Hackers Gaining Power of Subpoena Via Fake 'Emergency Data Requests' (krebsonsecurity.com)
Krebs on Security reports: In the United States, when federal, state or local law enforcement agencies wish to obtain information about who owns an account at a social media firm, or what Internet addresses a specific cell phone account has used in the past, they must submit an official court-ordered warrant or subpoena. Virtually all major technology companies serving large numbers of users online have departments that routinely review and process such requests, which are typically granted as long as the proper documents are provided and the request appears to come from an email address connected to an actual police department domain name. But in certain circumstances -- such as a case involving imminent harm or death -- an investigating authority may make what's known as an Emergency Data Request (EDR), which largely bypasses any official review and does not require the requestor to supply any court-approved documents.
It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately. In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR -- and potentially having someone's blood on their hands -- or possibly leaking a customer record to the wrong person. "We have a legal process to compel production of documents, and we have a streamlined legal process for police to get information from ISPs and other providers," said Mark Rasch, a former prosecutor with the U.S. Department of Justice. "And then we have this emergency process, almost like you see on [the television series] Law & Order, where they say they need certain information immediately," Rasch continued. "Providers have a streamlined process where they publish the fax or contact information for police to get emergency access to data. But there's no real mechanism defined by most Internet service providers or tech companies to test the validity of a search warrant or subpoena. And so as long as it looks right, they'll comply." To make matters more complicated, there are tens of thousands of police jurisdictions around the world -- including roughly 18,000 in the United States alone -- and all it takes for hackers to succeed is illicit access to a single police email account.
There is risk of death on both options, so verify. (Score:2)
If you give out someone's information to a stalker, you're putting lives at risk. There is a risk on both sides, not just on the stay quiet side. Given that, companies should always take the time to verify the request before responding. We had people die in earlier eras when the data could not be obtained quickly. A response that takes time to verify is still faster than what we've had for years prior. And verification will get faster if more people use it.
Re: (Score:2)
The challenge is that Bush II used a terrorist attack, which according to conservative dogma he is at least partially responsible for, to create a socialist police state, the unintended consequences we are still experiencing. This reminisce
Re: (Score:2)
It is not so much deaths. People die from products and disclosure all the time. The key is actionable deaths. Can a firm be held responsible for releasing information to what they believe is a legal order, and is there a simple method to confirm the order is legitimate
Aren't underwater subs with nuclear arsenal and operating in radio silence capable of authenticating command messages, or is that stuff only in movies?
If there is that capability, then I can't see why something similar can't be used here. And if there is the possibility that something similar can be used, then I would say, yes, they should be held responsible if they fail to properly verify the request when they'd be capable of doing so.
Re: (Score:2)
Bush was a socialist? Do you know what that word actually means, or are you just trying to say "authoritarian?"
Nothing about present day America is socialist. We are a purely capitalist society. Workers do not control the means of production, the owning class does. We may have some scanty social safety nets but they do not make us socialist. And Bush was part of the party that works the hardest to dismantle all social safety nets.
Was what Nixon did also "creating a socialist police state" in your mind?
Re: There is risk of death on both options, so ver (Score:2)
Re: (Score:2)
So maybe this kind of thing needs an escrow service, whose sole job is to verify the requests?
Access to police email systems? (Score:2)
Seems like this is the core problem.... If you secured the email system better, hackers wouldn't be prone to use it to make the fake emergency requests in the first place.
Email is notoriously easy to hack in many cases .... largely because extra precautions like 2FA aren't taken out of an interest in convenience.
That's a problem Facebook can't fix (Score:2)
> Access to police email systems? ...
> Seems like this is the core problem.... If you secured the email system better
Sure, that's a problem. A problem your local police department should fix.
Facebook can't fix that problem, of course.
The problem for Facebook is that when they get emails from chief@dallaspolice.gov saying that a photo shows a kid who was abducted by a stranger, they don't know if that email is legitimate or not. That's the problem Facebook has to deal with. If society wants to have in
Re: (Score:2)
The system should never be via email. It should be via some kind of portal with multi-factor authentication as well as out-of-band verification.
Re: (Score:2)
Or, better yet, Facebook (or whoever) could pick up the phone and call the public contact number for the department (on the department's web site, easily verified outside of the fake email) and talk to the requesting officer directly (there is a name in the request, right?).
This would also increase the efficiency of the whole process by making the conversation interactive in real time (less back and forth with questions), including the officer being able to verify they received the requested information.
But
Re: (Score:2)
Re: (Score:2)
Then it's hopeless, and you should jump off a bridge now to avoid the Christmas rush.
Re: (Score:2)
It wouldn't just take determination, also risk and resources. You can't make it impossible, but you can make it more expensive. Just doing a simple phone number lookup and verifying by phone makes it far more expensive to hack than pure email.
Security in economics.
Re: (Score:2)
Re: (Score:2)
Even easier than that. I can take over the PD numb (Score:2)
Once upon a time, a hacker showed a secret service agent that he had taken over the phone number for the Atlanta secret service office.
He went to the secret service office nearest his home to meet with the agent. He asked the agent "do you have a phone on you?" When the agent replied he did, the hacker said "call the Atlanta office". The agent did. The hacker opened his laptop and played back the recording of the agent's call.
This hack doesn't require anything related to SS7. It doesn't require social eng
Re: (Score:2)
Re: (Score:2)
Of course "ideally" the police should have uniform ways to authenticate themselves, but that is very difficult with 1000's of jurisdictions making their own rules in the US. Preserving local autonomy AND responding rapidly to large numbers of incidents AND avoiding any misfires is indeed a tall order.
Re: (Score:2)
Right.... I think the need for a rapid response and the possibility of the request coming from any department, anywhere, means you're not going to have complete security here. But you at least want to make it more difficult to hack the system. That's why I suggested it needs to start with the police departments using as secure an email system as they can.
Secondarily? I'd think there either is or *should* be a pretty serious punishment involved for impersonating an officer via hacking the departmental ema
Re: (Score:2)
Of course improving police email security would help reduce the size of the problem, but it cannot be considered part of the solution. Any sufficient solution needs to assume a police email account can be hacked.
Needs a catchier name (Score:2)
Judges are on call at all times (Score:2)
I've been getting political ads now that the midterms are getting closer and none of them have any policy in them. It's mostly about how such and such politician had a drunk driving conviction or something nonsensical like that.
Change who you vote for and vote in your primary. Never listen to a politician. They use body language to trick you
Re: (Score:2)
It's not nonsense. If the person running for office says they'll be tough on crime, then having one (or more) conviction for drunk driving doesn't sound like they're tough on crime because otherwise they would know it's illegal to drive drunk.
The same if someone says they'll lower taxes and you find out they haven't been paying taxes for years.
What you consider nonsense goes to th
Re: (Score:2)
What color is the sky in fantasy land? Even in big cities, courts don't always operate 24 hours a day, 7 days a week. And judges don't like being woken up at 3:00 AM.
Re: (Score:2)
Yes, this. Nobody should ever hand over any PII to any law enforcement organization without a warrant, period. They can get a warrant on any specious basis at any time in most jurisdictions, so that is frankly a stupendously low bar.
Re: (Score:2)
> Change who you vote for and vote in your primary
The "Republican" and "Democratic" wings of the Party have primaries.
Some of us don't want either side of the Party. What are we supposed to do then?
Simple solution (Score:2)
Require such mails to attach a phone number. Only send the data if the request has been confirmed by voice. This ought to get rid of quite a big chunk of the fake subpoenas.
No phone number? No data. Of course the phone number gets checked when the subpoena is received (to prevent fakes).
Re: (Score:2)
> Require such mails to attach a phone number. Only send the data if the request has been confirmed by voice. This ought to get rid of quite a big chunk of the fake subpoenas.
> No phone number? No data. Of course the phone number gets checked when the subpoena is received (to prevent fakes).
While it might stop a portion, if a hacker has infiltrated a police email system I'm pretty sure they can get a voip/GV number in the area code of the precinct and pretend to be a cop. If they can scam people out of a nearly endless stream of $, do you really think the folks at google/apple/fb/etc. handling these requests are going to use their spidey sense and turn down what could be legal requests in life-or-death situations? I think not.
Re: (Score:2)
You just need a more thorough calling system.
Call the precinct's public number (not provided by the emailer), and connect to the officer that way.
Oh, there is no Officer Frank Drebin at that precinct? Let them know someone is attempting to impersonate one of their staff, and forward the email details and let them handle it if they wish.
Hackers Gaining Power of Subpoena... (Score:2)
"... using their illicit access to police email systems".
I think I see what the problem is here.
Re: (Score:1)
"...and the request appears to come from an email address connected to an actual police department domain name"
"Appears". That's even easier than going to all the trouble of hacking an email account. Not that that is much trouble...
No verification process? (Score:2)
How do they not have a quick and easy way for an EDR recipient to verify it is legitimate?
Call the PD, FBI, or whoever sent it by telephone. If they have the staffing to send an EDR then they have the staffing to answer a phone.
Re: (Score:2)
I wanna see that phone list.
It's not like they'll be able to trust any phone number in the (possibly fraudulent) EDR, and if you just google their phone number, that will end up in phone-tree hell, assuming you can even find one.
Re: (Score:2)
That phone list has one rule, nobody gets to see the phone list.
jk
These agencies already have procedures, call lists, etc. It should NOT be that hard.
Simple solution (Score:2)
I know this might come across as obvious, but why not leverage the existing mechanisms in place for verifying the identity of an emergency service? Like physical law enforcement vehicles, ambulances, firetrucks, all have distinctive features that are difficult for someone to copy. Let's do that with a special phone number and email address system only for emergency services.
How I'd envision this, is that a special TLD be created, e911 or e112. All devices manufactured after a specific date recognize e911/e1
Corporate Capitalism vs nothing to lose crowd. (Score:2)
Trust but verify. (Score:2)
I'm curious that if, in fact, a company gets an EDR, why can't they simply call the police department's main line, ask to speak with the originator of the EDR to confirm? This would require bad actors not only to compromise the email system, but also the Phone System and intercept/answer all calls to the main number. It's not fool proof, but it's extra work for the bad guys.
People are always both the strongest and weakest link in the security chain. Making the extra call to verify would likely provide a
Back in the day... (Score:2)
If all the major sites are requiring and verifying the requests come from an official police domain/address,
"law and order" .. it just can't get more pathetic (Score:2)
"an investigating authority may make what's known as an Emergency Data Request (EDR), which largely bypasses any official review and does not require the requestor to supply any court-approved documents"
this is the only real problem here. not email security, not methodology, not anything of that ... the real issue here is that the police have a way to null and void civic rights without a court ordering so. what could possibly go wrong, you ask? well literally everything, even if the process worked as expecte
Re: "law and order" .. it just can't get more path (Score:2)
Bingo.
And since the police dept is mostly misusing this facility so now we have some real or imaginary 'hackers' who can conveniently be blamed whenever someone gets caught misusing the EDR.
There can be a few rare cases where tracking someone online would save a life, but mostly it would be police trying to get details on something which is difficult to get a judge to sign off on.
Besides if they are so pressed for time, they would anyway get on a call with the ISP/Telco to expedite the info as soon as t
Re: (Score:2)
Don't comply.
I don't know what an EDR is. I've never been authorized to access the data you are requesting. I can forward your request to our legal department for clarification.
Many years (decades) ago when I worked for a public utility, some scruffy looking guy walked into our construction and engineering office. He claimed to be an undercover officer and needed access to a customer's records "right now". Not wanting to make a scene with what might be an unstable individual, I said "Certainly, sir. Right
Hard to verify? (Score:2)
Re:Easy to verify, but not in bulk. (Score:2)
Re: (Score:2)
So only the local precinct can put in EDRs? What about the FBI? BATFE? Marshals? Or a precinct in another state (This IS the Internet we're talking about). Just calling the local unified PD is going to get you the run-around.
Re: (Score:2)
Should require a call back. (Score:2)
When they approve an "Email" as police, it should be connected to a specific phone number as well as a jurisdiction.
When you get an email request, you should call the phone number to confirm. Thirty seconds is all it will take, a lot less than it takes to fulfill many such requests.
Most of the time there should be a longer wait for the request to be processed than it takes to confirm via phone call.
Re: Should require a call back. (Score:2)
So a printed yellow pages or phone directory is what you need
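As an added example (not code from the Krebs article, the Slashdot posters, or any provider's real intake system), here is a Python model of the callback rule proposed in the "Simple solution" and "Should require a call back" comments: the callback number comes from a directory registered in advance, never from the email, and nothing moves past "pending" until a call to that number reaches the named requester. The registry entries, domain and phone numbers are constructed samples.

```python
"""Out-of-band callback gate for Emergency Data Requests (EDRs).

Added example. The registry below is hypothetical: each approved police
sender domain is paired with a phone number obtained from an independent
directory when the agency was onboarded, never from a request itself.
"""
from dataclasses import dataclass, field
import re

# Constructed sample registry: sender domain -> independently sourced callback number.
REGISTRY = {
    "police.example-city.gov": "+1-555-0100",
}

PHONE_RE = re.compile(r"\+?\d[\d\-\s()]{7,}\d")


@dataclass
class EDR:
    sender: str
    body: str
    status: str = "received"
    findings: list = field(default_factory=list)


def normalize(num):
    """Keep digits only so '+1 (555) 0100' and '+1-555-0100' compare equal."""
    return re.sub(r"\D", "", num)


def triage(edr):
    """Move an EDR to pending_callback or reject it; never releases data."""
    domain = edr.sender.rsplit("@", 1)[-1].lower()
    callback = REGISTRY.get(domain)
    if callback is None:
        edr.status = "rejected"
        edr.findings.append("sender domain not registered")
        return edr
    # A number written into the email is a claim, not evidence. Record any
    # mismatch with the registry as an impersonation indicator for the analyst.
    for found in PHONE_RE.findall(edr.body):
        if normalize(found) != normalize(callback):
            edr.findings.append(f"email-supplied number {found.strip()} differs from registry")
    edr.status = "pending_callback"
    return edr


def confirm_callback(edr, number_dialed, requester_confirmed):
    """Mark verified only if the call went to the registry number and the requester was reached."""
    if edr.status != "pending_callback":
        return edr
    domain = edr.sender.rsplit("@", 1)[-1].lower()
    if normalize(number_dialed) != normalize(REGISTRY[domain]):
        edr.findings.append("callback dialed a number not from the registry")
        edr.status = "rejected"
    elif requester_confirmed:
        edr.status = "verified"
    else:
        edr.findings.append("requester unknown at registered number")
        edr.status = "rejected"
    return edr
```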