I don’t know how you partied last night (if you did), but it looks like the AntiSec folks thoroughly enjoyed themselves by releasing data they acquired from the California Statewide Law Enforcement Association (CSLEA).
In a statement on the defaced site earlier in the evening, the hackers referred to the hack as being part of “pr0j3kt m4yh3m,” a response to local governments and law enforcement attacking the #Occupy protesters in cities and parks. But the hackers also offered a broader political justification:
From the murder of Oscar Grant, the repression of the occupation movement, the assassination of George Jackson in San Quinten prison, the prosecution of our anonymous comrades in San Jose, and the dehumanizing conditions in California jails and prisons today, California police have a notorious history of brutality and therefore have been on our hitlist for a good minute now.
Will there be some embarrassed members of CSLEA this morning? It’s likely, as the hackers read and then dumped personal e-mails. But perhaps the greatest embarrassment will be over the fact that even when they could reasonably anticipate an attack, CSLEA failed to prevent it and left too much sensitive information seemingly unencrypted and available:
Interestingly, CSLEA members have discussed some of our previous hacks against police targets, raising concern for the security of their own systems. However Ken [Ken Fair is the Computer & Networks Systems Technician for CSLEA -Dissent] deliberately made some rather amusing lies as to their security. He repeatedly denied having been hacked up until web hosts at stli.com showed him some of the backdoors and other evidence of having dumped their databases. We were reading their entire email exchange including when they realized that credit card and password information was stored in cleartext. This is about the time Ken changed his email password, but not before receiving a copy of the ‘shopper’ table which contained all the CCs. Too late, Ken.
In all fairness, they did make an effort to secure their systems after discovery of the breach. They changed a few admin passwords and deleted a few backdoors. Shut mail down for a few days. They also finally decided to set a root mysql password, but we got the new one: “vanguard”. We noticed that you got rid of the credit card table, and most of the users in your database. Still haven’t figured out how to safely hash passwords though: we really loved your change from ‘redd555’ to ‘blu444’. Clever.
But we still had shell on their servers, and were stealthily checking out the many other websites on the server, while also helping ourselves to thousands of police usernames and passwords (it’s how Special Agent Fred Baclagan at the California DOJ Cybercrimes Unit got humiliated last month). For two months, we passed around their private password list amongst our black hat comrades like it was a fat blunt of the dank shit, and now it’s time to dump that shit for the world to use and abuse. Did you see that there were hundreds of @doj.ca.gov passwords? Happy new years!!
All told, there were 1,076 e-mail addresses and clear-text passwords of people in California government (ca.gov), 321 of which were @doj.ca.gov addresses.
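The passwords above were usable the moment the table was copied because they were stored as typed. The following is an added example (not code from the original post, and not CSLEA's or the hosting provider's code) showing the contrast a defender wants: a per-user random salt and a memory-hard KDF (scrypt from Python's standard library) instead of cleartext, a constant-time verification routine, and a small audit that flags rows in a dumped credential table which still look like cleartext. The usernames in the sample table are constructed; the two sample passwords are the ones quoted from the defacement.

```python
"""Cleartext versus hashed credential storage, contrasted.

Added example, not from the original post. Stores passwords as
"scrypt$<salt-b64>$<hash-b64>" and treats anything else as suspect.
"""
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# scrypt cost parameters: assumed defaults for an interactive login
# (128 * N * r = 16 MiB of memory per hash); tune to the hardware in use.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
PREFIX = "scrypt$"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted scrypt record for storage; a new random salt per call."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return (PREFIX + base64.b64encode(salt).decode("ascii") + "$"
            + base64.b64encode(dk).decode("ascii"))


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    if not stored.startswith(PREFIX):
        return False  # cleartext or unknown format: never treat as a match
    try:
        _, salt_b64, dk_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def audit_password_column(rows: List[Tuple[str, str]]) -> List[str]:
    """Return the usernames whose stored value is not in the hashed format.

    Run over a (username, stored_password) dump to find rows that are
    still cleartext; every name returned is a credential already exposed.
    """
    return [user for user, stored in rows if not stored.startswith(PREFIX)]


# Constructed sample table: two rows stored the way the post describes
# (cleartext) and one row stored with hash_password().
SAMPLE_ROWS = [
    ("member01", "redd555"),                  # cleartext, as found in the dump
    ("member02", "blu444"),                   # cleartext "rotation" of the same idea
    ("member03", hash_password("blu444")),    # hashed: dump does not reveal it
]


def demo() -> dict:
    """Exercise the three functions and return the outcomes for inspection."""
    record = hash_password("redd555")
    return {
        "correct_password_verifies": verify_password("redd555", record),
        "wrong_password_rejected": not verify_password("blu444", record),
        "cleartext_row_never_verifies": not verify_password("redd555", "redd555"),
        "salts_differ": hash_password("redd555") != hash_password("redd555"),
        "cleartext_rows": audit_password_column(SAMPLE_ROWS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points matter here. Because the salt is random per record, two members who chose the same password produce different rows, so a leaked table cannot be cracked once and applied to everyone. And because `verify_password` refuses anything that is not in the hashed format, a migration that leaves a few cleartext rows behind fails loudly at login rather than silently accepting the exposed value; `audit_password_column` finds those rows before the attacker does.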
I won’t reproduce everything that was posted in the defacement, but note that they produced an internal exchange of e-mails about the security of the site and members’ information that was, with the clarity of hindsight, overly optimistic at best, and downright wrong at worst.
The hackers also revealed the “shoppers table” that was removed back in November after they discovered that there had been an intrusion. That table included first and last names, e-mail addresses, company and address, phone and fax numbers, and other information on purchases – including dozens of entries with credit card type, full credit card number, and credit card expiration date. The credit card data were in clear text.
/*******************************************************************************
LOLOLOL SO MUCH FOR “ENCRYPTED MEMBER DATA”. DAMN KEN YOU DID HALF THE WORK
FOR US. AND DESPITE BEING AWARE OF THE BREACH, YOU STILL COULD NOT KEEP US OUT.
ON TO THE NEXT TARGET…. NEW YORK POLICE CHIEFS, OWNED AND EXPOSED !!!
*******************************************************************************/
The passwords roster, uploaded to the web as part of the CSLEA data dump, includes 2,519 first and last names, usernames, clear-text passwords, e-mail addresses, and in some cases zipcodes.
In light of the security concerns law enforcement had after earlier attacks on other law enforcement agencies, AntiSec’s ability to get into CSLEA’s databases should be a source of embarrassment and concern to the organization. That AntiSec was able to continue to traipse around on their server after they became aware of the previous breach is, well, bad.
I haven’t waded through the entire e-mail spool that was dumped, and will leave it to others to search to see if there are any “smoking guns.”
In the meantime, CSLEA is down and all you see if you try to connect to the home page is:
Smoking Gun? This is a Turd fully ablaze. If the individual(s) tried to keep this quiet when the crew was running amuck within servers and accounts, nothing is sacred. One never knows which accounts, both user and system accounts, have been poisoned.
What scares me is the fact that there is a non-generic reply from the server. Instead of getting some sort of 404 error or its equivalent, it’s a one-liner. That “could” mean that the server itself is still alive, but no longer configured. If they think they can simply remove the site and access and call themselves secure, they are sadly mistaken; the crew probably has ownership of their IIS, MySQL, member server and even DNS or maybe domain controller(s).
When a hacker is brash and shows before and after passwords, it means they own password lists and more than likely the SAM (or its equivalent) where most passwords are stored. The hacker(s) potentially can create trusts to other networks and have access to the network remotely on the fly. In four words…. This is Really Bad.
If the users think they can simply change passwords when an intruder has root access, it’s a mild understatement that the security posture is extremely weak. None of the backups can truly be trusted as well. All a hacker has to do is change the passwords of several users who may not have accessed the accounts in some time, and they have at least a method to get back in. Add in the ability to use netcat, trojans or rootkits and you’re done. Some rootkits are extremely hard to find. It’s best to open the box, remove all the drives and take them out in the parking lot. Take your frustrations out on the HDDs and then call a highly recognized security company to come in and make it right.
Compare the list of individuals in your records vice what is on the servers. Ensure the list is complete and contact everyone via phone. Tell them that you’re starting over, and that any information that was used in the past may have been compromised. Archived email addresses and content may have been altered. If the individuals need a new account on the new network, they need to re-apply for an account, which should have at least 3 different safeguards that should be strictly followed. If the legitimate users need any old data, they have to put in a trouble ticket and talk to an associate. Do not allow for social engineering to play into this, otherwise you will find yourself in the same stink river with no paddle, except the one that’s tanning your hide once more.