When Cops Get Hacked: Lessons (Un)Learned from a Decade of Law Enforcement Breaches
6:55PM Jul 30, 2020
...pandemic summer. A comet circulating every two years, which always leaves a trail in my mind. During quarantine, I've been working from home. Yes, you. And for some reason I started sketching this year. I've also been missing my makerspace, Hammerspace community workshop. And of course, looking forward to HOPE. Hope to see you in two years.
More than 125 US law enforcement agencies have suffered some form of data breach over the last 10 years. Our next talk will feature the data sets about such breaches, the factors enabling them, EFF's research into unsecured surveillance tech, one of the largest dumps of internal police documents in history, and what all of this data has to teach us. We present Emma Best, Dave Maass, and Madison Vialpando with "When Cops Get Hacked: Lessons (Un)Learned from a Decade of Law Enforcement Breaches."
Thank you. So my name is Dave Maass and I am a senior investigative researcher at the Electronic Frontier Foundation, and I work on EFF's Threat Lab. I'm just going to give you an idea of how this panel is going to work today. We're going to start off with a sort of 20-minute presentation or so from Madison Vialpando, then I'm going to talk for a little bit, for maybe 10-15 minutes. Then we're going to do a Q&A with Emma Best, and then hopefully we'll have some time for some questions at the end. Let me just do some quick introductions. So Madison Vialpando is a recent graduate from the Reynolds School of Journalism at the University of Nevada, Reno. In 2019 and 2020, I had the pleasure of working with Madison, first as an intern, then as a student, and then doing an independent study where Madison was helping gather information about which police departments are using surveillance technology around the country. So Madison's final research project focused on cybersecurity vulnerabilities in law enforcement agencies. She also recently graduated, and so she's a freelance journalist looking for some new opportunities, especially opportunities that would help her scrutinize law enforcement and corporate surveillance. Now, Emma Best is an independent journalist and transparency activist who has filed thousands of Freedom of Information Act requests with government agencies. They are known for their tenacity and their keen eye for details of documents, and they are a ruthless advocate for the truth at any cost. They also co-founded the Distributed Denial of Secrets collective and coordinate its operations, and you might know DDoSecrets because of BlueLeaks, which has taken over a lot of the news recently. I would also like to say that Emma is also one of my personal heroes, and if you just go onto MuckRock and go through their requests, you will receive a masterclass on wrenching information from the government.
So at this stage I'm going to hand it off to Madison, who has a slide presentation about law enforcement agencies and breaches.
And I will get to that right now.
Okay. So as we've said previously, this is "When Cops Get Hacked: Lessons (Un)Learned from a Decade of Law Enforcement Breaches." I'll just go a little bit into me. My name is Madison Vialpando and I'm a recent graduate from the Reynolds School of Journalism at the University of Nevada, Reno. In 2019 and 2020, I worked as a student researcher and intern at the Electronic Frontier Foundation Threat Lab, and what started as a three-month internship quickly turned into me weaseling my way into volunteering, and then having my own independent study my last year of college. For my final project I spent over 200 hours researching and collecting data on cyber attacks and their effect on law enforcement agencies. So a little bit of background about my work at EFF: I worked on the Atlas of Surveillance, which documents the most pervasive technology used by law enforcement throughout the United States. These technologies included automated license plate readers, facial recognition and cell-site simulators, as well as many others. The project uses open source intelligence to map where surveillance tech is being used, and by what jurisdiction. During my time, we had been collecting instances of surveillance concentrated around the US-Mexico border and had collected over 200 instances. Since then the research has moved nationally, with over 5,000 data points since the Atlas went live. With the data clearly showing the exponential increase of law enforcement agencies buying into surveillance technology, I noticed that the rate at which surveillance technology was evolving did not match the rate at which IT resources were evolving. And this led me to believe that the allure of technology overshadows the implications and the threat of poor IT resources. In fact, it seemed to be the last thing on everyone's mind. In addition, with one quick Google search, it was quite clear that data breaches and cyberattacks were slowly but surely becoming a more prevalent threat to privacy.
