A few more law enforcement-related web sites were hacked this past week, to add to the growing list:
Travis Crum reports that the West Virginia Chiefs of Police Association site was hacked and officers’ data dumped online:
The Federal Bureau of Investigation is looking for the people responsible for leaking the home addresses, home phone numbers and cellphone numbers of every police chief in West Virginia, according to the president of a statewide police chiefs organization.
William Roper, president of the West Virginia Chiefs of Police Association, said his organization’s website was compromised Monday by a group associated with Anonymous, an international hacker group with a stated mission of protecting free speech and fighting anti-piracy laws.
The subgroup, which calls itself “CabinCr3w,” posted the personal information of more than 156 police officers, including current and retired police chiefs, to a public website.
[…]
The hackers also posted the e-mail addresses and usernames of the association’s members. However, they were not able to gain access to the members’ passwords, Roper said.
The group posted apparent passwords for each of the association’s members, but they did not work Tuesday night.
Read more in The Charleston Gazette.
The Dallas Police Department was hacked Sunday. In a statement on the hack, CabinCr3w and W0rmer refer to a police officer who was placed on leave last month after he reportedly crashed his car while driving while intoxicated. The hackers write, “The police claim there (sic) are here to enforce the laws, to protect the people while hypocritically violating them on a daily basis themselves.” The data dump included 23 userids, e-mail addresses, and plain-text passwords as well as 21 first and last names with employee ID numbers and hire dates.
In Wisconsin, the Wisconsin Chiefs of Police Association web site was hacked Monday by CabinCr3w, Kahuna & W0rmer. They did not dump any personal information but did dump an administrative login and password. Operating independently, another hacker, Visi0nZ, had posted three logins/passwords as well as 540 e-mail addresses from the same organization the previous day.
The hackers note that all police departments should consider themselves targets:
All over the world people are starting to stand up for their rights and fight against the machine. These people ARE people, people with rights, people with the will to stand up against what is wrong in this world, people who are willing to quit their jobs, leave their homes and spend day after day practicing their right to protest and fight against what they are not happy with. These people have come under constant oppression by police departments around the world, they have had their rights stripped from them, their freedom pulled from them and we have had enough of it. We will NOT stand by and watch these public servants that WE pay with our hard earned money, abuse, arrest and torture our people anymore. EVERY police department is at risk, and will remain that way until police departments start taken notice as to whom they work for. They do not work for corporations, bankers, or governments, they work for the people and we are the people. Expect US!
Commmon, “All over the world people are starting to stand up for their rights and fight against the machine”…. This is a bit much. Since you have so much time to play, please come up with a better lingo. = )
I don’t believe in all that the state and government say, but there are other ways to handle this. Once the FBI and NSA get involved, it will be extremely hard to hide. These hacks probably are occurring at open WiFi areas so they think their tracks are being covered by obtaining IP that cannot be tracked back. There are ways, Thats all I am going to say. = X
Without the stability of a proper law enforcement, the world would be more chaotic. Without any police, you’d be in a Police state. You’d be LUCKY to have FOOD, let alone a place to live and a computer to hack with. Today, people’s views are distorted; they do NOT realize how good they have it. Imagine a city, let alone a country – without the basic necessities you thrive on. It’s a dog eat dog world, no one is trusted, and the odds are survival are slim. I’ll take the way it currently is over a change for the worse.
All of these sites must have a common provider and a common login or vulnerability. In the world today, if your protecting assets and you do not require a complex password that is more than 10 charecters, the assets are patched as required, and the staff understand the risk of what might take/infect/affect the assets of the company, then there will be issues.
If you host confidential information on a commercial provider, make sure you get a BIG, potentially multi-million dollar policy that they will pay if your information is breached. I wonder how many compnaies guarantee that…. “We will pay you to a maximum of 10 million dollars should the leak of any PII, trade secret, confidential, medical or banking information be compromised, resulting in catastrophic repautational loss to customers and clients. HEH, there aren’t any. They only guarantee that can provide that is a place that stores that info OFFLINE, in a vault as secure as Fort Knox.
Hackers sometimes thrive on publicity; give it to them, then they “give it to them” in respect to their victims.
RE your point about publicizing hacks:
It’s an issue I’m constantly grappling with in terms of this blog and DataLossDB.org.
On the one hand, this blog reports on breaches involving PII. To ignore the breaches would be to deprive readers and the infosec professionals who follow this blog of info that they may find helpful in identifying trends. It would also fail to inform members of the public who might not otherwise find out that their info has been compromised, as in many cases, I do not see breached entities notifying those affected.
