Slashdot Mirror


Hacker Breaches Securus, the Company That Helps Cops Track Phones Across the US (vice.com)

Securus, the company which tracks nearly any phone across the US for cops with minimal oversight, has been hacked, Motherboard reported Wednesday. From the report: The hacker has provided some of the stolen data to Motherboard, including usernames and poorly secured passwords for thousands of Securus' law enforcement customers. Although it's not clear how many of these customers are using Securus's phone geolocation service, the news still signals the incredibly lax security of a company that is granting law enforcement exceptional power to surveil individuals. "Location aggregators are -- from the point of view of adversarial intelligence agencies -- one of the juiciest hacking targets imaginable," Thomas Rid, a professor of strategic studies at Johns Hopkins University, told Motherboard in an online chat.


  1. Just assume everyone knows everything every time. by Anonymous Coward · · Score: 2, Insightful

    Is this the new working assumption we all need?

  2. What the hell by Anonymous Coward · · Score: 4, Interesting

    But this latest data breach is not the only sign that Securus is careless with sensitive information. Rid pointed Motherboard to a Securus user manual available online. One part shows a map and user interface for a Securus product, but instead of populating the screen with fake data for demonstration purposes, the guide appears to include the real name, address, and phone number of a specific woman. (Motherboard confirmed the details with those in online databases, as well as a media report that mentions the woman).
    How stunningly incompetent

  3. Couldn't happen to a nicer company.... by b0s0z0ku · · Score: 5, Insightful

    Hope he left some Cryptolocker behind after siphoning their data and jerking their pants off in public. Between charging prison inmates exorbitant rates to call their families and giving anyone who asks cell phone location data (without verifying the veracity of a warrant), Securus is a truly predatory company. The US wouldn't lose anything if they went under tomorrow.

    1. Re:Couldn't happen to a nicer company.... by ugen · · Score: 2

      If they go under tomorrow, another company will promptly take its place. It's not a specific business - it's the system and the set of laws and (corrupt) interests protecting it.

    2. Re:Couldn't happen to a nicer company.... by orlanz · · Score: 1

      I think the hacker should publicly release random parts of that data. It would suck for quite a number of people, but make sure you get the lobbyists and politicians in that release, and we may just have an uproar like with Facebook. Then laws may actually change and make these sorts of businesses less enticing to run. Until people find out that when people mean hacked, they mean THEIR data, I don't think things will change.

      Even something simple like Motherboard setting up a webpage where you enter your phone number and the system returns what columns of information were hacked out (column headings like name, address, age, location, record count, etc.)

    3. Re:Couldn't happen to a nicer company.... by b0s0z0ku · · Score: 1

      Securus doesn't bother checking for a warrant, so we could be talking about stalking victims, domestic violence victims, persons of interest to foreign intelligence agencies, anyone who anyone else wants to spy on.

      Not that I particularly care for even police with a lawful purpose having that kind of power to track people -- a lot of "crimes" in the US shouldn't be crimes at all.

    4. Re: Couldn't happen to a nicer company.... by Archangel_Azazel · · Score: 1

      Gosh Mr. AC, why not just log in to make to comment? Oh, because it's baseless and rings with every other "well just don't break the law" comment. The whole argument ignores when they change the "laws" to target folks like protesters, unit opinions, etc.
      But you already knew that, I'm sure.

      --
      Your mind is like a parachute. It works best when it's been opened.
    5. Re: Couldn't happen to a nicer company.... by Archangel_Azazel · · Score: 1

      ...next time I monitor spell check. *Scowl*.
      You got my point.

      --
      Your mind is like a parachute. It works best when it's been opened.
    6. Re:Couldn't happen to a nicer company.... by jittles · · Score: 1

      ...and giving anyone who asks cell phone location data (without verifying the veracity of a warrant), Securus is a truly predatory company.

      What are you talking about?? They always make sure the warrant is valid before they do anything. It's just that the only warrants they accept must say things like "e pluribus unum" and must have a unique serial number that is generated and validated by US Mint.