I started to form, from my observations, a few overarching questions to implement within my own research. These questions included: how many law enforcement agencies have experienced cyberattacks and breaches? How are they protecting their digital evidence? What information is generally exposed? And are law enforcement agencies properly equipped to protect their technology? With these questions in mind, I began collecting news articles, press releases and public records, writing FOIA requests, and basically trying to find any open source intelligence in order to create a database that could potentially answer my questions and show whether or not the protection of data was a high priority for law enforcement. In the 200-plus hours that I've been working on implementing this project, I've documented so far that over 125 law enforcement agencies, 126 to be exact, have suffered some sort of data breach or cyber attack since 2012. The data taken include social security numbers, phone numbers, addresses, license plate information on the US-Mexico border, fingerprint identification, and data from fusion centers. And with months and months of research under my belt, I woke up about June 22 only to see that more than 250 police departments had been hacked, and with that the data tripled. In what is now called BlueLeaks, over 269 gigabytes of law enforcement data was published on the Distributed Denial of Secrets website, and most of the data was taken from fusion centers and local police departments. The research that I had done so far could only have alluded to a major data breach that affects the data of thousands of people, and what took me three months or six months to collect tripled in near seconds, only magnifying the dangers of poor IT security protocols. To create my initial database, I wanted to choose information that could help me verify any trends and whether or not my observations had any weight. These categories of course include the name of the agency.
The technology breached, whether it be automated license plate readers or servers; the type of attack, whether that be malware, distributed denial of service, or insider threats; the method of attack, whether it be ransomware, Trojan horses, spyware, or other methods including phishing; if it was ransomware, whether or not that was paid or unpaid; if there was any information stolen or breached; and the year of the incident. In addition to creating a database, I also began development on a map that would show these overarching trends. The map that you see here is representative of the data that we have prior to BlueLeaks, but that will of course be added later. This working map includes instances of ransomware, distributed denial of service, also denial of service, viruses, negligence and physical theft. And there are several trends that we can take away from this map right off the bat, most notably the quantity of breaches that are concentrated in the south and northeastern parts of the United States. In fact, both Georgia and Texas experienced the most cyber attacks, specifically ransomware, which was the most common form of cybercrime.
Ransomware at this point takes up more than half of the cyber attacks that affect law enforcement agencies in this dataset. Ransomware is one of the most expensive cyber attacks that I've seen so far, and because of this, I also tracked how many paid and how many did not. What I found so far is that 34% paid, 45% refused payment, and 21% were unclear. The most common method by which this happened was phishing, when an employee or volunteer would accidentally open a malicious link from a third-party email. This is not surprising given that in 2017 Digital Guardian reported that 91% of successful cyber attacks are launched via phishing email. Furthermore, in a report from the International Association of Chiefs of Police, between 2014 and 2017 Michigan auditors conducted a phishing attack on 5,000 randomly selected state employees to see how they would deal with this potential threat. One third of the recipients opened the email, and almost one fifth provided their user ID and password. And if this is the case, the lack of cyber knowledge among these employees has the potential to create a very expensive crisis. In fact, the Riviera Beach Police Department paid $600,000, and the Lake City Police Department paid $470,000, and in both instances, not including the cost of IT resources, the state of Florida and the respective cities had to pay over a million dollars to restore their servers back to normal. According to Motorola Solutions in their cyber report in 2018, the average cost of a data breach was estimated to be about $6.53 million. However, in many cities, the cost can be even higher. And the price of failing to secure networks is clearly rising. In 2018, Atlanta, Georgia was subject to a massive ransomware attack that demanded the city pay $51,000. The ransomware forced most of the city services to go back to paper forms. And while it's unclear if Atlanta paid the ransom, the city initially had to pay $2.6 million
in order to restore their servers. More interesting, though: prior to the attack, Atlanta had been criticized after an audit in early 2018 revealed over 1,500 vulnerabilities in the city's systems. The inspectors found that over 100 servers were using a version of Windows that had been unsupported by Microsoft since 2015, and that there was a relaxed approach to cybersecurity practices. In fact, weak passwords were to blame for this expensive attack. In 2019 StateScoop reported that the initial payment was not enough, and the city actually had to pay $17 million in order to remedy the loss. In 2019, most of Baltimore's government computer systems were infected by ransomware that demanded Bitcoin worth around $76,000 to restore access. According to another report by StateScoop, Baltimore was susceptible to such an attack due to its poor IT practices, which included decentralized control of their technology budget. This ended up being a really serious issue after the city refused to pay the ransom, and instead had to aggregate over $80 million in order to restore their servers. And the decision to pay ransomware is an absolute gamble. In fact, the FBI and the Secret Service advise against paying ransom, as it could embolden more attacks. And in the case of the Baltimore Police Department, their expensive decision stemmed from the belief that paying ransom was rewarding criminal behavior. Another important case of ransomware discovered in my research: in 2016 the Cockrell Hill Police Department in Texas lost over 200,000 records after the chief of police decided to wipe the servers rather than pay the ransom of $4,000. The department lost all Microsoft Office documents such as Word and Excel files. In addition, they lost all body-worn camera video, dashcam and in-car video, surveillance videos and photographs that were stored on the server.
