While there is lots of news reporting about the attacks against a server hosting the websites and files of more than 70 US law enforcement agencies over this past weekend, in lieu of saying, “we told you so,” we thought we would look at some of what happened to provide a learning experience from it.
Please see our post from last month, “Top 5 Things Cops Must Do To Secure Their Networks. Now.”
First, for those who have not heard, hackers supporting the criminal movement Antisec (it is likely that there is overlap between those making this post and members of the hacker groups calling themselves Anonymous and Lulzsec) have posted files they say come from their successful exploitation of a computer server hosting law enforcement data.
Note: The last paragraph has been updated to clarify and correct. In earlier versions, we called Antisec a group; movement is more accurate. Thank you to a commenter, below, and two others who wrote us to correct our characterization.
The group describes the attack as retaliatory:
In retaliation to the unjust persecution of dozens of suspected Anonymous “members”, we attacked over 70 US law enforcement institutions defacing their websites and destroying their servers. Additionally, we have stolen massive amounts of confidential documents and personal information including email spools, password dumps, classified documents, internal training files, informant lists, and more to be released very soon. We demand prosecutors immediately drop all charges and investigations against all “Anonymous” defendants.
In addition to the obvious cyber security issues, which we have previously addressed, there are some serious security concerns here which must be taken seriously.
Let’s put the citizenry first: Antisec said that it is releasing a “list of hundreds of snitches who made ‘anonymous’ crime tips to the police.” As we said earlier, defending those who come to the police for help is a primary mission-critical priority of police agencies. We have failed.
Second, the group said that it has taken “Hundreds of internal police academy training files.” I could make some sarcastic remarks but the fact is that basic police tactics, strategies and training materials are now in the hands of criminals.
Third, the group claims that the data also “contained jail inmate databases and active warrant information.” These are public record, and ironically, the group is redacting the name and address info in them to “demonstrate how those facing the gun of the criminal injustice system are our comrades and not our adversaries.”
Finally, we point out that releasing the names, addresses, Social Security Numbers, telephone numbers and credentials of hundreds and hundreds of law enforcement personnel is of tremendous concern to law enforcement and to the citizens these officers are sworn to protect.
I give a real example here:
#### Hwy. Y
Gerald, MO 63037
That entry comes from a paste dump which contains almost a megabyte of data it says was taken from the Missouri Online Training Academy database (mosheriffs.com; the site was down as we went to press, but you can view a cache from Google).
In this dump, we see some very horrible things.
First of all, after a rough overview of the file contents by PLI today, it seems that most of the cops listed used stupid passwords of the sort every fifth grader is warned not to use. We saw:
- Simple English words (my favorite is “underpaid”, but “doggypoo” is a runner-up)
- Proper names (like “amanda” – I bet you a 12-pack of ice-cold Dr Pepper that that is the guy’s wife’s or child’s name. Same for those guys whose passwords are “hailee”, “junie”, “charley”, “jennifer”… you get the idea.)
- Sequential numbers (“123456” was the password of one guy, who had a .mil address – we understand that the military knows something of security, so this is doubly galling. Either the guy didn’t know better, or decided that since law enforcement networks are not classified, they’re not important. Either way, shame on him)
- Many, many people using their name and badge number: “Deputy508”; “lt102”. Oh, and the officer whose password was “trooper”.
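An added example, not part of the original post: a check an agency could run when a password is set, rejecting the four patterns listed above. The function name, the parameters and the tiny word lists are assumptions made for illustration; the sample passwords are the ones quoted in this post.

```python
import re

# Constructed stand-ins: a real deployment would load a full dictionary and
# breached-password list rather than these few entries.
COMMON_WORDS = {"underpaid", "doggypoo", "trooper", "password"}
GIVEN_NAMES = {"amanda", "hailee", "junie", "charley", "jennifer"}
ROLE_WORDS = {"deputy", "lt", "sgt", "cpl", "trooper", "officer", "sheriff"}


def _is_sequence(digits):
    """True for runs such as 123456 or 987654 (every step +1 or every step -1)."""
    if len(digits) < 4:
        return False
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def weak_reasons(password, first_name="", last_name="", badge=""):
    """Return the policy violations found in a candidate password (hypothetical helper)."""
    pw = password.lower()
    letters = re.sub(r"[^a-z]", "", pw)   # alphabetic part, e.g. "deputy"
    digits = re.sub(r"\D", "", pw)        # numeric part, e.g. "508"
    # Names to reject: common given names plus the account holder's own.
    names = (GIVEN_NAMES | {first_name.lower(), last_name.lower()}) - {""}
    reasons = []
    if letters in COMMON_WORDS:
        reasons.append("dictionary word")
    if letters in names:
        reasons.append("personal name")
    if _is_sequence(digits):
        reasons.append("sequential digits")
    if (letters in ROLE_WORDS and digits) or (badge and badge in pw):
        reasons.append("rank or badge number")
    return reasons


if __name__ == "__main__":
    for candidate in ["underpaid", "amanda", "123456", "Deputy508", "lt102", "trooper"]:
        print(candidate, "->", weak_reasons(candidate, badge="508"))
```

An empty list means only that none of these four patterns matched, not that the password is strong.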
We’ll say again: this is serious. It must be taken seriously. Or your stuff will be taken at great risk to you, your family and loved ones, and the people you protect.
Later in the day Monday, apparently in response to public statements made by a sheriff’s officer representative in one of the news stories we linked to above (which claimed that the “most” the hackers got was email addresses and no sensitive information or documents), a new pastebin dump was published with further purported personal information on the spokesman and his family, and purported copies of his email communications.
Having been contacted by several people sympathetic to the motivations and/or acts of Anonymous, we’ve decided to open this conversation to the views of some of these writers. We believe truly in freedom of speech, and therefore welcome the discussion. Discussion, mind you, is not a rant, and is not random propaganda or someone’s manifesto. We’ll say if you’d like to join the conversation, let’s do it, and if we disagree let’s not be disagreeable. We reserve the right to edit comments, or not use those we reasonably think are just shouting, threatening or generally being mean.
First, let me say that I had an interesting discussion with one guy who wrote saying that he agreed with Anonymous’ point of view and tactics. I replied that I agree that governments and agencies should be totally accountable to the people. I’m on record saying exactly that. I use the term “criminal” when laws are broken. I disagree with methods and tactics that break the law. My posts have been telling cops that they have a duty to protect the people they have sworn to protect by taking care to secure their networks. Criminal activity on the part of the police is as unacceptable to us as any other. I sent this to the commenter, who said that transparency ends when police shoot unarmed civilians without provocation (something I agree with as well).
But let’s get back to the legal argument. We disagree with breaking the law and intruding into networks.
Part of our commenter’s response:
To just remind you, people were arrested in the civil rights movement for doing sit-ins. They were illegal. Today, they were seen as an important part of gaining the civil liberties minorities deserved. Anonymous, for the most part, is taking that idea into the digital setting. They are cramming the CIA website with so many “users” that no one else can get access.
There is also a very BIG (but yet legally recognized) difference between one person with a botnet (zombie computers) attacking a site, and 6000+ individual users crashing a website. That’s 6000 voices saying “this is not right” and making their voice heard.
Anonymous works in legal ways too. Did you catch their recent spanking of PayPal/eBay for refusing to take donations for WikiLeaks? In case not, they told their Twitter followers to close their PayPal accounts in protest. Last count (and the most accurate they could find) was in the first day alone, they had 45,000 accounts closed. It got so bad that PayPal took the option to close your account online off their website, requiring you to speak with a service rep. Even then, the cancellations didn’t stop…
…But no one takes notice of that. There was minimal reporting on a successful, legal attack on PayPal. But as soon as they go after the police sites, or Sony, or any other group in a DDoS fashion, it’s headline news. Sometimes, the bad press is better than the legal path with no press.
Well, that’s a well-written, respectful and respectable point of view. I happen to disagree but in fact, think it proves my point. I wrote back:
We totally support the legal action taken in encouraging people to close their accounts at PayPal. That is participatory democracy and the market speaking louder than anything. That is what I fight to defend, the rights of people to act like that. The attacks against cops? I don’t support that, because I’m a good guy, I obey the law, I protect people and everyone I work with does as well. I know that, like last night, the girl who fainted at the church concert, and the woman who crashed her car, are better off for my being there than they would have been. My argument to what you say is that because your ability to express yourselves legally is so compelling … that I don’t understand the resorting to the illegal. Who cares what the media finds intriguing? Anonymous’ power is clearly not vested in media opinion, but rather that of the people it influences. If you look at the cause I think you will see that you do more good legally than illegally. Just my opinion.
There are some more comments below, and we will look at each as they come in, adding those which continue the discussion in a constructive and respectful manner.