  4. Am I in the list? by SysEngineer · · Score: 1

    How does someone find out if they are in the list and being watched? Paranoid

    1. Re:Am I in the list? by Actually,+I+do+RTFA · · Score: 2

      Are you in the US?

      --
      Your ad here. Ask me how!
    2. Re:Am I in the list? by SeaFox · · Score: 4, Informative

      How does someone find out if they are in the list and being watched?
      Paranoid

      The list is of Securus' law enforcement customers, not individual citizens. And there is no "list of people being watched" here. The data is already being collected on everyone, it's just a matter of if a Securus customer made any requests about you. Without more info on how one uses the service, it's hard to tell if there is a record of who was tracked.

    3. Re:Am I in the list? by ArhcAngel · · Score: 1

      Isn't that obvious? Get arrested and sent to prison so you can access their database.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    4. Re:Am I in the list? by SeaFox · · Score: 1

      The list is a list of customers. That doesn't say anything about how often they use the service, or who they are using the service to watch. The list likely includes Sheriff's offices that have not logged in in years.

  5. Not just cops. by 140Mandak262Jamuna · · Score: 1
    In both the meaning of the word "just".

    Bad cops track too.

    People other than cops track them too.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Not just cops. by Anonymous Coward · · Score: 1

      In both the meaning of the word "just".

      Bad cops track too.

      People other than cops track them too.

      Set up a fake account and track cops and top federal LEA/TLA officials and publish the juicy bits to Wikileaks.

      Securus won't remain in business for long.

  6. Onion candidate #27 by Tablizer · · Score: 1

    Professional hackers have been hacked, and their recursive hacking algorithm, known as GrndH0gDai, was recursively hacked and stolen.

  7. Re:Just assume everyone knows everything every tim by Tablizer · · Score: 2

    So they know about my turtle porn all the way down?

  8. Re:Couldn't happen to a nicer company.... by b0s0z0ku · · Score: 2

    why blame the poor house? it can provide a roof over decent human beings' heads. far better if the company goes under and the owners get foreclosed. maybe someone will buy it and turn it into a halfway house for people the previous owners helped railroad...

  9. Securus by jwymanm · · Score: 4, Funny

    = Security + Circus

  10. Cue my surprise by zmaragdus · · Score: 1

    ..................

    Don't hold your breath. You'll be waiting a while.

    --
    (((dB)))
  11. FFS, isn't enough enough already? by Rick+Schumann · · Score: 2

    Data breaches, Woody, data breaches everywhere!

    Come on people, isn't enough enough already?

    1. Companies like this 'Securus' shouldn't exist in the first place.
    2. ALL companies that handle personally identifiable/sensitive data should have properly secured systems 100% of the time, no excuses.
    3. Nobody's phone location data should be revealed unless there is a valid warrant.

    When is this bullshit going to stop? As-is, you can't connect anything to the Internet without exposing yourself to massive amounts of risk of being hacked into either by criminals or the government, you can't carry a smartphone around for the same reasons (only worse), and it's getting to the point where even your bank isn't a safe place to keep your money because they're getting hacked, too. What do we do about all this? What is the way forward? How do we fix this?

    Shit like this is why I don't have a smartphone, and why I pay cash for everything I buy in person: to reduce my exposure to this sort of risk. Neither I nor any one of us should have to do that.

    1. Re:FFS, isn't enough enough already? by Teun · · Score: 1

      When is this bullshit going to stop?

      By the time the USofA joins the EU.
      Now the UK is all but gone we can do with another English language group.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    2. Re:FFS, isn't enough enough already? by atrex · · Score: 1

      When is this bullshit going to stop?

      By the time the USofA joins the EU. Now the UK is all but gone we can do with another English language group.

      You probably wouldn't want one with as much baggage as the US has.

  12. Sounds like... by Stolovaya · · Score: 1

    Sounds like a violation of the 4th amendment, just with extra steps.

    1. Re:Sounds like... by BlueStrat · · Score: 2

      Sounds like a violation of the 4th amendment, just with extra steps.

