Slashdot Mirror


Police Department Loses Years' Worth of Evidence In Ransomware Incident (bleepingcomputer.com)

"Police in Cockrell Hill, Texas admitted Wednesday in a press release that they lost years' worth of evidence after the department's server was infected with ransomware," reports BleepingComputer. "Lost evidence includes all body camera video, some in-car video, some in-house surveillance video, some photographs, and all Microsoft Office documents." An anonymous reader writes: Most of the data was from solved cases, but some of the evidence was from active investigations. The infection appears to be from the Locky ransomware family, one of the most active today, and took root last December, after an employee opened a document he received via a spam email. The police department backup system apparently kicked in right after the infection took root, and created copies of the already encrypted data. The department did not pay the $4,000 ransom demand and decided to wipe all its systems.

131 comments

  1. mmmmmm... by Anonymous Coward · · Score: 0

    Rubs chin, thinks camera evidence may not have been favorable. "Dog ate my homework" get out still works.

    1. Re: mmmmmm... by Anonymous Coward · · Score: 0

      Many smaller police departments don't have an IT department to rely on. They have an officer who has a computer at home and has maybe done a website or two and congratulations, you are the internal technology person.

    2. Re: mmmmmm... by Anonymous Coward · · Score: 0

      Your hypothetical IT officer must be middle aged. Website. Why not an app?

    3. Re:mmmmmm... by meerling · · Score: 4, Insightful

      So they're trying to claim that they didn't have any other backups?
      They lost 8 years of files... Because it did a backup right after the encryption...
      THE MORONS ONLY HAD ONE BACKUP!!!!

      There is so much wrong with this from a security standpoint that whatever fool made that decision needs to either be fired, or at least removed from any influence over IT.

      As the old saying goes:
          So when did your data become important to you, before or after you lost it?

    4. Re:mmmmmm... by Anonymous Coward · · Score: 0

      I'm pretty sure that such a complete lack of backups is criminally negligent.

  2. Backups? by WalksOnDirt · · Score: 3, Informative

    It sounds like they only had one backup, and that promptly got overwritten. It should be standard procedure to have an offsite backup as well. I always did.

    --
    a,e,i,o,u and sometimes w and y (at be if of up cwm by)
    1. Re:Backups? by rbanffy · · Score: 1

      This.

      Also, didn't they think of properly set file permissions?

    2. Re:Backups? by geekmux · · Score: 1

      It sounds like they only had one backup, and that promptly got overwritten. It should be standard procedure to have an offsite backup as well. I always did.

      A backup implies exactly that regardless of medium or location, and if the backup runs after the infection, then you're doing nothing but backing up (ransomware) encrypted data.

      The end result is you're still fucked.

    3. Re:Backups? by bsolar · · Score: 1

      Not to mention archived backups from various points in time.

    4. Re: Backups? by Nidi62 · · Score: 2

      What's the point of even doing a backup if you overwrite the only copy every time? If the backup ran after he opened the file, you should be able to access the previous backup.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    5. Re:Backups? by Anonymous Coward · · Score: 0

      It's also standard procedure that offsite backups have to be paid for and maintained, and from second-hand stories from IT friends in publicly funded organizations, that is not an easy thing to argue for in a budget. Most of these situations are great ideas because we don't factor in the cost of doing it right vs the cost of recovering when whatever we're preventing happens.

      The department decided the data wasn't worth the $4,000 ransom (assuming paying the ransom would actually get the data back). The cost to maintain a proper backup solution will likely be more than 10x that per year.

    6. Re:Backups? by dgatwood · · Score: 1

      The phrase that comes to mind is, "An automatically mirrored copy is not a backup."

      Any real backup strategy requires versioning. For example, my personal data backups involve a NAS providing storage for Time Machine. If a ransomware attack screwed up my Mac, I would have multiple backups that I could restore from, and if the ransomware attacked while the backup was running and corrupted the entire backup volume, I could still roll back the NAS volume to its most recent daily snapshot and restore the Time Machine backup, and I would lose less than one day of changes. And I'm in the process of setting up a clone to an off-site NAS on the other side of the country.

      For evidence in an active investigation, I would expect at a bare minimum multiple offsite, offline backups of everything, even if that just means that whatever officers/agents are working on the case keep a copy on their individual laptops. Anything less than that is gross negligence. And this is why we need a federal IT department that provides services to all of these agencies.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    7. Re:Backups? by bsolar · · Score: 1

      A backup implies exactly that regardless of medium or location, and if the backup runs after the infection, then you're doing nothing but backing up (ransomware) encrypted data.

      The end result is you're still fucked.

      Only if you foolishly overwrite all previous backups so that only the last version remains. If that's how their backup works, then it's severely lacking given the importance of the data in question. What if you need a file and discover it got corrupted, and it might have been corrupted months ago?

    8. Re:Backups? by Anonymous Coward · · Score: 0

      Don't they have physical hard copy of all the evidence for situations like this? Yes it'll take work to file them in the system again but they are always there.

    9. Re:Backups? by guruevi · · Score: 1

      Not what backup means, you're describing a RAID or other sort of mirror (even if it is delayed). Redundancy is not the same as a backup.

      A backup has history, you could use snapshots or tape rotations or whatever, but older versions cannot be overwritten by newer versions, in most (best) cases, older versions cannot be written to period (the tape could have a physical tab or the storage system does not allow writing). When things change (eg. they are encrypted), you would see a very large backup if you're doing incremental backups (since all files changed simultaneously).

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
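The distinction drawn in the last few comments (dgatwood's "an automatically mirrored copy is not a backup" and guruevi's point that an incremental backup suddenly gets very large when every file changes at once) can be made concrete in code. The following is an added example, not code from the original thread or from any backup product: an in-memory model of the two designs run against the same constructed data set. The "mirror" overwrites its single copy on every run; the "versioned" store is content-addressed, never rewrites an existing blob, and records how many files changed per run, which is the signal an operator would alarm on. File names, contents, and the 50% change-ratio threshold are all constructed for the example.

```python
"""Overwrite mirror vs. versioned snapshot store, plus a change-ratio alarm.

Constructed example: the live data set is a dict of path -> bytes, and a
"backup run" is a method call rather than a scheduled job on real media.
"""
import hashlib
from dataclasses import dataclass

# Assumption for the example: a run where more than half of all files changed
# is abnormal. Real thresholds should come from the site's own baseline.
CHANGE_RATIO_ALARM = 0.5


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class MirrorBackup:
    """Single copy overwritten on every run: nedlohs' 'really slow RAID'."""

    def __init__(self):
        self.copy = {}

    def run(self, live):
        self.copy = dict(live)          # whatever is live now replaces the copy

    def restore(self):
        return dict(self.copy)


@dataclass
class Snapshot:
    manifest: dict   # path -> content hash at the time of the run
    changed: int     # files whose hash differs from the previous snapshot
    total: int


class VersionedBackup:
    """Content-addressed store: blobs are written once and only referenced
    by later snapshots, so older versions cannot be overwritten by newer ones."""

    def __init__(self):
        self.blobs = {}
        self.snapshots = []

    def run(self, live):
        prev = self.snapshots[-1].manifest if self.snapshots else {}
        manifest, changed = {}, 0
        for path, data in live.items():
            h = _digest(data)
            self.blobs.setdefault(h, data)   # never overwrite an existing blob
            manifest[path] = h
            if prev.get(path) != h:
                changed += 1
        snap = Snapshot(manifest, changed, len(live))
        self.snapshots.append(snap)
        return snap

    def restore(self, index=-1):
        """Rebuild the data set as it was at any retained snapshot."""
        manifest = self.snapshots[index].manifest
        return {p: self.blobs[h] for p, h in manifest.items()}


def change_ratio(snap):
    return snap.changed / snap.total if snap.total else 0.0


def alarm(snap):
    """True when a run rewrote an abnormal share of files. The initial full
    backup is 100% 'changed' by definition, so only compare later runs."""
    return change_ratio(snap) > CHANGE_RATIO_ALARM


def simulate_encryption(live):
    """Stand-in for ransomware rewriting every file: XOR each byte with a
    constant so every file's content (and hash) changes. Not real crypto."""
    return {p: bytes(b ^ 0x5A for b in d) for p, d in live.items()}


def scenario():
    live = {   # constructed sample data
        "bodycam/2016-12-01.mp4": b"constructed body camera footage",
        "incar/unit-7.mp4": b"constructed in-car video",
        "reports/case-17.docx": b"constructed report text",
    }
    mirror, versioned = MirrorBackup(), VersionedBackup()
    mirror.run(live)
    versioned.run(live)                       # initial full backup
    live["reports/case-17.docx"] = b"constructed report text, amended"
    mirror.run(live)
    normal = versioned.run(live)              # ordinary day: one file edited
    pre_infection = dict(live)
    live = simulate_encryption(live)          # every file rewritten
    mirror.run(live)                          # scheduled job copies ciphertext
    infected = versioned.run(live)
    return {
        "mirror_recovers_originals": mirror.restore() == pre_infection,
        "versioned_recovers_originals": versioned.restore(-2) == pre_infection,
        "normal_change_ratio": change_ratio(normal),
        "infected_change_ratio": change_ratio(infected),
        "alarm_on_normal_run": alarm(normal),
        "alarm_on_infected_run": alarm(infected),
        "snapshots_retained": len(versioned.snapshots),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

After the simulated infection the mirror holds only ciphertext, while the versioned store still restores the snapshot taken before it, and the run that copied the encrypted files stands out with a 100% change ratio against a normal day's one-file-in-three. What the in-memory model cannot show is the other half of the thread's argument: the store only keeps its history if the infected host cannot write to it directly (write-once media, an unmounted target, or a service that exposes no delete path), otherwise the same malware that rewrites the live files can rewrite the blobs.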
    10. Re:Backups? by Anonymous Coward · · Score: 0

      Physical copy from body cam/dash cam and surveillance video? You mean old fashion films and paper photos, right?

    11. Re:Backups? by guruevi · · Score: 1

      For 40k/year I can easily set up a 200TB storage system, host it in a datacenter and professionally maintain it. $4000 buys you about 20TB which would probably last about 3-5 years without maintenance and that should be sufficient to back up pretty much everything in that police department with 3 months of retention.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    12. Re:Backups? by guruevi · · Score: 1

      Hell no, a federal government IT department? You mean, a bunch of bureaucrats charging $100k/y for a 10TB storage unit because 'vendors' from the Gartner Triangle recommended it to them and attached a huge IBM and Oracle contract to it.

      What these small departments need is to find and hire a local IT person or if they can't afford an IT person (if you have less than 200 devices, you don't need a dedicated IT person), contract with a local company, there are plenty everywhere, they will take care of these sorts of issues for less than the consultancy fee on a government agency contract.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    13. Re: Backups? by Anonymous Coward · · Score: 0

      You're describing a good backup system, however historical snapshots aren't a requirement in the definition of a backup.

    14. Re: Backups? by Anonymous Coward · · Score: 0

      You're forgetting to pay the salary of the person qualified to oversee and periodically test the backup procedure. Also, being sensitive law enforcement data probably prevents them storing it on public data centers by law.

    15. Re: Backups? by silas_moeckel · · Score: 1

      A single copy that's overwritten every time it's run is not a backup of any nature; it's a copy.

      Why would evidence be stored on an internet accessible or even online thing? Computer forensics 101 is get the drive cloned, bagged, tagged, and stored; all other digital evidence should be the same. How they can fail at such basic levels of evidence preservation is astounding. Really, anything not on a write-once medium since the time it was collected should be suspect.

      --
      No sir I dont like it.
    16. Re:Backups? by Anonymous Coward · · Score: 1

      " $4000 buys you about 20TB"

      One could build an 8 bay, 32 TB, Raid 6 NAS for around $2000.

    17. Re:Backups? by aaarrrgggh · · Score: 1

      You can also run into backup drive space issues with locky if you run incrementals and keep historical backups on a space-available basis only. If you have less than ~300% space on your backup system this can become an issue pretty easily. When you are set up for incrementals, often a full backup will take several cycles and require even more space.

      Doesn't excuse not having offline backups, but in the post-tape world that gets harder and harder.

    18. Re: Backups? by vux984 · · Score: 1

      What's the point of even doing a backup if you overwrite the only copy every time?

      This is among the least expensive in terms of storage and in terms of time. You can do an rsync between a local and offsite storage, get a couple redundant copies easily and simply.

      It prevents against a non-malicious system failure... e.g. a hard drive going bad.

      Yes, its wholly inadequate vs ransomware, or malicious file modification, or gradually failing hardware that is corrupting data.

      But even so it remains one of the most common backup strategies because it is simple and inexpensive. And police IT budgets, despite their seeming propensity to buy needless military surplus, are generally very tight.

    19. Re:Backups? by CaptainDork · · Score: 1

      Yeah, but what about the day BEFORE the infection?

      And the day before that, going back in time.

      I worked two law firms -- half day each -- and one wanted 7 days of rolling backup. The other wanted 30 days of rolling backup.

      For the first site, 6 external hard drives (EHD) were always offsite, and for the second, 29 EHD were always offsite.

      In both cases, the firms' management made the call regarding:

      1.) Cost of backup hardware and offsite storage
      2.) Risk of record retention -- especially email.

      The law firms were not required, by law, to retain emails at all.

      They were, however, required to provide the emails as discoverable in litigation.

      Neither were ever subpoenaed during my tenure, but each, separately, would have been incapable of complying with any email data requests going further back in time than their oldest backup.

      --
      It little behooves the best of us to comment on the rest of us.
    20. Re: Backups? by Saithe · · Score: 1

      It's only tight because those that hold the money don't have to think about this when it's only a "what if" scenario. Hopefully they now know it's a necessary investment.

    21. Re:Backups? by nedlohs · · Score: 1

      So you restore from the day before that instead of the most recent one.

      The whole idea of backups is you can restore to some point in the past - with the size of that window and the granularity within it depending on how much you want to spend...

      If you just have one copy then you don't have a backup, you have a really slow RAID.

    22. Re: Backups? by turbidostato · · Score: 1

      "This is among the least expensive in terms of storage and in terms of time."

      No, it isn't. In terms of time it is much quicker to backup to /dev/null, and even backups to /dev/null get surpassed both in time and storage by not doing backup at all.

      And, in this case, it seems they offer exactly the same result, so why don't they make it clear (and cheaper) what they are really accomplishing?

    23. Re: Backups? by whoever57 · · Score: 2

      What's the point of even doing a backup if you overwrite the only copy every time?

      Like many, you don't understand the difference between a backup and an archive. A backup is meant to preserve data in the event of a hardware or other failure. An archive is supposed to preserve the data as it was at some point in history.

      --
      The real "Libtards" are the Libertarians!
    24. Re:Backups? by amxcoder · · Score: 1

      Proper backups would be able to go back to a certain date and recover the data from before the files were locked out. Even if one set of backup data was completely lost, an older backup set should have been available to get back 99% of the data minus maybe very recent changes, and even that is normally considered a worst case scenario in restoring backups.

      It's best to be able to get up to the minute backups, or roll back file versions. But the reality is, you might be so screwed that you have to go back to a "known good date" and deal with the loss of the data from that date to current date. Preferably this span of time is only a day or two, or as little time as is feasible.

    25. Re:Backups? by Solandri · · Score: 1

      Incremental or differential backups would've noticed "Hey, this file has changed from before. I'd better keep a copy of the previous version around just in case."

    26. Re: Backups? by CaptainDork · · Score: 3, Interesting

      Retired IT here, after 34 years.

      It's not easy being a cost center.

      I was always on the wrong side of the ledger.

      All of my meetings with management were about spending money that they had to recover.

      Sometimes a new implementation would be an instant money-saver, but that was not very often.

      I insisted on one of two (2) things:

      1.) Acceptance of my recommendations or
      2.) An official email quoting my recommendation, along with the rejection of same.

      2.) was, on occasion, the answer to the question, "How in the hell could you let this happen?"

      --
      It little behooves the best of us to comment on the rest of us.
    27. Re: Backups? by Anonymous Coward · · Score: 0

      so it is *among* the least expensive. Original never said *the* least expensive

    28. Re:Backups? by Anonymous Coward · · Score: 0

      They were, however, required to provide the emails as discoverable in litigation.

      Neither were ever subpoenaed during my tenure, but each, separately, would have been incapable of complying with any email data requests going further back in time than their oldest backup.

      At home, I have almost 6GB of email archives. Some emails were lost around 1999, and a few have had their attachments detached, but most exist.
      At work, I have more than 40GB of archives in the present job, with only junk deleted. I have had that job (with promotions) for about 15 years.

    29. Re:Backups? by WindBourne · · Score: 1

      exactly.
      Something is REALLY fishy about this one.
      Hopefully, the FBI looks into it, but with this admin, I doubt it.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    30. Re: Backups? by Anonymous Coward · · Score: 0

      Or, you could put it in AWS Glacier for a monthly fee of $200 per month.

    31. Re: Backups? by sjames · · Score: 1

      The whole cost center thing is a silly over-simplification anyway. If it enables the company to have revenue it is a profit center. The question they should be asking is if we replaced all of this IT stuff with a building full of people with spindles and adding machines, a big warehouse full of documents and a bunch of people to run documents back and forth, how much extra would that cost and how much would it slow us down.

      IT is a cost center like sales and marketing is a cost center. You have to pay sales and marketing people, and you have to buy them equipment. You have to hire people to set up and take care of that equipment for them.

    32. Re: Backups? by CaptainDork · · Score: 1

      TL;DR but a scan informs that IT is a cost center.

      --
      It little behooves the best of us to comment on the rest of us.
    33. Re:Backups? by sjames · · Score: 1

      Unless they routinely deleted email on reading, the backups might contain inboxes containing years of emails.

      OTOH, unless there is a specific data retention requirement, discovery is for things you have. If things missing from discovery are consistent with your retention policy (showing that you didn't make a mad rush to delete things to avoid discovery), you're fine.

    34. Re: Backups? by sjames · · Score: 1

      In the sense that EVERYTHING is a cost center, yes. It is not as in the management over-simplification where some departments are magically profit centers even though they also cost money.

    35. Re:Backups? by CaptainDork · · Score: 1

      Your point is well-taken.

      The only real protection from discovery would be the non-existence of emails (or other data) deliberately deleted prior to any overwrites with the backup.

      --
      It little behooves the best of us to comment on the rest of us.
    36. Re: Backups? by CaptainDork · · Score: 1

      My wheelhouse is small in that I was the systems department.

      I'm not qualified to fantasize about the cost of light bulb changers and shit.

      I am an eye-witness to my own lengthy career and it's my call, not yours, regarding my position on the ledger that put me in the category of cost center.

      So it is written, so let it be done.

      --
      It little behooves the best of us to comment on the rest of us.
    37. Re:Backups? by dshk · · Score: 1

      and then the ransomware encrypts the content of the $2000 NAS completely. Offline backups are also necessary. Offline backups with history. Very long history.

    38. Re: Backups? by sjames · · Score: 1

      I didn't claim management didn't do that, just that it is wrong headed and results in problems.

    39. Re: Backups? by CaptainDork · · Score: 1

      It is wrong-headed for business managers to do risk analysis of data security.

      In my world of IT management, we all knew, from firm to firm, what best practices would allow us to be top-notch gatekeepers.

      Business made the decisions because they were the owners of the data.

      IT managers and staff were simply the custodians.

      --
      It little behooves the best of us to comment on the rest of us.
    40. Re: Backups? by sjames · · Score: 1

      No, wrong headed to decide one department is a profit center and gets gold toilets and another gets scraps because they are a cost center.

      Risk analysis is fine, but only when that analysis is done by people smart enough to know that every center has a cost and every center brings profits. Those odd ideas about cost centers and profit centers lead to poor decisions which lead to bad results, like a police department that's loaded for bear but then loses all the digital evidence.

      The fact that you had to keep an evidence file suggests the management regretted more than one of those decisions. Otherwise they would have already known how it happened and would be ready to write it off as a worthwhile risk that didn't pay off.

    41. Re: Backups? by CaptainDork · · Score: 1

      We didn't have gold toilets.

      Perhaps you're thinking of this case.

      --
      It little behooves the best of us to comment on the rest of us.
    42. Re: Backups? by sjames · · Score: 1

      Of course not, you were a "cost center". Also apparently bad at metaphor.

    43. Re: Backups? by Sabriel · · Score: 1

      Your assumption of whether GP understands the difference is irrelevant to their argument: that during the period where your system is overwriting the only copy, you don't have a backup* to "preserve data in the event of a hardware or other failure"...

      Oh, and also? While an archive is not necessarily a backup, a backup is inherently an archive.

      * (you may have part of a backup, maybe even parts of two backups, depending on how your backup process overwrites the old one with the new one, but I certainly wouldn't be counting on being able to recover a full backup out of the pieces)

    44. Re:Backups? by The-Ixian · · Score: 1

      Meh, it's only evidence. We all know that police don't care about that.

      --
      My eyes reflect the stars and a smile lights up my face.
    45. Re: Backups? by Agripa · · Score: 1

      It it is not sales, then it is overhead.

    46. Re: Backups? by CaptainDork · · Score: 1

      I never met a 4 I didn't like.

      --
      It little behooves the best of us to comment on the rest of us.
    47. Re: Backups? by vux984 · · Score: 1

      And, in this case, it seems they offer exactly the same result

      Yes *In this case*.

      But in other cases -- such as the building it is in being destroyed in a fire or the hard drive/raid array getting fried by lightning or a power surge etc -- a simple rsync job offers an actual offsite backup copy that they can restore data from.

      It's a legitimate backup strategy for a lot of use cases. In terms of risk management, guarding against hardware loss or failure was historically the big one. Only recently has the 'malicious modification of files' rocketed to the top of the list both in likelihood of it happening and severity -- thanks to the rise of ransomware.

    48. Re: Backups? by sjames · · Score: 1

      That seems to be the misguided belief. Naturally, they would like for the product to just appear in the warehouse for free, but likewise as long as they're wishing, they would like the potential customers to spontaneously wire money to them. Thus, in reality sales is also overhead.

      Even janitorial services should be counted as savings since otherwise they would have >100K/year engineers or multi-million a year CEOs spending their expensive time waxing the floor in the lobby. Alternatively, they would lose everything as people flee from their filthy and trashed work environment. It wouldn't be very impressive to major clients either.

    49. Re: Backups? by Anonymous Coward · · Score: 0

      But in other cases -- such as the building it is in being destroyed in a fire or the hard drive/raid array getting fried by lighting or a power surge etc -- a simple rsync job offers an actual offsite backup copy that they can restore data from.

      No, it doesn't.

      It is not "backup", it is "redundancy".

      Having redundancy is useful for protecting against hardware failure. Improperly calling it a backup, is not.

    50. Re: Backups? by turbidostato · · Score: 1

      "a simple rsync job offers an actual offsite backup"

      You don't understand what a back up is.

      Hint: if it is not fully decoupled from the original source (as in "air gap") it is not a backup. So an off-site rsync is not a backup; an off-site rsync and tarring the result from time to time to an external device *may* be a backup.

      You are probably in the league of those that think RAID5 is also a backup strategy ("sure, not always, not perfect, but in some simple cases...").

      "Only recently has the 'malicious modification of files' rocketed to the top of the list"

      The "my dog ate my homework aka I mistakenly deleted a file can you recover it?" has *always* been the number one cause of checking out a restore, closely followed by "damn! all our boxes are infected by a virus/our main server has BSOD'ed, let's reinstall and recover from backups" in windows-land. Ransomware is -alike those "evolution clocks", a 23:59:59 event.

    51. Re: Backups? by vux984 · · Score: 1

      You don't understand what a back up is.

      Give it a rest. I know full well what a back up is.

      Hint: if it is not fully decoupled from the original source (as in "air gap") is not a backup.

      Someone running crashplan or carbonite etc has a backup that is resilient to ransomware, hardware failure, malicious tampering, etc. That is enough of a backup to mitigate most modern threats. It has incremental backups and versioning, and preserves deleted files. And it's not a mounted remote folder, so a malicious process/user running your computer can't run amok and delete the backups. By itself, it's not perfect, but it's sufficient for a lot of entities.

      You are probably in the league of those that think RAID5 is also a backup strategy ("sure, not always, not perfect, but in some simple cases...").

      A raid5 is an availability strategy. It has an element of redundancy, and you can survive a disk failure without data loss, but it is not a backup.

      The "my dog ate my homework aka I mistakenly deleted a file can you recover it?" has *always* been the number one cause of checking out a restore,

      damn! all our boxes are infected by a virus

      The massive majority of all virus infections prior to the recent rise of ransomware shoveled ads at the interactive user, or turned the system into part of a botnet or both, or exfiltrated passwords and banking information. Only a tiny fraction of a percent ever trashed the users data files... because until ransomware there wasn't any money in that. So the data files tended to be ok, and rsync was fine.

      our main server has BSOD'ed, let's reinstall and recover from backups"

      The rsync to remote sites works fine for this scenario too.

    52. Re: Backups? by vux984 · · Score: 1

      If I have a tape drive, and 7 tapes, one labelled for each day of the week, and each day I rotate the tape.

      This gives me about a week of backups. Lots of entities use strategies like this. It is certainly a backup strategy... it has a few flaws. It's vulnerable to the building catching fire. It's vulnerable to a malicious file deletion or modification if it goes undetected for more than a week.

      Likewise, having 2 scheduled rsync jobs to 2 remote sites is a backup strategy. It has some advantages over the tape strategy above. It has some weaknesses.

      A comprehensive backup strategy is incremental, goes back much longer, perhaps indefinitely, has redundant offsite components etc. It might also need deletion features to go back and 'delete' things you need to delete from the backups. Lots of places don't have this. Because it's a lot more expensive in terms of bandwidth and storage and dollars and maintenance time.

      Having copies of your data in more than one place to guard against risks to your primary copy is a backup. It may not be a good backup strategy. It may be wholly inadequate.. but you are just being overly and weirdly pedantic by suggesting that it is improper to call additional copies of the data a 'backup'.

      as for a RAID... that's where calling it a backup gets dicey because it really doesn't guard against ANYTHING except a drive failure. So calling THAT a backup is pushing it.

      But even an external flash drive that you copy your files to and take home for the night is a backup. A lousy backup strategy with lots of issues. But good enough for a surprisingly large number of threat scenarios.

    53. Re:Backups? by Anonymous Coward · · Score: 0

      An offsite "backup" would be just as pointless. It just gets overwritten too.

      What you need is a real backup system, not just one copy of the current data. Keep a timeline for every file. For evidence I would think the law (chain of evidence) would require every single change to be backed up. So no deleting the daily backups after a week and only keeping weeklies. KEEP IT ALL.

      As a defense attorney I would file to reopen every single case lost in the last 8 years because the evidence could have been tampered with without the "backup" system recording it.

    54. Re: Backups? by Agripa · · Score: 1

      I do not disagree with anything you said. I just have run across this attitude before.

    55. Re: Backups? by Coren22 · · Score: 1

      https://www.google.com/search?...

      By definition, backups are just copies. A single copy that is overwritten daily is still a backup. It isn't a good backup plan, but it is not less of a backup by being only a copy.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    56. Re:Backups? by Coren22 · · Score: 1

      How is it able to overwrite the snapshots?

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    57. Re: Backups? by silas_moeckel · · Score: 1

      From your own cited definition copies plural a single is just a copy.

      --
      No sir I dont like it.
  3. "backup" by akozakie · · Score: 2

    The police department backup system apparently kicked in right after the infection took root, and created copies of the already encrypted data.

    Backup. You keep using that word. I don't think it means what you think.

    If you automatically overwrite previous data with no way to restore some older state, meaning that at a given moment you may only have a copy a few minutes old and no older state - it's not backup. It's just a secondary remote copy. Useful against heavy physical damage to the primary storage (or the whole machine), but nothing else. If it's not even remote, it's not useful for anything.

    1. Re:"backup" by fluffernutter · · Score: 4, Interesting

      Sadly, the people who know this are commonly determined to be too expensive to employ. So, they get what they pay for.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    2. Re:"backup" by Anonymous Coward · · Score: 0

      Yes. Ransomware is not entirely to blame. It was only a matter of time before disaster struck. A spilt cup of coffee, hit n run, sunspots, earthquakes, fire and brimstone raining down from the sky, dogs and cats living together, mass hysteria!

    3. Re:"backup" by Anonymous Coward · · Score: 0

      Indeed. The absolute bare minimum here would have been for it to delete the previous spare copy, rename the last copy and then create a new copy in the place of the old one.

      Which is OK, as long as you have some way of knowing that the files haven't been corrupted some time before yesterday.

      It's really asking for trouble, but if you send those files off site somewhere, that would be the bare minimum to be able to properly refer to it as a backup.

    4. Re:"backup" by Coren22 · · Score: 1

      https://www.google.com/search?...

      Or they are using the word exactly correctly? Just because it isn't a well thought out backup scheme, does not mean it is not a backup.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  4. A link to scribd? That unreadable mess? by BarbaraHudson · · Score: 1

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  5. MABA by Anonymous Coward · · Score: 0

    Make America Backup Again, one ransomware exploit at a time!

  6. includes all body camera video, some in-car video. by Anonymous Coward · · Score: 0

    Sounds like an inside job cover-up.

  7. Intentional infection? This doesn't add up. by geekmux · · Score: 5, Interesting

    "Most of the data was from solved cases, but some of the evidence was from active investigations...the department did not pay the $4,000 ransom demand and decided to wipe all its systems."

    I'm sorry, but one legal firm can rack up more than $4000 in legal fees in a single day.

    You're going to tell me that the active investigations along with the potential liability of not holding data for years worth of solved cases was somehow not worth $4000?

    The numbers just don't add up here. At all. Hate to go all conspiracy theory, but this sounds more like an intentional infection and a premature decision to wipe data that might have shown a bad light on a certain law enforcement actions.

  8. Feels like we're heading backwards by rmdingler · · Score: 1
    This is exactly the sort of ammunition current power players will use to condemn the use of technology.

    After all, computers have complicated lives very greatly.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:Feels like we're heading backwards by EvilSS · · Score: 1

      Yeah, to those people I say: fire. How many paper records have been lost to fires? Just look at what happened with the National Personnel Records Center in St. Louis. Tens of millions of records lost.

      Bad practices are bad practices, be it with physical copies or digital.

      --
      I browse on +1 so AC's need not respond, I won't see it.
  9. Re:Intentional infection? This doesn't add up. by Kohath · · Score: 4, Interesting

    Any evidence that was altered by ransomware would get challenged by a defense attorney. Maybe they decided they didn't need to pay ransom for evidence that had built-in reasonable doubt.

  10. How the fuck? by Anonymous Coward · · Score: 1

    How do they not have a proper storage array with snapshot and remote copy functionality to provide both point in time "backups" as well as offsite replication?

    Even if they couldn't afford that why weren't they doing disk to disk backups using removable drives or backing up to a local tape drive and rotating the tapes daily?

    I sure hope somebody got fired for this...

    1. Re:How the fuck? by Anonymous Coward · · Score: 0

      All of those items cost money. The cops would rather spend that money on surplus armored vehicles and desert camo gear from the Iraq war. I work in a small company and we had one idiot infect the company with Locky. It was an email from herself to herself with a zip file attached. She had to open that zip file, open the JavaScript file and then OK for something to run. A while later she asked me why the icons on her desktop looked "funny". Microsoft Security Essentials actually did catch the program, but not before it trashed a few unimportant network shares.
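The infection chain described in the comment above (a zip attachment, a .js file inside it, a double-click that hands the script to Windows Script Host) is something a mail gateway can refuse before anyone gets the chance to click. The script below is an added example, not code from the commenter's company or from the article: it parses a raw message with the standard library, looks inside zip attachments, and flags any member whose name ends in an extension Windows will execute on double-click or that can carry Office macros. The sample message, the addresses and the extension list are constructed for the example; the extension list is an assumed policy, not a complete one.

```python
"""Mail-gateway check for script files hidden inside zip attachments (added example)."""
from __future__ import annotations

import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed policy: extensions Windows hands to WScript/cmd on double-click,
# plus macro-capable Office formats. Extend to taste; this is not exhaustive.
BLOCKED = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".scr", ".exe",
           ".cmd", ".bat", ".ps1", ".docm", ".xlsm", ".pptm"}


def is_blocked(name: str) -> bool:
    """Case-insensitive suffix match, so 'Invoice.PDF.JS' is caught as well."""
    n = name.lower()
    return any(n.endswith(ext) for ext in BLOCKED)


def risky_members(filename: str, payload: bytes) -> list[str]:
    """Flag the attachment itself and, if it is a zip, any blocked member inside it."""
    hits = [filename] if is_blocked(filename) else []
    if zipfile.is_zipfile(io.BytesIO(payload)):
        with zipfile.ZipFile(io.BytesIO(payload)) as z:
            hits += [f"{filename}:{m}" for m in z.namelist() if is_blocked(m)]
    return hits


def scan_message(raw: bytes) -> list[str]:
    """Return the list of attachment members a gateway should quarantine (empty = clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits: list[str] = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        hits += risky_members(part.get_filename() or "", payload)
    return hits


def build_sample(with_script: bool) -> bytes:
    """Constructed message shaped like the one in the comment: sender == recipient, zip attached."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if with_script:
            z.writestr("invoice_2016-12.js", "// constructed stand-in, not a real downloader")
        else:
            z.writestr("invoice_2016-12.pdf", "%PDF-1.4 constructed stand-in")
    msg = EmailMessage()
    msg["From"] = "clerk@pd.example"   # constructed address
    msg["To"] = "clerk@pd.example"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample(True)))   # the zip-with-.js case from the thread
    print(scan_message(build_sample(False)))  # same shape, harmless member
```

Two caveats a practitioner would add: a password-protected or nested archive defeats inspection, so the gateway should quarantine what it cannot open rather than pass it; and this is only the outer layer. On the workstations, re-associating .js/.jse/.vbs/.wsf with Notepad instead of Windows Script Host means a user who does get the file cannot run it with a double-click, which is the step the comment describes.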

    2. Re:How the fuck? by drew_92123 · · Score: 1

      Because most smart folks don't want to be cops, and most cops aren't all that smart...

    3. Re:How the fuck? by hey! · · Score: 1

      Well, clearly their spending priorities are wrong. Police are not a paramilitary organization; they don't exist to fight battles although that happens sometimes. Their primary function is to bring miscreants to justice, along with the evidence needed to obtain a conviction. If they can't do that there's no reason to spend money on police at all; you could just put the money into the National Guard instead.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    4. Re:How the fuck? by Anonymous Coward · · Score: 0

      How do they not have a proper storage array with snapshot and remote copy functionality to provide both point in time "backups" as well as offsite replication?

      Because cops are fucking dumb. Remember the stupid violent kids at school? The ones who weren't good at sport became cops.

  11. Re:Intentional infection? This doesn't add up. by Anonymous Coward · · Score: 3, Insightful

    Maybe they decided to do the right thing and not fund criminals. We need more people to do the same thing. If nobody paid, ransomware would stop being a thing. Plus, the evidence should now be considered compromised anyway.

  12. Re:Intentional infection? This doesn't add up. by gravewax · · Score: 4, Insightful

    The numbers add up perfectly; you just aren't adding up the right numbers. The system has already been compromised, so how could they possibly trust any data as evidence after recovery? On top of that you have the government stance of never paying ransom. Looks to me like they took the right approach.

  13. Re:Intentional infection? This doesn't add up. by guruevi · · Score: 3, Interesting

    It is $4000 to a criminal organization; it's illegal (especially for government agencies like a POLICE department) to make any payment and become complicit in the criminal activity.

    On the other hand, $4000 is what they start off with. I heard of a company that got hit with $10k in ransom demands; a few days later they realized their backups weren't working well, so they gave them the $10k. By then the criminals had realized they were attempting, and failing, to restore from backup, so they quadrupled the demand. The company got the FBI involved, and when the criminals realized the FBI was involved, they wiped EVERYTHING. It took them about 3 weeks and about $100k to recover the broken backups through a professional recovery company.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  14. Statement says they did NOT lose evidence by Anonymous Coward · · Score: 3, Informative

    "...hard copies of ALL documents and the vast majority of the videos and photographs are still in the possession of the Police Department on CD or DVD".

    They only lost digital copies of evidence...probably why they chose to wipe rather than pay ransom.

    1. Re:Statement says they did NOT lose evidence by Anonymous Coward · · Score: 0

      Vast majority does not mean ALL. And you only need to destroy the most incriminating (to the police, that is) bodycam footage under cover of "we've been hacked". As long as the police and the attorney general's office are not severely penalized for mishandling evidence under their care (or evidence they are required to collect but do not), they will continue to act with impunity.

    2. Re:Statement says they did NOT lose evidence by phorm · · Score: 1

      Or anything that hasn't been converted to hard-copy. I doubt the devices record on ROM media directly.

    3. Re:Statement says they did NOT lose evidence by Anonymous Coward · · Score: 0

      Imagine if you were a police detective, and these weren't the police we were talking about here. Wouldn't you think it's terribly convenient that the only unrecoverable evidence that might have criminal wrongdoing was the body camera footage?

  15. Re:Intentional infection? This doesn't add up. by bsolar · · Score: 3, Insightful

    They can trust the data by recovering it from the tamper-proof archived backups they *should* have. If they lack them, they failed and in this case it seems they failed big time.

  16. Windows I presume by Tough+Love · · Score: 0

    Presumably, Windows. Balance of probability both by numeric prevalence and vulnerability. How is it responsible for police to store valuable data on a vulnerable system? Without backup no less?

    --
    When all you have is a hammer, every problem starts to look like a thumb.
    1. Re:Windows I presume by Tough+Love · · Score: 1

      Presumably, Windows. Balance of probability both by numeric prevalence and vulnerability. How is it responsible for police to store valuable data on a vulnerable system? Without backup no less?

      What's this, a visit from a Microsoft astroturfer with mod points? Confirming that Microsoft is, well, the same old Microsoft.

      BTW, it is not in doubt that the police had their stuff on a Windows computer because Locky, like the vast majority of ransomware, is Windows malware.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
  17. Re:Intentional infection? This doesn't add up. by Anonymous Coward · · Score: 0

    legal fees?

    >$4000 in IT costs to do the wipe and reconfigure.

  18. well, prop for not paying the ransom, but... by Anonymous Coward · · Score: 1

    It's good they decided not to perpetuate the ransomware industry by paying the ransom. That was the right choice on their part.

    However: "...after an employee opened a document he received via via a spam email...."

    There are all kinds of problems with this, starting with the general lack of technical awareness of the whole population (I won't blame it specifically on that one lady or gent: they have a billion or so to keep them company, and if you only try to hire technically literate people, you won't have many to pick from). Then there are the holes in the backup strategy, and the fact that just "opening a document" has any ability to let ransomware infiltrate the network. Heck, that isn't even true of my personal network at home, so I wonder what their IT staff is doing...

    1. Re:well, prop for not paying the ransom, but... by david_thornley · · Score: 1

      In a group of people who aren't computer security professionals, somebody's going to open the document, or at least, you have to figure someone will. The exact person doesn't matter. If your computer system is such that opening a document can encrypt the storage, somebody's screwed up the system very thoroughly.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  19. Amazing by JustAnotherOldGuy · · Score: 1

    It's disheartening to realize that I, just an average Joe, have better, more secure backup procedures than the police department in Cockrell Hill, Texas.

    Yeah, maybe they're just a podunk little town in the middle of nowhere, but still...

    --
    Just cruising through this digital world at 33 1/3 rpm...
  20. Yay to "no backups"! by Chas · · Score: 1

    Maybe the police department will now move on a backup system with multiple iterated backups so that if this ever happens in the future they can recover everything.

    --
    Chas - The one, the only.
    THANK GOD!!!
    1. Re:Yay to "no backups"! by The-Ixian · · Score: 1

      Nah, this is a feature. It takes the pressure off from having to do actual work.

      I am sure they probably feel that more evidence needs to be digital and on systems that they let the intern surf the web on.

      --
      My eyes reflect the stars and a smile lights up my face.
  21. Would be a shame if this happened to the IRS by raymorris · · Score: 3, Funny

    Rubs chin, thinks it would be a shame if the IRS similarly lost their records. Also the student loan people. I would be sad if nobody had a record of the $60,000 in student loans that my wife owes.

    1. Re:Would be a shame if this happened to the IRS by Applehu+Akbar · · Score: 1

      Elliott, is that you?

  22. Re: Intentional infection? This doesn't add up. by Anonymous Coward · · Score: 0

    If the ransomware was able to modify the evidence, it wasn't really evidence.

    Expect future lawsuits involving evidence collected by this police department to be challenged in court.

  23. Re:Intentional infection? by BoRegardless · · Score: 1

    How could you trust any evidence once you know the system is open to change? More than one person should be fired for this.

  24. Right to be forgotten by manu0601 · · Score: 1

    EU's right to be forgotten has been criticized as impossible to enforce, but here is its implementation: get infected, refuse to pay, wipe data.

    The right to be forgotten is enforced with the help of ransomware, though the citizen cannot choose when it happens.

  25. Re:Intentional infection? This doesn't add up. by gravewax · · Score: 1

    Exactly, so under no circumstances does paying the ransom make sense. Either they have proper backups with non-repudiation, in which case it is not necessary, or they don't, in which case you can't trust what is recovered anyway.

  26. Re:Intentional infection? by gravewax · · Score: 1

    Completely agree. A properly audited and controlled system can be subject to change and still be able to be trusted, and I am somewhat stunned that this is not what they had, given it is evidence that will be used in court.

  27. Re:Intentional infection? This doesn't add up. by fropenn · · Score: 1

    Just make the person who opened the spam mail pay the $4000. You get the ransom paid and that person will definitely be more careful next time.

  28. Incompetent and Irresponsible. by MrKrillls · · Score: 1

    Whether it's called backup or archive, their system was inadequate. Multiple full copies taken at various points in time - of all data - should be in more than one offsite location.

    --
    Don't step on the baby.
  29. Nailed it. by Anonymous Coward · · Score: 0

    We are being lied to.

    This was an inside job. That data was wiped to protect some dirty cops.

    You don't fix problems like these by hiring competent IT to work for police departments. You fix this through IT audits by non-police public agencies. With all the audit data made available for public review.

    Where there is not transparency, there is corruption. Every moment you blink is a moment in which your authorities betray you.

  30. remember by Anonymous Coward · · Score: 0

    Remember: policing is the only profession where, if you score too high on an intelligence test, they won't take you.
    Jordan v. City of New London, 3:97CV1012 (1999).

  31. Just a single backup? by johannesg · · Score: 1

    So are we to understand there is just a single backup which, when running, overwrites the previous backup? So if you backup at the wrong moment, everything is gone? That is extremely, extremely incompetent...

    I can understand losing maybe a few days of work, but beyond that point, an older backup should be recoverable. Why wasn't it?

  32. What about the backup right before that one by Anonymous Coward · · Score: 0

    They did have a prior backup right?

  33. Protecting backups from ransomware/infections by Torin+Darkflight · · Score: 1

    I agree with the general consensus that they should have more than one backup. Having only one is foolish.

    That said, regardless of how many backups a location maintains, there should be a standard mechanism that analyzes key files BEFORE starting a backup, verifies that they have not been modified or deleted, i.e. by ransomware, and if it detects that they have been modified or deleted, displays an alert and stops the automatic backup before it even begins, thereby protecting the integrity of the existing backup.

    I was able to code such a mechanism myself into the automatic backup on our computer systems at work, which admittedly are simple .cmd scripts that use robocopy to back up key directories weekly to both an on-site and off-site NAS. But, it's effective. It outright refuses to run the backup if any of the files I told it to check are changed or missing.

    1. Re: Protecting backups from ransomware/infections by Anonymous Coward · · Score: 0

      Seriously? Backups tend to be designed to only look for files that HAVE changed. There isn't much point in writing a file to tape or disk again that hasn't changed.
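The two ideas in post 33 and the rotation scheme sketched in reply 3 to "backup" (keep the previous copy, create a new one alongside it, never overwrite in place) fit together, and they do not conflict with the incremental-copy point in the reply just above: the canary check is a precondition for running the job at all, not a decision about which files to copy. The script below is an added example in Python, not the poster's robocopy .cmd and not anything from the article. It records hashes of a few files that must never legitimately change, refuses to run if any of them is missing or altered, and otherwise writes a new dated generation next to the old ones and discards only the oldest beyond a fixed count. The canary file name, the generation count and the Locky-style rewrite in demo() are constructed for the example.

```python
"""Canary-checked, generational backup (added example, not the poster's robocopy .cmd)."""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from pathlib import Path

GENERATIONS = 3  # assumption: keep the three newest copies, discard older ones


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_canaries(source: Path, names: list[str]) -> dict[str, str]:
    """Baseline hashes of files that must never change between runs."""
    return {n: sha256_of(source / n) for n in names}


def canaries_intact(source: Path, baseline: dict[str, str]) -> bool:
    """False if a canary is gone (renamed to .locky, deleted) or its content differs."""
    for name, digest in baseline.items():
        p = source / name
        if not p.is_file() or sha256_of(p) != digest:
            return False
    return True


def rotate_and_backup(source: Path, dest: Path, baseline: dict[str, str]) -> Path | None:
    """Write a new generation (never over an existing one); None means the run was refused."""
    if not canaries_intact(source, baseline):
        return None
    dest.mkdir(parents=True, exist_ok=True)
    existing = sorted(p for p in dest.iterdir() if p.is_dir() and p.name.startswith("gen-"))
    index = int(existing[-1].name[4:]) + 1 if existing else 1
    target = dest / f"gen-{index:06d}"
    shutil.copytree(source, target)
    # Prune only after the new copy exists, and only generations beyond the limit.
    for old in existing[: max(0, len(existing) + 1 - GENERATIONS)]:
        shutil.rmtree(old)
    return target


def demo() -> dict:
    """Constructed scenario: four clean runs, then a Locky-style rewrite of the source."""
    with tempfile.TemporaryDirectory() as d:
        src, dest = Path(d) / "evidence", Path(d) / "backups"
        src.mkdir()
        (src / "case-0417.txt").write_text("body cam index, constructed\n")
        (src / "CANARY.txt").write_text("do not modify\n")  # constructed canary file
        baseline = record_canaries(src, ["CANARY.txt"])
        runs = [rotate_and_backup(src, dest, baseline) for _ in range(4)]
        kept_before = sorted(p.name for p in dest.iterdir())
        # Simulated ransomware: every file rewritten with junk and renamed.
        for p in list(src.iterdir()):
            p.write_bytes(os.urandom(32))
            p.rename(p.with_name(p.name + ".locky"))
        blocked = rotate_and_backup(src, dest, baseline)
        kept_after = sorted(p.name for p in dest.iterdir())
        preserved = (dest / kept_after[-1] / "case-0417.txt").read_text()
        return {"runs_ok": all(r is not None for r in runs), "kept_before": kept_before,
                "blocked": blocked is None, "kept_after": kept_after, "preserved": preserved}


if __name__ == "__main__":
    print(demo())
```

Two things the canary does not buy you. It only catches ransomware that has already touched the canaries when the job starts, so a strain that skips some paths, or encrypts slowly, can still get a partially damaged copy into a new generation; that is why the old generations are kept rather than replaced. And nothing here protects the destination itself: if the infected host can write to the backup share with its ordinary credentials, the ransomware encrypts the generations too. The copy should be pulled by the backup host, or written to media that is detached afterwards, as several posts in this thread already say.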

  34. Re:Intentional infection? This doesn't add up. by Anonymous Coward · · Score: 0

    Any evidence that is not stored as such ( https://tools.ietf.org/html/rfc4998 ) cannot be validated as such and should not be called that.

  35. Re: Intentional infection? This doesn't add up. by Anonymous Coward · · Score: 0

      Maybe we should also be making serious efforts to track down ransomware authors and slice off their faces. What about that: a price on the heads of anyone programming ransomware? After the first couple are disposed of, the rest will see the light.

  36. Small wonder by nospam007 · · Score: 1

    What did you expect from a Texas Police Department, after all they got a president killed on their watch.

  37. Re:Intentional infection? This doesn't add up. by wvmarle · · Score: 1

    Sucks to be that company, but on the upside the criminals also apparently got nothing out of it.

  38. $4000 was all? Sounds weird by WindBourne · · Score: 1

    Seriously, 4K is NOTHING compared to what any of those cases costs. So, the question is, why did they not pay?
    And the back-up only went with 1 level? Seriously?

    Normally, I stick up for the police, but Gut feeling says that there was a case that they did not want tried and the police were in on that.

    --
    I prefer the "u" in honour as it seems to be missing these days.
    1. Re:$4000 was all? Sounds weird by The-Ixian · · Score: 1

      They could have paid it... but that would have blown the budget for the PD sponsored BBQ....

      --
      My eyes reflect the stars and a smile lights up my face.
  39. Police are idiots by Anonymous Coward · · Score: 0

    The problem here isn't that the police failed to take measure x, y, or z. The problem is that police depts are run by people with very little education who have a superiority complex and therefore think they know a lot more than they actually do. This has repercussions everywhere: statistically wrong profiling, bogus "expert" testimony, using psychics to find perps or evidence, even false belief in chances of being wrong with DNA evidence, and especially with fingerprint evidence, bogus bite-mark evidence, bogus hair type evidence, even bogus ballistics evidence, and the list goes on and on, because, well, these people are gullible idiots.

  40. Don't blame the ransomware by Anonymous Coward · · Score: 0

    If these idiots had no backups it was just a matter of time before a hard drive failure did the same thing.

  41. Tomorrow's Headline Today by Anonymous Coward · · Score: 0

    "Assault Charges Against Officers Dropped After In-car and Body Camera Video Lost"

  42. Re:Intentional infection? This doesn't add up. by Anonymous Coward · · Score: 0

    Bingo! It's not that they know the ransomware changed their data, it's the mere possibility that it might have. Opens up a whole can of worms for defense challenges. Imagine a courtroom conversation between the defense lawyer and a poor Sheriff/Officer:

    Defense: "Is it true that all the evidence presented in this courtroom was at one time encrypted by ransomware?"
    Sheriff: "Um, yes, but we got all the evidence back again..."
    Defense: "Unaltered?"
    Sheriff: "I don't understand..."
    Defense: "You lost the chain of custody. Your evidence was in the hands of a hostile hacker or hacking group. How do you know they didn't tamper with the evidence?"
    Sheriff: "Look, I'm just a Sheriff, I'm not IT. But I don't think ransomware changes the system..."
    Defense: "So you admit you are not an IT expert?"
    Sheriff: "Yeah, I mean no, I'm no computer expert!"
    Defense: "So you think the evidence was unaltered, but you really have no idea, do you?"
    Sheriff: "I guess not, no."

    And that's before we even get to the issue of a Police Department paying ransoms. Which looks bad, absolutely terrible, and will grate on any police officer.
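The courtroom exchange above, and the RFC 4998 pointer in post 34, come down to the same requirement: an integrity record made before the incident and sealed with something the attacker could not reach, so that "unaltered?" has an answer other than "I guess not". The script below is an added example, not code from the department or the article, and it is a much simpler thing than the Evidence Record Syntax RFC 4998 defines (no hash trees, no timestamp authority): it hashes every file under an evidence root, seals the listing with an HMAC under a key assumed to be kept offline, and on recovery reports a forged manifest, files changed in place, files gone and files that appeared. File names, key handling and the Locky-style rewrite in demo() are constructed for the example.

```python
"""Keyed integrity manifest for an evidence store (added example, not from the page)."""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _seal(entries: dict[str, str], key: bytes) -> str:
    body = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every file under root and seal the listing.
    The key must live off the evidence server (safe, HSM, offline media): if it sits
    next to the data, whoever rewrites the data can re-seal the manifest as well."""
    entries = {p.relative_to(root).as_posix(): file_digest(p)
               for p in sorted(root.rglob("*")) if p.is_file()}
    return {"entries": entries, "hmac": _seal(entries, key)}


def verify(root: Path, manifest: dict, key: bytes) -> dict:
    """Report whether the manifest is genuine and which files changed, vanished or appeared."""
    manifest_ok = hmac.compare_digest(_seal(manifest["entries"], key), manifest["hmac"])
    present = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    listed = manifest["entries"]
    return {
        "manifest_ok": manifest_ok,
        "modified": sorted(n for n, d in listed.items()
                           if n in present and file_digest(present[n]) != d),
        "missing": sorted(n for n in listed if n not in present),
        "unexpected": sorted(n for n in present if n not in listed),
    }


def demo() -> dict:
    """Constructed scenario: seal a store, then simulate a Locky-style rewrite."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "evidence"
        (root / "bodycam").mkdir(parents=True)
        (root / "reports").mkdir()
        cam = root / "bodycam" / "2016-12-12-unit7.mp4"   # constructed names and content
        rpt = root / "reports" / "case-0417.docx"
        cam.write_bytes(b"\x00\x00\x00\x18ftypmp42 constructed stand-in")
        rpt.write_bytes(b"PK constructed stand-in")
        key = os.urandom(32)  # assumption: generated once, stored off the server
        manifest = build_manifest(root, key)
        clean = verify(root, manifest, key)
        # Ransomware as described in the thread: content replaced, file renamed.
        cam.write_bytes(os.urandom(64))
        cam.rename(cam.with_name(cam.name + ".locky"))
        rpt.write_bytes(os.urandom(64))  # silent in-place tamper that keeps the name
        after = verify(root, manifest, key)
        # Attacker with write access to the server but no key re-seals the store.
        forged = build_manifest(root, os.urandom(32))
        forged_ok = verify(root, forged, key)["manifest_ok"]
        return {"clean": clean, "after": after, "forged_manifest_ok": forged_ok}


if __name__ == "__main__":
    print(demo())
```

What this gives the department is a yes/no on every file at restore time, which is what reply 15 ("tamper-proof archived backups they should have") and post 26 ("properly audited and controlled") are asking for. What it does not give is proof to a third party of when the seal was made, since anyone holding the key can make a new one; that is the gap RFC 4998 fills with timestamps from an outside authority, and it is the reason the manifest and its key belong on the offline side together with the backups.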

  43. Re:Intentional infection? This doesn't add up. by Agripa · · Score: 1

    You're going to tell me that the active investigations along with the potential liability of not holding data for years worth of solved cases was somehow not worth $4000?

    What legal liability? Some cases might get dismissed but why would that matter for the police department?

  44. Re:Intentional infection? This doesn't add up. by geekmux · · Score: 1

    You're going to tell me that the active investigations along with the potential liability of not holding data for years worth of solved cases was somehow not worth $4000?

    What legal liability? Some cases might get dismissed but why would that matter for the police department?

    And some cases might get re-opened because of new evidence brought to light that might benefit the wrongly accused, which would be essentially impossible to further such an investigation because of evidence being destroyed.

    Regardless, the chain of custody issue has to be validated with such an intrusion anyway, which even furthers my point regarding this being used as a scapegoat excuse for evidence being destroyed deliberately by those holding it.

  45. Re:Intentional infection? This doesn't add up. by Agripa · · Score: 1

    And some cases might get re-opened because of new evidence brought to light that might benefit the wrongly accused, which would be essentially impossible to further such an investigation because of evidence being destroyed.

    Why would the police care about that either? Most prosecutors certainly do not and go to great lengths to prevent review.

  46. Re:Intentional infection? This doesn't add up. by geekmux · · Score: 1

    And some cases might get re-opened because of new evidence brought to light that might benefit the wrongly accused, which would be essentially impossible to further such an investigation because of evidence being destroyed.

    Why would the police care about that either? Most prosecutors certainly do not and go to great lengths to prevent review.

    If years of evidence is truly worthless to the organization holding it, then why the hell did they even save it?

  47. Re:Intentional infection? This doesn't add up. by Agripa · · Score: 1

    And some cases might get re-opened because of new evidence brought to light that might benefit the wrongly accused, which would be essentially impossible to further such an investigation because of evidence being destroyed.

    Why would the police care about that either? Most prosecutors certainly do not and go to great lengths to prevent review.

    If years of evidence is truly worthless to the organization holding it, then why the hell did they even save it?

    Often they do not. There may be statutory requirements.

  48. Re: Backups? (!= archives) by darkonc · · Score: 1
    For me, the difference between an archive and a backup is that a backup is usually offline (i.e. unavailable and not intended to be available) while an archive is usually 'live' in some way. It makes sense to me to make backups of your archives (although possibly at a lower frequency than your 'live' data). It also makes perfect sense to use your backups to make an archive.

    By this rule, 'live backups' that are (semi) online and available for users without other human interaction are actually archives. They don't technically become backups until you put them in a vault or take them off-site (and put them in storage).

    The reason why I make this distinction is that archives (like RAID) are still vulnerable to online corruption.

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.