FBI Says Hackers Are Sending Fraudulent Police Data Requests To Tech Giants To Steal People's Private Information (techcrunch.com)
The FBI is warning that hackers are obtaining private user information -- including emails and phone numbers -- from U.S.-based tech companies by compromising government and police email addresses to submit "emergency" data requests. From a report: The FBI's public notice filed this week is a rare admission from the federal government about the threat from fraudulent emergency data requests, a legal process designed to help police and federal authorities obtain information from companies to respond to immediate threats affecting someone's life or property.
The abuse of emergency data requests is not new, and has been widely reported in recent years. Now, the FBI warns that it saw an "uptick" around August in criminal posts online advertising access to or conducting fraudulent emergency data requests, and that it was going public for awareness. "Cyber-criminals are likely gaining access to compromised U.S. and foreign government email addresses and using them to conduct fraudulent emergency data requests to U.S. based companies, exposing the personal information of customers to further use for criminal purposes," reads the FBI's advisory.
The FBI is furious (Score:5, Funny)
Stealing people's private information is THEIR thing and nobody else's.
Re:The FBI is furious (Score:5, Insightful)
Stealing people's private information is THEIR thing and nobody else's.
I'm sure you're posting this as sarcasm, but unfortunately it's absolutely true - and this current "problem" is of their own making: they insisted that they needed this "emergency way" of getting people's information, and just like any other 'backdoor' it's being abused by other bad guys.
Re: (Score:2)
why haven't we de-funded all these assholes already? shut down the police now. i don't feel i need to be "policed", by anyone.
If women have to be policed so they can't exercise bodily autonomy, so do you for whatever you do.
Re: (Score:2)
Re: (Score:2, Insightful)
Men lack bodily autonomy as well.
Men have no right to their foreskins. They lose them before they are even old enough to decide whether or not they want to keep them. "My body my choice" does not apply to men.
Furthermore, men must all register for the draft. There hasn't been one in the USA for a long time, but we all know how eager our government has been to force men to go to foreign lands and die in a conflict that we don't even intend to win. Men, at the government's whim, lose absolute control of t
Careful what you wish for.... (Score:2)
why haven't we de-funded all these assholes already? shut down the police now. i don't feel i need to be "policed", by anyone.
You'll get your wish soon - that path was taken care of on Tuesday.
Re: (Score:1)
Well, that's an irrational hot take. We need good law enforcement, and we need it both at the local and federal levels. Unfortunately the FBI is corrupt to the core. They've known my dad is a rapist and a Russian spy for decades and they are just playing dumb. Meanwhile their entire operation is as leaky as a sieve. This has been papered over as incompetence so many times it shouldn't matter any more whether it's just incompetence or malicious corruption. But who watches the watchers? Other than, apparently
Re: (Score:3)
I do not think it was sarcasm. One indicator of things starting to get really bad is when sarcasm and comments on reality start to sound very much alike.
Re: (Score:2)
Exactly.
FBI Reports: (Score:2)
lawful access (Score:5, Insightful)
Tell me again how 'lawful access' to encrypted data is a good idea.
Re: (Score:3)
Re: (Score:3)
Because nobody has time to wait upwards of 15 minutes during working hours or 30 to 45 minutes on Sunday at 3am to follow due process and actually get a judge to rubber stamp the request.
Re: (Score:2)
The silliest thing is that compromising an FBI email address seems to be all you need. Seriously, do they send the data by email too?
Send a request by email maybe, but it should only contain a link to a secure portal where you can see and verify the request and submit the data there. Or, use something else equally secure.
Re: (Score:2)
Oh, really? (Score:3)
So is anyone regretting now that tech companies have been trained to comply without any questioning, hesitation or public participation?
That's what we wanted.
Re: (Score:3)
A backdoor for anyone... (Score:5, Insightful)
Re: (Score:2)
Quite true. Well said.
Re: (Score:3)
A backdoor for anyone is a backdoor for everyone.
A hole's a hole.
Re: (Score:3)
A backdoor for anyone is a backdoor for everyone.
When your verification policies literally allow hackers to impersonate law enforcement, that’s hardly a “backdoor”. You’re abusing human ignorance and stupidity here. Those who created these policies could easily correct them. And they should.
Not collect the data in the first place (Score:2)
Simply, corporations could, as best possible within existing regulations, not collect or store the data.
One of the side-effects (Score:5, Insightful)
... of a police state and its proto-forms: Impersonating the police gives you massive, unwarranted power.
Lemme guess (Score:2)
impersonation of a police officer / judge is an fe (Score:1)
impersonation of a police officer / judge is a felony
FBI solutions are SO WRONG (Score:3)
- law enforcement organizations should take steps to improve their cybersecurity posture to prevent intrusions, including stronger passwords and multi-factor authentication.
- The FBI said that private companies “should apply critical thinking to any emergency data requests received,” given that cybercriminals “understand the need for exigency.”
The companies should refuse requests that do not come through a process that incorporates digital document security. For instance, a request could be initiated using a 2-Factor login controlled by the private company using a physical token like a YubiKey that the company sends to registered officers for an appropriate fee. That request is then digitally work-flowed from the company to the requestor to fill out and digitally sign and then to their validated supervisor for a digital signature. This can all be done in minutes if it is really an emergency, but requires that the officers are prepared ahead of time to issue these requests, have registered, have their token, have had their supervisors validated, etc. This way the companies would have a much clearer understanding of who they are dealing with other than "rando@police.city.us". For one thing, they would know the physical mailing address of the tokens and can verify the address actually belongs to a police department.
The tech companies should all know better. This is sheer incompetence on their part allowing this clown show to go on as long as it has.
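A sketch of the company-side check that the comment above proposes, added here as an example and not part of the original post or of any company's actual process. It assumes Ed25519 keys held on the issued tokens; the registry layout, the signed payload format and the IDs `officer-17` and `sup-03` are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Officer is a pre-enrolled key (bound to the issued token) and its validated supervisor.
type Officer struct {
	Key        ed25519.PublicKey
	Supervisor string
}

// Request carries the requester's signature and the supervisor's countersignature.
type Request struct {
	Requester, Supervisor, Body string
	ReqSig, SupSig              []byte
}

// payload is the byte string both parties sign (constructed format).
func payload(r Request) []byte {
	return []byte(r.Requester + "\n" + r.Supervisor + "\n" + r.Body)
}

// Verify accepts only an enrolled requester countersigned by their validated supervisor.
func Verify(reg map[string]Officer, r Request) error {
	o, ok := reg[r.Requester]
	s, sok := reg[r.Supervisor]
	switch {
	case !ok || !sok || o.Supervisor != r.Supervisor:
		return fmt.Errorf("not an enrolled officer/supervisor pair")
	case !ed25519.Verify(o.Key, payload(r), r.ReqSig):
		return fmt.Errorf("bad requester signature")
	case !ed25519.Verify(s.Key, payload(r), r.SupSig):
		return fmt.Errorf("bad supervisor signature")
	}
	return nil
}

// Demo (constructed data): a countersigned request, then the same request with no token signatures.
func Demo() (signed, mailboxOnly error) {
	oPub, oKey, _ := ed25519.GenerateKey(nil)
	sPub, sKey, _ := ed25519.GenerateKey(nil)
	reg := map[string]Officer{"officer-17": {oPub, "sup-03"}, "sup-03": {sPub, ""}}
	r := Request{Requester: "officer-17", Supervisor: "sup-03", Body: "subscriber record, account X"}
	r.ReqSig, r.SupSig = ed25519.Sign(oKey, payload(r)), ed25519.Sign(sKey, payload(r))
	signed, r.ReqSig, r.SupSig = Verify(reg, r), nil, nil // strip both signatures
	return signed, Verify(reg, r)
}
func main() { fmt.Println(Demo()) }
```

The second result is the case the thread is about: a request that arrives with the right sender name but without signatures from the enrolled token keys is rejected, however urgent its wording.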
Great work FBI! (Score:2)
You have discovered something the rest of us knew years ago.
Authentication (Score:1)
Most home invasions begin with "open up, it's the police!"
Then you get murdered.
Or a rock concert, but probably murdered.
Stay strapped and demand authentication.