Pre-Pwn3d Websites

Posted on 4 May 2011 by

0


Recently, a professional security researcher named Kevin Finisterre published a paper which has opened some eyes in the vendor and law enforcement communities. It’s entitled Owning a Cop Car and it covers in highly specific detail how Finisterre and his team were able to access, for no money and with no special equipment other than a laptop and some basic understanding of how networks and stock-standard software like Telnet an FTP, a police dash-cam.

Not only were they able to access a dash-cam, they were able to access the dash-cam of a moving squad car, and download streaming and stored video from that camera. When contacted, the vendor denied that there was a problem, told Kevin that what he described is “impossible” and generally behaved badly.

If your blood just chilled a little, you’re understanding the issues.

We at Police-Led Intelligence obviously have a cyber- and technology-bias, but Kevin highlights exactly the kind of problem which is so blatantly important that we’re having a hard time figuring out where to start commenting on it. It’s too much, we think, to cover entirely here.

Today we’ll focus on the first of what will be many articles on law enforcement technology by starting where most people first come into contact with it: The Agency Website. This article ran earlier in the year, but we’ve reprised it here because our audience is now bigger and because Kevin’s hack and the publicity surrounding it brings attention to the issue once more.

In my travels around the country and the Internet, I run across a lot of police department websites of the sort that allow me to conclude two specific things about the agency.

  • One: Somehow, someone in the agency convinced the powers-that-be that having a website is a great idea; but
  • Two: Not such a great idea that anyone would free up funds to make the both fully functional and reasonably secure.

Put another way, the agency sees the advantages of the website (public outreach, community relations, transparency, enhanced dialogue with constituents, a platform from which to address the people, etc, etc) and the agency doesn’t feel it can justify the expense of paying for a well-designed, properly coded site.

Not only is it possible for this to occur, it happens all the time.

This is a growing problem. This ties into another topic that we’ve been considering around PLI central, and which will be covered in a podcast on securing police networks.

Why This Is A Problem
First, citizens within your jurisdiction in increasing numbers check online first – before anything else – when they have questions. An unprofessional 90′s looking website, with frames, blinking text, “hit-counters” and outdated information like, “Welcome to our new, updated home page on the Information Superhighway! Coming soon, you can send short ‘electronic postal messages’, or ‘e-mail’ to the Chief!” tells your constituents that you just don’t get it, or you just don’t care.

Either way, it’s not good.

Second (and for the purposes of this post, more important), you’re probably creating some serious security holes. Here’s a way to discover if that’s true: when security researchers and criminals take down your site and you don’t know about it until they call the media? You’ve created some serious security holes.

A recent example in Kenya demonstrates this well. When hackers and security researchers put discussions of the vulnerabilities on your website and discussion of the fact that there seems to be no one to talk to at your agency about it, your serious security holes are being exploited by people around the world.

Don’t think for one second that this can only happen in Kenya. It’s happened, for example, in Bedfordshire, England and, perhaps more embarrassingly, the UK’s Crime Reduction Website. It’s happened in Dallas. In fact, it’s happened quite a bit around the world.

The Cost Of Wrong
If you’re wrong about the security of your agency website, and you’re hosting it yourself (as is often the case when budgets are tight) then by hosting an insecure website you grant access to your network. Anything you can see can be seen by intruders.

If you host your site on a virtual server somewhere in the cloud, then the damage is mainly reputational – unless you also use your web server as a file server, counting on security through obscurity to defend against intruders downloading your information. If you maintain an “officers only” public Internet site (and you shouldn’t) then any information on it should be considered compromised.

Obviously every situation is different, but my point here is that this requires thought, planning and money to do right. If you do it wrong, you’ll be at least the second person to know about it. Often through the media.

My friend Dave has a great and reliable metric for security. “If you’ve spent more on your user interface then you have spent on security, your security sucks.”

Final Word
While I was writing this, a friend from the information security industry asked me, after his mouth dropped open when I described some of the police websites I’ve seen, how this could possibly be. I don’t think it’s lazyness or stupidity, but rather a range of reasons on a continuum from:

  • a) A police website is not mission-critical, but money is zero-sum (a dollar spent here is a dollar not spent there): therefore we won’t pay for some website at the expense of training/salary/maintenance; to
  • b) “My nephew made the, whatayacallit, homepage for his fraternity/club/band/Bar Mitzvah, so why would we pay some slicksters when he can do it for a lot less money?”; to
  • c) As long as it doesn’t cost anything, go right ahead and have fun with your little Facebook.

The value to the agency of a competent, professional online presence is incalculable, though I will be speaking at the SMILE Conference in Chicago in April, where a lot of people will be offering some pretty specific metrics for success in this field.

Stay tuned.