Texas Law Enforcement IT Hit by Criminal Attack, Data Breach

Posted on 2 September 2011 by


On 1 September 2011 a cache of some 3GB of data stolen from 28 current and former Texas Chiefs of Police and other police personnel was released on the Internet by people associated with the criminal hacking group known as Anonymous.

Among the data were personal details about the chiefs themselves, their credentials to a range of law enforcement and non-law enforcement systems and resources (including banking and income tax forms, online tax and financial records, and pornography sites), and the uncensored contents of their personal and work email accounts.

We know that some of the victims made life incredibly easy for the criminals; for example, some passwords were stored in text files. Thus, when a bad email password was compromised, the hackers got a trove of accounts to play with.

It’s been said that each password recovered from among the 28 victims – the AP reports that one was a former Houston officer mistakenly identified by the hackers as a current Houston Lieutenant – was worked to death; under the reasonable and correct assumption on the part of the hackers that the passwords were being used repeatedly, it was simply a matter of testing out things like eBay and Amazon and adult sites, as well as plumbing the depths of the agencies’ internal systems.

We believe that these attacks – like the other attacks on law enforcement throughout the country in the recent past – were preventable, and that the damage could have been limited by basic protections of the sort taken for granted by those in industry and in state and certainly in federal government.

We’ve written at length about this – taking the trouble to point out how serious the consequences of failure to defend police networks are – and will continue to work behind the scenes and publicly to educate law enforcement on the dangers of bad security – of which, in fact, all of us are guilty.

We’ve said before and will say again here: everyone is hackable, everyone has done stupid things. We don’t necessarily blame those victims for their bad security.

We do blame agencies which do not heed the warnings and lessons of these attacks.

As a guide, we recommend that the hacked agencies focus not on the highly embarrassing public release of personal email, lite-pornography and racist jokes.

You’re embarrassed already; moving quickly to attempt to redact what is already in the public domain is futile.

Instead, we recommend that you focus on investigating the extent of the damage caused, and on sanitizing infected and compromised systems and securing them in a way which has a chance of preventing a repeat attack.

If you think they’re done, you’re mistaken. If you think that because your agency was not included in this wave of attacks you are safe, you are similarly and dangerously mistaken. The number of compromised credentials is still unknown, as is the number of compromised systems. Last night the Texas Police Chiefs Association website was re-attacked, because those “fixing” the defacement merely replaced the defaced files, leaving the compromise on the server in place.

They’ve told you to “expect” them. We’re curious as to why people don’t.