back to article Texas cops lose evidence going back eight years in ransomware attack

Cockrell Hill, Texas has a population of just over 4,000 souls and a police force that managed to lose eight years of evidence when a departmental server was compromised by ransomware. In a public statement, the department said the malware had been introduced to the department's systems through email. Specifically, it arrived …

  1. Steve Aubrey

    Better than even

    "We will update this article if and when we receive a response."

    My money's on "if".

    1. mark 177
      Thumb Up

      Re: Better than even

      And my money is on "else"

  2. Version 1.0 Silver badge

    Backup worked but ...

    The new wave of software waits until the backups have run before launching - so all the backups are encrypted.

    The way around this is a little counter-intuitive, slow backups over a metered connection so that when you see the connection get pegged because everything is being backed up, you can start looking at the problem and shut the door to preserve the backups of the backups.

    1. Orv Silver badge

      Re: Backup worked but ...

      "All" the backups depends a bit on the depth of your backup scheme, too -- expiring all the non-encrypted backups takes months to years in many situations. (And yes, depending on how fast it works the abnormally large incrementals might be a warning sign.) Of course, you still lose everything between the last non-encrypted backup and the date of discovery.

      1. Danny 14

        Re: Backup worked but ...

        People keep 1 day of backups? No weekly/monthly/quarterly archive? Jebus.

  3. Anonymous Coward
    Windows

    What was the point of that article

    If you are not going to give any technical details or mention the Operating System then what was the point of posting that article?

    'The document advises you to enable macros “if the data encoding is incorrect.”'

    1. Pascal Monett Silver badge

      It was a US police station. You really think there's a chance that they're running Linux ? Because if they were, the story would be a lot bigger since there would be a vulnerability exposed in Linux.

      No, this is a bog-standard Windows environment, likely running with Outlook email. If they're lucky, they've got funds for an Exchange server.

      Which means they're about as secure as a whore who never uses condoms, and the consequence is inevitable.

      In passing, maybe it might have been worth 4 fucking Bitcoins to ensure that a single accused person (not to mention the dozens that might be implicated) could have his innocence proven ?

      Oh, sorry. This is the US of NSA - an arrest means YOU'RE FUCKING GUILTY, YOU PIECE OF TRASH.

      1. Mystic Megabyte
        FAIL

        @pascal

        A friend recently took a two week trip to the USA to visit his children. After the visit he bought a train ticket for an early morning departure. He asked if he could stay overnight in the station and was told it was OK. At some point the police arrived and told him to leave, they did not accept that he had a valid ticket. Then they handcuffed him and stamped on the cuffs which hospitalised him due to hand injuries.

        Torture, civil forfeiture and legalised spying. I will not be visiting the USA!

        1. Anonymous Coward
          Anonymous Coward

          Re: @pascal

          Please tell that to all those migrants trying to cross our southern border without going thru customs. I don't think they realize how bad it is in Gringo Land. You could do Trump and the rest of us citizens a signal service by making that wall (and whatever other draconian immigration policies Trump has in mind) unnecessary!

          It's crazy that so many poor migrants should suffer so in the journey. And now in addition, who knows what other horrors, courtesy of Cheeto Jesus?

          YOU (yes...you!) could stop all this suffering, just by explaining to them what a hell hole it is they are trying so hard to enter! If you can somehow take on and are successful in this humanitarian quest, you would be a hero to millions and then people would really listen to you (finally!). It would put you in the perfect position to properly and publicly excoriate President Trump for the monster he is! Ha ha!!

  4. redpawn

    Use it because it's easy

    Easy does not make good backups though. For mission critical serves real tested and network isoated backups are a must.

    Microsoft Office may have been the entry point and it could have been macros which did the deed. Hope this does not cause people to be unfairly jailed for lack of exculpatory evidence.

    1. joed

      Re: Use it because it's easy

      "Hope this does not cause people to be unfairly jailed for lack of exculpatory evidence." - from US incarceration rate it's more likely that large number may be spared jail time or - for Texas in particular - death row.

      However, since we don't live in VR (yet) the impact may be just inconvenience to court clerks.

  5. Ilsa Loving

    Destroying evidence?

    Couldn't the police department be charged with destroying evidence?

  6. GBE

    https://en.wikipedia.org/wiki/Mens_rea

    1. MrT

      Mens rea...

      ... See no evil, hear no evil always springs to mind.

