
FBI Says Hackers Are Sending Fraudulent Police Data Requests To Tech Giants To Steal People's Private Information (techcrunch.com)

The FBI is warning that hackers are obtaining private user information -- including emails and phone numbers -- from U.S.-based tech companies by compromising government and police email addresses to submit "emergency" data requests. From a report: The FBI's public notice filed this week is a rare admission from the federal government about the threat from fraudulent emergency data requests, a legal process designed to help police and federal authorities obtain information from companies to respond to immediate threats affecting someone's life or property.

The abuse of emergency data requests is not new, and has been widely reported in recent years. Now, the FBI warns that it saw an "uptick" around August in criminal posts online advertising access to or conducting fraudulent emergency data requests, and that it was going public for awareness. "Cyber-criminals are likely gaining access to compromised U.S. and foreign government email addresses and using them to conduct fraudulent emergency data requests to U.S. based companies, exposing the personal information of customers to further use for criminal purposes," reads the FBI's advisory.

  • by Rosco P. Coltrane ( 209368 ) on Friday November 08, 2024 @12:24PM (#64930927)

    Stealing people's private information is THEIR thing and nobody else's.

    • by Sebby ( 238625 ) on Friday November 08, 2024 @12:42PM (#64930983)

      Stealing people's private information is THEIR thing and nobody else's.

      I'm sure you're posting this as sarcasm, but unfortunately it's absolutely true - and this current "problem" is of their own making: they insisted that they needed this "emergency way" of getting people's information, and just like any other 'backdoor' it's being abused by other bad guys.

      • by gweihir ( 88907 ) on Friday November 08, 2024 @02:39PM (#64931363)

        I do not think it was sarcasm. One indicator of things starting to get really bad is when sarcasm and comments on reality start to sound very much alike.

        • by McLoud ( 92118 )

          I do not think it was sarcasm. One indicator of things starting to get really bad is when sarcasm and comments on reality start to sound very much alike.

          -1 Funny

        • by shanen ( 462549 )

          Mod parent funny?

      • This is sometimes referred to as a cry wolf attack. If you want to limit the government’s use of illegal search and seizure, you do it by making so many counterfeit, but nearly identical, requests. When you do it to such volume and degree that it becomes indistinguishable to identify legitimate government requests, the only safe recourse is to not respond to any of them. From the service provider point of view they are seeing multiple reports of wolves that turn out to be unfounded. It's like a false f

    • by gweihir ( 88907 )

      Exactly.

  • After retrieving and logging and warehousing all of the data, it's time to turn to the very bad people that made us do that. "Stop it! Ow."
  • lawful access (Score:5, Insightful)

    by awwshit ( 6214476 ) on Friday November 08, 2024 @12:34PM (#64930955)

    Tell me again how 'lawful access' to encrypted data is a good idea.

    • Re:lawful access (Score:5, Insightful)

      by Valgrus Thunderaxe ( 8769977 ) on Friday November 08, 2024 @01:08PM (#64931059)
      "Lawful access" used to mean a warrant. Why are these companies just handing over this data and not pushing back against any of this?
      • by ebunga ( 95613 )

        Because nobody has time to wait upwards of 15 minutes during working hours or 30 to 45 minutes on Sunday at 3am to follow due process and actually get a judge to rubber stamp the request.

      • by ls671 ( 1122017 )

        The silliest thing is that compromising an FBI email address seems to be all you need. Seriously, do they send the data by email too?

        Send a request by email maybe, but it should only contain a link to a secure portal where you can see and verify the request and submit the data there. Or, use something else equally secure.

        • wowzers! That is how we in the DoD are supposed to operate. Why wouldn't the FBI?
        • Email has been encrypted for decades.

          • by ls671 ( 1122017 )

            It's only encrypted over the wire between server hops and decrypted on every server then re-encrypted to send to the next server. PGP/GPG allows end to end encryption but for some reason, almost nobody uses it. I have GPG set up for my emails but nobody to send encrypted email to because nobody uses it.

            • It is also encrypted from your mail host to your computer.
              TSL ...

              • by ls671 ( 1122017 )

                Sure, there are two ways; STARTTLS where the client first connects unencrypted and plain TLS, same scheme is used between server hops.

                Again only PGP/GPG provide proper encryption of emails and almost nobody uses it for some reasons and without it, any admin on the servers can read your emails, not very secure. I run mail servers.

                Even with HTTPS, the hostname is sent unencrypted nowadays so many sites can have the same IP address while using different certificates. I also run web servers.

                Note: It is called "TLS

  • Oh, really? (Score:4, Insightful)

    by bickerdyke ( 670000 ) on Friday November 08, 2024 @12:46PM (#64930997)

    So is anyone regretting now that tech companies have been trained to comply without any questioning, hesitation or public participation?

    That's what we wanted.

    • What are you talking about? I've always wanted that. May the king live forever! {goes back to hanging tin can and bone alert bells at property perimeter} I sleep great.
  • by PubJeezy ( 10299395 ) on Friday November 08, 2024 @12:49PM (#64931005)
    A backdoor for anyone is a backdoor for everyone.
    • by gweihir ( 88907 )

      Quite true. Well said.

    • A backdoor for anyone is a backdoor for everyone.

      A hole's a hole.

    • A backdoor for anyone is a backdoor for everyone.

      When your verification policies literally allow hackers to impersonate law enforcement, that’s hardly a “backdoor”. You’re abusing human ignorance and stupidity here. Those who created these policies could easily correct them. And they should.

  • by will4 ( 7250692 ) on Friday November 08, 2024 @01:21PM (#64931119)

    Simply, corporations could as best possible within existing regulations, not collect or store the data.

  • by gweihir ( 88907 ) on Friday November 08, 2024 @01:36PM (#64931177)

    ... of a police state and its proto-forms: Impersonating the police gives you massive, unwarranted power.

  • They thought "security through obscurity" was actual security. :-(
  • impersonation of a police officer / judge is a felony

  • by laughingskeptic ( 1004414 ) on Friday November 08, 2024 @02:49PM (#64931385)
    These are the FBI's solutions:
    - law enforcement organizations should take steps to improve their cybersecurity posture to prevent intrusions, including stronger passwords and multi-factor authentication.
    - The FBI said that private companies “should apply critical thinking to any emergency data requests received,” given that cybercriminals “understand the need for exigency.”

    The companies should refuse requests that do not come through a process that incorporates digital document security. For instance, a request could be initiated using a 2-Factor login controlled by the private company using a physical token like a YubiKey that the company sends to registered officers for an appropriate fee. That request is then digitally work-flowed from the company to the requestor to fill out and digitally sign and then to their validated supervisor for a digital signature. This can all be done in minutes if it is really an emergency, but requires that the officers are prepared ahead of time to issue these requests, have registered, have their token, have had their supervisors validated, etc. This way the companies would have a much clearer understanding of who they are dealing with other than "rando@police.city.us". For one thing, they would know the physical mailing address of the tokens and can verify the address actually belongs to a police department.

    The tech companies should all know better. This is sheer incompetence on their part allowing this clown show to go on as long as it has.
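
The dual-signature intake flow laughingskeptic describes above, sketched as an added example (not part of the comment and not any company's real process). HMAC-SHA256 with per-token secrets stands in for the digital signatures; the registry, IDs and field names are all constructed.

```python
import hashlib
import hmac
import json

# Constructed registry: secrets on tokens the company issued to pre-registered
# officers, each tied to a validated supervisor. All values are made up.
REGISTRY = {
    "officer-17": {"secret": b"constructed-officer-secret", "supervisor": "super-03"},
    "super-03": {"secret": b"constructed-supervisor-secret", "supervisor": None},
}

def canonical(request):
    """Stable byte encoding so both signers cover exactly the same fields."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()

def sign(signer_id, request):
    """What a registered token would produce (HMAC stands in for a signature)."""
    key = REGISTRY[signer_id]["secret"]
    return hmac.new(key, canonical(request), hashlib.sha256).hexdigest()

def _valid(signer_id, request, tag):
    """Constant-time check of one signer's tag; unknown signers never verify."""
    if signer_id not in REGISTRY or not isinstance(tag, str):
        return False
    return hmac.compare_digest(sign(signer_id, request).encode(), tag.encode())

def review_edr(request, sigs):
    """Accept only a request signed by a registered officer AND that officer's
    validated supervisor; a bare email with no signatures is rejected."""
    officer = request.get("officer_id")
    if officer not in REGISTRY:
        return False, "requester not pre-registered"
    if not _valid(officer, request, sigs.get("officer")):
        return False, "officer signature invalid"
    supervisor = REGISTRY[officer]["supervisor"]
    if supervisor is None or sigs.get("supervisor_id") != supervisor:
        return False, "countersigner is not the validated supervisor"
    if not _valid(supervisor, request, sigs.get("supervisor")):
        return False, "supervisor signature invalid"
    return True, "accepted"

# Constructed sample request
SAMPLE = {"officer_id": "officer-17", "account": "user-4821",
          "basis": "imminent threat to life"}
```
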
  • You have discovered something the rest of us knew years ago.

  • Most home invasions begin with "open up, it's the police!"

    Then you get murdered.

    Or a rock concert, but probably murdered.

    Stay strapped and demand authentication.

  • Hey law enforcement, until you get your act together all requests must be picked up in-person by a LEO so we can verify the legitimacy of the request.
