Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Massive Cache of Law Enforcement Personnel Data Has Leaked (zdnet.com)

Posted by msmash on from the privacy-woes dept.

Zack Whittaker, reporting for ZDNet: A data breach at a federally funded active shooter training center has exposed the personal data of thousands of US law enforcement officials, ZDNet has learned. The cache of data contained identifiable information on local and state police officers, and federal agents, who sought out or underwent active shooter response training in the past few years. The backend database powers the website of Advanced Law Enforcement Rapid Response Training -- known as ALERRT -- at Texas State University. The database dates back to April 2017 and was uploaded a year later to a web server, believed to be owned by the organization, with no password protection. ZDNet obtained a copy of the database, which was first found by a New Zealand-based data breach hunter, who goes by the pseudonym Flash Gordon.

68 comments

  1. Haha by Anonymous Coward · · Score: 0

    Getting my popcorn ready now. This is gonna be good.

    1. Re: Haha by Anonymous Coward · · Score: 1

      Step 1. The billboards on I 10 reading "silver or lead."
      A clear warning to law enforcement to take a bribe or eat lead.

      Step 2. This story in TFA.

      This is Mexican cartels threatening US law enforcement.

  2. No password protection! by QuietLagoon · · Score: 4, Informative

    ...uploaded a year later to a web server, believed to be owned by the organization, with no password protection....

    Whoever put into place this stunningly amazing illustration of absolute ignorance about security should never be allowed near a keyboard again.

    1. Re:No password protection! by fafalone · · Score: 1

      In an ideal world. In ours, I'm sure it will be found they acted completely appropriately and 100% of the blame (and charges) will fall on whoever downloaded their wide open file.

    2. Re:No password protection! by Anonymous Coward · · Score: 0

      In other words, President Scroob's luggage was more secure!

    3. Re:No password protection! by Anonymous Coward · · Score: 0

      Imma let you finish, but first want to bet the site was created using free labor provided by students?

        " ...the website ... at Texas State University..."

      Who are often not chosen for their security chops.

    4. Re:No password protection! by dknj · · Score: 2

      I'm thinking about reality, and catchign this problem may be very difficult.

      What if this company (before it had strict IT controls in place) allowed employees to rent EC2 servers on their CC. Well DB/Windows/SysEngineerAdmin said let me spin up an EC2 server where I can dump my shit so I don't have to do stupid vpn tricks to move data around. He then lets others use said server, then forgets about it because what's $20/mo when you're making IT money? Someone stages a prod SQL dump with a random ass name like tmp-2o2-deadbeef.dat.

      Everyone ignores it.

      Later someone accidentally removes index.html when rm *.html in the wrong directory.

      "HEY DOES ANYONE NEED THAT?" *crickets* Now up to this point everyone thought this system engineer was just a weirdo but that's the usual M.O. for BOFH sysadmins. Life goes on as usual. Until one day an entrepreneurial hacker shodan's something completely unrelated and sees this garbage file.

      "Whoa, I wonder what that does."

      He downloads it but only part of it before he closes his laptop because his mom told him to go to sleep for the tenth time. Transfer aborted. Queue a ridiculous story of incompetent FBI agents, a system engineer hell bent on destroying the world, and several young teenagers who just want to hack the planet and make all the wrongs right in the world. There will be shenanigans as a new hacker friend joins their ranks but ends up being a hacker that pulled off the most epic hack 10 years earlier. Gawking at teen boobs and state of the art technology. Teaming up to create mass confusion and override security personal daily functions. All to recover the remainder of the database dump so they can share it with everyone to prove to the FBI and to the world that the system engineer is guilty and not the downloaders.

      I'm going to make a movie out of this and name it Hackers. It will be a cult classic eventually.. I hope..

      -dk

    5. Re:No password protection! by Anonymous Coward · · Score: 0

      Unless this was a form of whistleblowing. In which case, I'd like to see the guy land a gov't job. When this kind of thing starts happening to government officials, maybe then they'll give a crap about privacy/security.

