AntiSec's law enforcement hack exposes thousands to identity theft
- By William Jackson
- Aug 10, 2011
An analysis of 10 GB of data reportedly stolen from scores of local U.S. law enforcement agencies found that the hackers obtained and exposed names, addresses, Social Security numbers and more for thousands of individuals.
“It’s quite bad,” said Todd Feinman, chief executive officer of the security company Identity Finder, which analyzed the data posted by the AntiSec campaign.
The posting exposes nearly 2,000 individuals to the risk of identity theft and other unwelcome revelations, and the damage is compounded by the fact that it could easily have been mitigated.
“Nothing that the hackers did was sophisticated,” Feinman said. “There were insufficient security controls by any reasonable standard,” and the personally identifiable information should not have been kept or should have been redacted or otherwise protected.
One unexpected bit of protection against identity thieves who might attempt to use the posted data is that some of the files are infected with viruses. Identity Finder found 22 different viruses in 334 files, Feinman said.
“There is no indication this was done by the hackers,” he said. “The viruses appear to have been found in the files that were taken,” which is in itself an indication of lax IT security in many law enforcement agencies.
AntiSec, a campaign of hacking against government and private sector sites being carried out by a loose coalition of antiauthoritarian groups, on Aug. 6 posted the cache of stolen data.
“A week after we defaced and destroyed the websites of over 70 law enforcement agencies, we are releasing a massive amount of confidential information that is sure to embarrass, discredit and incriminate police officers across the U.S.,” the groups wrote in a posting.
The data apparently was taken from servers at Brooks-Jeffrey, of Mountain Home, Ark., which hosted the sites. “It took less than 24 hours to root BJM's server and copy all their data to our private servers,” the hackers wrote.
By their own account, they used a common SQL injection attack to obtain root on the servers and left back doors behind as well. SQL injection on its own reaches the web application's database, not the operating system; getting from there to root takes further steps that the posting does not describe. The back doors survived when the hosting company replaced the compromised server, the hackers wrote, which is what happens when a replacement is built from a compromised image or reuses its credentials. “This time we were not going to hesitate to pull the trigger: in less than an hour we rooted their new server and defaced all 70+ domains while their root user was still logged in and active.”
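The SQL injection entry point described above, as an added example that is not code from the article, the hosting company or the attackers: a login lookup in Python against an in-memory SQLite table, written once by string formatting (injectable) and once parameterized (not), with two textbook payloads run against both. The table, credentials and payloads are constructed for illustration.

```python
"""Added example: the same login query written injectable and safe.
The users table, credentials and payloads are constructed, not real."""
import sqlite3

# Constructed sample data standing in for a hosting provider's customer table.
SAMPLE_USERS = [
    ("admin", "S3cret!"),   # hypothetical credentials
    ("clerk", "hunter2"),
]


def make_db():
    """Build an in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting, so quote characters in
    the input become SQL syntax: the classic injection bug."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized statement: the driver passes the values separately
    from the SQL text, so the same input is compared as plain data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both payloads through both versions and return who got in."""
    conn = make_db()
    return {
        # Password field carries a tautology: ... AND password = '' OR '1'='1'
        "vulnerable_tautology": login_vulnerable(conn, "admin", "' OR '1'='1"),
        # Username field closes the literal and comments out the password check
        "vulnerable_comment": login_vulnerable(conn, "admin'--", "wrong"),
        "safe_tautology": login_safe(conn, "admin", "' OR '1'='1"),
        "safe_comment": login_safe(conn, "admin'--", "wrong"),
        "safe_real_password": login_safe(conn, "admin", "S3cret!"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both payloads return the admin row from the string-built query and nothing from the parameterized one; the only input the safe version accepts is the real password. The fix is the parameter binding, not escaping or filtering of quote characters.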
The files contained some sensitive information on police investigations and persons who were involved in the investigations. Identity Finder analyzed the files to locate personally identifiable information in them. The scan found:
- 1,923 unique Social Security numbers.
- Eight credit card account numbers.
- 4,661 unique passwords.
- 57 bank account numbers.
- 53 driver’s license numbers.
- 2,058 unique dates of birth.
- 17,105 unique phone numbers.
- 7,165 unique postal addresses.
- 1.5 million non-unique e-mail addresses.
Feinman said that all of the Social Security numbers were associated with names, addresses and dates of birth, which would make them valuable for use in identity theft.
Although some of the information contained in the cache is readily available, such as names, addresses and phone numbers, “there is a lot of information here that isn’t publicly disseminated,” he said.
Feinman said it was disturbing that police agencies and offices were not properly protecting information that was in their possession. “They should be held to a higher security standard,” he said.
Network and system security should be adequate to protect the information being held, but beyond that, personally identifiable information should not be retained unless it is necessary, and when it must be kept it should be redacted or otherwise protected so that it is not exposed in a breach.
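The scan that produced the counts listed above, and the redaction advised here, as one added example (not Identity Finder's product or anything from the article): a small Python scanner that finds Social Security numbers, card numbers, phone numbers and e-mail addresses in text, applies plausibility checks (SSA structural rules for SSNs, the Luhn checksum for card numbers) to cut false positives, counts unique values, and then produces a redacted copy that keeps only the last four digits. The sample text and every number in it are constructed and fictitious.

```python
"""Added example: find, count and redact PII in a text dump.
SAMPLE_TEXT and all identifiers in it are constructed; none are real."""
import re

# Constructed sample standing in for a dump of case files.
SAMPLE_TEXT = """\
Case 2011-0412 witness: Jane Doe, SSN 123-45-6789, DOB 03/14/1970
Officer contact 501-555-0142, alt 501-555-0142, jdoe@example.com
Suspect SSN 000-12-3456 (invalid placeholder), card 4111 1111 1111 1111
Second card 1234 5678 9012 3456 (bad checksum), email JDOE@EXAMPLE.COM
"""

PATTERNS = {
    "ssn": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    # 13-16 digits, optionally separated by spaces or dashes
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}


def ssn_plausible(area, group, serial):
    """SSA never issues area 000, 666 or 900-999, group 00 or serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and int(group) != 0 and int(serial) != 0


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(text):
    """Return {category: set of unique normalized values} for the text."""
    found = {k: set() for k in PATTERNS}
    for m in PATTERNS["ssn"].finditer(text):
        if ssn_plausible(*m.groups()):
            found["ssn"].add(m.group(0))
    for m in PATTERNS["card"].finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            found["card"].add(digits)
    for m in PATTERNS["phone"].finditer(text):
        found["phone"].add(m.group(0))
    for m in PATTERNS["email"].finditer(text):
        found["email"].add(m.group(0).lower())   # dedupe case variants
    return found


def redact(text):
    """Mask SSNs and Luhn-valid card numbers, keeping the last four digits.
    Anything SSN-shaped is masked even if implausible: over-redaction is
    the safe failure mode; candidate card numbers that fail Luhn are left."""
    def mask_ssn(m):
        return "***-**-" + m.group(3)

    def mask_card(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]

    text = PATTERNS["ssn"].sub(mask_ssn, text)
    return PATTERNS["card"].sub(mask_card, text)


if __name__ == "__main__":
    for category, values in scan(SAMPLE_TEXT).items():
        print(f"{len(values)} unique {category}(s)")
    print(redact(SAMPLE_TEXT))
```

On the constructed sample the scanner reports one unique value in each category: the placeholder SSN fails the structural check, the second card fails Luhn, the repeated phone number and the two case variants of the e-mail address each collapse to one. A scan like this run against a file share before it is breached is how an agency discovers what it is holding; the redacted form is what should have been on disk.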
The recent string of AntiSec breaches demonstrates that perimeter security alone is not enough to protect data, and that an additional layer of controls is needed to keep sensitive data from leaving a compromised system. Security practitioners now work from the assumption that any given system can be exploited.
“Something is always going to get into your system,” Feinman said.
William Jackson is a Maryland-based freelance writer.