Lately there have been a number of significant information security (infosec) fails that have befuddled law enforcement, and we’ll take a quick dive in to each of these issues.

Case #1

On Oct. 28, the Electronic Frontier Foundation posted an article about automatic license plate reader cameras. It turned out that a number of police cameras were automatically scanning license plates in public locations, and the information was publicly visible by using some clever internet search tactics. Note: Nothing about these search techniques are illegal, and this kind of tactic can even be used to find other law enforcement systems that may be visible to the internet.

Ever considered the possibility that your brand new jail that has a “super secure network” built in to it might be insecure by default? And unless you change the default settings, you can open every single door in the jail from a remote location?

Well, that’s exactly what we’re looking at.

Lesson to be Learned

We MUST configure these devices when they come to us. Whether it’s a body camera, LPR, jail cell, fire alarm system–anything digital, basically–we need to be changing the defaults to suit our security requirements. And for the love of all that’s good and digital, change the default passwords!!

Case #2

Recently the FBI LEEP database was supposedly breached, along with the CIA chief’s personal email. The information posted by the LEEP breach was nothing more than names, email addresses, and affiliated agencies.

While this sounds super scary, it’s really nothing more than what most people could have gotten on a Google search for you and your agency. Additionally, the FBI just put out a PSA about hacktivists, pointing out that their current methodology involved making a phone call and claiming to be an employee of a company to gain access to sensitive information.

This raises another interesting point that’s worth noting–most “cyber attacks” do involve a fair amount of human hacking, not just technical geekiness. That’s where we can have a significant impact on stopping these breaches. The FBI actually just posted a PSA giving guidance on how to protect ourselves better from these attacks..

Lessons to be Learned

Change your passwords regularly, and use complex passwords! Also, if you’re not using two factor authentication, you need to. Two factor authentication is doing things like enabling your bank and email to only give you access after you receive a text message. Cumbersome? Maybe. Easier than a data breach? Vastly.

Case #3

Conficker was a worm that was discovered back in 2008. Or, in other words, two presidential elections ago. It’s pretty old, and 40 out of 40 antivirus scanners catch it these days because it’s incredibly well-known.

Well, it made a comeback a few days ago when a number of police body cameras were found with this aged malware. This raises a ton of concerns and questions, one of the biggest ones is – how much can we trust our vendors? This question goes back to at least 2011 when DHS was warning foreign vendors were shipping items with malware pre-installed.

Lessons to be Learned

How much do you trust your vendors? Can you audit your vendors and their supply chains? Is that built in to the contract? And have you ever considered building in to the contract verbiage about what to do if their devices give your organization a virus?

Sadly, this last one is something that’s going to become more common. In time we’ll need to start hiring our own infosec people to look at devices as they come in to our organizations and monitor their behavior to see if they’re malicious or not.

Conclusion

This is just a brief rundown of some of the infosec issues affecting law enforcement lately. If you know of any more, please feel free to reach out to me! @cyberbloodhound on Twitter or leaving a comment below.