    6. Re:No password protection! by Anonymous Coward · · Score: 0

      Except that we live in a world run by idiots where instead of charging the murdering law enforcement thug who actually killed a guy, they want to blame it all on the kid who made the fake 911 call. Common sense just doesn't apply.

  3. Hey, they spy on us ... by Anonymous Coward · · Score: 5, Insightful

    The way law enforcement has decided they don't give a fuck about our privacy, I'm afraid I have little sympathy for this.

    If you're in charge of this kind of information, and you put it on a server with no protection, you probably have no business in that job.

    Do the police expect us to care about their privacy when they don't care about ours?

  4. Not A Problem by StormReaver · · Score: 5, Insightful

    I'm sure that Law Enforcement is perfectly fine with the breach. After all, since they have nothing to hide, they have nothing to fear.

    Right?

    1. Re:Not A Problem by gweihir · · Score: 2

      Indeed. Eat your own dog food or stop claiming it is delicious.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Not A Problem by CaptainDork · · Score: 4, Interesting

      To say that the data set was not "password-protected," is equivalent to, "unencrypted like we always wanted to do with your iPhone."

      --
      It little behooves the best of us to comment on the rest of us.
    3. Re:Not A Problem by Anonymous Coward · · Score: 0

      That's it! Every police officer is now a Division agent, secretly policing from the communities until called to hunt bad people middle of the night.

    4. Re:Not A Problem by Anonymous Coward · · Score: 0

      Because no one with a grudge would come after a cop or their family, right?

  5. Sloppy Admins or . . . by hduff · · Score: 1

    What is the underlying problem for these data breaches? Sloppy admins? Inadequate management? Lack of funding to do the job properly?

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
    1. Re:Sloppy Admins or . . . by gweihir · · Score: 1

      The root cause is almost universally utterly clueless management. Whether it is by hiring people that cannot do the job, ignoring warnings or actively preventing competent people from fixing problems, it always comes down to failures in "leadership".

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  6. I hate to say this, but... by Falconnan · · Score: 5, Insightful

    This is why we need strong encryption and authentication as a legal requirement for all personal information databases. Law enforcement may not like it, but if they require backdoors on encryption schemes and access, this will continue to make them as vulnerable as everyone else. They have proven the argument they oppose for us. I get the problems this causes, but the damage allowed by not using proper data protection is generally much worse. And now they may end up learning this the hard way, and that's a shame.

    1. Re:I hate to say this, but... by Anonymous Coward · · Score: 0, Flamebait

      That's not a shame, that's fucking justice.

    2. Re:I hate to say this, but... by gweihir · · Score: 1

      Encryption does not help. These databases are _online_ when they get stolen. This is not somebody walking into a data-center and stealing disks.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:I hate to say this, but... by Anonymous Coward · · Score: 1

      The problem is not that we have all this sensitive information left out in the open. The problem is that it exists in the first place. Our great grand parents would be shocked that there is one social security number being used to identify and control all the citizens in the USA. They would saddened that the once freedom loving USAians are so happy with this fact.

      Social security numbers were invented by the elite so they could cheaply and easily identify and hand out allotments and collect payments from their servile subjects. For a long long time Law Enforcement has been happy with this because it allows them to easily round up those who offend the elites. It also allows illegals the easy ability to assume the identities of the native born citizens so they could be employed by the elites. This was a good thing for business, and law enforcement defended the status quo.

      Now however the tables are turning and this easily identifiable information is being used against law enforcement. Maybe law enforcement will get the idea that you should not be checking the papers of everyone you meet. Its a nice dream.

      The central problem is people are not looked at as people. They are looked at a a number in a database. No amount of encryption is going to solve that central problem. Computers were invented by people to make their lives easier. However today they are used to enslave people.

    4. Re:I hate to say this, but... by Anonymous Coward · · Score: 0

      An encrypted database that is stolen either by disks or on the wire could be pointless. It comes down to how it was encrypted and what was encrypted. Will it ever be broken? Sure. When is the question. So, encryption does help inthat when it is stolen, it reveals nada.

    5. Re:I hate to say this, but... by greenwow · · Score: 1

      That helps some, but isn't the complete solution. You still have to be able to access the data in an automated way.