To make matters worse, the Cockrell Hill Police Department failed to maintain their digital evidence, which had some public defenders worried since, at the time, there were multiple cases that were relying on body-worn camera footage to prove innocence. These cases were ultimately forced to rely on police reports, which brought a lot of scrutiny to the department. In such cases this ransomware not only undermined the police's duties but eroded the trust between the department and the public, as they lost over eight years of evidence.
Within the data set, the second most common form of cybercrime was a breach implemented by a third-party individual or individuals. Third-party breaches often resulted in confidential data, such as personal data, passwords, informant information, etc., being breached. For the purposes of this research, any method by which there was a breach was accounted for within this category, whether that be through physical theft, phishing, Trojans or any other method, pre-BlueLeaks. In fact, in 2019 information on thousands of federal agents became public after three chapters of the FBI National Academy were breached. More than 4,000 records that could have negatively affected agents were made public, including their names, job titles and addresses. In addition to the breach of information on federal agents, in 2019 the LAPD was also breached, leaving personal information of over 20,000 applicants open to the public, in addition to hundreds of sworn officers. The information that was potentially stolen included email addresses, birthdates, and the last four digits of social security numbers. And to make matters worse, they also had passwords used to log into the database. The department only found out about this breach after the perpetrator revealed themselves to the agency with the knowledge about people who had applied between 2010 and 2018. Luckily, in response, the LA Times reports, the department did bolster IT funding after this. A lesser known but more common type of breach in this data set: in February 2012 hackers breached the Dallas Police Department's internal servers and stole the usernames and passwords of several officers, including information about informants and jail inmates. As with other breaches, this one, however, was notable because it occurred in 2012, again in 2014, in 2017, and recently in 2020, showing no real change in IT practices.
The third most prevalent form of cyberattack on law enforcement agencies was distributed denial of service. This took up about nine instances so far of the 126 that I found in my data. I'm certain there are more, but as of right now this is what I found. In instances of DDoS, access to emails, website servers, and legitimate traffic is often disrupted. From what has been evidenced by the data, DDoS is also often a tool for hacktivists against police. For example, in 2017, an Akron man executed a distributed denial of service against the Akron Police Department, the Ohio Department of Public Safety and the Department of Defense, after he uploaded a video to Twitter saying that the Akron Police Department abuses the law. Furthermore, in 2014, the St. Louis County Police Department was taken offline for several hours as a result of a DDoS attack in retaliation for the police shooting of Michael Brown, and in support of the protests that resulted from that shooting. One other concerning trend in the data is the denial of safety services from a telephone denial of service. While DDoS seems to be more common, it is on the rise. In these instances communication systems become inaccessible due to an attack on 911 systems and incident response. Back in 2017, a six-month-old Dallas boy died after his babysitter called 911, and these calls were delayed due to a DDoS attack. Furthermore, it's also dangerous for public safety professionals, as paramedics cannot request police support and firefighters cannot call for mutual aid.
With all of this data under my belt, here's what it tells us. Unauthorized access or loss of law enforcement data due to a cyberattack has serious operational and privacy implications. A cyberattack could compromise an agency's ability to protect life and maintain order, and at the rate law enforcement agencies are being breached, I think it's an important reminder that law enforcement knows that they're high profile and need better protocols. In addition, law enforcement has been purchasing and using the most pervasive data-collecting tools without first fleshing out their IT departments or providing funding to provide a cushion for when the cyber attacks occur. Furthermore, cyber attacks erode the trust and the credibility of an agency, further calling into question law enforcement practices. In addition, there are two major attitudes that affect cyber safety for law enforcement agencies, and that is compliance and negligence. Law enforcement and their respective leaders do not treat cyber risk as a system-wide threat and attribute it to underfunded and poorly equipped IT departments. It's important to keep in mind, though, that this is a system-wide threat and all members of the agency must have some responsibility for it to be protected. In addition, it's also incredibly easy to be negligent, whether that be through lack of training or knowledge about cybersecurity risks. Staff members and officers cannot afford to dismiss security protocols: staff members can't use old passwords, they shouldn't be downloading software that they know nothing about, or plugging in USB devices without verifying their safety. In addition to compliance and negligence, major surveillance companies such as Axon and Vigilant Solutions have profited from the rise in need for surveillance technology. In fact, just recently Axon came under fire after decommissioned body-worn cameras were found to still have the raw video data on them.
