An online attack against dozens of rural American law enforcement agencies in which emails, credit card numbers and crime tips were stolen and posted on the Internet has left some officials wondering how they can ward off future hacking attempts, if at all.
The attack by the hackers’ collective Anonymous on agencies in five states — Arkansas, Kansas, Louisiana, Missouri and Mississippi — was likely so broad in scope because many sites were hosted by the same company, Brooks-Jeffrey Marketing, of Mountain Home, Ark. But the theft exposed a “dirty little secret” about hacking — the best hackers can beat the tools meant to stop them and many potential victims don’t know it, said Anup Ghosh, the co-founder and CEO of the software security company Invincea.
“Everyone is getting compromised. You either know it or you don’t,” Ghosh said Monday.
Hackers have evolved
Most of the technology meant to prevent hacking was developed in the mid- to late-1990s, yet hackers have continued to develop their trade, Ghosh said.
“The guys writing the attack codes have evolved their technologies considerably,” he said.
What has changed is that “hacktivists” such as Anonymous want the world to know about their crimes, breaches that were once kept quiet or that went unnoticed by hacking targets are now being trumpeted.
“The hacktivists benefit by making public the fact that they’ve compromised those networks and they’re putting the data out there essentially to embarrass those organizations and cause harm,” Ghosh said.
After posting the stolen law enforcement data online Saturday, Anonymous members taunted local sheriffs on Twitter and the group’s website, saying they wanted to embarrass and discredit law enforcement after a series of arrests targeting alleged members of the group.
Much of the pilfered information appeared to be benign, but some emails contained crime tips, profiles of gang members and other sensitive information. The attacked websites appeared to be back up Monday, and the stolen information remained online elsewhere.
In Missouri, nine county sheriffs and the state sheriffs association were hacked, and deputies’ credit card information and home addresses were made public. In small-town Gassville, Ark., hackers posted photos of teenage girls in their swimsuits that were sent to Police Chief Tim Mayfield as part of an ongoing investigation, Mayfield said. The hackers also said they used credit card numbers to make “involuntary donations” to a variety of groups. One person confirmed to The Associated Press that his credit card was used.
Kansas offices hacked
The Jefferson County Sheriff’s Office and the Kansas Sheriff’s Association were among the websites hacked by Anonymous.
It’s unclear whether any sensitive or confidential information was obtained from the Jefferson County website, said Sheriff Jeff Herrig.
“We don’t know,” said Herrig, expressing concern about the possibility that some of the leaked data could affect a case.
Sandy Horton, director of the Kansas Sheriff’s Association, said her group’s website does not contain any sensitive or personal information.
Both Herrig and Horton said the hacking caused problems with their websites, and they’ve been working on fixing any issues.
No other local law enforcement agencies were reportedly affected by the hacking, which is being investigated by the FBI.
The hackers posted 10 gigabytes worth of data.
Anonymous said Saturday it attacked 70 mostly rural law enforcement websites in the U.S. in retaliation for the arrests of some of its sympathizers.
Anonymous may have gone after the sheriff’s office because the hosting company, Little Rock-based Brooks-Jeffrey Marketing, was an easy target, said Dick Mackey, vice president of consulting at Sudbury, Mass.-based SystemExperts.
Mackey said many organizations don’t see themselves as potential targets for international hackers, causing indifference that can leave them vulnerable, he said.
“It seems to me to be low-hanging fruit,” he said. “If you want to go after someone and make a point and want to have their defenses be low, go after someone who doesn’t consider themselves a target.”