      For example, we use encrypted columns with Microsoft's attempt at an SQL server, and of course if you have a bug in your web app then that doesn't help since it will still expose unencrypted data. Another example is using encrypted at rest file systems. Doesn't help when the drive is mounted.

    6. Re: I hate to say this, but... by Anonymous Coward · · Score: 0

      I'm pretty sure I have my own SSN...

      Oh who am I kidding, someone in Cali uses my SSN everywhere. He's a doctor...and an illegal alien.

    7. Re:I hate to say this, but... by Anonymous Coward · · Score: 0

      Encryption does not help. These databases are _online_ when they get stolen. This is not somebody walking into a data-center and stealing disks.

      Welcome to 1991. Maybe its time for you to stop injecting contemporary 1980's levels of security understanding. Those of us that know what we are talking about it are sick of filtering out your noise.

    8. Re:I hate to say this, but... by Falconnan · · Score: 1

      That's where strong authentication would come in, but you're not wrong.

    9. Re:I hate to say this, but... by gweihir · · Score: 1

      Bloody amateurs with delusions. I am sick and tired of you fuckups. Of course, some of you know you know nothing and pay my pretty nice salary, so there is that.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re:I hate to say this, but... by Falconnan · · Score: 1

      Any unnecessary harm to someone is a shame. If nothing is learned from it, the shame is even greater.

    11. Re:I hate to say this, but... by sjames · · Score: 1

      In this case, it wouldn't have. Other breeches involve grabbing files out of storage. In those cases it makes all the difference.

    12. Re:I hate to say this, but... by Anonymous Coward · · Score: 0, Flamebait

      Harm to fascist bootlickers is completely necessary and should be encouraged. These ham sandwiches have been allowed to act like unrestrained stormtroopers for too long.

    13. Re:I hate to say this, but... by gweihir · · Score: 1

      Sure, you need storage encryption. It is just rare that it helps for this type of problem, because these "other breaches" are very rare exceptions. They typically involve laptops getting stolen or backup media getting disposed of insecurely.

      Incidentally, "breeches" are a type of riding pants.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    14. Re:I hate to say this, but... by sjames · · Score: 1

      They also happen when someone sets their AWS s3 permissions wrong or someone gets a shell on the server. Occasionally because someone's PHP doesn't sanitize requests.

    15. Re:I hate to say this, but... by gweihir · · Score: 1

      For the case where somebody has a shell or somebody screwed up web-application security, encryption is worthless assuming the data gets accessed. If it does not get accessed, it qualifies as "backup". Encryption only protects data that is not in use. If you put confidential data on s3 for other purposes than encrypted backup, you deserve all the hurt that is coming your way.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  7. Maybe now politicians will take privacy seriously by greenwow · · Score: 3, Funny

    Or not.

  8. Re:Great, lefties can now target law officers by Anonymous Coward · · Score: 2, Interesting

    These bootlickers are fine having all of our personal data so it's only karmic justice that we get the same. Teach these ham sandwiches a lesson they won't forget.

  9. damn these insights! by Jeremy+Erwin · · Score: 2

    That data alone would give anyone insight into the capabilities of police and law enforcement departments across the country.

    Might actually be useful for formulating public policy. And ultimately, who's in charge of formulating pubic policy?
    That's right.

    THE PUBLIC!

    1. Re:damn these insights! by CaptainDork · · Score: 1

      THE PUBLIC!

      They don't give a flying rat's ass.

      --
      It little behooves the best of us to comment on the rest of us.
  10. Re:Maybe now politicians will take privacy serious by Desler · · Score: 0

    Why would they bother? Neither Ryan's nor McConnell's data was leaked so why would they care?

  11. Already Leaked by sdinfoserv · · Score: 1

    Too Late, this was already stolen in the OPM (Office Of Personnel Management) breach. Remember, the OPM breach compromised every single federal worker, military person, and everyone who had gone through a top secret back ground check - as all FS86 forms were stolen. Most high level officers have gone through this.

