Slashdot Mirror


Hacker Breaches Securus, the Company That Helps Cops Track Phones Across the US (vice.com)

Securus, the company which tracks nearly any phone across the US for cops with minimal oversight, has been hacked, Motherboard reported Wednesday. From the report: The hacker has provided some of the stolen data to Motherboard, including usernames and poorly secured passwords for thousands of Securus' law enforcement customers. Although it's not clear how many of these customers are using Securus's phone geolocation service, the news still signals the incredibly lax security of a company that is granting law enforcement exceptional power to surveil individuals. "Location aggregators are -- from the point of view of adversarial intelligence agencies -- one of the juiciest hacking targets imaginable," Thomas Rid, a professor of strategic studies at Johns Hopkins University, told Motherboard in an online chat.

68 comments

  1. Just assume everyone knows everything every time. by Anonymous Coward · · Score: 2, Insightful

    Is this the new working assumption we all need?

  2. What the hell by Anonymous Coward · · Score: 4, Interesting

    But this latest data breach is not the only sign that Securus is careless with sensitive information. Rid pointed Motherboard to a Securus user manual available online. One part shows a map and user interface for a Securus product, but instead of populating the screen with fake data for demonstration purposes, the guide appears to include the real name, address, and phone number of a specific woman. (Motherboard confirmed the details with those in online databases, as well as a media report that mentions the woman).
    How stunningly incompetent

    1. Re:What the hell by Anonymous Coward · · Score: 0

      So was it haxx0rz, or was it not haxx0rz? This is apparently really important to msmash.

  3. Couldn't happen to a nicer company.... by b0s0z0ku · · Score: 5, Insightful

    Hope he left some Cryptolocker behind after siphoning their data and jerking their pants off in public. Between charging prison inmates exorbitant rates to call their families and giving anyone who asks cell phone location data (without verifying the veracity of a warrant), Securus is a truly predatory company. The US wouldn't lose anything if they went under tomorrow.

    1. Re:Couldn't happen to a nicer company.... by ugen · · Score: 2

      If they go under tomorrow, another company will promptly take its place. It's not a specific business - it's the system and the set of laws and (corrupt) interests protecting it.

    2. Re:Couldn't happen to a nicer company.... by orlanz · · Score: 1

      I think the hacker should publicly release random parts of that data. It would suck for quite a number of people, but make sure you get the lobbyists and politicians in that release, and we may just have an uproar like with Facebook. Then laws may actually change and make these sorts of businesses less enticing to run. Until people find out that when people mean hacked, they mean THEIR data, I don't think things will change.

      Even something simple like Motherboard setting up a webpage where you enter your phone number and the system returns what columns of information were hacked out (column headings like name, address, age, location, record count, etc.)

    3. Re:Couldn't happen to a nicer company.... by Anonymous Coward · · Score: 0

      We are not talking people who sung too loudly in church choir here. We are talking criminals here. Securus is actually doing the world a favor by handling the JPay stuff. If criminals didn't like this, they might consider not doing stuff to wind up in the clink in the first place?

    4. Re:Couldn't happen to a nicer company.... by b0s0z0ku · · Score: 1

      Securus doesn't bother checking for a warrant, so we could be talking about stalking victims, domestic violence victims, persons of interest to foreign intelligence agencies, anyone who anyone else wants to spy on.

      Not that I particularly care for even police with a lawful purpose having that kind of power to track people -- a lot of "crimes" in the US shouldn't be crimes at all.

    5. Re:Couldn't happen to a nicer company.... by Anonymous Coward · · Score: 0

      Securus has been hacked before and they didn't learn their lesson. This company also manages phone services in jails and prisons in 37 states. In 2015, somebody broke into their systems and lifted 70 million call records including conversations between inmates and their lawyers. If that wasn't enough, they charge exorbitant rates for these calls and have kickback schemes with sheriffs and wardens.

    6. Re: Couldn't happen to a nicer company.... by Archangel_Azazel · · Score: 1

      Gosh Mr. AC, why not just log in to make to comment? Oh, because it's baseless and rings with every other "well just don't break the law" comment. The whole argument ignores when they change the "laws" to target folks like protesters, unit opinions, etc.
      But you already knew that, I'm sure.

      --
      Your mind is like a parachute. It works best when it's been opened.

