Hackers said they posted the names, addresses, and other personal information of 7,000 law enforcement officers that were stolen from a training academy website they compromised. Many of the entries also included the officers' social security numbers, email addresses, and the usernames and passwords for their accounts on the …
Do I get this right?
They stored the password unencrypted? Are there OSes still out there that store passwords unencrypted by default? Even for a web login there are quite a few standard libs that will store passwords only encrypted, right? Today you really need to spend some effort to have logins that store the passwords unencrypted, I would think.
If the passwords were actually stolen
As you point out, it indicates a level of incompetence one would have thought one would have seen in at least two decades. The "Missouri Sheriff's Association" should be sued out of existence.
Not that simple
Unfortunately it's not that simple. The OS has nothing to do with how a website stores its usernames and passwords; the code for the website does that, and while there are libraries to help you do hashing etc., there is no 'make me an ultra secure, scalable website' library you can just plug into a webserver and it 'just works'.
You do get things like dotNetNuke and other CMS solutions which come with secure login bundled in but they have a learning curve that most people don't bother with.
Lastly there is the .NET framework's FormsAuth (lastly that I am aware of, I'm a .NET developer so have no insight over PHP or Java's offerings) which kinda gives people the ability to custom roll a secure area and make it not suck but that is more like a really gentle push in the right direction, it's no way pretty to use if you want to get really custom on it.
So in short, unfortunately there isn't, and the quickest (i.e. cheapest) and easiest way to create a website login is just to roll it yourself.
The excuse I usually hear for not hashing passwords is that if a user forgets the password, or the 'business' wants to be able to log into customers' areas for testing purposes, it is easier if the password can be extracted from the database. "And no, encryption is not enough because then I might actually have to use some quick and easy to use tool to read the password as opposed to SQL Server Manager."
That's not an excuse for bad security.
Wanting to retrieve a password is no excuse for storing passwords unencrypted. And hashing is not the same as encrypting.
I feel your pain. It's not a great excuse though, is it? All the systems that I know of have ways of retrieving or resetting passwords. In the worst case (i.e. where it's the business and not the user who wants to be able to retrieve the password), a db admin could manipulate the user's record such that the password could be retrieved/reset without going through the Web site's security checks.
It's hard, for me, to imagine a system where a db admin couldn't do that: at least where we're just talking about simple uid/pwd validation and not the use of some other security device as well.
This is getting rather propeller
Dumping dox of informants?
Uh, maybe not the best idea.
4 thumbs down?
Not sure why your post has got 4 thumbs down - I guess that proves at least 4 Register readers can't see the wider context
Exposing informants completely undermines everything. Remember Wikileaks, and the claims against them that the releases put people in the field in danger: it turns people against the idea. (It doesn't matter that it's not necessarily true - mud sticks and people will use it to get others on their side when they file their "Anti-Freedom" bills into Parliament/Congress.)
It's counter-productive. You can't claim to be fighting the good fight while putting common normal people in danger. It's just like NOTW claiming to be the soldiers' friend, while hacking the families. It reveals that the true agenda lies elsewhere.
I hope this release isn't true, I appreciate it needs to be confirmed
Dumping informant details
It may endanger the informants, but it also shows that they were never really protected in the first place. Often the dangerous criminals are able to get that stuff anyways, and by the same methods, they just don't publish it and so it never gets fixed. At least this way it lets the informants know they are not safe, and cannot trust law enforcement.
It is a good tactical move.
"At least this way it lets the informants know they are not safe, and cannot trust law enforcement."
But that's the wider point, that's crucial for all of us and society. Informants *do* need to be kept safe, and *do* need to be able to trust law enforcement.
Clearly they have not been as safe as they should, but that's always been the goal. Now the goal cannot be attained.
There are better ways of highlighting the dangers to these informants than actually putting them in more danger. Before they were in a bit of danger, but now they are most certainly in absolute danger.
Well done, power to the people! Stick it to the man! Oh, wait, there are youths setting fire to a car in my road but I best not report it.
They have all our info and have no qualms about using it. Now we have theirs.
Democracy at work.
"They have all our info and have no qualms about using it. Now we have theirs"
You missed the distinction.
I'm talking about informants. You're talking about members of the police.
If you want to call the police "Them" then fine. But informants are usually "Us"
WTF?? Releasing personal info on individuals - again
How can releasing the personal information of law enforcement officers possibly be justified?
In the early days it was about information security, internet openness and DRM, then it was about taking big corps down a peg or two, then it was for the lulz.
Now, they are twisting the agenda to include retaliatory attacks against the people who are employed to protect and serve. How sad that such high and noble ideals should come to potentially telling convicted murderers where 7000 cops and their families live.
It's just not funny anymore (if ever it was in the first place).
Anon, Lulz, et al - please grow up and take your anarchic agenda elsewhere.
You mean like switch to shooting, torturing and imprisoning people instead of just hassling them on the internet? That's what grown ups do isn't it? Besides, these are enemy combatants not innocent people. And if a few of them are innocent, oh well, that's collateral damage I guess. That's how the grown ups justify it anyway.
Is that what you want? I sure don't. I'll take juvenile mischief over the adult kind any day.
Perhaps a little better targeted -><ambivalent> After seeing a video of some poor 37 year old homeless guy with a mental issue beaten to death in Fullerton, California recently, I'm not so sure. Hearing this guy calling for his dad as they yelled "Quit Resisting" over and over while they kicked his ass into a coma and eventual(!) death, me, having four boys of my own, saw red. I could care less about the cops that participated in that attack - throw them naked in the middle of the prison yard during open rec and turn off the cameras</ambivalent>
It is weak that AntiSec or whomever is obviously going after low-hanging fruit, at least have a legitimate target.
Disclaimer: I do not make statements to either acknowledge or deny agreement with the hackers in this case. If you think I agree, or think I disagree, please read this disclaimer again until it makes sense.
I believe the logical reasoning behind the hackers releasing all they could find on law-enforcement, is that they've seen the law-enforcement becoming profit-enforcement for those with deep pockets, and not law-enforcement for all citizens. I suspect that as long as they continue to see law-enforcement being abused as the private enforcement arm of Corporate States of America, the hackers WILL consider all law-enforcement officers, and affiliates, legal targets for their vendetta.
I can understand their logic on this one, even if I neither agree nor disagree.
This is what I was thinking
Releasing docs that expose corruption, abuse of process etc.; that's one thing and something I would mostly support.
But this? This act I do not agree with. They are treating all of these officers the same and whilst there are certainly some who will deserve a sound kicking, there are many who are trying to do their job the best they can.
We have seen data unprotected, unencrypted by many government agencies and corporations for many years. They all claim to keep it safe, then they either do something stupid which gets it released, or fail to protect it as happened here, or even worse, they intentionally give it to business partners who do who knows what with it.
At the same time all this goes on, those in law enforcement and political positions are often excluded from those and other published lists. Turnabout is fair play. About time they get a feel of what everyone else goes through.
Falsest dichotomy I've read for a very long time. You don't have to take ANY kind of "mischief"!
It was never about information security or openness in the first place.
It's just that unlike the current crop, the old guys thought they needed a justification to get their lulz.
Hackers becoming threat to society
"AntiSec also said it released the names and personal information of anonymous law-enforcement informants"
If this is true, police should deal with these hackers the same way the gangs will deal with informants: bullet through the head. Signing people's death warrants for the lulz is not funny.
These hackers are fast becoming a threat to society. They need to be taken down quickly, before politicians start altering the law to make anonymity on the Internet impossible.
Posted anon while I still can.
Maybe any fallout that results to CIs or the officers (financial endangerment or death) should be exacted on anybody found and CONVICTED of being associated with these particular groups. If the offenders are minors, then try them as adults. If they're smart enough to breeze through security like that then they're familiar with the rudimentary concepts of right and wrong.
It's one thing to be responsible for the whole of society paying higher interest rates to credit card companies; but it's entirely another to jeopardize the lives of the people who generally do their best at keeping us safe at night, while we sleep.
law enforcement screwed up as well
...looks like law enforcement wasn't taking the informants' security seriously anyway if amateurs could extract plaintext lists.
Some would argue simply having the records on a computer shows reckless disregard for their safety, though it's probably cheaper and easier to just bribe a bent policeman than hire a black hat hacker...
Which is the Greater threat?
If this information is available for the scriptsters to find that easily, doesn't this show that even vaguely-organized criminal enterprises also had access to this information?
If anyone is going to put a "bullet through the head" of the scriptsters, it's more likely the organized criminals that regularly trawled the database for information who are now going to have to find a new way to get the data they want. Signing people's death warrants because you can't be bothered to secure a database is not justification to execute those who showed these sheriff/emperors had no clothes, unless you are also associated with the organized criminals who are now going to have to work harder.
The arrogance of the police to believe they don't need to encrypt their own data is a greater threat to society than the whistle-blowers. And if politicians are going to successfully alter the law to make anonymity on the Net impossible, they're going to have to start being a lot smarter than they have clearly and repeatedly shown themselves to be in the past.
Sherlock, sarcastically, because it shouldn't take a genius to figure this out.
Sleep with the dogs, wake up with fleas, etc.
"law enforcement wasn't taking the informants security seriously anyway"
Well, that's par for the course.
How do I know? Umm... better not say.
A part of me almost hopes someone does die
If an informant who stopped a serious crime is killed because of this it might finally wake a lot of people up, both the hackers and the people who store life-threatening information in plaintext format, that this is a serious issue and not to be fucked around with.
I'd rather they came to that conclusion without people dying, but somehow I doubt it.
>If the offenders are minors, then try them as adults.
Yeah and also I don't think they should have access to lawyers, or have any right to a fair trial either
Ever had personal contact .....
with an American cop in the course of his or her work? They very probably will indeed use a bullet, even if not necessarily into the head of any suspect they attempt to arrest in connection with this alleged offence.
Not saying ours are any better -- it's just that they don't have guns routinely.
Paris -- because even she knows what American cops are like.
Someone to die?
Jesus mate, how about a middle course?!
Hack in, nick stuff to show it's real, but then *don't share the bit that puts normal people in danger*
I'm sure that some informants are like the criminal rats in the movies, but I'd bet that most are normal people, pensioners on council estates, that sort of thing.
If somebody does die, public cooperation with the police will skydive. Despite the obvious problems with the police organisation, we shouldn't throw the baby out with the bathwater.
Bullet through the head?
You need to think about that for a few minutes. If you believe in freedom and justice, then you should believe people are innocent until proven guilty. Your suggestion of a bullet through the head takes all that away.
Whose side are you on?
The telephone game
I don't believe I insinuated that anybody should be shot for hacking. I simply stated that if convicted, they should be tried as adults. And while I'm clarifying, I think a fair number of you seem to be operating under the misperception that 'merica is nothing more than one giant cess pool with the constant drone of small arms fire. That might be the norm for LA, San Francisco, Denver, Chicago, Cincinnati, most of "the south", Detroit, Cleveland, Pittsburgh and everything on the eastern seaboard, from Maryland to, oh say, the northern state border for Mass.
We're not all uncivilized heathens or uncouth trash that rely on pistols. I happen to prefer my 30-06 or my .308 rifles.
Now, back to "at the risk of sounding serious"... One can argue that the police screwed the pooch with lax security, ok, fine. I'll grant you that one. BUT, comparing organized crime to a "hacktivist" group that's pissed at the world about WikiLeaks? That's too much of a leap.
If they ever do find out who's responsible AND those suspects are found guilty then they should be punished to the fullest extent of the law. Killing them? Nah, just remove all the product warning labels and get rid of product liability lawsuits and the gene pool will clean itself out in no time.
somehow I'm not feeling it
LEOs tend to be stupid, so this may develop into an interesting scandal.
LMAO in 5, 4, 3 ....
It's on purpose
There is SCIENCE behind hiring practices for law enforcement officers. Part of that science strongly advocates hiring people who are not very good at original thinking and who quickly respond when their intelligence/power are threatened (or perceived as threatened).
The idea being that officers won't be as prone to questioning orders or to being outsmarted by crooks. Really. The idea is that you hire someone so stupid they can't be out-stupided and who can't think for themselves. It's probably not a terrible theory but in practice far too many stupid violent thugs are the people who best fit the bill.
Didn't that twat Aaron Barr pine for stuff to make Anon & Glenn Greenwald look like bad guys? This could be them
In any case, whoever did this is irresponsible and stupid.
IF they use (and reuse) the same password.
Strikes me, that a badge #, or other job related "word" as a password would indicate at least rudimentary attempts to use DIFFERENT passwords.
BTW Zane, not necessarily if it's less than 100% compromise of PWs. A dictionary attack on most encrypted password files will succeed on a great many of the passwords, whatever the source. The exact contents of the released data would tell though. 100% of passwords would indicate either a broken reversible algorithm, or plaintext storage.
But then again, consider the number of subscription websites that even today return the actual original password to an "I forgot my password" request. It most certainly is possible.
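The thread keeps circling two points: the "forgot my password / the business wants to log in as the customer" excuse for plaintext storage, and the observation that even hashed passwords fall to a dictionary run when they are names, badge numbers or dictionary words. The following is an added example (not code from the article or from any commenter) of what the defensive side looks like: salted PBKDF2 storage, constant-time verification, a reset-token flow that replaces password retrieval, and a registration-time check that rejects the weak choices the article describes. The word list, iteration count and field layout are my own assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample of weak choices; a real deployment would load a large wordlist.
WEAK_WORDS = {"password", "welcome", "letmein", "sheriff", "police"}


def password_is_weak(password, name, badge_number):
    """Reject the choices the article reports: dictionary words, the user's
    own name, or their badge number (plus anything too short to bother with)."""
    p = password.lower()
    return (p in WEAK_WORDS
            or p == name.lower()
            or p == str(badge_number)
            or len(password) < 8)


def hash_password(password, iterations=200_000):
    """Store a salted, iterated hash. The per-user random salt is why two users
    with the same password get different records and why a precomputed
    dictionary of hashes does not apply across the whole table."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Assumed record layout: algorithm$iterations$salt$digest, all hex-encoded.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute the hash with the stored salt; nothing reversible is kept."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    check = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so a mismatch does not leak where it diverged.
    return hmac.compare_digest(check, bytes.fromhex(digest_hex))


def issue_reset_token():
    """The answer to 'but the user forgot it': never extract the password.
    Hand the user a one-time random token and keep only its hash server-side."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode()).hexdigest()


def redeem_reset_token(token, stored_token_hash):
    """Valid token lets the user set a new password; the old one is never revealed."""
    return hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(),
                               stored_token_hash)
```

A database dump of records produced this way yields salted digests rather than reusable credentials, and the weak-password check is what keeps those digests from being trivially matched against a word list.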
Petty disputes getting out of hand?
If I tell a local Bikie gang that they are sissies and one of them hits me, the local cops will tell me I may file a report and I shouldn't be so stupid next time. The powers that be decided to take funding away from wikileaks and a bunch of people decided to hit back in a controlled way for 2 hours at each site. Had any of the payment providers simply said they were sorry and allowed payments again the spat would be over, but egos got in the way and the big players got the FBI involved and their ego didn't allow them to tell the processors to just deal with it like they should have. The result is this will escalate and now it's involved thousands of people outside of the grip of US law enforcement and this will lead to an all out attack against either Master Card, Visa or Paypal and it could bankrupt them if the timing is right. Since the technical details have already appeared in the IRC channels on how to bring down MC for good, its management has a legal obligation to its stockholders to make sure that doesn't happen even if it means backing down and a token donation to wikileaks. It may be morally wrong to pay the mobster not to break your knees but when they show up with a sledge hammer, you pay.
"If I tell a local Bikie gang that they are sissies and one of them hits me, the local cops will tell they may file a report and I shouldn't be so stupid next time. The powers that be decided to take funding away from wikileaks and a bunch of people decided to hit back in a controlled way for 2 hours at each site. Had any of the payment providers simply said they were sorry..."
Oh wait, you think it's the payment providers who are being petty, not the skiddies? Oh, and while it would be interesting to see MC being taken down for good, I think it would be the easiest way to make sure you have the entire world's resources focused on finding you and landing you in a jail cell/executed for financial terrorism...
Yes. They are the ones being petty. What they deserve is a good old-fashioned ass kicking on the sidewalk. I think they got off light with a couple of temporary website outages.
I don't think releasing the details of the cops is helping though. Most of those guys are just dumb rednecks who probably really try to help society (hopefully anyway). I do believe that the hackers/scripters have a valid point though. Law enforcement is getting out of hand and has become a private army for large corporations.
If a mom & pop commerce site was DDOS'd do you think the federal law enforcement would be arresting suspects on your behalf? You'd be lucky if the cop you talked to even filed a report.
Can some please take these immature wankers round the back and put some bullets through their heads?
Attempting to embarrass legitimate target is (vaguely) acceptable; publishing details of innocent bystanders is just utterly stupid and irresponsible.
I don't see the point.....
I think Anon and the breakaway groups have forgotten why they started in the first place.
What do they think they are going to gain by this?
I reckon the keyboard warriors should come out from behind their computer screens and stand up and protest in person like real children, um, men.
Re: I don't see the point.....
"I think Anon and the breakaway groups have forgotten why they started in the first place."
Nope. They started doing it for a laugh (or Lulz if you must), and they're still doing it for a laugh. No altruistic motive ever intended.
I dunno mate
"They started doing it for a laugh (or Lulz if you must), and they're still doing it for a laugh"
I dunno about that mate, try following a couple of them on Twitter. There's a whole lot of "For the People, For the Greater Good" harping going on.
We are anonymous, we are coming for you, the rights of the people cannot be trodden down by those with the power, etc etc etc.
I think some of them are certainly buying into this rhetoric; it's picking up steam but not necessarily any sense to go with it.
"For the greater good"
The greater good!
Those you should be scared of
"For the People, For the Greater Good"
Sounds like self-important, self-appointed vigilantes to me. Who made them arbiters of what is the greater good? Who voted for them as enforcers for the people?
It's always the same; the zealots who are certain they know best what's right are the ones who cause the most misery.
"The file strongly suggests that the training site failed to follow industry best practices by securing the password database with one-time hashes to prevent them from being read by attackers."
What is this "one-time hash" you speak of? Is that where you do the hash then throw the salt over your shoulder for good luck?
" ordinary dictionary words, or were identical to their names or badge numbers"
Zero sympathy then.
Has to be said
Piggies, start squealing.
"antisec" is not a group, its the name of an ongoing operation.
lemme guess, SELECT * FROM Users; ?
Well I'm glad they are helping their "friends"...
...because now prosecutors are REALLY going to make an example of them. They may have got a slap on the wrists or a few years at worst, but because of the morons' continuing carry on, they will get maximum penalties.
Reap what you sow and all that.