In addition, Clearview AI facial recognition, drones, and Perceptics automated license plate readers, all major vendors of surveillance, suffered major data breaches in the last 10 years. Perceptics came under fire after they, against their contract, copied images of travelers and license plates onto their own private computer servers, which were subsequently breached. Clearview's client list was breached in an incident that affected law enforcement agencies, whose names were exposed publicly, as well as the searches that they had been conducting. It's very clear that this need for new technology has overshadowed the need for better security protocols. In fact, according to a 2018 report by the National Association of State Chief Information Officers, most states only allocate 3% of their IT budgets to cybersecurity. It's like putting new tires on a junkyard car. It doesn't make any sense at all. If departments are going to be, in the near future, collecting our data on a grand scale, then they must protect that data and make sure that it's stable. So let's get back to the research questions. How many law enforcement agencies experienced cyberattacks or breaches? Well, 126 so far, but 385 counting BlueLeaks, and the number's rising. How are they protecting their digital evidence? They're not. Poor passwords and protocols evidence a lack of care or knowledge about the importance of protecting this data, and our privacy. What data is generally exposed? Well, personal data: social security numbers, addresses, phone numbers, any information for doxxing, as well as people who've been booked or come into the department. In addition, organizational data has also been taken, such as usernames and passwords in order to get into the servers. And are law enforcement agencies properly equipped to protect their technology? No, they're not.
It seems to me that they've been focusing more on the looks of surveillance technology, rather than the safety, or providing that safety through funding. What lessons can they learn? Well, first, training. It's imperative that staff receive cybersecurity training at every single level of the organization, not just the IT departments. Users need to be aware of the cybersecurity hazards, including fake emails, USB devices, and better password protocols, and what to do if they feel like their account's been compromised. Furthermore, law enforcement executives must understand that their systems can be attacked and must provide backups. The organization must provide security for digital evidence and provide backups to their servers. In addition, they should save original copies, hard copies, files, printed images and videos; over-saving and over-documentation of this evidence makes sure that if they do lose it, they obviously still have it. Lastly, they should be doing some incident response. Departments need to be better prepared for these attacks, and preparing and rehearsing is the only way to determine readiness. Rehearsing the response to such an incident is critical. It must be determined how an IT partner will respond to an attack. Does the city have enough money, and what available resources are there? And maybe with some stronger protocols, some lessons can actually be learned. Right. Well, thank you so much, and now we are going to be moving on to Dave Maass, who has his presentation. Thank you
so much. Um, so I just wanted to give everybody... if everybody could just sort of give a digital round of applause. I don't think we're gonna be able to hear it or anything like that, because this was Madison's first conference talk, and it was fantastic. But I also got a message that I think her slides weren't showing. I could see them on our end, but I just wanted to check with her; maybe there's something going on on HOPE's end, and Madison and I can work on making sure those slides are available after the talk is over. Um, I'm going to go ahead and share my slides now and I'm hoping people will be able to see them.
So I have my slides up; hopefully folks can see them, and if not I'll try to talk through it. Um, but my name is Dave Maass, I'm a senior investigative researcher at the Electronic Frontier Foundation. I work on EFF's Threat Lab, and I just recently published the project AtlasOfSurveillance.org. If you haven't had a chance to play with it, please go check it out; it will tell you how certain technologies are spreading across the country, as well as, potentially, what is being used in your local communities. So I work on EFF Threat Lab, and we've been around about a year and a half, and we are designed to do deep-dive investigations into surveillance technology. We look into questions about how and where tech is used, how the technology is abused to target particularly vulnerable communities, and how we can counter the technology or hold its users and sellers accountable. And a lot of what the Threat Lab does has emerged from collaboration between more journalistic types like me and our infosec researchers like my colleagues Bill Budington, who's already given a talk at HOPE, and Cooper Quintin, one of our senior staff technologists. What ends up happening is that somebody will discover a vulnerability in a police technology, or we'll discover it, and then we go and investigate it and also try to get it fixed or addressed. I specifically focus at EFF on what we call street-level surveillance, and these are the technologies that law enforcement uses around the country. Oh, sorry, I think my slides are not showing right now, which is okay. I will try to explain what they are and then we can edit them in.