    7. Re: Couldn't happen to a nicer company.... by Archangel_Azazel · · Score: 1

      ...next time I monitor spell check. *Scowl*.
      You got my point.

      --
      Your mind is like a parachute. It works best when it's been opened.

    8. Re:Couldn't happen to a nicer company.... by Anonymous Coward · · Score: 0

      /sarcasm/
      *clearly* there's no conflict of interest here at all.

    9. Re:Couldn't happen to a nicer company.... by jittles · · Score: 1

      ...and giving anyone who asks cell phone location data (without verifying the veracity of a warrant), Securus is a truly predatory company.

      What are you talking about?? They always make sure the warrant is valid before they do anything. It's just that the only warrants they accept must say things like "e pluribus unum" and must have a unique serial number that is generated and validated by US Mint.

  4. Am I in the list? by SysEngineer · · Score: 1

    How does someone find out if they are in the list and being watched? Paranoid

    1. Re:Am I in the list? by Actually,+I+do+RTFA · · Score: 2

      Are you in the US?

      --
      Your ad here. Ask me how!

    2. Re:Am I in the list? by SeaFox · · Score: 4, Informative

      How does someone find out if they are in the list and being watched?
      Paranoid

      The list is of Securus' law enforcement customers, not individual citizens. And there is no "list of people being watched" here. The data is already being collected on everyone, it's just a matter of if a Securus customer made any requests about you. Without more info on how one uses the service, it's hard to tell if there is a record of who was tracked.

    3. Re:Am I in the list? by Anonymous Coward · · Score: 0

      Do you have a cell phone?

    4. Re:Am I in the list? by Anonymous Coward · · Score: 0

      Are you in the US?

      That's not enough to go on. The earlier article stated that Canada's telecom oligopoly of Bell, Rogers and Telus, collude with the Securus scumbags, too.

    5. Re:Am I in the list? by ArhcAngel · · Score: 1

      Isn't that obvious? Get arrested and sent to prison so you can access their database.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K

    6. Re:Am I in the list? by Anonymous Coward · · Score: 0

      But... is my local Sheriff or one of his deputies on "the list" ? B/C they f(n) watch me!!!

    7. Re:Am I in the list? by SeaFox · · Score: 1

      The list is a list of customers. That doesn't say anything about how often they use the service, or who they are using the service to watch. The list likely includes Sheriff's offices that have not logged in in years.

  5. Re:Just assume everyone knows everything every tim by Anonymous Coward · · Score: 0

    nothing new in this.

  6. Dick Chopp will not deprecate his nads inspections by Anonymous Coward · · Score: 0

    Did you know that there is a urologist in Austin TX named Dick Chopp?!! Isn’t that cray cray?!!

  7. Not just cops. by 140Mandak262Jamuna · · Score: 1

    In both the meaning of the word "just".

    Bad cops track too.

    People other than cops track them too.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact

    1. Re:Not just cops. by Anonymous Coward · · Score: 1

      In both the meaning of the word "just".

      Bad cops track too.

      People other than cops track them too.

      Set up a fake account and track cops and top federal LEA/TLA officials and publish the juicy bits to Wikileaks.

      Securus won't remain in business for long.

    2. Re:Not just cops. by Anonymous Coward · · Score: 0

      Set up a fake account and track cops and top federal LEA/TLA officials and publish the juicy bits to Wikileaks.

      "Mr. Mueller, cell location tracking places you repeatedly at the Russian Embassy on a regular basis since 2016. What exactly was your business with the Russians?"

    3. Re:Not just cops. by Anonymous Coward · · Score: 0

      If that were the case, I would imagine that his business with the Russians would be questioning them about collusion with the Trump campaign while they were attempting to influence US elections through fake social media accounts, fake news, hacking Trump's opposition, and outright trying (succeeding at?) hacking election systems.

  8. Onion candidate #27 by Tablizer · · Score: 1

    Professional hackers have been hacked, and their recursive hacking algorithm, known as GrndH0gDai, was recursively hacked and stolen.

  9. Re:Just assume everyone knows everything every tim by Tablizer · · Score: 2

    So they know about my turtle porn all the way down?

