Hacker Breaches Securus, the Company That Helps Cops Track Phones Across the US (vice.com)
Securus, the company which tracks nearly any phone across the US for cops with minimal oversight, has been hacked, Motherboard reported Wednesday. From the report: The hacker has provided some of the stolen data to Motherboard, including usernames and poorly secured passwords for thousands of Securus' law enforcement customers. Although it's not clear how many of these customers are using Securus's phone geolocation service, the news still signals the incredibly lax security of a company that is granting law enforcement exceptional power to surveil individuals. "Location aggregators are -- from the point of view of adversarial intelligence agencies -- one of the juiciest hacking targets imaginable," Thomas Rid, a professor of strategic studies at Johns Hopkins University, told Motherboard in an online chat.
Just assume everyone knows everything every time. (Score:2, Insightful)
Is this the new working assumption we all need?
Re: (Score:2)
DAILY SPECIAL !!!
Today only!!!
Circumcisions: half off !!!
-- Dick Chopp
Re: (Score:2)
So they know about my turtle porn all the way down?
Re: (Score:2)
Then where the hell are my keys?
Re: (Score:2)
The 3 pieces of celery with almond butter that, along with a cup of coffee, were supposed to be a snack, are in the closet with the paper towels.
The paper towel that was supposed to be for wiping off the countertops is on top of the toilet where I had to pee all of a sudden.
The cup of coffee that was warmed up in the microwave is in the cabinet where the extra packets of stevia are kept.
The stevia and soy milk are in the desk where my pad's USB charger is.
My pa
What the hell (Score:4, Interesting)
But this latest data breach is not the only sign that Securus is careless with sensitive information. Rid pointed Motherboard to a Securus user manual available online. One part shows a map and user interface for a Securus product, but instead of populating the screen with fake data for demonstration purposes, the guide appears to include the real name, address, and phone number of a specific woman. (Motherboard confirmed the details with those in online databases, as well as a media report that mentions the woman).
How stunningly incompetent
Couldn't happen to a nicer company.... (Score:5, Insightful)
Re:Couldn't happen to a nicer company.... (Score:3)
Re: (Score:3)
If they go under tomorrow, another company will promptly take its place. It's not a specific business - it's the system and the set of laws and (corrupt) interests protecting it.
Re: (Score:2)
I think the hacker should publicly release random parts of that data. It would suck for quite a number of people, but make sure you get the lobbyists and politicians in that release, and we may just have an uproar like with Facebook. Then laws may actually change and make these sorts of businesses less enticing to run. Until people find out that when people mean hacked, they mean THEIR data, I don't think things will change.
Even something simple like Motherboard setting up a webpage where you enter your pho
Re: (Score:2)
Securus doesn't bother checking for a warrant, so we could be talking about stalking victims, domestic violence victims, persons of interest to foreign intelligence agencies, anyone who anyone else wants to spy on.
Not that I particularly care for even police with a lawful purpose having that kind of power to track people -- a lot of "crimes" in the US shouldn't be crimes at all.
Re: Couldn't happen to a nicer company.... (Score:1)
Gosh Mr. AC, why not just log in to make to comment? Oh, because it's baseless and rings with every other "well just don't break the law" comment. The whole argument ignores when they change the "laws" to target folks like protesters, unit opinions, etc.
But you already knew that, I'm sure.
Re: Couldn't happen to a nicer company.... (Score:1)
...next time I monitor spell check. *Scowl*.
You got my point.
Re: (Score:2)
...and giving anyone who asks cell phone location data (without verifying the veracity of a warrant), Securus is a truly predatory company.
What are you talking about?? They always make sure the warrant is valid before they do anything. It's just that the only warrants they accept must say things like "e pluribus unum" and must have a unique serial number that is generated and validated by US Mint.
Am I in the list? (Score:1)
Re: (Score:3)
Are you in the US?
Re:Am I in the list? (Score:5, Informative)
How does someone find out if they are in the list and being watched?
Paranoid
The list is of Securus' law enforcement customers, not individual citizens. And there is no "list of people being watched" here. The data is already being collected on everyone, it's just a matter of if a Securus customer made any requests about you. Without more info on how one uses the service, it's hard to tell if there is a record of who was tracked.
