Hackers Gaining Power of Subpoena Via Fake 'Emergency Data Requests'

Krebs on Security reports: In the United States, when federal, state or local law enforcement agencies wish to obtain information about who owns an account at a social media firm, or what Internet addresses a specific cell phone account has used in the past, they must submit an official court-ordered warrant or subpoena. Virtually all major technology companies serving large numbers of users online have departments that routinely review and process such requests, which are typically granted as long as the proper documents are provided and the request appears to come from an email address connected to an actual police department domain name. But in certain circumstances -- such as a case involving imminent harm or death -- an investigating authority may make what's known as an Emergency Data Request (EDR), which largely bypasses any official review and does not require the requestor to supply any court-approved documents.

It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately. In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR -- and potentially having someone's blood on their hands -- or possibly leaking a customer record to the wrong person. "We have a legal process to compel production of documents, and we have a streamlined legal process for police to get information from ISPs and other providers," said Mark Rasch, a former prosecutor with the U.S. Department of Justice. "And then we have this emergency process, almost like you see on [the television series] Law & Order, where they say they need certain information immediately," Rasch continued. "Providers have a streamlined process where they publish the fax or contact information for police to get emergency access to data. But there's no real mechanism defined by most Internet service providers or tech companies to test the validity of a search warrant or subpoena. And so as long as it looks right, they'll comply." To make matters more complicated, there are tens of thousands of police jurisdictions around the world -- including roughly 18,000 in the United States alone -- and all it takes for hackers to succeed is illicit access to a single police email account.

There is risk of death on both options, so verify.

[Aristos Mazer]

If you give out someone's information to a stalker, you're putting lives at risk. There is a risk on both sides, not just on the stay quiet side. Given that, companies should always take the time to verify the request before responding. We had people die in earlier eras when the data could not be obtained quickly. A response that takes time to verify is still faster than what we've had for years prior. And verification will get faster if more people use it.

Re:

[fermion]

It is not so much deaths. People die from products and disclosure all the time. The key is actionable deaths. Can a firm be held responsible for releasing information to what they believe is a legal order, and is there a simple method to confirm the order is legitimate

The challenge is that Bush II used a terrorist attack, which according to conservative dogma he is at least partially responsible for, to create a socialist police state, the unintended consequences we are still experiencing. This reminisce

Re:

[Sebby]

It is not so much deaths. People die from products and disclosure all the time. The key is actionable deaths. Can a firm be held responsible for releasing information to what they believe is a legal order, and is there a simple method to confirm the order is legitimate

Aren't underwater subs with nuclear arsenal and operating in radio silence capable of authenticating command messages, or is that stuff only in movies?

If there is that capability, then I can't see why something similar can't be used here. And if there is the possibility that something similar can be used, then I would say, yes, they should be held responsible if they fail to properly verify the request when they'd be capable of doing so.

Re:

[spun]

Bush was a socialist? Do you know what that word actually means, or are you just trying to say "authoritarian?"

Nothing about present day America is socialist. We are a purely capitalist society. Workers do not control the means of production, the owning class does. We may have some scanty social safety nets but they do not make us socialist. And Bush was part of the party that works the hardest to dismantle all social safety nets.

Was what Nixon did also "creating a socialist police state" in your mind?

Re: There is risk of death on both options, so ver

[klipclop]

Most of these "EDR" s can be verified by calling the main phone line of the originating police department they claim to be from. That's what I always recommend our operations team suggest when they forward the request to our security team for review and approval. From my side, I won't interact or cut corners and talk to law enforcement. It all has to go through the security team and they decide what to do with any network investigation I'm asked to perform.

Re:

[Reziac]

So maybe this kind of thing needs an escrow service, whose sole job is to verify the requests?

Access to police email systems?

[King_TJ]

Seems like this is the core problem.... If you secured the email system better, hackers wouldn't be prone to use it to make the fake emergency requests in the first place.

Email is notoriously easy to hack in many cases .... largely because extra precautions like 2FA aren't taken out of an interest in convenience.

That's a problem Facebook can't fix

[raymorris]

> Access to police email systems?
> Seems like this is the core problem.... If you secured the email system better ...

Sure, that's a problem. A problem your local police department should fix.

Facebook can't fix that problem, of course.
The problem for Facebook is that when they get emails from chief@dallaspolice.gov saying that a photo shows a kid who was abducted by a stranger, they don't know if that email is legitimate or not. That's the problem Facebook has to deal with. If society wants to have in

Re:

[aaarrrgggh]

The system should never be via email. It should be via some kind of portal with multi-factor authentication as well as out-of-band verification.

Re:

[taustin]

Or, better yet, Facebook (or whoever) could pick up the phone and call the public contact number for the department (on the department's web site, easily verified outside of the fake email) and talk to the requesting officer directly (there is a name in the request, right?).

This would also increase the efficiency of the whole process by making the conversation interactive in real time (less back and forth with questions), including the officer being able to verify they received the requested information.

But

Re:

[cciechad]

SS7 is not secure. I'm sure a determined actor could probably take control of the number or get the telco to send it to them through social engineering.

