Law enforcement agencies must behave as if lives depend upon the security of police computer networks, because they do. Agencies simply must understand that poor network security is something which poses immediate and great risk to officers, witnesses, confidential informants, suspects, ongoing investigations, and all those at other agencies with whom we share information, on local, county, state, tribal and federal levels.
Our point is simply that law enforcement agencies can no longer afford to act as if network security is a low-priority. And they must recognize that no one is immune to stupidity or bad security. No one.
Among the things we’re looking at over here at PLI is the complete shambles that is security on police networks. You’ll remember that we covered the basics back in some of our early podcasts (here and here for example) and we’ve spoken about it at conferences. Now we have an opportunity to go a little further, with the recent attacks against law enforcement computer systems.
It started, as we mentioned last week (before I went on vacation) with attacks by the LulzSec criminal hacking group on websites controlled by InfraGard. The response by some InfraGard groups was to shut down their sites until they could beef up security.
Yesterday, Lulz upped the ante, with a press release entitled Chinga la Migra (consult your Spanish-speaking resources – this is a family-friendly blog, but the phrase is a disparaging remark about immigration officials) in which the group announced that it had infiltrated the network of the Arizona Department of Public Safety.
LulzSec said in the release:
We are releasing hundreds of private intelligence bulletins, training manuals, personal email correspondence, names, phone numbers, addresses and passwords belonging to Arizona law enforcement. We are targeting AZDPS specifically because we are against SB1070 and the racial profiling anti-immigrant police state that is Arizona.
The documents classified as “law enforcement sensitive”, “not for public distribution”, and “for official use only” are primarily related to border patrol and counter-terrorism operations and describe the use of informants to infiltrate various gangs, cartels, motorcycle clubs, Nazi groups, and protest movements.
We won’t comment on the value of the intelligence leaked (there is a good analysis available at BoingBoing, but will comment that it is highly distressing to see many entries such as this (redacted) one:
Steven XXXXXXXXX #XXXX
Highway Patrol Division
Address: 84## S. XXXXXXXXXXXX, XXXXXXXX, Az #####
Wife: Sxxxxxxx XXXXXXXX ([and her personal email])
Cell phone: 928-###-####
Home phone: 928-###-####
While LulzSec is carrying on like this, and despite a high-profile arrest of a purported member of LulzSec, others in the group are mocking efforts to capture them. Certainly this is a geographically and organizationally distributed threat which will make a law enforcement rollup problematic. Speaking of this, today The Guardian (UK) published an analysis, in which it states
LulzSec is not, despite its braggadocio, a large – or even coherent – organisation.
(read the original chat logs, upon which the Guardian’s analysis was based, here)
As this story was still breaking, the hacking group Anonymous posted to its twitter account:
The post pointed towards a page claiming to be a list of information about officers from Peru’s National Police force.
What Is To Be Done?
We’re riding the line here: we’re unwilling to provide information of use to criminals seeking to attack. We’re similarly hesitant to remain quiet while agencies around the country continue to ignore the issue. Dave has always asked our podcast guests how common are the threats facing network security, and all our guests and I have said that the attacks are constant, constantly evolving. The attacks on AZDPS are only the first in a series.
We’re working on how to give specific advice that goes beyond the usual crap spewed by pundits on CNN, and get to some down and dirty specifics. If you are an agency just thinking about this now, you’re years behind. We want to help you recover, fast.
This is not just a question of new passwords. This is a question about device configuration, policy and management, of Internet policies, of policies about use of MDTs and other mobile devices; cell phones, tablets etc. It is about sensible and sustainable policies regarding officers’ use of social media. It is about fundamental network configuration and management, and an awareness of the issues.
What We Are Doing
Dave and I have now committed to talking about these issues as often as we can: on the blog, on the podcast (when we get that back up on the air); at LawOfficer.com and in Law Officer Magazine, at conferences…Anyplace we can discuss it.