dicsusion will continue, but first we should note that it appears the Arizona Department of Public Safety has suffered another breach – or at the least, that a second tranche of stolen documents has been published.

The second tranche, which we have not yet reviewed, purports to contain highly personal documents and details about officers at the AZDPS.

The file names are telling – things such as

"Addresses for Wedding - Baby Shower.xls"
boys,dogs,xmas2007 016.jpg
Ride and rachel face 013.JPG
Scanned Mortgage Documents.pdf

would presumably contain the personal information and images about and of police personnel and civilians.

What makes me hopping mad is the fact that such files could exist on a police network at all. This is an affront to common sense and a breach of all security considerations.

Of course, this kind of crap exists on our machines as well – don’t get me wrong.

I’ve heard commanders at agencies around the country stating that the biggest complaint their patrol officers have is that, “You can’t get Angry Birds on the MDT”; and I know that in some agencies, “secure” computers (such as those used to connect to NCIC) are running unauthorized software.

Police agencies routinely ignore even the most fundamental of security safeguards, using un-protected WiFi hotspots that connect back directly behind the firewall of the network.

I wouldn’t trust any single document important to me to reside on a police network – I assume it’s been compromised as soon as it is created.

Like this:

Right now, as you read this, there are cops out there thinking that I am releasing sensitive information, but the fact of the matter is that the only people who believe that this is sensitive are those who have refused outright to educate themselves about the real and prevelant security threats out there, who refuse to acknowledge that these threats must be addressed.

If we don’t discuss this, the only people confident that they are secure are the ignorant.

And let’s make no mistakes about the cost of wrong here: these computer criminals not only don’t care about you and your family, they actively wish you harm.

From today’s release:

Yes we’re aware that putting the pigs on blast puts risks their safety, those poor defenseless police officers who lock people up for decades, who get away with brutality and torture, who discriminate against people of color, who make and break their own laws as they see fit. We are making sure they experience just a taste of the same kind of violence and terror they dish out on an every day basis. Our advice to you is to quit while you still can and turn on your commanding officers before you end up in our cross hairs next, because we’re not stopping until every prisoner is freed and every prison is burned to the ground.

Are their goals stupid? Sure. To quote a rightfully popular tee-shirt, “Don’t like the cops? Next time you’re in trouble, call a crackhead. But whether these goals are stupid, the means by which these loosely affiliated groups are striking is undeniably dangerous.

And unfortunately, undeniably easy.

Yesterday the Department of Homeland Security, through discussion with a journalist at InformationWeek, made local-news-anchorman-sincere statements about how important this is. Their response has been to publicize the list, from think-tanks SANS and MITRE, of the “CWE/SANS Top 25 Most Dangerous Software Errors“, which builds on the Common Weakness Enumeration and therein you can see the immediate problem: common weakness enumeration?

Are you forkin’ kidding me? Why not put it in Serbo-Croat?

You’re targeting people who don’t know that an unprotected, unencrypted WiFi hotspot leading into the core of a police network is a bad idea. You’re going to enumerate the twenty five most dangerous software errors? Good luck with that, mate, let us know how it’s working out for you.

In my agency, we use reasonably good password conventions, have reasonably good segregation, run reasonably decent anti-malware, use intrusion detection and prevention, have a firewall, and reasonably cover the most basic of security safeguards, so I believe that we are, say, three to five seconds more secure than the agency down the street from us. As Josh Corman at The 451 Group reminds us, “you don’t have to swim faster than the shark, you have to swim faster than your friend.”

But most of America’s smaller – and even some of the larger – agencies are woefully unprotected by even the most basic of protections. This is stupid and short-sighted.

This week we will discuss some basics, and give links to some resources. Stay with us.

[The dog days of summer came early this year; I’ve been on vacation and Dave has spent the past few weeks in various trainings, this week being mobile device forensics (something he’ll be writing about, no doubt, here). But we’re just getting back into the swing of things]