Almost like an echo from retired hackers, those from the 90s who long ago faded into the ether, the motto for 2011 may have been along the lines of “hack the planet.” Yet there are some who obviously learned nothing about the consequences of maintaining sloppy security in 2011. In the cyber world, 2012 was not greeted by the boom of fireworks but by a double wham bam to law enforcement in California and New York. As the Office of Inadequate Security pointed out, “Members of the #Anonymous #AntiSec collective welcomed 2012 by dumping data from law enforcement-related organizations on both coasts.” A portion of the defacement can be seen on Kevin Townsend’s site.
As part of “pr0j3ct m4hy3m,” AntiSec hackers “defaced and destroyed” the official site for the California Statewide Law Enforcement Association (cslea.com). CSLEA is still not only down, but the sites hosted by CSLEA have been “wiped off the net.”
Part of the message left by Anonymous on the CSLEA site stated the “California police have a notorious history of brutality and therefore have been on our hitlist for a good minute now.” AntiSec hackers had a “good laugh” after reading some of the private email correspondence, but claimed to have been passing “around their private password list amongst our black hat comrades” for the past two months to guarantee more “abuse.” Furthermore, the hacktivists posted, “What we were really after was their membership rosters, which included the cleartext password to 2500 of their members, guaranteeing the ownage of many more California pigs to come.”
“Interestingly, CSLEA members have discussed some of our previous hacks against police targets, raising concern for the security of their own systems,” the hackers wrote. Apparently, “Ken” the CSLEA Computer and Networks Systems Technician, “made some rather amusing lies as to their security. He repeatedly denied having been hacked up until web hosts at stli.com showed him some of the backdoors and other evidence of having dumped their databases. We were reading their entire email exchange including when they realized that credit card and password information was stored in cleartext. This is about the time Ken changed his email password, but not before receiving a copy of the ‘shopper’ table which contained all the CCs. Too late, Ken.”
In all fairness, they did make an effort to secure their systems after discovery of the breach. They changed a few admin passwords and deleted a few backdoors. Shut mail down for a few days. They also finally decided to set a root mysql password, but we got the new one: “vanguard”. We noticed that you got rid of the credit card table, and most of the users in your database. Still haven’t figured out how to safely hash passwords though: we really loved your change from ‘redd555′ to ‘blu444′. Clever.
“All told, there were 1,076 e-mail addresses and clear-text passwords of people in California government (ca.gov), 321 of which were @doj.ca.gov addresses,” wrote to the Office of Inadequate Security. In regard to the ‘shoppers table,’ which was removed in November after CSLEA discovered the intrusion, it “included first and last names, e-mail addresses, company and address, phone and fax numbers, and other information on purchases – including dozens of entries with credit card type, full credit card number, and credit card expiration date. The credit card data were in clear text.”
The hackers also posted the message, “ON TO THE NEXT TARGET…. NEW YORK POLICE CHIEFS, OWNED AND EXPOSED !!!” As for law enforcement on the east coast, the AntiSec hackers wrote, “For our next owning we bring you multiple law enforcement targets in the state of New York, who has been on our crosshairs for some time due to their brutal repression of Occupy Wall Street.”
We’re dropping the md5-hashed passwords and residential addresses for over 300 Police Chiefs in the state of New York. We are also sharing several private mail spools of a few NY police chiefs. While most of the contents of these emails involve boring day to day office work and blonde joke chain emails, there were also treasure troves of embarrassing personal information as well as several “For Official Use Only” and “Law Enforcement Sensitive” documents discussing police methods to combat protesters.
WikiLeaks and Twitter accounts belonging to members of Anonymous and AntiSec have been tweeting:
It would seem like law enforcement would have taken steps to secure sites after the FBI warned in August, “The FBI assesses with high confidence a that law enforcement personnel and hacking victims are at risk for identity theft and harassment through a cyber technique called ‘doxing.'” It further advised taking precautionary measures such as “Safeguarding material containing personal information pertaining to officers and named victims.”
IdentityFinder has been posting the staggering data breach numbers, but has “not yet verified the data’s contents” for the CSLEA and NY law enforcement hacks. “If this breach turns out to be legitimate (and so far we have no reason to believe otherwise), it would constitute the most substantial hack against law enforcement in recent months.”
From the Stratfor hack, IdentityFinder claimed the there are now more than 3/4 of a million people affected. The detailed analysis from the data dumped on December 29 as part of LulzXmas so far includes “68,063 unique credit card numbers, 859,311 unique email addresses, 50,569 phone numbers and 860,160 hashed passwords, of which roughly 11.8% could be easily cracked.” It notes, “the breachers claim to be preparing to release 2.7 million internal Stratfor emails to the Internet soon.”
The Specialforces.com hack exposed “7,277 unique credit card numbers; 68,830 email addresses, of which 40,854 are unique; 36,368 plain-text usernames and passwords, some of which might be duplicates. The breachers claim to have ‘approximately 14,000 passwords.'”
If that’s not enough leaky news, anyone interested in purchasing a vehicle that is not only sure to cause a stir, but also might come with some unusual extras to make you a target, you may be interested in the WikiLeaks Top Secret Mobile Information Collection Unit being auctioned on eBay. A @wikileaks tweet called it the “most honest Ebay auction EVER: ‘Extras: – and possibly tracking bugs installed by the government.’