    1. Re:Already Leaked by bill_mcgonigle · · Score: 4, Interesting

      Remember, the OPM breach compromised every single federal worker

      The Chicoms got a copy of the OPM database but you can't get it on the dark web, like this one will be. That's a major difference.

      I know one of our fellow /.'ers who was seriously trying to get a copy of the OPM database. He turned up suddenly dead last year with a self-inflicted gunshot wound. Probably a coincidence, but he was insistent that I turn off my cell phone before talking about it. No joke - I gave him a copy of Tails as I do for everybody but I have no evidence of causality there.

      I only know a few of y'all in person, but you're the best kind of crazy friends.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  12. Re:Maybe now politicians will take privacy serious by Anonymous Coward · · Score: 0

    I swear, people can't see the forest for the trees.

  13. Re:Maybe now politicians will take privacy serious by Anonymous Coward · · Score: 1

    If the OPM data breach didn't change anything, nothing will.

  14. Stay in NZ Flash! by Comboman · · Score: 2

    US law enforcement types love to blame the messenger rather than take responsibility for their mistakes.

    --
    Support Right To Repair Legislation.
  15. That would be a change. by Anonymous Coward · · Score: 0

    Great, evil lefties can now target law officers. Because #feelings and #resist and #not-thinking-though-complex-issues, they need to bring chaos and hurt those keeping our society safe.

    That would be a change, since currently it's the right-wing president and his band of idiots who are bringing chaos and hurting those keeping our society safe (in particular, the FBI).

  16. Re:Maybe now politicians will take privacy serious by greenwow · · Score: 1

    That incident didn't get near the coverage in the media that it deserved. It contained potentially incriminating data including mental health and financial records from background checks for over 20 million people. It's a gold mine of potential blackmail information that could be used against our federal employees and military.

  17. Re:Maybe now politicians will take privacy serious by Desler · · Score: 1

    And yet I'm still completely right. What motivation does either of those politicians have to get privacy legislation up for a vote? Especially when both have been actively hostile to the very notion of consumer privacy rights. And before you claim a both sides nonsense, when the FCC passed data privacy rules in 2016 that were later overturned by Congress not a single Democrat in the Senate or House voted for the repeal. In the Senate not a single Republican voted against the repeal and in the House only 15 Republicans of 236 voted against the repeal. So sorry, I'm not missing anything.

  18. In other news... by Anonymous Coward · · Score: 0

    In other news, another law enforcement vendor's system was breached.
    This vendor provides de-escalation procedures and non-violent methods for conflict resolution.

    The vendors states there was nothing in the databases for the hackers to steal.

  19. Where do I actually download these "public" leaks? by Anonymous Coward · · Score: 1

    I keep hearing every other day about "massive" data leaks, but then I never find any kind of link or indication of where you actually get the data. I have the Tor browser installed, but never find any .onion that actually works or has any content on it. These leaks are certainly not available on The Pirate Bay as torrents. I have no idea where to get it.

  20. Re:Maybe now politicians will take privacy serious by Anonymous Coward · · Score: 1

    That happened under Obama so the media basically swept it under the rug.

    You didn't mention the 5+ million fingerprints also stolen.

    > potential blackmail

    A Chinese citizen was arrested by the FBI for creating the malware used in the attack.

  21. Re:Maybe now politicians will take privacy serious by Desler · · Score: 3, Informative

    That happened under Obama so the media basically swept it under the rug.

    It was reported on every major news outlet when it happened. So that's a strange notion of "sweeping under the rug" you've got there.

  22. ah by cascadingstylesheet · · Score: 1

    A Massive Cache of Law Enforcement Personnel Data Has Leaked

    SJW donut shop revenues hardest hit.

    1. Re:ah by cascadingstylesheet · · Score: 1

      A Massive Cache of Law Enforcement Personnel Data Has Leaked

      SJW donut shop revenues hardest hit.

      You see, because SJW owners of donut shops will know who they are and feel obligated to refuse service to them and ... oh forget it ;)

      It was funny inside my head ...

    2. Re:ah by cascadingstylesheet · · Score: 1

      A Massive Cache of Law Enforcement Personnel Data Has Leaked

      SJW donut shop revenues hardest hit.