Re:

[taustin]

Then it's hopeless, and you should jump off a bridge now to avoid the Christmas rush.

Re:

[Pinky's Brain]

It wouldn't just take determination, also risk and resources. You can't make it impossible, but you can make it more expensive. Just doing a simple phone number lookup and verifying by phone makes it far more expensive to hack than pure email.

Security in economics.

Re:

[fafalone]

You can't stop a determined, highly skilled opponent, especially a state sponsored one... but if you can stop the legions of script kiddies, well now at least it's a small problem not affecting too many people. The number of people who can carry out a SS7 attack is many orders of magnitude small than the number of people who can get into a poorly secured e-mail account.

Re:

[cciechad]

You don't even need to be able to hack SS7. Back in the day when crypto exchanges did SMS verification and resets they would just bribe some low level lackey at AT&T or some other phone company to reroute the number or just call up customer support and talk them into doing it.

Even easier than that. I can take over the PD numb

[raymorris]

Once upon a time, a hacker showed a secret service agent that he had taken over the phone number for the Atlanta secret service office.

He went to the secret service office nearest his home to meet with the agent. He asked the agent "do you have a phone on you?" When the agent replied he did, the hacker said "call the Atalanta office". The agent did. The hacker opened his laptop and played back the recording of the agent's call.

This hack doesn't require anything related to SS7. It doesn't require social eng

Re:

[timeOday]

It seems like whatever system is used, it ought to trace its provenance back to the originating judge using a digital signature, since that is the person with legal authority. How that might work in practice is the orders are administered on a website that requires 2fa to create or modify one. The police are then really just referring the company receiving the order back to that system using an email or phonecall.

Re:

[timeOday]

Oops, now I see.

Of course "ideally" the police should have uniform ways to authenticate themselves, but that is very difficult with 1000's of jurisdictions making their own rules in the US. Preserving local autonomy AND responding rapidly to large numbers of incidents AND avoiding any misfires is indeed a tall order.

Re:

[King_TJ]

Right.... I think the need for a rapid response and the possibility of the request coming from any department, anywhere, means you're not going to have complete security here. But you at least want to make it more difficult to hack the system. That's why I suggested it needs to start with the police departments using as secure an email system as they can.

Secondarily? I'd think there either is or *should* be a pretty serious punishment involved for impersonating an officer via hacking the departmental ema

Re:

[ranton]

Of course improving police email security would help reduce the size of the problem, but it cannot be considered part of the solution. Any sufficient solution needs to assume a police email account can be hacked.

Needs a catchier name

[srussia]

How about "spoofing" or "civil data forfeiture?

Judges are on call at all times

[rsilvergun]

To sign off on subpoenas. There was never any need for the ability to request these if you have a life or death situation you can get a subpoena within minutes.

I've been getting political ads now that the midterms are getting closer and none of them have any policy in them. It's mostly about how such and such politician had a drunk driving conviction or something nonsensical like that.

Change who you vote for and vote in your primary. Never listen to a politician. They use body language to trick you

Re:

[smooth wombat]

It's mostly about how such and such politician had a drunk driving conviction or something nonsensical like that.

It's not nonsense. If the person running for office says they'll be tough on crime, then having one (or more) conviction for drunk driving doesn't sound like they're tough on crime because otherwise they would know it's illegal to drive drunk.

The same if someone says they'll lower taxes and you find out they haven't been paying taxes for years.

What you consider nonsense goes to th

Re:

[taustin]

What color is the sky in fantasy land? Even in big cities, courts don't always operation 24 hours a day, 7 days a week. And judges don't like being woke up at 3:00 AM.

Re:

[drinkypoo]

Yes, this. Nobody should ever hand over any PII to any law enforcement organization without a warrant, period. They can get a warrant on any specious basis at any time in most jurisdictions, so that is frankly a stupendously low bar.

Re:

[GlennC]

Change who you vote for and vote in your primary

The "Republican" and "Democratic" wings of the Party have primaries.

Some of us don't want either side of the Party. What are we supposed to do then?

Simple solution

[Schoenlepel]

Require such mails to attach a phone number. Only send the data if the request has been confirmed by voice. This ought to get rid of quite a big chunk of the fake subpoenas.

No phone number? No data. Of course the phone number gets checked when the subpoena is received (to prevent fakes).

Re:

[torkus]

Require such mails to attach a phone number. Only send the data if the request has been confirmed by voice. This ought to get rid of quite a big chunk of the fake subpoenas.

No phone number? No data. Of course the phone number gets checked when the subpoena is received (to prevent fakes).

While it might stop a portion, if a hacker has infiltrated a police email system i'm pretty sure they can get a voip/GV number in the area code of the precinct and pretend to be a cop. If they can scam people out of a nearly endless stream of $, do you really think the folks at google/apple/fb/etc. handling these requests are going to use their spidey sense and turn down what could be legal requests in life-or-death situations? I think not.

Re:

[Vegan Cyclist]

You just need a more thorough calling system.

Call the precinct's public number (not provided by the emailer), and connect to the officer that way.