      "It's illegal and unconstitutional for me to do as a LEO so I'll just pay someone else to do it for me!"

      "You'll go far in US politics, Son!"

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    2. Re:Sounds like... by Agripa · · Score: 1

      Sounds like a violation of the 4th amendment, just with extra steps.

      Great, just try to enforce it. First you will need standing. If you get past that, then you will need a remedy. Since the remedy for a 4th amendment violation is exclusion of evidence, which does not apply in a civil trial, you will need to be the defendant in a criminal trial. If you get past all of that, then law enforcement will use parallel construction anyway.

    3. Re:Sounds like... by Stolovaya · · Score: 1

      Pretty much. The 4th amendment is shit on a lot. Civil forfeiture alone...

  13. Re:Dick Chopp will not deprecate his nads inspecti by DickBreath · · Score: 1

    Does this urologist offer to perform Circumcisions as part of his practice?

    DAILY SPECIAL !!!
    Today only!!!
    Circumcisions: half off !!!

    -- Dick Chopp

    --

    I'll see your senator, and I'll raise you two judges.
  14. I'm interested in by Grand+Facade · · Score: 1

    The "usernames and poorly secured passwords for thousands of Securus' law enforcement customers"

    I'll bet that could open some doors!

    --
    Rick B.
    1. Re:I'm interested in by currently_awake · · Score: 1

      Given that many people re-use usernames and passwords, you are correct. I wonder how many local police computers are now accessible?

  15. Not IF, but WHEN... by zarmanto · · Score: 2

    Security vulnerabilities are a fact of life, and most people in any kind of a technology job are aware of that. It's not if you're going to be hacked, but when, and by who. And in fact, it's not these highly publicized breaches that we really need to worry about; rather, it's the breaches that nobody ever finds out that probably keep the security experts awake at night. So if some well-meaning script-kiddie stumbled his way into Securus, then what that really tells us, is that someone with nefarious intent has almost certainly already exploited the same weakness well prior to this. Nobody found out about that hack* for two reasons: 1) The "real" hackers covered their tracks and didn't get caught, and 2) they didn't notify the press with childlike glee of their successful hack of a highly sought after target... rather, they used the vulnerability to collect as much data as possible, and hid any strategically useful data that they discovered under a rock, to be sold to the highest bidder on the black market.

    * Mind you... "that hack" could just as easily have been "those hacks"... and we likely still wouldn't know it happened, nor how extensive the damage was, until it's too late to fix anything.

  16. Re:Dick Chopp will not deprecate his nads inspecti by mnemotronic · · Score: 1

    An eye doctor in Columbia MD named Dr Glaros.

    --
    The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
  17. Re:Just assume everyone knows everything every tim by ColdWetDog · · Score: 1

    Then where the hell are my keys?

    --
    Faster! Faster! Faster would be better!
  18. Re:Just assume everyone knows everything every tim by mnemotronic · · Score: 1

    Car keys are in refrigerator vegetable bin.
    The 3 pieces of celery with almond butter that, along with a cup of coffee, was supposed to be a snack, are in the closet with the paper towels.
    The paper towel that was supposed to be for wiping off the countertops is on top of the toilet where I had to pee all of a sudden.
    The cup of coffee that was warmed up in the microwave is in the cabinet where the extra packets of stevia are kept.
    The stevia and soy milk are in the desk where my pad's USB charger is.
    My pad with the article I was about to read on "Mindfulness" is in my jacket pocket where I keep the car keys.

    --
    The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
  19. Encryption backdoors by HeckRuler · · Score: 2

    Now tell me with a straight face that the FBI's suggestion to use a third-party key management system that they could go to with a warrant would be secure. Go on, let me hear it.

  20. Re:Just assume everyone knows everything every tim by JosKarith · · Score: 1

    Law Enforcement to "criminal" : Well we broke in cos' your civil rights weren't very strong. You were asking for it.

    --
    'Don't worry' said the trees when they saw the axe coming, 'The handle is one of us.'