Sorry. What's that?
Oh, they're on the livestream. Excellent. So when we talk about street-level surveillance, we're talking about drones and license plate readers and body-worn cameras and face recognition. I'm going to go over two examples of when we have had to go to law enforcement about some sort of vulnerability we found, and I want to show you an example of police responding badly and an example of police responding well. A lot of these things I'm going to show you are going to seem like they're several years old, but that's because there's a narrative arc here that goes over several years, and because we're so far out I can tell you a little bit more about what happened than we could when we first announced these. So back in 2014, we had learned from a mother in San Diego that the San Diego District Attorney's Office was giving out CD-ROMs to the public with parental safety software, software meant to monitor your children to make sure they're not dealing drugs or engaging with predators online. We were very curious about this, and we obtained a copy and started analyzing it, and at the same time we started noticing that there were hundreds of agencies around the country giving out the software, and all the software kind of worked the same. It was like a very slick DVD case; there was usually the emblem of the sheriff or the district attorney on it. There would be a video on the CD-ROM of the police chief or whatever reading out a promotional thing; it really seemed to be very promotional rather than actually safety related. Once we got the software, we started analyzing it, and it had a few features that were pretty boring.
Like, it would show you what all the JPEGs were on a particular computer, or what the browsing history of the user was. But one of the more controversial elements is that it included a keylogger. There was a feature that you needed to install, which allowed you to put in some keywords, up to 10 keywords, so that any time your child typed in this keyword, you would start getting emails in real time of their chat box or their keystrokes. And even though they're marketing this as parental software, those of us who work at EFF know that this is spyware, this is stalkerware. This is the kind of stuff that is illegal in a lot of places. This is the sort of stuff that is used in domestic violence. It is used in cyber crime. It's just the sort of thing that is totally inappropriate for a law enforcement agency to be giving out. But what made it even worse is that once we started inspecting it, we realized that when it was sending those key logs outside of the computer, it was sending them unencrypted, so you could actually just snatch right out of the air everything that somebody was sitting there typing, as long as you added in a keyword. So if you added the word VA, it would just start sending it to you all the time because people are typing the word VA. And so this was really a serious problem, and our first thought was, well, there's 200-plus agencies using this; they need to recall it. Let's go to the vendor. And so we explained this to the vendor, and they came back with this nonsensical response. We told them, you know, you're putting people more at risk if people can snatch their password out of the air, and the response was: "ComputerCOP software doesn't give sexual predators or identity thieves more access to children's computers as our keylogger works." I can't even read this; this makes like no sense whatsoever.
Um, it was very clear that the people running ComputerCOP really didn't know much about technology, and perhaps the software hadn't even been updated since the late 90s. So what was actually driving the software, if it wasn't people who were specializing in technology? When we started looking at the promotional material, here's how this is being pitched to police departments: that this is a win-win for your family and your department. It can be customized for your department; we will throw in an extra, you know, give us a little money and we'll throw in a highly produced video of you onto the CD-ROM. But there's a little line here at the very bottom of the screen that I want to zoom in on, and that is that this is a "perfect election and fundraising tool." And this really revealed the motivation for police departments to be distributing the software to families. The idea here was to give people a product and say this is great, and get TV coverage for giving it out for free, and be able to put something in the hands of people that has their image and seems like it's valuable.
When we started filing public records requests, we found that our theory here was actually borne out. So here is an email exchange from a guy named Jerry Cobb at the Maricopa County Attorney's Office; he's actually the media relations person, their press person, and he was the one who approached ComputerCOP and purchased the software. It didn't come from their Internet Crimes Against Children Task Force, it didn't come from their cybercrime task force. It came from their media division. And rather than get a full examination of the software by a cybersecurity specialist, this guy Jerry Cobb just went to their IT guy, and their IT guy played around with it a little bit, did a little research on it, and then said it appears to be clean. But then he also said that nothing is installed on the PC, which is good. That could be good if it was actually true, because if you actually look at the software, and this is a slide from the presentation that the ComputerCOP company gives, you have to install the keylogger; it does install on the computer. And it doesn't just install on the computer: in order to uninstall it, you need the CD-ROM. Now I think that most people, a lot of people who are attending this conference or have a computer background, would have been able to remove it manually without going through the uninstall function, but your average family person, if they found this on their computer, wouldn't have known how to get rid of it because they didn't have the CD-ROM. So when our blog post about this issue came out, there was a lot of press coverage, and one of the reporters went to their local law enforcement agencies to ask them about the security flaws, and there were some terrible responses out there. So the Contra Costa District Attorney's Office in California said, well, you know, there are so many agencies using it and we've never heard about identity theft, so it must be okay.
