Experts: Small targets no match for savvy hackers
LITTLE ROCK, Ark. – An online attack against dozens of rural American law enforcement agencies in which emails, credit card numbers and crime tips were stolen and posted on the Internet has left some officials wondering how they can ward off future hacking attempts, if at all.
The attack by the hackers' collective Anonymous on agencies in five states — Arkansas, Kansas, Louisiana, Missouri and Mississippi — was likely so broad in scope because many sites were hosted by the same company, Brooks-Jeffrey Marketing, of Mountain Home, Ark. But the theft exposed a "dirty little secret" about hacking — the best hackers can beat the tools meant to stop them and many potential victims don't know it, said Anup Ghosh, the co-founder and CEO of the software security company Invincea.
"Everyone is getting compromised. You either know it or you don't," Ghosh said Monday.
Most of the technology meant to prevent hacking was developed in the mid- to late-1990s, yet hackers have continued to develop their trade, Ghosh said. "The guys writing the attack codes have evolved their technologies considerably," he said.
What has changed is that "hacktivists" such as Anonymous want the world to know about their crimes. Breaches that were once kept quiet or that went unnoticed by hacking targets are now being trumpeted. "The hacktivists benefit by making public the fact that they've compromised those networks and they're putting the data out there essentially to embarrass those organizations and cause harm," Ghosh said.
After posting the stolen law enforcement data online on Saturday, Anonymous members taunted local sheriffs on Twitter and the group's website, saying they wanted to embarrass and discredit law enforcement after a series of arrests targeting alleged members of the group.
Much of the pilfered information appeared to be benign, but some emails contained crime tips, profiles of gang members and other sensitive information. The attacked websites appeared to be back up Monday, and the stolen information remained online elsewhere.
In Missouri, nine county sheriffs and the state sheriffs association were hacked, and deputies' credit card information and home addresses were made public. In small-town Gassville, Ark., hackers posted photos of teenage girls in their swimsuits that were sent to Police Chief Tim Mayfield as part of an ongoing investigation, Mayfield said. The hackers also said they used credit card numbers to make "involuntary donations" to a variety of groups. One person confirmed to The Associated Press that his credit card was used.
The FBI and several law enforcement agencies are investigating the attack, said Steve Frazier, a spokesman for the FBI's Little Rock office. He declined to comment further.
Kevin Mitnick, a Las Vegas security consultant and a former hacker, said simple security audits, in which someone like him tries to hack into a site, can show a website's vulnerabilities, which can then be fixed.
But Heather Egan Sussman, an attorney in Boston who specializes in information privacy, said she wondered if cash-strapped government agencies can afford the privacy measures they need.
"I think what we're seeing are state and local agencies that are underfunded, overworked, overstressed," she said. "And yet they are housing some of the most sensitive data about citizens and residents."
Several of the sheriffs whose sites were compromised have downplayed the attack, saying they're not sure what was taken or that they don't keep sensitive information online.
"The stuff on the website, really, I'm not even concerned about," said Sheriff Joe Guy of McMinn County, Tenn. "It's out there for the public to see."
But others, including Guy, questioned whether their websites would be more secure if they weren't hosted alongside dozens of others run by the same company.
"Based on what's been posted online, this has purely been an attempt to embarrass law enforcement," said Guy, whose department pays Brooks-Jeffrey Marketing about $200 per month. Hosting a site privately "might have reduced the chances of it purely because it wouldn't be in a provider that does law enforcement," he said.
Brooks-Jeffrey officials did not respond to repeated messages seeking comment about the online attack.
Brad DeLay, the sheriff in Lawrence County, Mo., said he doubted that changing the way officials operate websites, such as having the state or a law enforcement organization develop a site for all sheriffs, would stop the hackers.
"There are hackers out there," DeLay said. "If they want in, they're going to get in. That's been proven time and time again with the FBI, the Pentagon. Nothing is completely foolproof."
Ghosh agreed and noted that placing all county sheriffs under one umbrella — like Brooks-Jeffrey did — might make hacking easier. "Now it would take a single hack to get all the information," he said.