      You see, because SJW owners of donut shops will know who they are and feel obligated to refuse service to them and ... oh forget it ;)

      It was funny inside my head ...

      See, the fact that I had to explain the humor means that I was myself acknowledging how weak it was ... which is funny in a meta kind of ironic way ...

      (It's humorsplaining Friday, apparently)

    3. Re:ah by Anonymous Coward · · Score: 0

      Posting anonymously because I gave you a pity mod point.

    4. Re:ah by Desler · · Score: 1

      But it would have been fine had Sanders been a lesbian, though, right?

    5. Re: ah by cascadingstylesheet · · Score: 1

      Bless your heart.

  23. Re:Maybe now politicians will take privacy serious by Desler · · Score: 2

    Just from searching the WaPo archives I found more than 4 or 5 dozen stories about the OPM breach going on for months after it was fully disclosed. So, again, you have some weird idea of what "sweep under the rug" means.

  24. Re:Maybe now politicians will take privacy serious by Anonymous Coward · · Score: 1

    Yep. It's a directory of every single person - military, civilian, or contractor - who holds or has ever held a security clearance, including all their most sensitive information, all their dirty laundry, and a convenient list of all their family members and closest friends.

    Seriously, this should have been the MOST classified database in the entire world. If there was only one thing deserving SCI protection, it should have been this.

    But nope. They let China log right in and download it. And who knows who else.

  25. Re:Maybe now politicians will take privacy serious by Anonymous Coward · · Score: 0

    Well, it was reported. Then swept under the rug.

    Heads should have rolled over that breach. Instead they gave out free subscriptions for credit monitoring service, which completely discounts and ignores the severity of the data that was spilled.

    Media? They lynch Trump's staff over the cost of their office furniture. One of Obama's cronies allowed the worst data breach in history and the media gave a collective "Meh".

  26. Re:Maybe now politicians will take privacy serious by Anonymous Coward · · Score: 0

    seriously for the protected classes, but not us peasants.

  27. So where is it? by Anonymous Coward · · Score: 0

    Was anyone able to find the leaked dataset?

    1. Re:So where is it? by Anonymous Coward · · Score: 0

      I'm wondering this too. I'm hoping to find a torrent that I can throw on a seedbox and do my part to make sure this gets spread as far and as wide as possible.

  28. So where is a link to the data set? by owenferguson · · Score: 1

    Seriously, Slashdot. Where's the fucking link?

  29. Re:Maybe now politicians will take privacy serious by Desler · · Score: 1

    How was if swept under the rug? The WaPo ran dozens of stories for months on end and even wrote followup stories about it earlier this year. Sorry, but you're full of shit.

  30. Finally by Anonymous Coward · · Score: 0

    Other people are bad at naming things too, as a programmer I don't feel alone now.

  31. Re:Maybe now politicians will take privacy serious by AHuxley · · Score: 3, Interesting

    Re "How was if swept under the rug?"
    Read the report. Nothing was done. The US gov sat on the discovery about mil/gov data getting accessed for months.
    The movement of data in real time out of the USA was allowed.
    Nothing was done to protect the data. Nothing was done to secure and encrypt the data.
    The data set was left as bait to try and see what was going to be done.
    The data set was copied out of the USA. The US gov for some expected the data set to be searched and used in real time.
    That the access would be back to the US site, not the movement of all data out of the USA. The data set was left open, unencrypted to see how the access and searching would happen.
    Nothing was searched for and all the data got copied out as the US gov watched on. The only method discovered was that the data was copied.
    The tame US media reported the copy of the gov/mil data set as if a movie studio had a movie archive copied.

    --
    Domestic spying is now "Benign Information Gathering"
  32. Re:Maybe now politicians will take privacy serious by AHuxley · · Score: 1

    Reporting that the data moved out of the USA was not reporting on why the data to moved out and why nothing was done to protect the data once access was discovered. The US gov watched for a long time. Nothing was done. The data movement out of the USA was watched. The full data set was allowed to be copied.

    --
    Domestic spying is now "Benign Information Gathering"