FBI Says Hackers Are Sending Fraudulent Police Data Requests To Tech Giants To Steal People's Private Information (techcrunch.com) 42
The FBI is warning that hackers are obtaining private user information -- including emails and phone numbers -- from U.S.-based tech companies by compromising government and police email addresses to submit "emergency" data requests. From a report: The FBI's public notice filed this week is a rare admission from the federal government about the threat from fraudulent emergency data requests, a legal process designed to help police and federal authorities obtain information from companies to respond to immediate threats affecting someone's life or property.
The abuse of emergency data requests is not new, and has been widely reported in recent years. Now, the FBI warns that it saw an "uptick" around August in criminal posts online advertising access to or conducting fraudulent emergency data requests, and that it was going public for awareness. "Cyber-criminals are likely gaining access to compromised U.S. and foreign government email addresses and using them to conduct fraudulent emergency data requests to U.S. based companies, exposing the personal information of customers to further use for criminal purposes," reads the FBI's advisory.
The FBI is furious (Score:5, Funny)
Stealing people's private information is THEIR thing and nobody else's.
Re:The FBI is furious (Score:5, Insightful)
Stealing people's private information is THEIR thing and nobody else's.
I'm sure you're posting this as sarcasm, but unfortunately it's absolutely true - and this current "problem" is of their own making: they insisted that they needed this "emergency way" of getting people's information, and just like any other 'backdoor' it's being abused by other bad guys.
Re: (Score:2)
why haven't we de-funded all these assholes already? shut down the police now. i don't feel i need to be "policed", by anyone.
If women have to be policed so they can't exercise bodily autonomy, so do you for whatever you do.
Re: (Score:3)
Re: (Score:1, Insightful)
Men lack bodily autonomy as well.
Men have no right to their foreskins. They lose them before they are even old enough to decide whether or not they want to keep them. "My body my choice" does not apply to men.
Furthermore, men must all register for the draft. There hasn't been one in the USA for a long time, but we all know how eager our government has been to force men to go to foreign lands and die in a conflict that we don't even intend to win. Men, at the government's whim, lose absolute control of t
Re: (Score:1)
So you are procrime? What are you? 12? A convict? Pissed off that they caught you?
Congrats on posting the stupidest comment I've seen in a while.
Careful what you wish for.... (Score:2)
why haven't we de-funded all these assholes already? shut down the police now. i don't feel i need to be "policed", by anyone.
You'll get your wish soon - that path was taken care of on Tuesday.
Re: (Score:1)
Well, that's an irrational hot take. We need good law enforcement, and we need it both at the local and federal levels. Unfortunately the FBI is corrupt to the core. They've known my dad is a rapist and a Russian spy for decades and they are just playing dumb. Meanwhile their entire operation is as leaky as a sieve. This has been papered over as incompetence so many times it shouldn't matter any more whether it's just incompetence or malicious corruption. But who watches the watchers? Other than, apparently
Re:The FBI is furious (Score:4, Insightful)
I do not think it was sarcasm. One indicator of things starting to get really bad is when sarcasm and comments on reality start to sound very much alike.
Re: (Score:1)
I do not think it was sarcasm. One indicator of things starting to get really bad is when sarcasm and comments on reality start to sound very much alike.
-1 Funny
Re: (Score:2)
Mod parent funny?
Cry Wolf Strategy (Score:2)
This is sometimes referred to as a cry wolf attack. If you want to limit the government’s use of illegal search and seizure, you do it by making so many counterfeit, but nearly identical, requests. When you do it to such volume and degree that it becomes indistinguishable to identify legitimate government requests, the only safe recourse is to not respond to any of them. From the service provider point of view they are seeing multiple reports of wolves that turn out to be unfounded. It's like a false f
Re: (Score:2)
Exactly.
FBI Reports: (Score:2)
lawful access (Score:5, Insightful)
Tell me again how 'lawful access' to encrypted data is a good idea.
Re:lawful access (Score:5, Insightful)
Re: (Score:3)
Because nobody has time to wait upwards of 15 minutes during working hours or 30 to 45 minutes on Sunday at 3am to follow due process and actually get a judge to rubber stamp the request.
Re: (Score:2)
The silliest thing is that compromising an FBI email address seems to be all you need. Seriously, do they send the data by email too?
Send a request by email maybe, but it should only contain a link to a secure portal where you can see and verify the request and submit the data there. Or, use something else equally secure.
Re: (Score:2)
Re: (Score:2)
Email has been encrypted for decades.
Re: (Score:2)
It's only encrypted over the wire between server hops and decrypted on every server then re-encrypted to send to the next server. PGP/GPG allows end to end encryption but for some reason, almost nobody uses it. I have GPG set up for my emails but nobody to send encrypted email to because nobody uses it.
Re: (Score:2)
It is also encrypted from your mail host to your computer. ...
TSL
Re: (Score:2)
Sure, there are two ways; STARTTLS where the client first connects unencrypted and plain TLS, same scheme is used between server hops.
Again only PGP/GPG provide proper encryption of emails and almost nobody uses it for some reasons and without it, any admin on the servers can read your emails, not very secure. I run mail servers.
Even with HTTPS, the hostname is sent unencrypted nowadays so many sites can have the same IP address while using different certificates. I also run web servers.
Note: It is called "TLS
Oh, really? (Score:4, Insightful)
So is anyone regretting now that tech companies have been trained to comply without any questioning, hesitation or public participation?
That's what we wanted.
Re: (Score:3)
A backdoor for anyone... (Score:5, Insightful)
Re: (Score:2)
Quite true. Well said.
Re: (Score:3)
A backdoor for anyone is a backdoor for everyone.
A hole's a hole.
Re: (Score:3)
A backdoor for anyone is a backdoor for everyone.
When your verification policies literally allow hackers to impersonate law enforcement, that’s hardly a “backdoor”. You’re abusing human ignorance and stupidity here. Those who created these policies could easily correct them. And they should.
Not collect the data in the first place (Score:3)
Simply, corporations could as best possible within existing regulations, not collect or store the data.
One of the side-effects (Score:5, Insightful)
... of a police state and its proto-forms: Impersonating the police gives you massive, unwarranted power.
Lemme guess (Score:2)
impersonation of a police officer / judge is an fe (Score:2, Redundant)
impersonation of a police officer / judge is a felony
FBI solutions are SO WRONG (Score:5, Insightful)
- law enforcement organizations should take steps to improve their cybersecurity posture to prevent intrusions, including stronger passwords and multi-factor authentication.
- The FBI said that private companies “should apply critical thinking to any emergency data requests received,” given that cybercriminals “understand the need for exigency.”
The companies should refuse requests that do not come through a process that incorporates digital document security. For instance, a request could be initiated using a 2-Factor login controlled by the private company using a physical token like a YUBIkey that the company sends to registered officers for an appropriate fee. That request is then digitally work-flowed from the company to the requestor to fill out and digitally sign and then to their validated supervisor for a digital signature. This can all be done in minutes if it is really an emergency, but requires that the officers are prepared ahead of time to issue these requests, have registered, have their token, have had their supervisors validated, etc. This way the companies would have a much clearer understanding of who they are dealing with other than "rando@police.city.us". For one thing, they would know the physical mailing address of the tokens and can verify the address actually belongs to a police department.
The tech companies should all know better. This is sheer incompetence on their part allowing this clown show to go on as long as it has.
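The workflow proposed in the comment above, sketched from the data holder's side, as an added example that is not part of the original comment or any real provider's process: a request is accepted only if it is fresh and signed by both the enrolled requesting officer and an enrolled supervisor from the same agency. HMAC over per-token secrets stands in for hardware-token signatures so it runs on the standard library; the registry, field names and 15-minute window are assumptions.

```python
import hashlib
import hmac
import json

# Constructed enrollment registry: the company records each registrant's
# token secret, agency and role when it mails out the hardware token.
REGISTRY = {
    "officer-17": {"agency": "example-pd", "role": "officer", "key": b"k-officer-17"},
    "super-03": {"agency": "example-pd", "role": "supervisor", "key": b"k-super-03"},
    "super-99": {"agency": "other-pd", "role": "supervisor", "key": b"k-super-99"},
}
MAX_AGE_SECONDS = 900  # assumed freshness window for an "emergency" request


def canonical(request):
    """Serialize the request deterministically so both signers cover the same bytes."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def sign(signer_id, request, registry=REGISTRY):
    """HMAC stand-in for the signature a registrant's token would produce."""
    key = registry[signer_id]["key"]
    return hmac.new(key, canonical(request), hashlib.sha256).hexdigest()


def verify_request(request, signatures, now, registry=REGISTRY):
    """Return (accepted, reason). signatures maps signer id -> hex MAC."""
    if not 0 <= now - request["issued_at"] <= MAX_AGE_SECONDS:
        return False, "stale or future-dated request"
    roles = {}
    for signer_id, mac in signatures.items():
        entry = registry.get(signer_id)
        if entry is None:
            return False, f"unregistered signer {signer_id}"
        if entry["agency"] != request["agency"]:
            return False, f"{signer_id} is not enrolled with {request['agency']}"
        if not hmac.compare_digest(mac, sign(signer_id, request, registry)):
            return False, f"bad signature from {signer_id}"
        roles[entry["role"]] = signer_id
    if request["requested_by"] != roles.get("officer"):
        return False, "requesting officer did not sign"
    if "supervisor" not in roles:
        return False, "no supervisor countersignature"
    return True, "ok"
```

A mailbox address never appears in the decision: a compromised `rando@police.city.us` account without an enrolled token and a second enrolled signer fails at the registry lookup.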
Great work FBI! (Score:2)
You have discovered something the rest of us knew years ago.
Authentication (Score:1)
Most home invasions begin with "open up, it's the police!"
Then you get murdered.
Or a rock concert, but probably murdered.
Stay strapped and demand authentication.
What if data-holders required in-person requests? (Score:2)
Hey law enforcement, until you get your act together all requests must be picked up in-person by a LEO so we can verify the legitimacy of the request.