And then they said, well, if we find out there's some sort of breach later, then we'll recall the software, but we're not going to do it until then. And that's like the equivalent of reporting to a government agency or reporting to a restaurant that their food is poisoned, once you did lab testing, and they're like, well, you know, nobody died yet, so we're not going to take that out of our ingredients and our recipe. But my favorite response came from the Limestone County Sheriff, Mike Blakely, in Alabama. And his response was: "We've had the keylogger checked out with our IT people. They have run it on our computer system. There is no malware." And I think if the mics were turned on, I could hear everybody's heads hitting their desks several times over right now, because they actually installed a keylogger on their police computers. Do they not know what a keylogger is? I don't know. But then they went on. Oh, so let me tell you one other thing: so their IT people, when you research their IT people, the IT person's main job seems to be organizing the sheriff's office's annual rodeo, which apparently is like the fifth best outdoor rodeo in the country. Great on him for organizing the rodeo. Shame on him for not vetting the software. But then they also went on to attack us in the press, calling the EFF "an ultra liberal organization that is not in any way credible on this; they're more interested in protecting predators and pedophiles than in protecting our children." And so the question is, if we're not credible, why do they think ComputerCOP is credible? And the reason is that ComputerCOP was lying. ComputerCOP claimed in all of its promotional materials that the software was endorsed by the National Center for Missing and Exploited Children, as well as the ACLU, but I called both of these groups, and NCMEC said that sure, in 1998 they'd given a one-year endorsement.
And that was the limit of it. They hadn't been in contact for 15 years, and they were going to send a cease and desist to ComputerCOP. And then meanwhile, when I asked ComputerCOP who at the ACLU it was, they were like, oh well, it was the ACLU of Michigan, they said something in a news article once. The ACLU of Michigan came back and said, unequivocally, they did not endorse the product.
But the most, probably the strongest, piece of endorsement that they would circulate was this letter from the Treasury office saying that this is a great thing to spend your civil asset forfeiture money on, like, use your excess funds to buy this software, it's great. And I got a copy of this letter and I was like, huh. This looks a little strange. Like, I've seen government letters before. Usually there's a date, there's a return address, there's usually a line under here, this doesn't quite look like the logo. Something weird is going on here. And then I looked later in the letter, and you might be able to tell on the screen, but this middle paragraph is the really promotional paragraph, and it's in a larger font, it's spaced differently, and I'm like, there's something weird going on here. So I put in a FOIA request to try to get an original version of this document, and I included the version I had. And then a few days later, I didn't even get my documents back, but within a few days I got tipped off that the Treasury Department's inspector general had put a fraud warning on its website with a copy of this letter, saying that this letter purporting to be from the Treasury office is not genuine. So here we have a company actually fabricating a government document in order to get contracts. So the Treasury office ran an investigation. It took three years. They found that it was substantiated, and that at least three law enforcement agencies purchased the software having read that memo and thinking it was real. However, because ComputerCOP stopped using the letter and posted a disclaimer on its website, and because the investigation took three years and the statute of limitations is three years, they decided to just leave it at that. Meanwhile, ComputerCOP gets to still have its website and still sell its product to law enforcement agencies; now it's on USB instead of CD-ROM.
I also wanted to just sort of close the loop on this narrative and go back to Limestone County Sheriff Mike Blakely and see where he is today. He has been arrested on theft and ethics charges and is facing criminal trial in Alabama. So, there you go. All right.

The second thing I want to talk about is automated license plate readers. So these are cameras that law enforcement will install on streetlights and on highway overpasses, and they look for license plates, do OCR on the license plates, and upload them to a database with times, dates, and GPS coordinates. The idea is to build a database where you can search somebody's license plate and see wherever they were over a period of time, or to get real-time alerts on where they are if you're trying to track somebody. But that means there are all these cameras around the country that are just connected to the Internet, and for years there have been researchers like Darius Freamon and Dan Tentler, and a group of cybersecurity students at the University of Arizona, who have found and reported over and over again that these cameras are online without password protection, or with default passwords that are just there. And so my colleague Cooper and I decided that enough was enough. We were going to figure out who these belong to and get them to shut them down. And so the first thing we did was verify that, yes, you could go to a URL, and sometimes these were very obvious URLs, some of them we got the URLs through Shodan. And yeah, fair enough, you could go and there were the configuration settings, you could mess with those, you could bring up the camera and watch it live, you could siphon off the license plates through it, or you could connect via telnet and just get a flowing feed of the license plates.
