A Massive Cache of Law Enforcement Personnel Data Has Leaked (zdnet.com) 68
Zack Whittaker, reporting for ZDNet: A data breach at a federally funded active shooter training center has exposed the personal data of thousands of US law enforcement officials, ZDNet has learned. The cache of data contained identifiable information on local and state police officers, and federal agents, who sought out or underwent active shooter response training in the past few years. The backend database powers the website of Advanced Law Enforcement Rapid Response Training -- known as ALERRT -- at Texas State University. The database dates back to April 2017 and was uploaded a year later to a web server, believed to be owned by the organization, with no password protection. ZDNet obtained a copy of the database, which was first found by a New Zealand-based data breach hunter, who goes by the pseudonym Flash Gordon.
Re: Haha (Score:1)
Step 1. The billboards on I 10 reading "silver or lead."
A clear warning to law enforcement to take a bribe or eat lead.
Step 2. This story in TFA.
This is Mexican cartels threatening US law enforcement.
No password protection! (Score:5, Informative)
...uploaded a year later to a web server, believed to be owned by the organization, with no password protection....
Whoever put into place this stunningly amazing illustration of absolute ignorance about security should never be allowed near a keyboard again.
Re: (Score:2)
Re: (Score:3)
I'm thinking about reality, and catchign this problem may be very difficult.
What if this company (before it had strict IT controls in place) allowed employees to rent EC2 servers on their CC. Well DB/Windows/SysEngineerAdmin said let me spin up an EC2 server where I can dump my shit so I don't have to do stupid vpn tricks to move data around. He then lets others use said server, then forgets about it because what's $20/mo when you're making IT money? Someone stages a prod SQL dump with a random ass name
Hey, they spy on us ... (Score:5, Insightful)
The way law enforcement has decided they don't give a fuck about our privacy, I'm afraid I have little sympathy for this.
If you're in charge of this kind of information, and you put it on a server with no protection, you probably have no business in that job.
Do the police expect us to care about their privacy when they don't care about ours?
Not A Problem (Score:5, Insightful)
I'm sure that Law Enforcement is perfectly fine with the breach. After all, since they have nothing to hide, they have nothing to fear.
Right?
Re: (Score:3)
Indeed. Eat your own dog food or stop claiming it is delicious.
Re:Not A Problem (Score:5, Interesting)
To say that the data set was not "password-protected," is equivalent to, "unencrypted like we always wanted to do with your iPhone."
Sloppy Admins or . . . (Score:2)
What is the underlying problem for these data breaches? Sloppy admins? Inadequate management? Lack of funding to do the job properly?
Re: (Score:2)
The root cause is almost universally utterly clueless management. Whether it is by hiring people that cannot do the job, ignoring warnings or actively preventing competent people from fixing problems, it always comes down to failures in "leadership".
I hate to say this, but... (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Encryption does not help. These databases are _online_ when they get stolen. This is not somebody walking into a data-center and stealing disks.
Re: (Score:2)
Bloody amateurs with delusions. I am sick and tired of you fuckups. Of course, some of you know you know nothing and pay my pretty nice salary, so there is that.
Re: (Score:2)
In this case, it wouldn't have. Other breeches involve grabbing files out of storage. In those cases it makes all the difference.
Re: (Score:2)
Sure, you need storage encryption. It is just rare that it helps for this type of problem, because these "other breaches" are very rare exceptions. They typically involve laptops getting stolen or backup media getting disposed of insecurely.
Incidentally, "breeches" are a type of riding pants.
Re: (Score:2)
They also happen when someone sets their AWS s3 permissions wrong or someone gets a shell on the server. Occasionally because someone's PHP doesn't sanitize requests.
Re: (Score:2)
For the case where somebody has a shell or somebody screwed up web-application security, encryption is worthless assuming the data gets accessed. If it does not get accessed, it qualifies as "backup". Encryption only protects data that is not in use. If you put confidential data on s3 for other purposes than encrypted backup, you deserve all the hurt that is coming your way.
Re: (Score:1)
The problem is not that we have all this sensitive information left out in the open. The problem is that it exists in the first place. Our great grand parents would be shocked that there is one social security number being used to identify and control all the citizens in the USA. They would saddened that the once freedom loving USAians are so happy with this fact.
Social security numbers were invented by the elite so they could cheaply and easily identify and hand out allotments and collect payments from
Re: (Score:2)
That helps some, but isn't the complete solution. You still have to be able to access the data in an automated way.
For example, we use encrypted columns with Microsoft's attempt at an SQL server, and of course if you have a bug in your web app then that doesn't help since it will still expose unencrypted data. Another example is using encrypted at rest file systems. Doesn't help when the drive is mounted.
Re: (Score:2)
Re: (Score:2, Interesting)
These bootlickers are fine having all of our personal data so it's only karmic justice that we get the same. Teach these ham sandwiches a lesson they won't forget.
Maybe now politicians will take privacy seriously (Score:4, Funny)
Or not.