  10. Re:Couldn't hrappen to a nicer company.... by b0s0z0ku · · Score: 2

    why blame the poor house? it can provide a roof over decent human beings' heads. far better if the company goes under and the owners get foreclosed. maybe someone will buy it and turn it into a halfway house for people the previous owners helped railroad...

  11. Re:Couldn't hrappen to a nicer company.... by Anonymous Coward · · Score: 0

    The only thing that stops a bad person in a house is a good person lighting that house on fire and picking off the cockroaches with an AR-15 as they flee the burning structure.

  12. Securus by jwymanm · · Score: 4, Funny

    = Security + Circus

    1. Re:Securus by Anonymous Coward · · Score: 0

      Wish I had mod points, hilarious.

  13. Cue my surprise by zmaragdus · · Score: 1

    ..................

    Don't hold your breath. You'll be waiting a while.

    --
    (((dB)))

  14. FFS, isn't enough enough already? by Rick+Schumann · · Score: 2

    Data breaches, Woody, data breaches everywhere!

    Come on people, isn't enough enough already?

    1. Companies like this 'Securus' shouldn't exist in the first place.
    2. ALL companies that handle personally identifiable/sensitive data should have properly secured systems 100% of the time, no excuses.
    3. Nobody's phone location data should be revealed unless there is a valid warrant.

    When is this bullshit going to stop? As-is, you can't connect anything to the Internet without exposing yourself to massive amounts of risk of being hacked into either by criminals or the government, you can't carry a smartphone around for the same reasons (only worse), and it's getting to the point where even your bank isn't a safe place to keep your money because they're getting hacked, too. What do we do about all this? What is the way forward? How do we fix this?

    Shit like this is why I don't have a smartphone, and why I pay cash for everything I buy in person: to reduce my exposure to this sort of risk. Neither I nor any one of us should have to do that.

    1. Re: FFS, isn't enough enough already? by Anonymous Coward · · Score: 0

      You should convince the swamp to no longer demand backdoors...

      Best of luck.

    2. Re:FFS, isn't enough enough already? by Anonymous Coward · · Score: 0

      1. Companies like this 'Securus' shouldn't exist in the first place.

      Very true, and changing this would go far in helping this particular problem.

      2. ALL companies that handle personally identifiable/sensitive data should have properly secured systems 100% of the time, no excuses.

      I agree, however I know enough to not demand it like you did.
      How do you define "secure"? What words do a programmer type to make "secure"?

      Not always but most of the time, exploits of security work by taking advantage of what the code does vs what the code was written to do.

      When I need a place to put data in memory, I use the commands provided by the OS to do that, as in I ask for a block of memory of a given size.
      How was I to know the OS would re-use that memory for some other program and begin executing my data as if it was instructions?
      I shouldn't even be required to know that putting the ASCII text string "aflax" in memory would correspond to CPU op-codes that instruct the computer to hand you another programs data.
      After all I never asked for a place to store program instructions, I asked for a place to store bytes for data and explicitly told the OS I don't wish any instructions to be executed from here.

      Yet according to you, me following the documentation perfectly and other software I had no hand in writing fucked it up, is somehow my fault. My fault, and "no excuses"

      3. Nobody's phone location data should be revealed unless there is a valid warrant.

      So you are claiming cellular networks shouldn't be allowed to let your phone move from one tower to another, without a valid warrant?

      Isn't it your fault for not getting a home wired phone to use only at home, instead of getting a cell phone who's primary feature is "use cell towers"?

      What happens if the phone guy at the store turns my phone on to make sure it works? I need a warrant now for them to allow me to use the tower near my home?

      The entire point of cell phones is they can move their connection between towers as you move.
      The very act of connecting to a tower shows you are near that tower.
      That is location data.

      To need a warrant to move between towers would completely negate the purpose of non-wired-in-place phones.

      Unless you are mistakenly assuming this company handed out location data without the corrupt police signing their name on the paper that they claim is a warrant. Because they do just that.

    3. Re:FFS, isn't enough enough already? by Teun · · Score: 1

      When is this bullshit going to stop?

      By the time the USofA joins the EU.
      Now the UK is all but gone we can do with another English language group.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."

    4. Re:FFS, isn't enough enough already? by Anonymous Coward · · Score: 0

      Your english sucks, is it not your primary language or are you just dumb?