You know, that was good, we confirmed that that was happening, but we still didn't know who they belonged to. Through the IP address and Shodan we had an idea of what city or region they were in. But if you look here, you can see there's a thing called camera name, and there's a lane name, so "28 and University East". Using that, along with the listing of where the IP address was, we were able to then go into Google Maps and Google Street View and basically virtually drive around the neighborhood until we could find the cameras. And once we matched them up, we found that most of the cameras were in the outskirts of New Orleans. There were a few at the University of Southern California, and there was one in Hialeah, Florida as well, but most of them were in this area, and they were all cameras belonging to this company called PIPS, which at the time was owned by 3M. And so we went to 3M at first, because we didn't know who the cameras belonged to; we knew where they were, but we didn't know what agency was responsible for them. And so 3M came back and said, you know, we stand behind our security features, we have a password feature, it's explained on the box how to set up the password. If the agency isn't going to actually put on a password, that's not our business. So this is the second time, in both of these cases, that we have a vendor not taking responsibility for a security issue. And so what we ended up doing: we knew the University of Southern California's cameras were among them, because the web URL was something along the lines of "PIPS cam one" at usc.edu. And so we emailed USC, and they came back, they took down the cameras, they fixed them. They thanked us for our time, they wanted to start an open dialogue about cybersecurity, and that was like the perfect response. I mean, actually it would have been more productive if they had just killed the whole program altogether, but at least they didn't malign us, they listened to us, and they took action.
A similar thing happened with St. Tammany Parish Sheriff Jack Strain. So, we had to send emails to all the law enforcement agencies in the New Orleans area saying, are these your cameras, they're unsecured. St. Tammany came back to us immediately. They thanked us for bringing it to their attention. They brought the cameras down, they mobilized their staff to start auditing the cameras and figuring out new solutions for putting up firewalls. But not only that, they reached out to all the other law enforcement agencies for us and got them to lock down their cameras as well. So this was a huge success story; this was exactly how a law enforcement agency should respond when someone like EFF comes to them. As a result of this whole situation with these cameras in New Orleans, we actually got some action in a political fashion related to this. At that same time that year, there was a bill passed by the Louisiana legislature to create a statewide network of license plate readers, in order to
catch people who weren't carrying insurance, who hadn't paid their insurance bills. But Bobby Jindal, the governor at the time, learned about what we'd done with St. Tammany and vetoed the bill, saying that these cameras create large pools of information that can be extremely vulnerable to theft or misuse. Unfortunately, Jack Strain, as good as he was on cybersecurity, has met the same fate as our Limestone County sheriff. He also, last year, was charged with corruption and is facing trial; however, Jack Strain actually has it worse off, because he's also charged with rape and incest as well. So it doesn't matter if you're good or bad on cybersecurity if you are an allegedly corrupt elected law enforcement officer. So, checking back in on these license plate readers: we looked at these back in, I think, 2016. Zack Whittaker of TechCrunch essentially duplicated the research in 2019 and found that there were 150 license plate reader devices still online, still searchable via the Internet, and the majority had default passwords set up. So, you know, even though we went through this whole thing, we got a lot of media coverage, and we were able to approach the law enforcement agencies, this is a problem that hasn't been solved and it's a lesson that hasn't been learned.

So when I talk to cops about cybersecurity, I bring up a few issues. First I say, don't collect more data than you can protect. It's very tempting to purchase every particular technology out there and collect everything in case it becomes useful, but every new piece of data you collect is another thing that you can lose. Don't purchase any technology that you can't independently verify. If you don't have the staff to be able to verify the claims, you need to hire a third-party auditor or a third party to do it. And if the company won't let you do that, then don't buy it. Also, this should be obvious: don't let your PR people make decisions about surveillance technology, and don't decide that it's better to get a press bump.
