Third Breach of AZ police data: Attacks Become More Personal

Posted on 1 July 2011 by


The criminal hacker groups responsible for attacking and releasing information from police websites and computers in Arizona have released a third tranche of data.

As the releases have come, they have become more personal. The criminals are now threatening to bring in more black hat hackers to exploit the released information.

For the third knockout blow against Arizona law enforcement, we decided to get destructive. We’re defacing eight AZ Fraternal Order of Police websites and releasing a master list of over 1200 officer’s usernames, passwords, and email addresses. Additionally we are leaking hundreds of private FOP documents and several more mail spools belonging to FOP presidents, vice presidents, secretaries, a police chief, and the FOP Labor Council executive directory and webmaster whose insecure web development skills was responsible for this whole mess. We’re doing this not only because we are opposed to SB1070 and the racist Arizona police state, but because we want a world free from police, prisons and politicians altogether.

In this batch of emails we found more racist email chain emails, including Springerville’s police chief Mike Nuttal forwarding jokes about torturing “ragheads”. FOP president Brandon L Musgrave was also forwarding anti-muslim emails while also purchasing large amounts of guns, so we’re dumping his paypal and credit card information as well.

As usual, Gizmodo provides good and fast analysis of the breach, showing scans of emails which if genuine are highly embarrassing. Email discussions of how to respond to the breaches themselves, racist and simply inappropriate personal comments about President Obama and immigration policy are among those shown by Gizmodo.

Now, believe me, if you’re a racist or acting inappropriately I don’t seek to cover your butt when I say once again that personal stuff of any kind has no place on a police network. I have no idea whether the stuff coming out is actually from these officers and I make no judgment about them. But we’ve been discussing the need to secure police networks through policies, technologies and processes, and we will continue to do so. It’s a little unclear how much more pressing is the need to do this than to see personal information of police officers (I speak of their passwords, user names and personal data here) floating around out there.

I’ll be speaking on this subject at the SecTor Law Enforcement Operations and Forensics Training track in Toronto this October.

This frank, aggressive talk discusses how law enforcement agencies currently view network security, and why that view sucks. For many years, law enforcement agencies have managed to squeak by without suffering the consequences of terrible patching, stupid provisioning, undeclared network policies and general ignorance when it comes to security. With attacks against government-owned networks on the rise, and the wealth of information stored on police networks, it’s only a matter of time before agencies fall victim to concerted, targeted attacks by organized criminals, gangs and paid hackers. What is to be done? We can start by removing our heads from our butts.