Re: (Score:2)
The list is a list of customers. That doesn't say anything about how often they use the service, or who they are using the service to watch. The list likely includes Sheriff's offices that have not logged in in years.
Not just cops. (Score:2)
Bad cops track too.
People other than cops track them too.
Re: (Score:1)
In both the meaning of the word "just".
Bad cops track too.
People other than cops track them too.
Set up a fake account and track cops and top federal LEA/TLA officials and publish the juicy bits to Wikileaks.
Securus won't remain in business for long.
Onion candidate #27 (Score:1)
Professional hackers have been hacked, and their recursive hacking algorithm, known as GrndH0gDai, was recursively hacked and stolen.
Securus (Score:5, Funny)
Cue my surprise (Score:2)
Don't hold your breath. You'll be waiting a while.
FFS, isn't enough enough already? (Score:3)
Data breaches, Woody, data breaches everywhere!
Come on people, isn't enough enough already?
1. Companies like this 'Securus' shouldn't exist in the first place.
2. ALL companies that handle personally identifiable/sensitive data should have properly secured systems 100% of the time, no excuses.
3. Nobody's phone location data should be revealed unless there is a valid warrant.
When is this bullshit going to stop? As-is, you can't connect anything to the Internet without exposing yourself to massive amounts of risk of being hacked into either by criminals or the government, you can't carry a smartphone around for the same reasons (only worse), and it's getting to the point where even your bank isn't a safe place to keep your money because they're getting hacked, too. What do we do about all this? What is the way forward? How do we fix this?
Shit like this is why I don't have a smartphone, and why I pay cash for everything I buy in person: to reduce my exposure to this sort of risk. Neither I nor any one of us should have to do that.
Re: (Score:2)
When is this bullshit going to stop?
By the time the USofA joins the EU.
Now the UK is all but gone we can do with another English language group.
Re: (Score:1)
When is this bullshit going to stop?
By the time the USofA joins the EU. Now the UK is all but gone we can do with another English language group.
You probably wouldn't want one with as much baggage as the US has.
Sounds like... (Score:1)
Sounds like a violation of the 4th amendment, just with extra steps.
Re: (Score:3)
Sounds like a violation of the 4th amendment, just with extra steps.
"It's illegal and unconstitutional for me to do as a LEO so I'll just pay someone else to do it for me!"
"You'll go far in US politics, Son!"
Strat
Re: (Score:2)
Sounds like a violation of the 4th amendment, just with extra steps.
Great, just try to enforce it. First you will need standing. If you get past that, then you will need a remedy. Since the remedy for a 4th amendment violation is exclusion of evidence, which does not apply in a civil trial, you will need to be the defendant in a criminal trial. If you get past all of that, then law enforcement will use parallel construction anyway.
I'm interested in (Score:2)
The "usernames and poorly secured passwords for thousands of Securus' law enforcement customers"
I'll bet that could open some doors!
Not IF, but WHEN... (Score:3)
Security vulnerabilities are a fact of life, and most people in any kind of a technology job are aware of that. It's not if you're going to be hacked, but when, and by whom. And in fact, it's not these highly publicized breaches that we really need to worry about; rather, it's the breaches that nobody ever finds out about that probably keep the security experts awake at night. So if some well-meaning script-kiddie stumbled his way into Securus, then what that really tells us is that someone with nefarious intent has almost certainly already exploited the same weakness well prior to this. Nobody found out about that hack* for two reasons: 1) The "real" hackers covered their tracks and didn't get caught, and 2) they didn't notify the press with childlike glee of their successful hack of a highly sought after target... rather, they used the vulnerability to collect as much data as possible, and hid any strategically useful data that they discovered under a rock, to be sold to the highest bidder on the black market.
* Mind you... "that hack" could just as easily have been "those hacks"... and we likely still wouldn't know it happened, nor how extensive the damage was, until it's too late to fix anything.
Encryption backdoors (Score:3)
Now tell me with a straight face that the FBI's suggestion to use a third-party key management system that they could go to with a warrant would be secure. Go on, let me hear it.