March 29, 2022

There is a terrifying and highly effective “method” that criminal hackers are now using to harvest sensitive customer data from Internet service providers, phone companies and social media firms. It involves compromising email accounts and websites tied to police departments and government agencies, and then sending unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.

In the United States, when federal, state or local law enforcement agencies wish to obtain information about who owns an account at a social media firm, or what Internet addresses a specific cell phone account has used in the past, they must submit an official court-ordered warrant or subpoena.

Virtually all major technology companies serving large numbers of users online have departments that routinely review and process such requests, which are typically granted as long as the proper documents are provided and the request appears to come from an email address connected to an actual police department domain name.

But in certain circumstances — such as a case involving imminent harm or death — an investigating authority may make what’s known as an Emergency Data Request (EDR), which largely bypasses any official review and does not require the requestor to supply any court-approved documents.

It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.

In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person.

“We have a legal process to compel production of documents, and we have a streamlined legal process for police to get information from ISPs and other providers,” said Mark Rasch, a former prosecutor with the U.S. Department of Justice.

“And then we have this emergency process, almost like you see on [the television series] Law & Order, where they say they need certain information immediately,” Rasch continued. “Providers have a streamlined process where they publish the fax or contact information for police to get emergency access to data. But there’s no real mechanism defined by most Internet service providers or tech companies to test the validity of a search warrant or subpoena. And so as long as it looks right, they’ll comply.”

To make matters more complicated, there are tens of thousands of police jurisdictions around the world — including roughly 18,000 in the United States alone — and all it takes for hackers to succeed is illicit access to a single police email account.

THE LAPSUS$ CONNECTION

The reality that teenagers are now impersonating law enforcement agencies to subpoena privileged data on their targets at whim is evident in the dramatic backstory behind LAPSUS$, the data extortion group that recently hacked into some of the world’s most valuable technology companies, including Microsoft, Okta, NVIDIA and Vodafone.

In a blog post about their recent hack, Microsoft said LAPSUS$ succeeded against its targets through a combination of low-tech attacks, mostly involving old-fashioned social engineering, such as bribing employees of, or contractors working for, the target organization.

“Other tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multi-factor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets,” Microsoft wrote of LAPSUS$.

The roster of the now-defunct “Infinity Recursion” hacking team, from which some members of LAPSUS$ allegedly hail.

Researchers from security firms Unit 221B and Palo Alto Networks say that prior to launching LAPSUS$, the group’s leader “White” (a.k.a. “WhiteDoxbin,” “Oklaqq”) was a founding member of a cybercriminal group calling itself the “Recursion Team.” This group specialized in SIM swapping targets of interest and participating in “swatting” attacks, wherein fake bomb threats, hostage situations and other violent scenarios are phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address.

The founder of the Recursion Team was a then 14-year-old from the United Kingdom who used the handle “Everlynn.” On April 5, 2021, Everlynn posted a new sales thread to the cybercrime forum cracked[.]to titled, “Warrant/subpoena service (get law enforcement data from any service).” The price: $100 to $250 per request.

Everlynn advertising a warrant/subpoena service based on fake EDRs. Image: Ke-la.com.

“Services [include] Apple, Snapchat, Google (more expensive), not doing Discord, basically any site mostly,” read Everlynn’s ad, which was posted by the user account “InfinityRecursion.”

A month prior on Cracked, Everlynn posted a sales thread, “1x Government Email Account || BECOME A FED!,” which advertised the ability to send email from a federal agency within the government of Argentina.

“I would like to sell a government email that can be used for subpoena for many companies such as Apple, Uber, Instagram, etc.,” Everlynn’s sales thread explained, setting the price at $150. “You can breach users and get private images from people on SnapChat like nudes, go hack your girlfriend or something haha. You won’t get the login for the account, but you’ll basically obtain everything in the account if you play your cards right. I am not legally responsible if you mishandle this. This is very illegal and you will get raided if you don’t use a vpn. You can also breach into the government systems for this, and find LOTS of more private data and sell it for way, way more.”

Last week, the BBC reported that authorities in the United Kingdom had detained seven individuals aged 16 to 21 in connection with LAPSUS$.

TAKING ON THE DOXBIN

It remains unclear whether White or Everlynn were among those detained; U.K. police declined to name the suspects. But White’s real-life identity became public recently after he crossed the wrong people.

The de-anonymization of the LAPSUS$ leader began late last year after he purchased a website called Doxbin, a long-running and highly toxic online community that is used to “dox” or post deeply personal information on people.

Based on the feedback posted by Doxbin members, White was not a particularly attentive administrator. Longtime members soon took to harassing him about various components of the site falling into disrepair. That pestering eventually prompted White to sell Doxbin back to its previous owner at a considerable loss. But before doing so, White leaked the Doxbin user database.

White’s leak triggered a swift counterpunch from Doxbin’s staff, which naturally responded by posting on White perhaps the most thorough dox the forum had ever produced.

KrebsOnSecurity recently interviewed the past and current owner of the Doxbin — an established hacker who goes by the handle “KT.” According to KT, it is becoming more common for hackers to use EDRs for stalking, hacking, harassing and publicly humiliating others.

KT shared several recent examples of fraudulent EDRs obtained by hackers who bragged about their success with the method.

“Terroristic threats with a valid reason to believe somebody’s life is in danger is usually the go-to,” KT said, referring to the most common attestation that accompanies a fake EDR.

One of the phony EDRs shared by KT targeted an 18-year-old from Indiana, and was sent to the social media platform Discord earlier this year. The document requested the Internet address history of Discord accounts tied to a specific phone number used by the target. Discord complied with the request.

“Discord replies to EDRs in 30 minutes to one hour with the provided information,” KT claimed.

Asked about the validity of the unauthorized EDR shared by KT, Discord said the request came from a legitimate law enforcement account that was later determined to have been compromised.

“We can confirm that Discord received requests from a legitimate law enforcement domain and complied with the requests in accordance with our policies,” Discord said in a written statement. “We verify these requests by checking that they come from a genuine source, and did so in this instance. While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor. We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account.”

KT said fake EDRs don’t have to come from police departments based in the United States, and that some people in the community of those sending fake EDRs are hacking into police department emails by first compromising the agency’s website. From there, they can drop a backdoor “shell” on the server to secure permanent access, and then create new email accounts within the hacked organization.

In other cases, KT said, hackers will try to guess the passwords of police department email systems. In these attacks, the hackers will identify email addresses associated with law enforcement personnel, and then attempt to authenticate using passwords those individuals have used at other websites that have been breached previously.

“A lot of governments overseas are using WordPress, and I know a kid on Telegram who has multiple shells on gov sites,” KT said. “It’s near impossible to get U.S. dot-govs nowadays, although I’ve seen a few people with it. Most govs use [Microsoft] Outlook, so it’s more difficult because there’s usually some sort of multi-factor authentication. But not all have it.”

According to KT, Everlynn and White recently had a falling out, with White paying KT to publish a dox on Everlynn and to keep it pinned to the site’s home page. That dox states that Everlynn is a 15-year-old from the United Kingdom who has used a variety of monikers over the past year alone, including “Miku” and “Anitsu.”

KT said Everlynn’s dox is accurate, and that the youth has been arrested multiple times for issuing fake EDRs. But KT said each time Everlynn gets released from police custody, they go right back to committing the same cybercrimes.

“Anitsu (Miku, Everlynn), an old staff member of Doxbin, was arrested probably 4-5 months ago for jacking government emails used for EDR’ing,” KT said. “White and him are not friends anymore though. White paid me a few weeks ago to pin his dox on Doxbin. Also, White had planned to use EDRs against me, due to a bet we had planned; dox for dox, winner gets 1 coin.”

A FUNDAMENTALLY UNFIXABLE PROBLEM?

Nicholas Weaver, a security specialist and lecturer at the University of California, Berkeley, said one big challenge to combating fraudulent EDRs is that there is fundamentally no notion of global online identity.

“The only way to clean it up would be to have the FBI act as the sole identity provider for all state and local law enforcement,” Weaver said. “But even that won’t necessarily work because how does the FBI vet in real time that some request is really from some podunk police department?”

It’s not clear that the FBI would be willing or able to take on such a task. In November 2021, KrebsOnSecurity broke the news that hackers sent a fake email alert to thousands of state and local law enforcement entities through the FBI’s Law Enforcement Enterprise Portal (LEEP). In that attack, the intruders abused a fairly basic and dangerous coding error on the website, and the fake emails all came from a real fbi.gov address.

The phony message sent in November 2021 via the FBI’s email system.

KrebsOnSecurity asked the FBI whether it had any indication that its own systems were used for unauthorized EDRs. The FBI declined to answer that question, but confirmed it was aware of different schemes involving phony EDRs targeting both the public and the agency’s private sector partners.

“We take these reports seriously and vigorously pursue them,” reads a written statement shared by the FBI. “Visit this page for tips and resources to verify the information you are receiving. If you believe you are a victim of an emergency data request scheme, please report to www.ic3.gov or contact your local FBI field office.”

Rasch said while service providers need more rigorous vetting mechanisms for all types of legal requests, getting better at spotting unauthorized EDRs would require these companies to somehow know and validate the names of every police officer in the United States.

“One of the problems you have is there’s no validated master list of people who are authorized to make that demand,” Rasch said. “And that list is going to change all the time. But even then, the entire system is only as secure as the least secure individual police officer email account.”

The idea of impersonating law enforcement officers to obtain information typically only available via search warrant or subpoena is hardly new. A fictionalized example appeared in the second season of the hit television show Mr. Robot, wherein the main character Elliot pretends to be a police officer to obtain location data in real time from a cellular phone company.

Weaver said what probably keeps fraudulent EDRs from being more common is that most people in the criminal hacking community perceive it as too risky. This is supported by the responses in discussion threads across multiple hacking forums where members sought out someone to perform an EDR on their behalf.

“It’s highly risky if you get caught,” Weaver said. “But doing this is not a matter of skill. It’s one of will. It’s a fundamentally unfixable problem without completely redoing how we think about identity on the Internet on a national scale.”

The current situation with fraudulent EDRs illustrates the dangers of relying solely on email to process legal requests for highly sensitive subscriber data. In July 2021, a bipartisan group of U.S. senators introduced new legislation to combat the growing use of counterfeit court orders by scammers and criminals. The bill calls for funding for state and tribal courts to adopt widely available digital signature technology that meets standards developed by the National Institute of Standards and Technology.

“Forged court orders, usually involving copy-and-pasted signatures of judges, have been used to authorize illegal wiretaps and fraudulently take down legitimate reviews and websites by those seeking to conceal negative information and past crimes,” the lawmakers said in a statement introducing their bill.

The Digital Authenticity for Court Orders Act would require federal, state and tribal courts to use a digital signature for orders authorizing surveillance, domain seizures and removal of online content.
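The thread running through the whole piece is that providers currently verify the envelope (did this arrive from a genuine law-enforcement domain?) rather than the requester, which is exactly the check a hijacked police mailbox passes, as in the Discord case above. The bill points at the alternative: a signature bound to a key, verified against a trust chain rather than a sender address. The Go program below is an added illustration of that idea, not code from the article, the bill text, or any provider’s intake system. It uses only the standard library and models a provider that pins a hypothetical federal root, accepts a state intermediate, and honors an EDR only if its JSON body carries a signature from a per-department key whose certificate chains to that root. It then shows why mailbox takeover alone fails the check: the attacker can write a convincing body and even mint a certificate naming the agency, but cannot chain it to the pinned root. Every agency, officer, phone number and field name is made up; Ed25519 stands in for whatever NIST-approved algorithm a real deployment would mandate; revocation, timestamps and smart-card key storage are deliberately left out.

```go
package main

// Added example (not the article's, the bill's or any provider's code); every name and field is hypothetical.
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// EDR is the request body; Agency and Requester are checked against the signing certificate, not the e-mail.
type EDR struct {
	Agency, Requester, Subject, Reason string
	IssuedAt                           int64
}

// SignedEDR is what the provider verifies. Nothing in it depends on the sending mailbox or domain.
type SignedEDR struct{ Body, Signature, CertDER []byte }

// Chain is the provider's pinned trust material plus the department credential (a smart card in practice).
type Chain struct {
	Roots, Intermediates *x509.CertPool
	LeafCert             *x509.Certificate
	LeafKey              ed25519.PrivateKey
}

func certTemplate(serial int64, org, cn string, ca bool) *x509.Certificate {
	usage := x509.KeyUsageDigitalSignature
	if ca {
		usage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return &x509.Certificate{SerialNumber: big.NewInt(serial), BasicConstraintsValid: true, IsCA: ca, KeyUsage: usage,
		Subject:   pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
}

// issue generates a key pair for tmpl and has the parent's key certify it (nil parent: self-signed).
func issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	if parent == nil { parent, signer = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewChain builds federal root -> state intermediate -> department leaf; the provider pins only the root.
func NewChain() (*Chain, error) {
	root, rootKey, err := issue(certTemplate(1, "Federal Root CA (hypothetical)", "root", true), nil, nil)
	if err != nil { return nil, err }
	state, stateKey, err := issue(certTemplate(2, "State LE CA (hypothetical)", "state", true), root, rootKey)
	if err != nil { return nil, err }
	leaf, leafKey, err := issue(certTemplate(3, "Example Police Dept", "Det. Jane Doe", false), state, stateKey)
	if err != nil { return nil, err }
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(state)
	return &Chain{roots, inter, leaf, leafKey}, nil
}

// SignEDR signs the JSON body with the department key and attaches the department certificate.
func SignEDR(req EDR, cert *x509.Certificate, key ed25519.PrivateKey) (SignedEDR, error) {
	body, err := json.Marshal(req)
	if err != nil { return SignedEDR{}, err }
	return SignedEDR{body, ed25519.Sign(key, body), cert.Raw}, nil
}

// VerifyEDR is the provider-side check: chain to a pinned root, signature over the body, body consistent with cert.
func VerifyEDR(s SignedEDR, roots, intermediates *x509.CertPool) (*EDR, error) {
	cert, err := x509.ParseCertificate(s.CertDER)
	if err != nil { return nil, err }
	opts := x509.VerifyOptions{Roots: roots, Intermediates: intermediates, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("certificate does not chain to a trusted root: %w", err)
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, s.Body, s.Signature) {
		return nil, fmt.Errorf("signature does not cover this body")
	}
	var req EDR
	if err := json.Unmarshal(s.Body, &req); err != nil { return nil, err }
	if len(cert.Subject.Organization) == 0 || cert.Subject.Organization[0] != req.Agency || cert.Subject.CommonName != req.Requester {
		return nil, fmt.Errorf("body claims %q / %q but the certificate was issued to %v", req.Agency, req.Requester, cert.Subject)
	}
	return &req, nil
}

// ForgeEDR models mailbox takeover alone: a body naming the agency, signed under a CA the attacker minted.
func ForgeEDR(req EDR) (SignedEDR, error) {
	rogue, rogueKey, err := issue(certTemplate(90, "Rogue CA", "rogue", true), nil, nil)
	if err != nil { return SignedEDR{}, err }
	cert, key, err := issue(certTemplate(91, req.Agency, req.Requester, false), rogue, rogueKey)
	if err != nil { return SignedEDR{}, err }
	return SignEDR(req, cert, key)
}

func main() {
	ch, err := NewChain()
	if err != nil { panic(err) }
	req := EDR{Agency: "Example Police Dept", Requester: "Det. Jane Doe", Subject: "+1-555-0100 (constructed)", Reason: "threat to life", IssuedAt: 1}
	legit, _ := SignEDR(req, ch.LeafCert, ch.LeafKey)
	forged, _ := ForgeEDR(req)
	for name, s := range map[string]SignedEDR{"department-signed request": legit, "hijacked-mailbox forgery": forged} {
		_, err := VerifyEDR(s, ch.Roots, ch.Intermediates)
		fmt.Printf("%s: %v\n", name, err)
	}
}
```

The point to notice is what the provider does not need: a roster of every officer in the country. It needs one pinned root and a policy for which intermediates it accepts, and the certificate subject (not the mail header) decides whose name may appear in the request. What this does not solve, and the commenters below are right about it, is a department whose signing key is itself stolen or issued on forged paperwork; that is why the key belongs on a hardware token rather than on the mail server, and why revocation and an audit trail of who signed what are the next layers, not optional extras.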


52 thoughts on “Hackers Gaining Power of Subpoena Via Fake ‘Emergency Data Requests’”

  1. JamminJ

    It’s always a treat when Mr robot shows up to show how it’s done.

    1. The Sunshine State

      Or you can learn the tricks of the trade from “David Lightman,” who showed us first the true art of social engineering. Maybe those teenage boys in England should have just stuck to playing a nice game of chess.

  2. Gary

    When I set up my own email server I rejected packaged solutions because they allowed email passwords to be changed and accounts to be created online via a web interface. I create accounts and change passwords by ssh-ing into the server via PKI.

    When accounts and passwords are treated like handing a person a gun then this fakery will stop. And no it isn’t too much work. And why would you ever let someone create their own passwords? Hello…monkey123!
    At a minimum use something like a common access card scheme.

  3. The Sunshine State

    Real good informative article

    Pringles can? Nowadays you can buy an inexpensive war driving WIFI antenna LOL

  4. Hal

    What about OOB verification? Are these EDRs so frequent that someone on the provider side can’t pick up a phone?

    Digital signatures are fine but why not go for a simpler process change?

    1. JamminJ

      The company processing the EDR doesn’t really have anything to verify by phone. They don’t have a database of all known police departments with lists of authorized persons. “getting better at spotting unauthorized EDRs would require these companies to somehow know and validate the names of every police officer in the United States.”

      Even if they did, phone verification might thwart some foreign based adversaries. But for experienced social engineers, they can easily talk their way through a verification. These are the same people who routinely call mobile telecom companies for SIM swaps.

      Phone systems do not have security or integrity built in (caller ID can even be spoofed).
      For email it’s not default, but encryption and digital signatures can easily be implemented.

      I think digital signatures are a very good way to handle this problem. The physical world equivalent would be an officer showing up to the office and flashing a badge that could not be counterfeited.

      1. Ferdinand

        Wouldn’t it be easy for a company to find the website of the domain the E-Mail came from, call the number that’s displayed on the site and ask if employee xy exists or if they have sent the request?

        1. JamminJ

          Not easier. Remember there is a lot of urgency in EDRs. Can’t rely on verification by calling the number on the website’s contact roster. That usually takes days and no guarantee that someone will pick up 24/7.

          1. Nope

            Bull. If they can’t be verified they aren’t legit and should be ignored entirely.

            1. JamminJ

              Should, perhaps. Will they risk ignoring a real emergency? Probably not. I’m sure they’d rather risk giving away private data occasionally if it means they won’t deny a real emergency request.

              1. Nope

                If you’re authenticating insufficiently and running with it anyway you are potentially creating real emergencies everywhere you go. Think ahead or blow up in a hurry.

      2. Jonah Stein

        Every department in the United States would be a good start… but these emergency data requests come from all over the world!

        1. Billy Jack

          I would have trouble believing that the contact info for a customer in the US would be of any legitimate interest to some police department in Russia requesting it on an emergency basis.

          1. JamminJ

            I don’t think these requests are coming from russia. There are dozens of other countries that have law enforcement cooperation agreements though.

            A lot of these online services receiving EDRs, don’t quite know where their customer resides either. They can’t just go by the contact information given, because that could be part of the crime.

    2. JamminJ

      All that said, they might not implement digital signatures in such a way that prevents an adversary from digitally signing an order if they have compromised an account.

      “the General Services Administration shall provide an online service, available both through a publicly-documented and publicly-available application programming interface and through secure and public websites, that enable authorized court officers and employees to digitally sign a covered order and recipients of a covered order and other third parties to verify that the covered order has a valid digital signature at no cost to the recipient or third party.”

      It may be just as easy for someone who can compromise a local government email account, to also get the ability to digitally sign an EDR. They would need to implement MFA with their digital signature system. Some organizations use digital signing certificates on a smart card carried by account holders. But we’ll see.

    3. Gary

      The problem is the number of people making the request is huge. Out of band communications is great if you have a relationship with the person on the other end of the call. I have done this myself for two different people when their simple passwords were guessed. But in this case the request is from a random person.

  5. John Q. Citizen

    Thank you, Brian, for another fine article. And thank you for indicating something that Jane or Joe Citizen can do.

    I have called my senators to ask them to co-sponsor S.2547 – Digital Authenticity for Court Orders Act of 2021 (see https://www.congress.gov/bill/117th-congress/senate-bill/2547).

    Apparently there is no equivalent House bill, so I called my House rep (Paul Tonko) to ask him to sponsor an equivalent bill in the House. Paul Tonko is “technical” and this kind of thing should be right up his alley.

    I had a nice short conversation with staff; she said that either phone call or sending an email via a contact form is fine, they are both logged into their system. On a phone call (or message) I like “leaning in” and speaking very simply and plainly about technical issues; in an email or online form, I can include helpful links. She agreed, with a little chuckle.

    A pleasant phone call. The office must hire extroverts!!

    1. Gannon (J) Dick

      On Friday the Census/National Archives is releasing raw 1950 Census Data per the 72 Year Rule. This is the first “chance” since 2012 the USG has had to take a scheduled organizational victory lap (the 1940 Census). Jane or Joe Citizen have been misled as to how the “smartest guys in the room” play doctor.

  6. JamminJ

    20 years before Mr. Robot:

    PLAGUE (in a hammy southern accent)
    I disguised myself as an Alabama State Trooper
    and penetrated the FBI NCIC.

    The FBI computer holds files on twenty million
    Americans. I just hacked into it.

    From here I got access to every piece of data
    ever stored on Dade Murphy’s parents. His
    parents separated five years ago, reconciled
    two years later, filed for divorce last year,
    custody battle, boy chose to go with his
    mother. Hmm.

    So, we get the mother, we get the boy.

      1. JamminJ

        Would be interesting to see who got the reference and who thinks it’s spam.

    1. martin

      The difference between your example (and the War Games one above) and Mr Robot is that Mr Robot is the first show to only show actual tools and techniques, instead of more or less believable hollywood deus ex machinas.

      I’m fairly certain that the exact steps in the clip above have been done by miscreants in real life.

      1. JamminJ

        Yes. Mr Robot is better. But hackers is still a classic. Love them both.

        1. Almo E

          I love the 7-part EuroHBO series “Hackerville” too. Catch it if you can!

  7. Seen It All

    Brian, Thank you for another great article. Time moves on, but things remain the same. The latest group of 14-year-olds is busy with Doxbin, which was started by people as old as their fathers. The level of police cyber acumen has improved just slightly from years ago when I reached out to a major city police department and was told their Cyber Division did not have any internet access. My advice to anyone who is a likely or repeat target of swatting is to let your local police department know, so they don’t hop on over to your house some day with guns blazing.

  8. biomatrix

    How hard would it be for someone to pick up the phone and call the requesting PD to verify?

    1. JamminJ

      Very hard.
      “there are tens of thousands of police jurisdictions around the world — including roughly 18,000 in the United States alone ”

      They have to really keep a huge database up to date.

      1. Nope

        “It’s impossible to keep a database of numbers handy.”

        1. Nope

          “One of the problems you have is there’s no validated master list of people who are authorized to make that demand,” Rasch said. “And that list is going to change all the time. But even then, the entire system is only as secure as the least secure individual police officer email account.”

  9. Federico

    “The only way to clean it up would be to have the FBI act as the sole identity provider”

    No, the only way to clean it up is a federal statute, pre-empting local laws, to make it illegal to issue such requests or respond to them.

  10. Mahhn

    Security systems are so weak that a 14 year old punk is a cyber crime boss in 2022.
    Makes me feel like there’s no point in trying to enforce security besides a paycheck, but with the stress and BS and the lack of making a difference, it just doesn’t seem worth my time anymore.

    1. JamminJ

      He’s 17 years old now. And it doesn’t take much for a punk teenager to be a “boss” on the internet. There are millions of little fiefdoms especially in gamer communities where they get experience booting players, doxxing them, swatting, and recruiting other kids for their “guilds”. They learn about in-game economics trading goods/services in virtual currencies, and can translate that easily to how real money transacts online.

      It’s not so much that security systems are so weak (although true to a point), but that when people can easily bribe employees or pay better hackers for hire… it doesn’t take much to be the boss of a cyber crime group. And the way these groups work, is that they can splinter very often and even the youngest can become a boss. There’s no honor among thieves and the backstabbing is rampant.

  11. Here's The Fix

    Easy to fix this. I have a friend with a business that gets two or three of these a year. They started requiring that in order to verify that they are who they say they are they have to submit a photo of the interior of the police station (preferably the desk of the detective requesting the information) and a photo of the detectives business card. They then call the number associated with that dept and detective. They obviously check the phone numbers as well. It’s a bit laborious, but they have explained that emails can too easily be spoofed. They haven’t been rejected once in these requests to validate identity. That said, I think there’s a better way.

    Essentially when one of these requests is made, a video attestation record will need to be created. “This is Detective ______ requesting a record of ________. Attached is a written summary of why these records are requested. This is my business card, and my direct phone number.”

    Corp entities like the ones being discussed have a method to quarantine DL video files to ensure that should any of them be anything other than a legit file, it wouldn’t put the network at risk. You could create a secure platform to host the video request files. Like a Vimeo for LEO. So for ISPs, you get this email, then you login, enter some code to pull up your records request attestation video and done. I don’t care how back woods some police station is, they’re going to have someone there who knows how to create a video and upload it to a website.

    There’s a way to do this without getting the FBI involved to create a clearinghouse for all identity.

    1. JamminJ

      Interesting. But too convoluted to be called “easy”. Your mention of “laborious” is more accurate.
      The whole reason why EDRs are the target attack vector, is because “E” stands for emergency. This idea is not scalable, even if it works as a custom solution for a company who gets a 3 per year.

      If this idea were attempted at scale, then photos of police stations become a market commodity. Photoshopping a business card is too easy. There is no practical way to “obviously check the phone number”. If it were, then they could do that today.

      “they have explained that emails can too easily be spoofed”
      That’s the solution presented by the Senate Bill. Emails, by default, are not secure. But digital signatures have been around for a while now. It takes some effort to implement though. The idea is that federal Certificate Authorities already exist and could sign state LE intermediate CAs, which can sign certs for police departments. Then email can be trusted.

      The infrastructure for digital signatures already exists, so much of the work is done. It would be a huge project to implement a video attestation platform nationally, and have thousands of departments use it. Plus, it’ll be its own target.
      Sounds awfully similar to using ID.me, which is getting furious backlash.

    2. anon

      This wouldn’t work. Everything you’ve mentioned can be faked. Digital signatures are the way to go. They are mathematically secure. Implementation wise, if the hackers had access to the webservers and private keys then it becomes obsolete. These infrastructures need to be inherently secure from breaches themselves for digital signatures to work as intended.

      1. Here's The Fix

        What are digital signatures going to do on a compromised system?

        Video can’t be faked well enough at this point. You need a lot of sample data and individuals who work within police departments are often not active, or active much within social media.

        You need something that’s video, part captcha, and secured within two form auth site. Even if you compromise two parts of that, you still have to create a very convincing deep fake video of every local depts officer who handles this.

        1. JamminJ

          It does depend on the implementation of digital signatures.
          A proper implementation would put the private keys on a smart card employee badge. Even compromised police workstations would not break the security and integrity of digital signatures.
          Now if they allow emails to be digitally signed on a cloud platform without a hard token, that is accessible through single factor authentication, then that being compromised would certainly compromise the signature.
          Over the past three decades, digital signatures have proven way more robust and secure and trustworthy, compared to simple account login.

          It’s a misconception that an attacker would need to create a deep-fake video in order to convince a company to honor an EDR.
          Thousands of companies receiving these emergency requests, do not know the faces of all police officers. They would need to have pictures on file beforehand in order to validate a video. It’s impractical at scale.

          Now, if you suggest that they can just look up the photo of every police officer’s face in this country and a handful of other countries, then that’s not going to work. There is no database for these companies to look up photos of cops. And if there were, it would be nearly impossible to keep up to date as the list of authorized individuals will be changing constantly.

          There are ways to use live video calls during identity proofing and verification. Kind of like ID me, but it takes weeks to gather substantiating documentation like passports, driver’s licenses, and utility bills.
          It can take weeks or months. They’re all suitable for EDRs.

  12. JamminJ

    Interesting. But too convoluted to be called “easy”. Your mention of “laborious” is more accurate.
    The whole reason why EDRs are the target attack vector, is because “E” stands for emergency. This idea is not scalable, even if it works as a custom solution for a company who gets a 3 per year.

    If this idea were attempted at scale, then photos of police stations become a market commodity. Photoshopping a business card is too easy. There is no practical way to “obviously check the phone number”. If it were, then they could do that today.

    “they have explained that emails can too easily be spoofed”
    That’s the solution presented by the Senate Bill. Emails, by default, are not secure. But digital signatures have been around for a while now. It takes some effort to implement though. The idea is that federal Certificate Authorities already exist and could sign state LE intermediate CAs, which can sign certs for police departments. Then email can be trusted.

    The infrastructure for digital signatures already exists, so much of the work is done. It would be a huge project to implement a video attestation platform nationally, and have thousands of departments use it. Plus, it’ll be its own target.
    Sounds awfully similar to using ID.me, which is getting furious backlash.
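An added example of the chain of trust JamminJ describes (not code from the commenters, the article, or any real agency): a hypothetical federal root signs a hypothetical state LE intermediate, which signs a department's S/MIME signing cert, and the recipient verifies the chain instead of trusting a mailbox or login. It uses only Go's standard library; every name and address is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
const caUse, mailUse = x509.KeyUsageCertSign, x509.KeyUsageDigitalSignature

// tmpl builds a template; every cert in the chain is limited to S/MIME (email) use.
func tmpl(cn string, ku x509.KeyUsage, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ku == caUse, KeyUsage: ku,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
}

// issue signs t with the parent's key; a nil parent yields a self-signed root.
func issue(t, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey) // demo: errors not handled
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildChain models the comment's hierarchy (constructed names) plus a look-alike leaf from an unrelated CA.
func BuildChain() (root, inter, leaf, rogue *x509.Certificate) {
	root, rootKey := issue(tmpl("Federal Root CA (hypothetical)", caUse, 1), nil, nil)
	inter, interKey := issue(tmpl("State LE Intermediate CA (hypothetical)", caUse, 2), root, rootKey)
	leaf, _ = issue(tmpl("edr@example-pd.example", mailUse, 3), inter, interKey)
	badCA, badKey := issue(tmpl("Unrelated CA (hypothetical)", caUse, 4), nil, nil)
	rogue, _ = issue(tmpl("edr@example-pd.example", mailUse, 5), badCA, badKey) // same address, untrusted issuer
	return
}

// VerifyEDRSigner: trust comes from the signature chain to a known root, not from the sender's mailbox or login.
func VerifyEDRSigner(leaf, inter, root *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err == nil
}
```

A real deployment would additionally check revocation and bind the signed message to the request body; the look-alike cert with the same address fails here purely because its issuer is not in the trusted hierarchy.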

  13. JustAnotherGreyBeard

    Brian, you must have copy/pasted the direct text from the FBI, because both those included links are wrapped with the M$ “safelinks” service.

  14. bigpanthis

    I wonder if any of these attackers have called OnStar. I think I saw that in a show once… you call them, give them your badge# and say they’re in pursuit of stolen car with license#… they can disable the car, give location, etc.. Or is that just TV reality?

  15. Juris Priest

    The simplest way to avoid these problems is not to use personally identifying information whenever possible, up to and including payment methods, and digital footprints like IP addresses and IMEI/IMSI. For obvious reasons one shouldn’t be storing data in the cloud when a self hosted option exists. Run everything through a vpn, preferably running in root, and be looked at by the same cops as suspicious because you don’t pop up on the grid in the usual manner.

    No solutions will propose deescalation of companies and governments trying to mine more PII, just more arcane systems of “trust” and honeypots to exploit. You still have a hard drive and hopefully root. DFE and party like it’s 1995.

  16. wallsY

    This only gets worse if the EARN-IT act is passed.

  17. Trixy

    Excellent article. Problems: “podunk” agencies are ones with insanely old hardware, century old data, incomplete data sets, and the worst clunky software – literally can’t use anything remotely current because lacking sufficient ram, server memory, chip speed and inability to gal fill the older data house. Also easiest to hack, and easiest to wipe tracks. They simply can’t afford hardware, nor admin to run. One of the top 5 largest cities in the US has this problem, if you can digest that. Internally SO many agencies, and unable to upgrade everything at once, with extremely old data archives, and no one to oversee a proper design to resolve the problem, so guess what: they do nothing. 15 yrs ago I stumbled on tons of their records “accidentally/ inadvertently published” for the world to read. A quick call and they had no idea. Likely from prior stolen laptops, they had time to lift access etc.

    Encrypted keys need developing specifically for law enforcement, that must reside on the receiving agency server that only agencies can exact (one example). A hard handshake, if you will… with rolling data, expirations and a digital signature of the would be approver, which expires if not perfectly executed first try. Something far above a simple copy paste, but that even the barest bone agency can utilize. Law enforcement also needs great help in how to bring old legacy systems forward. But if we had that answer, the IRS would have resolved their current dilemma…

    We also have got to stop deluding ourselves around this security mirage. There really isn’t any security, so why do we treat it as if it exists? My point is that we design systems as if it exists – it doesn’t. Psychologically we need to start designing as if hackers WILL gain access. One idea of many possible: lead them to fake data – initiate real defenses on the offense, and not play victims. This is what people do who travel, so when you’re robbed, your real wallet is not in your usual purse or pocket (the fake one in your purse or back pocket was just lifted or stolen – instead). There are many strategic approaches that could be developed. Let them in… but to the wrong data, for example. Let them in, and develop new logging techniques for tracking. Let them in, and give them viruses, etc… why not?? If you want security, think like a hacker – not a law abiding person who obeys rules. Then, lay traps.. get a reputation… go as far as leaking a fake server reputation (propaganda) to hackers. Pull out the arsenal. But don’t wait to be a victim.

    We know this exists, yet no one DOES anything. I worked for a very very large energy company, and as new admin I discovered the main server login and password were the SAME. It wasn’t even alphanumeric. So I began planning an emergency change, without fanfare. I had to keep it quiet and need to know only. My own boss forbade me. Forbade. So I quit. I could not work for a company and be responsible for security, when I wasn’t allowed… I was told “well we don’t know all the systems that log into it” and my response was “good / cause if you don’t know, we need to see who yells”. He just didn’t get it, or was scared sh*less of the backlash. I was scared of not doing it. So never take for granted that large companies know better…

    1. Almo E

      So very well put. Honeypots, defense-in-depth, hmmmm, which one seems cheaper to you? Let the hackers steal fake PII, then go after them wherever it lands (Kyiv, Moscow, Beijing, DC). These aren’t nominally law-abiding citizens in the data being exfiltrated, so the obvious motivation looks to me like extortion/blackmail/build your crime ring, etc.

  18. flameboozeled...

    Nooooice!!!!!
    young lads plz take notice of the wisdom just dropped by Trixy.

    Security is an illusion.

    Famous, infamous, or hidden in plain sight, either way you’re a pawn to money, pride, and ego, especially in the world of IT.

  19. Almo E

    EDR requests would need some kind of verification (call-back, badge #, etc.) or at least I would hope so. I believe if FBI really does take this threat seriously, they’d set up a *protocol* for proof of origin, not just that somebody@podunkpd.city.st.us was requesting the EDR in “bombastic” (life or death) terms.

    1. JamminJ

      That’s the entire purpose of using digital signatures.
      Badge numbers are weak simple digits. And phone numbers can be spoofed so call backs don’t work either.

  20. Mark Lindsey

    The Solution:
    All EDRs from anywhere on earth should only be processed in the STIX language with TAXII transportation and should be treated as if they were cyber threat intelligence being shared with LEO departments. The intelligence community does not send EDRs, or anything else, digitally. Imagine the Clerk of the U.S. District Court not having a properly filed hard copy of a court order, or the Joint Operations Center doesn’t have the luxury of taking hours or days to produce the EDR response because of a mass casualty event. It’s for emergencies, not casual inquiries. The normal and customary procedure for requesting disclosure of privileged or classified content is a signed order by a judge, actual paper with raised seal. That’s how it is done, and that’s how all official inter-departmental agencies, including the F.B.I., have forms to fill out, most of which hackers have little or no access to. What’s so hard about having the EDR written and hand delivered? If it’s such an emergency it’s unlikely that an email is going to be sent and miraculously save the day.

    1. uscc

      What are you talking about? The IC absolutely sends requests digitally. We have entire classified networks dedicated to it. You expect law enforcement in Alabama, during an emergency, to fly to Silicon Valley California in order to serve a handwritten request to a tech company? That’s stupid.
      Intel collection is not the same as EDR. URGENCY is orders of magnitude different.
