date 2017-01-28
Police Department Loses Years Worth of Evidence In Ransomware Incident (bleepingcomputer.com)
"Police in Cockrell Hill, Texas admitted Wednesday in a press release that they lost years' worth of evidence after the department's server was infected with ransomware," reports BleepingComputer. "Lost evidence includes all body camera video, some in-car video, some in-house surveillance video, some photographs, and all Microsoft Office documents." An anonymous reader writes: Most of the data was from solved cases, but some of the evidence was from active investigations. The infection appears to be from the Locky ransomware family, one of the most active today, and took root last December, after an employee opened a document he received via a spam email. The police department backup system apparently kicked in right after the infection took root, and created copies of the already encrypted data. The department did not pay the $4,000 ransom demand and decided to wipe all its systems.
It sounds like they only had one backup, and that promptly got overwritten. It should be standard procedure to have an offsite backup as well. I always did.
Also, didn't they think of properly set file permissions?
Only if you foolishly overwrite all previous backups so that only the last version remains. If that's how their backup works, then it's severely lacking given the importance of the data in question. What if you need a file and discover it got corrupted, and it might have been corrupted months ago?
Not what backup means, you're describing a RAID or other sort of mirror (even if it is delayed). Redundancy is not the same as a backup.
A backup has history, you could use snapshots or tape rotations or whatever, but older versions cannot be overwritten by newer versions, in most (best) cases, older versions cannot be written to period (the tape could have a physical tab or the storage system does not allow writing). When things change (eg. they are encrypted), you would see a very large backup if you're do
A single copy that's overwritten every time it's run is not a backup of any nature; it's a copy.
Why would evidence be stored on an internet accessible or even online thing? Computer forensics 101 is get the drive cloned, bagged, tagged, and stored; all other digital evidence should be the same. How they can fail at such basic levels of evidence preservation is astounding. Really, anything not on a write-once medium since the time it was collected should be suspect.
For 40k/year I can easily set up a 200TB storage system, host it in a datacenter and professionally maintain it. $4000 buys you about 20TB which would probably last about 3-5 years without maintenance and that should be sufficient to back up pretty much everything in that police department with 3 months of retention.
The phrase that comes to mind is, "An automatically mirrored copy is not a backup."
Any real backup strategy requires versioning. For example, my personal data backups involve a NAS providing storage for Time Machine. If a ransomware attack screwed up my Mac, I would have multiple backups that I could restore from, and if the ransomware attacked while the backup was running and corrupted the entire backup volume, I could still roll back the NAS volume to its most recent daily snapshot and restore the Time
Hell no, a federal government IT department? You mean, a bunch of bureaucrats charging $100k/y for a 10TB storage unit because 'vendors' from the Gartner Triangle recommended it to them and attached a huge IBM and Oracle contract to it.
What these small departments need is to find and hire a local IT person or if they can't afford an IT person (if you have less than 200 devices, you don't need a dedicated IT person), contract with a local company, there are plenty everywhere, they will take care of these sor
The police department backup system apparently kicked in right after the infection took root, and created copies of the already encrypted data.
Backup. You keep using that word. I don't think it means what you think.
If you automatically overwrite previous data with no way to restore some older state, meaning that at a given moment you may only have a copy a few minutes old and no older state - it's not backup. It's just a secondary remote copy. Useful against heavy physical damage to the primary storage (or the whole machine), but nothing else. If it's not even remote, it's not useful for anything.
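The distinction the comments above keep drawing (a mirror that overwrites itself versus a backup with history that older runs cannot touch, and the remark that an encryption sweep shows up as an unusually large change in one run) is easy to see in code. The following is an added example written for this thread, not code from the article or from any poster: a toy mirror beside a toy snapshot repository, with a change-ratio check that suspends pruning when one run rewrites most of the data. The snapshot labels, the `CHANGE_ALARM_RATIO` threshold and the "evidence" files in `demo()` are constructed for the example.

```python
"""Versioned snapshots vs. a single overwritten mirror (added example, not from the thread).

Assumptions (not from the page): snapshot labels are caller-supplied strings that sort
chronologically, and a run in which more than CHANGE_ALARM_RATIO of files changed is
treated as a mass-rewrite indicator that suspends pruning of older snapshots.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

CHANGE_ALARM_RATIO = 0.5  # assumed threshold for "too much changed in one run"


def _digests(root: Path) -> dict:
    """Map relative path -> SHA-256 of content for every file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def mirror_sync(source: Path, mirror: Path) -> None:
    """The 'backup' the thread criticises: one copy, overwritten on every run.
    Whatever the source holds now (encrypted or not) replaces the previous copy."""
    if mirror.exists():
        shutil.rmtree(mirror)
    shutil.copytree(source, mirror)


def take_snapshot(source: Path, repo: Path, label: str) -> Path:
    """Copy source into repo/<label>. Earlier snapshots are never opened for writing;
    the new one is made read-only so a later run cannot quietly replace its contents."""
    dest = repo / label
    if dest.exists():
        raise FileExistsError(f"snapshot {label} already exists; snapshots are write-once")
    shutil.copytree(source, dest)
    for p in dest.rglob("*"):
        if p.is_file():
            p.chmod(0o444)
    return dest


def list_snapshots(repo: Path) -> list:
    """Snapshot labels, oldest first (labels are assumed to sort chronologically)."""
    return sorted(p.name for p in repo.iterdir() if p.is_dir())


def change_ratio(repo: Path, older: str, newer: str) -> float:
    """Fraction of file names whose content differs between two snapshots.
    A file that was renamed or deleted counts as changed on both sides."""
    a, b = _digests(repo / older), _digests(repo / newer)
    names = set(a) | set(b)
    if not names:
        return 0.0
    return sum(1 for n in names if a.get(n) != b.get(n)) / len(names)


def prune(repo: Path, keep: int) -> list:
    """Retention: keep the newest `keep` snapshots, but refuse to discard anything
    when the latest run rewrote most of the data, which is what an encryption
    sweep looks like from the backup side. Returns the labels actually removed."""
    snaps = list_snapshots(repo)
    if len(snaps) >= 2 and change_ratio(repo, snaps[-2], snaps[-1]) > CHANGE_ALARM_RATIO:
        return []
    removed = snaps[:-keep] if len(snaps) > keep else []
    for s in removed:
        shutil.rmtree(repo / s)
    return removed


def restore_file(repo: Path, label: str, name: str) -> bytes:
    """Read one file back out of a named snapshot."""
    return (repo / label / name).read_bytes()


def demo() -> dict:
    """Constructed scenario: clean data, one normal edit, then a mass rewrite."""
    base = Path(tempfile.mkdtemp())
    src, mirror, repo = base / "evidence", base / "mirror", base / "snapshots"
    src.mkdir()
    repo.mkdir()
    for i in range(4):
        (src / f"case{i}.txt").write_text(f"case {i} report\n")

    take_snapshot(src, repo, "2016-12-10")
    mirror_sync(src, mirror)
    (src / "case1.txt").write_text("case 1 report, amended\n")  # ordinary daily edit
    take_snapshot(src, repo, "2016-12-11")
    mirror_sync(src, mirror)
    normal = change_ratio(repo, "2016-12-10", "2016-12-11")

    # Simulated mass rewrite: every file replaced by junk under a new name.
    for p in list(src.iterdir()):
        p.with_suffix(".locked").write_bytes(os.urandom(32))
        p.unlink()
    take_snapshot(src, repo, "2016-12-12")
    mirror_sync(src, mirror)  # the mirror now holds only the junk
    sweep = change_ratio(repo, "2016-12-11", "2016-12-12")
    pruned = prune(repo, keep=1)

    result = {
        "normal_ratio": normal,    # 0.25: one of four files changed
        "sweep_ratio": sweep,      # 1.0: nothing in common with the prior run
        "pruned": pruned,          # []: retention held because of the alarm
        "mirror_has_original": (mirror / "case1.txt").exists(),  # False
        "restored": restore_file(repo, "2016-12-11", "case1.txt"),
    }
    shutil.rmtree(base)
    return result
```

Run `demo()` to walk the scenario: the mirror ends up holding only the rewritten junk, while the snapshot repository still has the day-before copy, and the pruning step keeps it because the last run changed far more than a normal day would. In a real setup the read-only bit is only a hint; the property that matters is that the backup target does not accept overwrites of earlier versions from the host being backed up.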
A link to scribd? That unreadable mess?
Here's a better link [theregister.co.uk].
Intentional infection? This doesn't add up.
"Most of the data was from solved cases, but some of the evidence was from active investigations...the department did not pay the $4,000 ransom demand and decided to wipe all its systems."
I'm sorry, but one legal firm can rack up more than $4000 in legal fees in a single day.
You're going to tell me that the active investigations along with the potential liability of not holding data for years worth of solved cases was somehow not worth $4000?
The numbers just don't add up here. At all. Hate to go all conspiracy theory, but this sounds more like an intentional infection and a premature decision to wipe data that might have shown a bad light on a certain law enforcement actions.
Re:Intentional infection? This doesn't add up.
Any evidence that was altered by ransomware would get challenged by a defense attorney. Maybe they decided they didn't need to pay ransom for evidence that had built-in reasonable doubt.
Maybe they decided to do the right thing and not fund criminals. We need more people to do the same thing. If nobody paid, ransomware would stop being a thing. Plus, the evidence should now be considered compromised anyway.
Re:Intentional infection? This doesn't add up.
It is $4000 to a criminal organization; it's illegal (especially for government agencies like a POLICE department) to make any payment and become complicit in the criminal activity.
On the other hand, $4000 is what they start off with, I heard of a company that got hit with $10k in ransom demands, a few days later they realized their backups weren't working well so they gave them the $10k, by then the criminals realized they were attempting and failed to restore from backup so they quadrupled the demand so t
Feels like we're heading backwards
After all, computers have complicated lives very greatly.
Because most smart folks don't want to be cops, and most cops aren't all that smart...