Police Tech & Gear
with Tim Dees
Computer safety: How to keep your police department data secure
The penetration of the Arizona Dept. of Public Safety network should be a warning to you
A few weeks ago, criminal hackers from LulzSecurity and Anonymous separately penetrated the safeguards of the internal network of the Arizona Dept. of Public Safety, capturing a significant haul of operational and personal information on the agency and its officers. The hackers posted the information under the title “Chinga La Migra” (a vulgar reference to immigration officials), making it available to anyone who could download a Torrent feed, which is more or less everybody.
The situation would have been bad enough had the data been limited to operational information. The download included duty rosters with officers’ names, home addresses and personal phone numbers, training bulletins, policy manuals, crime and incident reports, internal memos, and photos of evidence and crime scenes.
The more sobering aspect of this data dump was the personal information that was thrown out there for anyone to see: family photos, voice mail sound files, video clips, personal letters. One officer had scans of his income tax return on his computer. Now the bad guys have not only his name and home address — they also have details of his income and his Social Security number.
One file contained officers’ user names and passwords to the network. Without exception, the passwords were extremely easy to crack. Most were variations on badge numbers, nicknames, spouse’s names, names of the stations where they were assigned, and in one case, “12345.”
If the term “Torrent feed” is foreign to you, here’s a primer: Torrents are typically used for very large files, such as movies, TV shows and music, but they can carry any type of data. They start off loaded onto a central server, such as ThePirateBay.org (which is where one of the stolen data stores was posted). When a Torrent contains multiple files, it is compressed into a single large file using 7Zip or some other archiving program. When the Torrent is downloaded, the user expands the archive file into its components. Torrents are often distributed through file-sharing networks, so if a Torrent disappears from the original host server, it may still be available from the computer of someone who downloaded it and is participating in the file-sharing network.
Trying to eradicate a Torrent is like playing Whack-A-Mole with an infinitely expanding playing field. Shut down one Torrent, and three more pop up.
Torrents represent one of the most troubling realities of the internet. Once something gets out there, it’s impossible to bring it back under wraps with any certainty. The safest practice is to be cautious about what information you keep where someone may be able to get it.
In theory, any computer connected to the internet can be remotely penetrated, but your agency’s network is far more likely to be a target than your own computer(s). Your employer probably has policies about what should be stored on its servers, and you probably ignore at least some of them. This episode should give you reason to revisit that decision.
Your agency is going to need to maintain information such as your home address and telephone number — there’s no way around that. What shouldn’t be there are photos of your family, anything with your Social Security or credit card numbers, license plates of your vehicles, vacation itineraries, or anything else that you aren’t required to keep there and you wouldn’t want to have printed in the newspaper.
Change your password to something a moron couldn’t guess in three tries. Avoid anything tied to a personal detail someone else would know — badge number, date of birth, anniversary, dog’s name, etc. One method that generates a difficult-to-guess password but is easy to remember is to use a passphrase as a foundation. “You have the right to remain silent” gives rise to “UHv@r1t2r3m@1n51L3nt”, substituting numbers and punctuation symbols for some letters, and shifting capitalization irregularly. That one is 20 characters, which is probably more trouble than you want to go to. But if you introduce a few odd characters into a short password, it becomes very difficult to break.
The password “darren” could be broken by a slow desktop computer in a little over eight hours. “B33r&Mug” would tie up a distributed system of computers or an NSA-grade supercomputer for 83.5 days.
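For administrators who want to enforce this advice when passwords are set, here is an added example (not from the original column or from any agency's system) that rejects passwords built on an officer's personal details, even when letters have been swapped for look-alike symbols, and estimates the brute-force search space. The officer record, the substitution table and the 50-bit threshold are assumptions made for illustration.

```python
import math
import re

# Common look-alike substitutions, undone before comparison (table is illustrative).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def normalize(text):
    """Lowercase, undo look-alike substitutions, drop everything but letters/digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))

def search_space_bits(password):
    """Size of the brute-force search space in bits, from the character classes used."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += 33  # printable ASCII punctuation plus space
    return len(password) * math.log2(pool) if pool else 0.0

def audit(password, personal_details, min_bits=50):
    """Return the reasons to reject a password; an empty list means it passes."""
    reasons = []
    norm = normalize(password)
    for label, value in personal_details.items():
        token = normalize(value)
        # Both sides are normalized the same way, so "K@r3n" still matches "Karen".
        if len(token) >= 3 and token in norm:
            reasons.append(f"contains {label}")
    if password.isdigit():
        reasons.append("digits only")
    if search_space_bits(password) < min_bits:  # min_bits is an assumed threshold
        reasons.append("search space too small")
    return reasons

# Constructed sample record, not real data.
OFFICER = {"badge number": "4471", "station": "Mesa", "spouse": "Karen"}

if __name__ == "__main__":
    for candidate in ["12345", "Mesa4471", "K@r3n2011", "darren",
                      "UHv@r1t2r3m@1n51L3nt"]:
        print(f"{candidate!r}: {audit(candidate, OFFICER) or 'ok'}")
```

The bit count assumes blind brute force over the character classes used, so it is an upper bound; it does not model dictionary or rule-based guessing.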
Protect yourself, and protect your family. Don’t leave this stuff around where anyone can find it.