Best of 2020: BlueLeaks is Huge FAIL for Anonymous and DDoSecrets
As we close out 2020, we at Security Boulevard wanted to highlight the five most popular articles of the year. Following is the fifth in our series of the Best of 2020.
Anonymous and Distributed Denial of Secrets have published 269GB of private law enforcement data. They justify the leak, collectively called “BlueLeaks,” by claiming it “provides unique insights into law enforcement and a wide array of government activities.”
But what about the unintended consequences? They could be huge—including the murder of witnesses, scapegoating of the innocent and the targeting of individual police officers.
What were they thinking? In today’s SB Blogwatch, we struggle to understand.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: 120V TMI.
BlueLeaks: Not Clever
Can’t drive? Ride the Brian Krebs cycle—“‘BlueLeaks’ Exposes Files from Hundreds of Police Departments”:
BlueLeaks … stems from a security breach at … Netsential, a Houston-based web development firm [which] maintains a number of state law enforcement data-sharing portals. The collection — nearly 270 gigabytes in total — is the latest release from Distributed Denial of Secrets (DDoSecrets), an alternative to Wikileaks.
…
[I] obtained an internal June 20 analysis by the National Fusion Center Association (NFCA), which confirmed the validity of the leaked data: … “Our initial analysis revealed that some of these files contain highly sensitive information.” … (Fusion centers are state-owned and operated entities that gather and disseminate law enforcement and public safety information between state, local, tribal and territorial, federal and private sector partners.)
…
The NFCA said a variety of cyber threat actors, including nation-states, hacktivists, and financially-motivated cybercriminals, might seek to exploit the data exposed in this breach [via] cyber attacks. … Netsential Director Stephen Gartrell declined to comment.
And Catalin Cimpanu adds—“Data from 200 US police departments & fusion centers published”:
Distributed Denial of Secrets (DDoSecrets) [is] a group that describes itself as a “transparency collective.” … According to the BlueLeaks portal, the leaked data contains more than one million files, such as scanned documents, videos, emails, audio files, and more [and that] most of the files are police and FBI reports, security bulletins, law enforcement guides [and] contain sensitive and personal information, such as names, bank account numbers, and phone numbers.
…
Fusion centers are involved in training officers and relaying federal alerts, guides, and other instructions from the central government to local police stations and vice versa. [Some] alerts contained instructions and points of focus for US police forces involved in the Black Lives Matter protests.
From the horse’s mouth? Distributed Denial of Secrets—@DDoSecrets—tweets up a storm:
#BlueLeaks provides unique insights into law enforcement and a wide array of government activities, including thousands of documents mentioning #COVID19. [It also] uncovers a database used by law enforcement to track Roma and [“gypsy”] travelers in the name of protecting the elderly. … As we understand it, the #BlueLeaks data wasn’t stored on a system cleared for classified information.
…
DDoSecrets publishes materials submitted by sources, both leakers and hackers. We provide a stable platform for the public to access data and an anonymity shield for sources to share it, but are uninvolved in the exfiltration of data.
So where did the trove actually come from? Andy Greenberg finds out—“Anonymous Stole … Megatrove of Police Documents”:
Anonymous is back—and it’s returned with a dump of hundreds of gigabytes of law enforcement files and internal communications. … DDOSecrets founder Emma Best [says] the hacked files came from Anonymous—or at least a source self-representing as part of that group, given that under Anonymous’ loose, leaderless structure anyone can declare themselves a member.
…
For Anonymous [it] represents perhaps the most significant action the group has undertaken in the US in years. [It] harks back to the 2011 operations of the Anonymous subgroup Antisec, whose members—including the prolific hacktivist Jeremy Hammond—stole and leaked data from a wide array of law enforcement targets in support of Occupy Wall Street protesters. … Hammond himself is still serving a 10-year sentence for his hacking crimes.
…
DDOSecrets … argues that the documents … reveal legal but controversial practices, as well as the tone of police discussions around groups like Antifa. … For those organizations and their members and employees, the effects could in some cases amount to more than mere embarrassment.
But the chilling effects? Ilia Kolochenko opines thuswise:
This leak will likely have disastrous effects for many innocent people, including people charged with crimes who later were acquitted. … Furthermore, it will jeopardize legally protected people, like witnesses, who helped investigators convict dangerous criminals.
…
[It] will now literally cause the death of the witnesses if their identity is revealed to the criminals or … accomplices. [And] it will substantially hinder the performance of daily law enforcement operations … bolstering street crimes and violent crime, exposing thousands of helpless people to the risk of serious bodily injuries and death.
And Rann Xeroxx copiess thatt concernn: [You’re fired—Ed.]
Hopefully the police, who risk their lives everyday, and their families, whose anxiety and worry about the danger [they] are exposed to everyday … do not have to worry about doxxing and being targeted by … criminals and terrorists and thugs from … hate groups.
More to the point, what about the other people in the database? JSeattle points the finger:
I’m all for exposing the misconduct of our police, but unfortunately, most of the really sensitive data is likely to belong to suspects and victims. I’m talking full names, SSNs, DL#s, license plates, home/work addresses, and financial information; not to mention incident reports which may detail what could be the worst days in many of their lives.
So thanks a lot to whoever leaked this for exposing these folks to more suffering. Nice job supporting the movement.
In brief, LenKagetsu calls it “really bad”:
This is the wet dream of anyone seeking revenge against a snitch, an abusive ex, blackmailers, organized criminals, and other scumbags. They basically painted huge targets on an unfathomable number of private citizens.
But how did the hackers get in? joekrill picks apart Netsential’s story (such as it is):
Sounds like they are trying to spin it as some malicious user “broke in”. If a “customer user account” is able to upload a malicious payload and exfiltrate huge amounts of other customers’ data, there’s a much larger, underlying problem here. Hard to see how Netsential could get through this fiasco and still have any business.
…
Netsential clearly had a massive security vulnerability in their system that allowed one user to access the data of all other users. That’s very much on them.
Consider a company that provides physical storage units and advertises that they are secure and can only be accessed by their owner. Then it turns out that there was a back alleyway running behind all the units that allowed any owner who had access to one unit the ability to access any other unit, without a key.
…
You’d have a hard time convincing me that the company itself wasn’t primarily at fault for such a huge oversight in the first place. And I certainly would never use them again.
Meanwhile, Opportunist sees an opportunity:
If you put something online, expect it to be published at some point in the future. That’s why you don’t keep your private stuff online. Or rather, that’s why you shouldn’t.
And Finally:
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.
Image sauce: Matt Popovich (cc0)