      You're making a lot of assumptions about what I had to say and then sperging out on it like you're on speed or something. Calm the fuck down?

      You're making it all personally about YOU when it's clearly not; again: Calm the fuck down, please?

      Finally, you're making shit up that has nothing to do with what I had to say, and overall you're annoying as fuck. Please fuck off, annoying AC?

    5. Re:FFS, isn't enough enough already? by atrex · · Score: 1

      When is this bullshit going to stop?

      By the time the USofA joins the EU. Now the UK is all but gone we can do with another English language group.

      You probably wouldn't want one with as much baggage as the US has.

  15. Sounds like... by Stolovaya · · Score: 1

    Sounds like a violation of the 4th amendment, just with extra steps.

    1. Re:Sounds like... by BlueStrat · · Score: 2

      Sounds like a violation of the 4th amendment, just with extra steps.

      "It's illegal and unconstitutional for me to do as a LEO so I'll just pay someone else to do it for me!"

      "You'll go far in US politics, Son!"

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.

    2. Re:Sounds like... by Anonymous Coward · · Score: 0

      Isn't this the same logic LEOs use to catch people?
      They can't personally offer the bait because that's entrapment, but they can strong-arm a CI to perform a setup and now it's perfectly legal. Nevermind that the activity would not have occurred at all had the LEOs not instigated it in the first place.

    3. Re:Sounds like... by Agripa · · Score: 1

      Sounds like a violation of the 4th amendment, just with extra steps.

      Great, just try to enforce it. First you will need standing. If you get past that, then you will need a remedy. Since the remedy for a 4th amendment violation is exclusion of evidence, which does not apply in a civil trial, you will need to be the defendant in a criminal trial. If you get past all of that, then law enforcement will use parallel construction anyway.

    4. Re:Sounds like... by Stolovaya · · Score: 1

      Pretty much. The 4th amendment is shit on a lot. Civil forfeiture alone...

  16. Re:Dick Chopp will not deprecate his nads inspecti by DickBreath · · Score: 1

    Does this urologist offer to perform Circumcisions as part of his practice?

    DAILY SPECIAL !!!
    Today only!!!
    Circumcisions: half off !!!

    -- Dick Chopp

    --

    I'll see your senator, and I'll raise you two judges.

  17. He should have tracked Government Officials by Anonymous Coward · · Score: 0

    And Give their Constituents the location. They have nothing to Hide.

  18. I'm interested in by Grand+Facade · · Score: 1

    The "usernames and poorly secured passwords for thousands of Securus' law enforcement customers"

    I'll bet that could open some doors!

    --
    Rick B.

    1. Re:I'm interested in by currently_awake · · Score: 1

      Given that many people re-use usernames and passwords, you are correct. I wonder how many local police computers are now accessible?

  19. hack it good by Anonymous Coward · · Score: 0

    Hack it into the ground since there is apparently nothing the government will do about it.

  20. Not IF, but WHEN... by zarmanto · · Score: 2

    Security vulnerabilities are a fact of life, and most people in any kind of a technology job are aware of that. It's not if you're going to be hacked, but when, and by who. And in fact, it's not these highly publicized breaches that we really need to worry about; rather, it's the breaches that nobody ever finds out that probably keeps the security experts awake at night. So if some well-meaning script-kiddie stumbled his way into Securus, then what that really tells us, is that someone with nefarious intent has almost certainly already exploited the same weakness well prior to this. Nobody found out about that hack* for two reasons: 1) The "real" hackers covered their tracks and didn't get caught, and 2) they didn't notify the press with childlike glee of their successful hack of a highly sought after target... rather, they used the vulnerability to collect as much data as possible, and hid any strategically useful data that they discovered under a rock, to be sold to the highest bidder on the black market.

    * Mind you... "that hack" could just as easily have been "those hacks"... and we likely still wouldn't know it happened, nor how extensive the damage was, until it's too late to fix anything.

  21. Re:Dick Chopp will not deprecate his nads inspecti by mnemotronic · · Score: 1

    An eye doctor in Columbia MD named Dr Glaros.

    --
    The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.

  22. Re:Just assume everyone knows everything every tim by Anonymous Coward · · Score: 0

    Criminal to Law Enforcement: "Well, I broke in because your lock wasn't very strong. You were asking for it."

