I’m putting together the presentation I’m doing next month at the SecTor Conference in Toronto, and all sudden-like, a post comes across the IACA mailing list about building police department websites.
We’ve spoken before about this, but since the rash of attacks against law enforcement, I think I need to speak a little louder.
First, though, let’s all listen for a few minutes to the man we’re nominating as the Poster Child of The Guy Not To Hire To Build Your Police Website. Scott Swain was the coder and web-hoster of the website of the Texas Police Chiefs Association. That site was defaced on 2 September but hacked some time earlier by criminal hackers as part of the Texas Takedown Thursday breach.
We’re not suggesting that Scott Swain is a bad website builder or hoster, but we are suggesting that some of his comments in a post-hack interview indicate that, while perhaps inexpensive, he’s certainly not the kind of programmer who, in our opinion, exhibits an appreciation of the details peculiar to a law enforcement application.
This is not a hit job on Swain (we don’t know him, and have nothing against him – in fact, some of the sites he’s worked on are pretty sharp looking). Our comments are specifically about finding coders and contractors who understand the job of providing web presence to cops, and also informing how cops and administrators think about their web presence.
As we wrote in May, many agencies see the advantages of having an Internet-facing website (public outreach, community relations, transparency, enhanced dialogue with constituents, a platform from which to address the people, etc., etc.), but many agencies don’t feel they can justify the expense of paying for a well-designed, properly coded site. Therein lies the cause of the biggest mistake made by law enforcement agencies with respect to their websites:
“Oh, it doesn’t matter. Everything on that website is public anyway.”
You’ll forgive me but that is hogwash. If we look at the recent Texas Takedown Thursday attacks (note: 17 days after the hack, the site is still down), a substantial amount of information leaked out of the server that was hosting the website which a) shouldn’t have been there and b) was incredibly damaging from both a personal standpoint (just ask some of the chiefs whose Adult Friend Finder-type account details were leaked) and from a law enforcement operations standpoint.
Here then, are a few of the points made by Swain which stand out.
Didn’t Know It Happened
The first thing we noticed was Swain’s comment that he discovered the breach hours after it happened when someone he didn’t know called him to tell him it was all over Twitter and Facebook and that “thousands” of people had seen it. He was unaware of the status of his own server.
Didn’t Know What Happened
When asked about the technical details of how the breach occurred, Swain says, “I’ve not figured that out yet. They covered their tracks very well.” That’s an honest answer, and he should be commended for it. In our opinion, though, he certainly does not appear to be losing any sleep trying to determine what happened so that it doesn’t happen again.
Didn’t Know What To Do When It Happened
What we do know is that more than three hours after the first defacement occurred, Swain (or someone) went into the server and put the original site’s “Technical Difficulties” page up, but did so without fixing the underlying problem. This led to a re-defacement of the site an hour later.
Is that a security problem? Yes and no. The leaked data had already been leaked, so it didn’t make the problem worse.
But it made everyone involved look even more like boneheads (and there was plenty of that to go around the first time).
“I’m Not A Security Expert”
Swain rightly says that he is not a security expert and states that he never made any security claims. This is likely true and a big part of the problem: I would bet you an ice cold Dr Pepper that no one asked him about security. That’s not Swain’s fault. Swain rightly points out that many sites which have had the benefit of consultation by security experts have fallen. We have pointed out here many times that everyone gets hacked. In July, we wrote:
In failing to secure your computer networks, there is a clear danger to your officers, your citizens – those you have sworn to protect. Their names, addresses, descriptions, personal identifiers, photos and intimate details are often stored – often contrary to guidelines and common sense – on police networks.
This is not to say, “We told you so”, but to measure that statement against ultimate reality, please take a look at what was released in the Arizona (and Arizona and Arizona breaches), Texas and Missouri hacks.
One important thing is to make sure that your website doesn’t allow people to run code on it and thus take it over. The trick, the art, the science, is validating input, using valid code, and understanding the environment you create. That sharp looking website that Swain made looks great, but there’s a difference between looking great and being properly coded. That website isn’t even using proper XHTML – it’s using old fashioned HTML, with tables and not style sheets for layout, and it’s doing that poorly, too.
Coding is hard
We have quoted Dave Aitel before and do so again here:
“If you’ve spent more on your user interface than you have spent on security, your security sucks.”
Listen, it’s hard to code even HTML right. Validating this page on the W3C Markup Validation Service from our site will result in 18 errors. If we’re not paying attention to the HTML, we’re almost certainly not paying attention to the underlying database code. It’s just sloppy. However, there is a big difference between our site and a police agency’s:
First, PLI is a non-mission-critical, non-law-enforcement website.
Second, the nice people at WordPress are contracted to fix security errors as they occur, and they generally monitor and stay alert to vulnerabilities in their code. Not to protect us, you understand, but to protect their business. They have skin in the game.
So we’ve outsourced the problem to them and conducted an informed risk:benefits analysis and decided that the stakes are low enough to let them make their errors. When this site gets hacked it will be inconvenient, annoying and troublesome, but no one will be hurt or die or have their credit compromised because of it; no complainants or rape or domestic violence victims will be publicly named.
You should either insist that your contractor give you code which is valid and well-written, because it is an objective measure of quality, or you should be able to state honestly that you’ve conducted an informed risk analysis.
What To Do
In March we published an article showing how organizations can become stronger once hacked. In May, we published an article describing why police websites are important to defend. In July we listed the top five things that law enforcement agencies must do to defend their networks.
Now to that body of work we’ll add just two more rules:
When you’re making a website, hire professionals with ethics and experience in dealing with information security. This does not mean that you won’t get hacked. It does mean that it will make hacking your website less trivial, and that the scope of what is released when you inevitably do get hacked will be narrower.
Ask questions of your contractor. Swain stated that he believed that some of the goals of the hackers were “beautiful”, but that their methods are not “necessarily” in line with what he thinks. He has been, in the past, an activist promoting (laudably) non-violence. In summing up the harm Anonymous has caused, he refers only to the damage caused by this hack to his small business, and does not mention the damage caused by leaking the personal information of first responders.
Before you hire someone to code your law enforcement website, ask questions. Does your potential coder generally support law enforcement? Are they anti-government? Do they understand the sensitive nature of LE websites and their unique needs when compared to, say, a salon? Do they believe that supporting the police is tantamount to supporting corruption? Are they activists themselves?
Asking these kinds of questions up front can help you identify a coder who understands the nature of the assignment, and who is not likely to say publicly that he agrees with the motives of the criminals who brought you down.
Let me be clear: we here at PLI believe that law enforcement officers are answerable to the public and must be held to the highest ethical and legal standards. We believe that illegal acts by police officers must be vigorously investigated and punished. We just as strongly believe that our criminal justice system provides adequate methods and opportunities to accomplish those goals.