Re: (Score:1)
And yet I'm still completely right. What motivation does either of those politicians have to get privacy legislation up for a vote? Especially when both have been actively hostile to the very notion of consumer privacy rights. And before you claim a both sides nonsense, when the FCC passed data privacy rules in 2016 that were later overturned by Congress not a single Democrat in the Senate or House voted for the repeal. In the Senate not a single Republican voted against the repeal and in the House only 15
Re: (Score:1)
If the OPM data breach didn't change anything, nothing will.
Re: (Score:2)
That incident didn't get near the coverage in the media that it deserved. It contained potentially incriminating data including mental health and financial records from background checks for over 20 million people. It's a gold mine of potential blackmail information that could be used against our federal employees and military.
Re: (Score:1)
That happened under Obama so the media basically swept it under the rug.
You didn't mention the 5+ million fingerprints also stolen.
> potential blackmail
A Chinese citizen was arrested by the FBI for creating the malware used in the attack.
Re: (Score:3, Informative)
That happened under Obama so the media basically swept it under the rug.
It was reported on every major news outlet when it happened. So that's a strange notion of "sweeping under the rug" you've got there.
Re: (Score:1)
How was if swept under the rug? The WaPo ran dozens of stories for months on end and even wrote followup stories about it earlier this year. Sorry, but you're full of shit.
Re:Maybe now politicians will take privacy serious (Score:4, Interesting)
Read the report. Nothing was done. The US gov sat on the discovery about mil/gov data getting accessed for months.
The movement of data in real time out of the USA was allowed.
Nothing was done to protect the data. Nothing was done to secure and encrypt the data.
The data set was left as bait to try and see what was going to be done.
The data set was copied out of the USA. The US gov for some expected the data set to be searched and used in real time.
That the access would be back to the US site, not the movement of all data out of the USA. The data set was left open, unencrypted to see how the access and searching would happen.
Nothing was searched for and all the data got copied out as the US gov watched on. The only method discovered was that the data was copied.
The tame US media reported the copy of the gov/mil data set as if a movie studio had a movie archive copied.
Re: (Score:2)
Just from searching the WaPo archives I found more than 4 or 5 dozen stories about the OPM breach going on for months after it was fully disclosed. So, again, you have some weird idea of what "sweep under the rug" means.
Re: (Score:2)
Re: (Score:1)
Yep. It's a directory of every single person - military, civilian, or contractor - who holds or has ever held a security clearance, including all their most sensitive information, all their dirty laundry, and a convenient list of all their family members and closest friends.
Seriously, this should have been the MOST classified database in the entire world. If there was only one thing deserving SCI protection, it should have been this.
But nope. They let China log right in and download it. And who knows wh
damn these insights! (Score:3)
That data alone would give anyone insight into the capabilities of police and law enforcement departments across the country.
Might actually be useful for formulating public policy. And ultimately, who's in charge of formulating pubic policy?
That's right.
THE PUBLIC!
Re: (Score:2)
THE PUBLIC!
They don't give a flying rat's ass.
Already Leaked (Score:2)
Re:Already Leaked (Score:5, Interesting)
Remember, the OPM breach compromised every single federal worker
The Chicoms got a copy of the OPM database but you can't get it on the dark web, like this one will be. That's a major difference.
I know one of our fellow /.'ers who was seriously trying to get a copy of the OPM database. He turned up suddenly dead last year with a self-inflicted gunshot wound. Probably a coincidence, but he was insistent that I turn off my cell phone before talking about it. No joke - I gave him a copy of Tails as I do for everybody but I have no evidence of causality there.
I only know a few of y'all in person, but you're the best kind of crazy friends.
Stay in NZ Flash! (Score:3)
Where do I actually download these "public" leaks? (Score:1)
I keep hearing every other day about "massive" data leaks, but then I never find any kind of link or indication of where you actually get the data. I have the Tor browser installed, but never find any .onion that actually works or has any content on it. These leaks are certainly not available on The Pirate Bay as torrents. I have no idea where to get it.
ah (Score:2)
A Massive Cache of Law Enforcement Personnel Data Has Leaked
SJW donut shop revenues [yahoo.com] hardest hit.
Re: (Score:2)
A Massive Cache of Law Enforcement Personnel Data Has Leaked
SJW donut shop revenues [yahoo.com] hardest hit.
You see, because SJW owners of donut shops will know who they are and feel obligated to refuse service to them and ... oh forget it ;)
It was funny inside my head ...
Re: (Score:2)
A Massive Cache of Law Enforcement Personnel Data Has Leaked
SJW donut shop revenues [yahoo.com] hardest hit.
You see, because SJW owners of donut shops will know who they are and feel obligated to refuse service to them and ... oh forget it ;)
It was funny inside my head ...
See, the fact that I had to explain the humor means that I was myself acknowledging how weak it was ... which is funny in a meta kind of ironic way ...
(It's humorsplaining Friday, apparently)
Re: ah (Score:2)
Re: (Score:1)
But it would have been fine had Sanders been a lesbian, though, right?
So where is a link to the data set? (Score:1)