  23. Re:Just assume everyone knows everything every tim by ColdWetDog · · Score: 1

    Then where the hell are my keys?

    --
    Faster! Faster! Faster would be better!

  24. LMAO @ mental loon Zontar the Mindless by Anonymous Coward · · Score: 0

    See subject: It's always a pleasure showing everyone how stupid you are drug addict mentalboy https://tech.slashdot.org/comm... you piece of SHIT from a country of men w/ NO BALLS & yes, you're from Sweden shitbag!

    Which you tried LYING about to me after your twisted weak ass sent me a postcard from there (like the obsessed stinking little MENTALBOY whimp w/ "depression" (lmao, whimp) & drugged up CREEP you are fucker) but too bad I saw your post about the restaurant in Stockholm recently.

    * You & yours from "SWEDEN"? NO BALLS - you let your women get RAPED by muslims (whereas MY TRIBE, poles, DROVE THEM OFF when all the rest of Europe, except Lithuania, RAN)!

    You pitiful little no balls worms (which is WHY You are HOW you are - you can't help it - you're DESCENDED FROM SHITBAG PUNKS!)

    APK

    P.S.=> Truth HURT cocksucker? Meet me in person (you 'brag' you're a 'world-traveller' (big deal, I've seen europe too) 'rich man' (not - you're just some impoverished little LOSER, no questions asked) - come meet me FACE TO FACE & talk your shit to me bitch... apk

  25. Re: Just assume everyone knows everything every ti by Anonymous Coward · · Score: 0

    They're in the brown pot on your kitchen worktop.

  26. Re: Maybe they should have used APK's host file by Anonymous Coward · · Score: 0

    ....Maybe they should have used APK's host file shell script....

    Maybe you should try to stay on topic. The only posts that I see from APK these days are in response to AC trolling.

    I suggest that you take him up on his offer to meet face to face. Please let us know when this happens, or STFU.

    Thank you for your time.

  27. Re:Just assume everyone knows everything every tim by mnemotronic · · Score: 1

    Car keys are in refrigerator vegetable bin.
    The 3 pieces of celery with almond butter that, along with a cup of coffee, was supposed to be a snack, are in the closet with the paper towels.
    The paper towel that was supposed to be for wiping off the countertops is on top of the toilet where I had to pee all of a sudden.
    The cup of coffee that was warmed up in the microwave is in the cabinet where the extra packets of stevia are kept.
    The stevia and soy milk are in the desk where my pad's USB charger is.
    My pad with the article I was about to read on "Mindfulness" is in my jacket pocket where I keep the car keys.

    --
    The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.

  28. Encryption backdoors by HeckRuler · · Score: 2

    Now tell me with a straight face that the FBI's suggestion to use a third-party key management system that they could go to with a warrant would be secure. Go on, let me hear it.

  29. But all those guns! by Anonymous Coward · · Score: 0

    MUST be free with all those guns. Slavery unpossible. KEK

  30. The poor security is deliberate by Anonymous Coward · · Score: 0

    The folks funding some types of security work *want* gaps left in to be able to get data, themselves, without warrants or accountability. I just interviewed with a company selling email and file transfer file extracting software, aimed at SMTP and FTP. They're hosted multi-nationally so that *every* nation's security groups can plant a mole, they get funding, from every nation for tools sold without receipts, and they host the services and leave the data precisely where people inside the company, or stealing credentials trivially, can access it.

    The number of folks even at "trustworthy" companies that collect some extra benefits or college money for selling this kind of collected data is just *nasty*. And tightening up the security would block the security agency access to the data, and they'd lose funding. That was the *whole point* of the old 80-bit SSL key length limit, and the whole point of modern encryption export regulation. They sacrifice the safety and privacy of citizens to be able to spy on those they declare to be "enemies", for whatever reason they care about this month.

  31. Re: Maybe they should have used APK's host file by Anonymous Coward · · Score: 0

    You and your fellow useless fat virgin cunts really are pathetic trolls. Yawn, sad.

  32. Re:Just assume everyone knows everything every tim by JosKarith · · Score: 1

    Law Enforcement to "criminal" : Well we broke in cos' your civil rights weren't very strong. You were asking for it.

    --
    'Don't worry' said the trees when they saw the axe coming, 'The handle is one of us.'