Oh, there is no Officer Frank Drebin at that precinct? Let them know someone is attempting to impersonate one of their staff, and forward the email details and let them handle it if they wish.

Hackers Gaining Power of Subpoena...

[nuckfuts]

"... using their illicit access to police email systems".

I think I see what the problem is here.

Re:

[mrbester]

"...and the request appears to come from an email address connected to an actual police department domain name"

"Appears". That's even easier than going to all the trouble of hacking an email account. Not that that is much trouble...

No verification process?

[Monoman]

How do they not have a quick and easy way for an EDR recipient to verify it is legitimate?

Call the PD, FBI, or whoever sent it by telephone. If they have the staffing to send an EDR then they have the staffing to answer a phone.

Re:

[kwalker]

I wanna see that phone list.

It's not like they'll be able to trust any phone number in the (Possibly fraudulent) EDR, and if you just google their phone number, that will end up in phone-tree hell, assuming you can even find one.

Re:

[Monoman]

That phone list has one rule, nobody gets to see the phone list.

jk

These agencies already have procedures, call lists, etc. It should NOT be that hard.

Simple solution

[Kisai]

I know this might come across as obvious, but why not leverage the existing mechanisms in place for verifying the identity of an emergency service? Like physical law enforcement vehicles, ambulances, firetrucks, all have distinctive features that are difficult for someone to copy. Let's do that with a special phone number and email address system only for emergency services.

How I'd envision this, is that a special TLD be created, e911 or e112. All devices manufactured after a specific date recognize e911/e1

Corporate Capitalism vs nothing to lose crowd.

[Goatbot]

It had to happen, if the data is collected someone will figure out how to exploit for profit. What's the difference between a *Hacker* and a security manager. Surprised more law firms don't just offer this as a fee for service. Would not be difficult to justify these actions for any decent lawyer.

Trust but verify.

[lionchild]

I'm curious that if, in fact, a company gets an EDR, why can't they simply call the police department's main line, ask to speak with the originator of the EDR to confirm? This would require bad actors not only to compromise the email system, but also the Phone System and intercept/answer all calls to the main number. It's not fool proof, but it's extra work for the bad guys.

People are always both the strongest and weakest link in the security chain. Making the extra call to verify would likely provide a

Back in the day...

[fafalone]

You didn't even need to break into police e-mail. You just pretended to be some podunk small town cop whose department didn't have it's own website and e-mails yet. Because there absolutely were many departments like that, it would be hard to immediately verify late at night (local time where the department allegedly was), because nobody in the city/county government would answer calls at that hour.

If all the major sites are requiring and verifying the requests come from an official police domain/address,

"law and order" .. it just can't get more pathetic

[znrt]

"an investigating authority may make what's known as an Emergency Data Request (EDR), which largely bypasses any official review and does not require the requestor to supply any court-approved documents"

this is the only real problem here. not email security, not methodology, not anything of that ... the real issue here is that the police has a way to null and void civic rights without a court ordering so. what could possibly go wrong, you ask? well literally everything, even if the process worked as expecte

Re: "law and order" .. it just can't get more path

[ami.one]

Bingo.
And since the police dept is mostly misusing this facility so now we have some real or imaginary 'hackers' who can conveniently be blamed whenever some one gets caught misusing the EDR.

There can be a few rare cases where tracking someone online would save a life, but mostly it would be police trying to get details on something which is difficult to get a judge to sign off on.

Besides if they are so pressed for time, they would anyway get on a call with the ISP/Telco to expedite the info as soon as t

Re:

[PPH]

Don't comply.

I don't know what an EDR is. I've never been authorized to access the data you are requesting. I can forward your request to our legal department for clarification.

Many years (decades) ago when I worked for a public utility, some scruffy looking guy walked into our construction and engineering office. He claimed to be an undercover officer and needed access to a customer's records "right now". Not wanting to make a scene with what might be an unstable individual, I said "Certainly, sir. Right

Hard to verify?

[superdave80]

Seriously, just look up the local precinct phone number, call, and say, "We need to speak to officer X or someone in charge to verify this request." Relying on email only seems like a huge, unnecessary risk.

Re:Easy to verify, but not in bulk.

[Reiyuki]

Email would be more efficient for bulk requests. Some companies probably get hundreds or thousands of requests per week, which would explain why they don't even bother to check to confirm if they're real or not.

Re:

[kwalker]

So only the local precinct can put in EDRs? What about the FBI? BATFE? Marshalls? Or a precinct in another state (This IS the Internet we're talking about). Just calling the local unified PD is going to get you the run-around.

Re:

[superdave80]

All of those places you listed have phone numbers as well. And when I said 'local precinct', I meant the precinct that made the request, not necessarily the precinct closest to the company making the request.

Should require a call back.

[gurps_npc]

When they approve an "Email" as police, it should be connected to a specific phone number as well as a jurisdiction.

When you get an email request, you should call the phone number to confirm. Thirty seconds is all it will take, a lot less than it takes to fulfill many such requests.

Most of the time there should be a longer wait for the request to be processed than it takes to confirm via phone call.

Re: Should require a call back.

[ami.one]

So a printed yellow pages or phone directory is what you need