  7. Adrian 4
    Facepalm

    wtf ?

    "It makes it incredibly difficult if not impossible to confirm what's written in police reports if there's no video"

    So how does that strengthen the police case ?

    1. Anonymous Coward
      Anonymous Coward

      Re: wtf ?

      Because US courts, especially in places like Texas, unfortunately tend to take the police at their word.

    2. The IT Ghost

      Re: wtf ?

      All too often in the US legal system, a police officer's sworn testimony is given more weight than that of any other person. While everyone is supposed to be equal under the law, if its your word against a police officer's, with no evidence either way, a judge will side with the officer every time. Sometimes it will take multiple supporting witnesses to overcome the bias. The officer *supposedly* has no vested interest in the outcome of a trial, while the defendant does, by definition. So the officer would not have a reason to lie, necessarily. However, should a conviction fail, I think its safe to think the officer's next promotion might be a little slower coming, to there's a hidden interest in having successful convictions following the officer's arrests.

      So yes...the playing field in a court of law always tilts in favor of whatever the police officer's report and/or sworn testimony says, and the opposing side has a battle to prove it wrong or mistaken.

      1. Mark 85

        @The IT Ghost -- Re: wtf ?

        Sad but true and it's just as bad if not worse with a jury trial. We, as a people, have become indoctrinated by TV cop shows over the years where the cops are honest and fair minded and the bad guys are always guilty. The one exception to this was the old Perry Mason.

        1. The IT Ghost

          Re: @The IT Ghost -- wtf ?

          An unfortunate truth, that. On rare occasion, you will see an officer remove the handcuffs and let the person go (seen that happen a few times on shows like COPS. Supposedly the person is merely being "detained"...but it says a lot about the relations between police and the public that they think putting someone in cuffs is "for everyone's protection". Sorry, officer, you don't need protection from me - I'm not going to prison for 10 years for assault and battery of a police officer - or anybody else for that matter. That you feel you do doesn't speak very well to your attitude toward the general public, though.

      2. Anonymous Coward
        Anonymous Coward

        Re: wtf ?

        It is the same over here. A policeman can perjure himself and still the judges will not throw the book at him for lying. How do I know? I witnessed it first hand. Police are above the law and in most cases can do and say whatever they like with impunity. They are treated differently.

  8. TimeMachine

    Similar thing happened in Cape Cod

    These guys got out Scott-free by one second granular recovery technology: http://www.securityweek.com/ransomware-attack-hits-cape-cod-police-department

  9. cantankerous swineherd

    such a shame when evidence of police malpractice is lost like this.

  10. Adam 52 Silver badge

    This story doesn't make any sense. If it's evidence then it'll be on something write-once, read-only. A DVD or some such. Otherwise you can't guarantee anything about the unbroken chain.

    For anything that's gone to court, or going to court, then the defence and court will have copies.

    All they can possibly have lost is recent, ongoing, investigations and then only if they don't have the original. I can believe that for car footage or Police station CCTV but not anything supplied by a third party.

    1. jtaylor

      Exactly this. If someone could click on email and run software that alters legal evidence, that same person already had the ability to alter that legal evidence.

      Malware wasn't the real problem here.

      1. Anonymous Coward
        Anonymous Coward

        I completely agree. It's a very low quality legal system if evidence isn't kept in a manner where a person's hand written signature is required every time it is examined. Hence the old fashioned idea of a tamper proof evidence bag.

        "Kept on a server" doesn't count.

        Here is the UK evidence bags are used. And the police are slightly keen to do that part of their job properly as judges and juries are generally cynical and disbelieving. A policeman saying in court "I saw him do it on a video" who is unable to produce said video is unlikely to be believed, especially if they had no log book entries to back that up (as would be likely - who would write down a running commentary whilst watching a video? They'd be expecting to be able to watch it again...). There is also a likelihood that the judge would never allow such testimony in the first place as it is impossible for the jury to assess the quality of the testimony.

  11. Doctor Syntax Silver badge

    It's 2017 and you can still be pwned by a forged email header

    "a cloned email address imitating a department issued email address"

    IOW, a From: line can say whatever the sender wants it to say. It's all that the recipient sees because they're not really going to dig down into the rest of the headers and a requirement for verification isn't built into our email protocols.

    We don't need to have to train users. We don't need to have email clients pop-up warnings. We don't need to have to run anti-virus on attachments or prevent them being opened. We need to bounce the mail at the recipient's service provider so that the recipient never sees any mail that doesn't come from where it claims to come from.