You know, don't take a shortcut on technology to get a press bump. Also, you've got to vet your vendors and not take them at their word; you've got to look into them, or at least Google them. And then also, I encourage law enforcement to defend encryption. There is this war against encryption among law enforcement, claiming that strong encryption facilitates crime. But ultimately, it's what protects us, and it doesn't just protect the privacy of regular people, which it does, but it also protects all this data that is held by police. And so if you weaken encryption for us, you're weakening encryption for police departments as well. And then finally, you know, police departments need to conduct meaningful audits, and these audits need to be designed to catch breaches and catch vulnerabilities, and not just the bare minimum so that they can say to the FBI, hey, we complied with your basic requirements. So that is all I have for now. I'll be happy to take questions in a second, but I do want to make sure that we spend some time with Emma talking about their project, BlueLeaks. I'll stop sharing right now, but I think I'm going to pass it back to Madison, who has some questions. Emma, you're good to go.
Yep. Sweet. So I'm just going to start with a few questions for you. And the first one is, can you introduce Distributed Denial of Secrets? What is it, how did it start, and what's its mission?
Distributed Denial of Secrets is a transparency collective that archives and publishes leaked and hacked data that is likely to be of public interest now or in the future. I co-founded the group in late 2018, and since then we have released over four terabytes of data, including Paco Leaks and Gore Leaks, which were Latin American breaches of police systems, and most recently and notably BlueLeaks.
Can you kind of explain what BlueLeaks is?
Yes, so BlueLeaks, in terms of data size, is one of, if not the largest, single breach of police systems that has been made public, certainly in the number of agencies that are directly affected. It is, I believe, just over 250 agencies and training and support resources that had their data in the breach. We published it in June, on June 10, and since then there have been dozens of articles in response, as well as the government seizure of our servers.
So, what kind of data is included in BlueLeaks, and where does it come from?
The data in BlueLeaks mostly deals with what's commonly known as fusion centers, information exchanges. Many people have pointed out that most of the servers affected seem to be run by Netsential, and an examination of the code found a lot of vulnerabilities in there that weren't even exploited, or fixed. Yeah.
And is there any particular release from BlueLeaks that you find to be your favorite or most important?
I think what seems most important so far, and I expect this to change and evolve in the coming years because it's not just a release for the immediate future, it's 24 years of data that is an important historical archive, but the thing that has struck me as most immediately relevant is exactly how low the bar is for these fusion centers to gather and share, heavy air quotes, "intelligence" on things in the name of situational awareness. These have included labeling a teen TikTok artist, a comedian, as training people how to riot and basically commit terrorist acts, by showing some tweets that were made by well-known comedians. It has shown that the fusion centers have passed on highly questionable intelligence, including claiming that services are being used to pay leftist protesters to riot. And this was an FBI alert that specifically cited a website that is a satirical website, and when the alert went out the website said, in giant red letters, "This website is fake." When confronted with these things, fusion centers have consistently defended it and said they're not responsible for vetting the information, that's up to specific law enforcement, and that it doesn't matter if the information is actually accurate or not, because it informs the preparations and stance of police, as well as their, quote, situational awareness. The fact that these situational awareness bulletins are often drawing from right-wing conspiracy theorists, including QAnon, doesn't really seem to be a problem to them, and they don't consider it as creating a situation where they're more likely to be violent with protesters, which is an odd stance to take when you are circulating warnings that leftist protesters are going to use car bombs to attack police stations, which, you know, of course was completely fabricated.
And what do you think this tells us about the cybersecurity of law enforcement agencies?
It tells us that they're not taking it seriously.
Like I said in the beginning, several people have looked at some of the code that was exposed in the breach, and it was woefully out of date. It appears that many of the agencies must not have even done proper audits, and the preparation they did in terms of security was an instance of cover your ass; that was it. And even afterwards, through the Freedom of Information Act, we got the TLP:AMBER alert that they sent out about BlueLeaks. And it has, at the end, a recommendations section, which says: be vigilant for new waves of phishing campaigns, use DKIM verification, update your antivirus, and don't click on strange links. That is the extent of their effort to fix things and educate their user base. And as a result, we're winding up with systems where they consistently gather information that they are not able to protect.
I'm getting word that it is time for us to start wrapping up, and so we will kick it back over to the HOPE moderators. Fantastic, thank you so much Madison, Dave, Emma. Thank you very, very much for this talk, again, "When Cops Get Hacked: Lessons (Un)Learned from a Decade of Law Enforcement Breaches." Lots of conversation in the Matrix chat, feel free to keep that going. Thank you very, very much to all of you.
Greetings from Philadelphia. This is Bernie S, and this is my botnet server of 50,000 honeybee bots in my backyard. Sweet.