But could publicity be encouraging some hackers? I have no doubt that in some cases it does. And there are certainly hacks, like some I posted elsewhere today, where I want to smack the hackers and tell them to grow up. Recklessly exposing individuals’ personal information just because you can or “for the lulz” demonstrates a fundamental lack of respect for privacy and the individual. Similarly, thinking you are going to have a specific impact on the mid-East situation by hacking and dumping citizens’ credit card numbers is just counterproductive and demonstrates that the hackers have not sufficiently studied history or have failed to appreciate the psyche of parties on both sides of the Israeli-Palestine conflict.
And if you treat all police disrespectfully because some may deserve your disrespect, you risk creating more problems as police circle their wagons and increasingly view the public as their enemy. People often rise or sink to your expectations.
But anyone who lumps all hackers together as “Anonymous” simply isn’t paying enough attention to the differences among them in terms of their decision-making, actions, and ethics.
So I’ll continue to make decisions about what to post on a case-by-case basis as I try to balance my self-imposed duty to inform against the harm that such reporting might contribute to.
My comment of:
” Hackers sometimes thrive on publicity; give it to them, then they “give it to them” in respect to their victims.”
That statement was meant generally across the board; It wasn’t specifically pointing a finger at this site. There are many, many sites that offer news of a hack. This site DOES NOT add B.S. into the stories, it’s pretty straight forward here. Many other sites simply add more crappy content to get people to knee-jerk and get hits. Kudos for staying on topic and related.
I think the hackers use it as ego-testical stimulation, and motivation to keep doing it.I view the Hype of hacking like Hollywood, it’s dirt; its an “Oooh and Ahhh”. I stereotypically lump all hackers into the same pile, mainly due to its ethical and morale negativity. It’s against the law. In My opinion, there is no good in a hack unless its to save a life.
Sure, its news. I agree with you, many people may not find out about some of the hacks unless there is a avenue for them to find out about it. But there is something missing. I see an issue with no potential cure.
If people read about hacks, and want to act, they don’t have a clue where to start. Say a CEO, CIO or other “C” reads some of this – where does he go to get some guidance thats relatively easy to understand and doesn’t take a long time to gain some general knowledge? He/She comes to this site, or any site for that matter and sees an issue…. but no cure. Whats that do for him/her? I am not talking about going to a 3rd party vendor that professes to supply them with a bogus hacker proof banner, an antivirus or IDS IPS device that is so complex its worthless to most. I am talking like places like NIST, NSA or other organizations that can offer guides that can have even an intermediate LAN admin sit down, and with some effort understand/comprehend how much it takes to secure a site, and what it takes to keep it that way. Thats simply food for thought.
Continued good luck on the site and keep up the good work.
Thanks for clarifying your previous comment and for the kind words about this site. Much appreciated.
Here’s a timely case in point. A report on the Mobile PD hack by Associated Press says:
“Not able to confirm?” Seriously? The hackers posted redacted entries. It should be easy enough to search the database to see if those entries correspond to actual entries. Do they really expect us to believe that they couldn’t confirm? So yes, in this type of situation I’m more inclined to believe the hackers than the hacked entity and will post the hacks to try to ensure the public is accurately informed. And people in Mobile who may have data in that database should probably assume their SSN was acquired and take steps to protect themselves because even if these hackers have deleted SSN, who knows how many others may have accessed that database without the Mobile PD’s awareness? Is Mobile PD planning to send out notification letters to everyone in their database or will they say they don’t have to because they can’t confirm the hackers’ claims? Will they offer free credit monitoring? You ask about solutions. In this case, what is the solution when the entity hasn’t acknowledged the extent of a breach? The public is left to its own devices to protect itself – and that’s wrong, in my opinion.
Mobile PD never responded to this blog’s notification of the breach nor provided this site with any statement on it. They gave a statement to AP who didn’t challenge them critically. Clever PR, huh? On the other hand, one of those involved in the hack informs me that although the Mobile PD has apparently pulled the confidential database from the server since my notification to the PD last night, they did not patch the vulnerability. He also laughed at their claim that they could not confirm the hack, noting that the hackers were running SQL inquiries over a period of days and it would be easy to detect that there had been access. I wonder if they even noticed that he accessed their server again and still has access to admin logins. Scary, huh?
This blog is not solution-oriented, I grant you. I’m not a security professional and wouldn’t presume to offer advice. But lawyers and infosec professionals tell me privately that they use my blog to inform their clients and employers to support their advice that entities need to invest more in better security. And this blog is also useful in informing policymakers and Congress about the need to address security and breach notifications.
So as much as we may disagree on some points, you and I agree on some of this. I definitely agree that if the hackers hope to cause problems for a company, they’re unlikely to be successful, although in some cases (like HBGary), they seem to have created havoc/embarrassment for a while. But most hacks do not result in significant or enduring harm for entities, so the hackers’ overall strategy is unlikely to be successful and only like to backfire on them.