    This may, of course, close off the route whereby some bank or other business has a commercial spammer digital marketing business send you marketing emails pretending to come from themselves. Oh, what a crying shame!

    1. bazza Silver badge

      Re: It's 2017 and you can still be pwned by a forged email header

      Here is the UK quite a lot of ISPs won't let you send email using their severs that doesn't have your correct address in the 'from' field.

      At least that stops some of the flow of malicious email out of infected PCs, etc. If every email server on the planet did the same thing, we'd be better off.

      1. Doctor Syntax Silver badge

        Re: It's 2017 and you can still be pwned by a forged email header

        "Here is the UK quite a lot of ISPs won't let you send email using their severs that doesn't have your correct address in the 'from' field."

        If you don't use their servers that has little effect. It would stop a simple spambot from using their servers which might get them blacklisted and I suspect that's the limit of their worries.

        It would only be an effective means of stopping forged headers if they also prevent you from using some other provider's server. Having had my own domain through several changes of ISP the latter case hasn't been a restriction and the fact that so many spams do have lying From: lines makes it quite clear that it's not a restriction in general.

        1. lglethal Silver badge
          Facepalm

          Re: It's 2017 and you can still be pwned by a forged email header

          I've made this suggestion to the Hotmail Support Staff numerous times, or at least just the option to be able to block emails based on what is written in the from field (not necessarily where it actually came from). For some reason, I've never received a response. It seems like ti would be dead easy to implement server side, would save them a tonne of storage cost and bandwidth but they dont seem to have any desire to do this. It boggles belief sometimes...

          1. Doctor Syntax Silver badge
            Unhappy

            Re: It's 2017 and you can still be pwned by a forged email header

            "I've made this suggestion to the Hotmail Support Staff numerous times"

            You might as well just send the suggestion to /dev/null.

        2. TheVogon

          Re: It's 2017 and you can still be pwned by a forged email header

          You don't need to use an ISP email server. You can simply Telnet to the destination email server and type in whatever you like as the source email address...

          1. Danny 14

            Re: It's 2017 and you can still be pwned by a forged email header

            But spf and dmarc wont help stupidity. People opening mails from paypall.com or paypal.be (im assuming paypal dont own all tlds) then these might well validate and be full of fart pellets.

            1. Doctor Syntax Silver badge

              Re: It's 2017 and you can still be pwned by a forged email header

              "People opening mails from paypall.com or paypal.be (im assuming paypal dont own all tlds)"

              They own paypall.com and paypal.be is "not available" so I guess they've got a lock on that. In general someone in Paypal's position will be pretty thorough at getting likely faked names under control. If they miss one and assuming verification were de rigeur then anyone wanting to use one would have to register it themselves and leave some sort of trail for fraud investigators. At present it's not a problem for spammers to simply put in paypal.com as I'm sure we've all seen multiple times.

              1. tiggity Silver badge

                Re: It's 2017 and you can still be pwned by a forged email header

                It;s not just paypal.x domains that could be the issue though

                But spammers do not need paypal.com -paypa1.com could look legit with many fonts (as plenty where 1 looks like l) - and a whole host of unicode charset options to have fun on domain names.

    2. Mike007 Bronze badge

      Re: It's 2017 and you can still be pwned by a forged email header

      Actually there is a way to validate the From header. If you try to spoof an email from a @paypal.com address to a gmail user it will not only put it in spam, but if you open it there will be a notice on the top telling you it is not the real paypal.com.

      This is not some special agreement between gmail and paypal but is based entirely on open industry standards - I have implemented the same anti-spoof protection for some of my own domains. SPF validates the envelope address (allowing a server to "take responsibility" if it wants), but DMARC validates the From address (meaning it validates the claim about who sent it).

      The only case where you can't validate an email sender is if users are allowed to use unrelated third party SMTP servers (so some public email providers can't require it), which I certainly hope does not apply to an official police email address.

      1. Doctor Syntax Silver badge

        Re: It's 2017 and you can still be pwned by a forged email header

        "This is not some special agreement between gmail and paypal but is based entirely on open industry standards"

        As things stand this is entirely optional as you make clear: "I have implemented the same anti-spoof protection for some of my own domains".

        Until this is universally required the situation remains, you can still be pwned by a forged email header.

  12. This post has been deleted by its author

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like