This article includes some of the files and passwords they posted on the web. Same for this article.
Arizona DPS system hacked: LulzSec group claims responsibility
by Matt Haldane - Jun. 23, 2011 06:08 PM
The Arizona Republic-12 News Breaking News Team
An international group identifying itself as LulzSec claims it hacked into the Arizona Department of Public Safety's computer and downloaded a trove of sensitive law enforcement files now being distributed on the Internet.
LulzSec said in a bulletin that it targeted DPS because it opposes SB 1070, a law the Arizona Legislature passed that widened state law-enforcement officers' ability to target illegal immigrants. The law, which has been copied by several states, is largely on hold pending a review by the U.S. Supreme Court.
Steve Harrison, a DPS spokesperson, confirmed late Thursday that the agency's system had been hacked earlier in the day. He told 12 News the agency had heard rumors that someone was working on hacking the agency's system, but DPS could not do anything until the system was actually breached.
Experts are working on closing the loopholes and have closed external access to the DPS system.
Officers can still communicate internally, Harrison said.
According to news reports, the anonymous computer-hacking group has taken credit for breaching websites of the Central Intelligence Agency, the U.S. Senate, the Public Broadcast System, and numerous video game companies -- Sony being the latest target.
LulzSec posts its exploits on Twitter, and as of Thursday, claimed more than 261,200 followers.
On Thursday afternoon, LulzSec taunted Maricopa County Sheriff Joe Arpaio on his official account, saying, "Media? Heat? You?" The tweet included an expletive in Spanish aimed at the Border Patrol. [Perhaps Ch*nga la Migra? - Good guess!!!!]
Asked if Maricopa County was taking special precautions amid the high-profile attacks, a county spokesman declined to provide details, saying only, "We are always vigilant."
In a bulletin accompanying the latest torrent of information, LulzSec said:
"We are releasing hundreds of private intelligence bulletins, training manuals, personal email correspondence, names, phone numbers, addresses and passwords belonging to Arizona law enforcement. We are targeting AZDPS specifically because we are against SB1070 and the racial profiling anti-immigrant police state that is Arizona."
The group said it would release more information every week to embarrass military and law enforcement officials "in an effort not just to reveal their racist and corrupt nature but to purposefully sabotage their efforts to terrorize communities fighting an unjust 'war on drugs.' "
Arizona DPS system hacked: LulzSec group claims responsibility
by Yvonne Wingett Sanchez, Matt Haldane and Shaun McKinnon
Jun. 24, 2011 12:00 AM
The Arizona Republic
Computer experts are trying to determine how an international group of hackers broke into the Arizona Department of Public Safety's computers on Thursday and downloaded and released hundreds of law-enforcement files.
The hacking group LulzSec, which has taken responsibility for breaching the websites of the CIA and the U.S. Senate, said in a bulletin that it targeted the DPS because LulzSec opposes Senate Bill 1070, a law the Arizona Legislature passed that widened law-enforcement officers' ability to apprehend illegal immigrants. The law is largely on hold pending a review by the U.S. Supreme Court.
The DPS files, posted on LulzSec's website, include personal information about officers and numerous documents ranging from routine alerts from out-of-state police agencies to videos and photos about the hazards of police work and operations of drug gangs. The names of the files are as innocuous as "resume" and "evaluation form" and as provocative as "cartel leader threatens deadly force on U.S. police."
In its Web posting, the group said the files were primarily related to U.S. Border Patrol and counterterrorism operations.
The hackers vowed to release more classified documents each week as a way to embarrass authorities and sabotage their work.
Steve Harrison, a DPS spokesman, confirmed late Thursday that the agency's system had been hacked earlier in the day. The agency had heard rumors that someone was working on hacking the agency's system, but the DPS could not do anything until the system was actually breached, Harrison said.
Gov. Jan Brewer was briefed on the situation, but her spokesman referred all questions to the DPS.
Experts are working on closing the loopholes and have closed external access to the DPS system.
Harrison said the release of officers' personal information is alarming. This information included the names of eight officers, their spouses' names, cellphone numbers and addresses.
"When you put out personal information, you don't know what kind of people will respond," Harrison said, noting that another officer was attacked at his home Thursday morning in an unrelated incident.
The only breach identified by the DPS so far has been that of the e-mail accounts, the passwords of which were also posted online. The agency suspects most, if not all, of the information released was obtained via what was available on those accounts.
Although LulzSec claims some of the files were labeled "not for public distribution," Harrison said. The DPS did not believe any sensitive information that would compromise current investigations was leaked.
Many of the files reflect the mundane concerns of law enforcement. Others offer insight into efforts to keep pace with rapidly evolving technology and the ways criminals take advantage of it.
Some documents also relate to the DPS' effort to address issues of alleged racial profiling, stemming from a 2001 lawsuit that the agency agreed to settle. As part of that agreement, the DPS has continued to allow a university research firm to collect data on its officers' traffic stops.
Other documents included an intelligence bulletin about the leader of a Mexican drug cartel, an advisory from the Arizona Counter Terrorism Intelligence Center and Highway Patrol operational plans for responding to border threats.
According to news reports, the anonymous computer-hacking group has taken responsibility for breaching websites of the CIA, the U.S. Senate, the Public Broadcast System and numerous video-game companies.
LulzSec posts its exploits on Twitter and, as of Thursday, claimed more than 261,200 followers.
Aaron Sandeen, the state's chief information officer, said a national cybersecurity agency that monitors state websites notified his office of a potential breach.
The DPS website was shut down immediately, Sandeen said, and IT teams went to work "to make sure there was no outbreak anywhere else within the network."
The DPS information system is separate from the rest of state government, he said. No other state agency websites have been compromised, he said.
Sandeen said the DPS attack appeared to have been malware.
DPS employees late Thursday were comparing passwords and e-mail addresses to verify whether the information LulzSec has published matches actual DPS accounts.
"DPS is working to verify all user accounts, change all passwords and make sure everything is secure," Sandeen said. "We have to validate that it is a legitimate hack and it's legitimate information."
IT teams also were looking for the source of the cyberattack by scanning internal computer files for unusual activity, such as peaks of usage.
For example, Sandeen said increased traffic this week on the DPS sex-offender registry could provide some clues.
"I don't know if that's related, but that's something we will look into," he said.
On Thursday afternoon, LulzSec taunted Maricopa County Sheriff Joe Arpaio on his official account, saying, "Media? Heat? You?" The tweet included an expletive in Spanish aimed at the Border Patrol.
Sheriff's Deputy Chief Jack MacIntyre said the Sheriff's Office is taking "some countermeasures" with the agency's IT system.
"We will be cooperating with DPS to make sure that we minimize any possible impact," he said. Asked if the sheriff's computer systems had been compromised, MacIntyre responded, "We don't think so, we're looking at that - although we're not absolutely sure. We're working on it full-scale with all our IT people."
Sen. Linda Gray, chairwoman of the state Senate's Public Safety and Human Services Committee, said she was unaware of the attack. But she did worry about confidential employee information, such as home addresses and other identifying details, being disseminated on DPS personnel.
Much of that information is shielded from public disclosure in the interest of protecting law enforcement who work on sensitive matters, she said.
Asked if Maricopa County is taking special precautions amid the high-profile attacks, a county spokesman declined to provide details, saying only, "We are always vigilant."
In a bulletin accompanying the latest release of information, LulzSec said:
"We are releasing hundreds of private intelligence bulletins, training manuals, personal e-mail correspondence, names, phone numbers, addresses and passwords belonging to Arizona law enforcement. We are targeting AZDPS specifically because we are against SB 1070 and the racial profiling anti-immigrant police state that is Arizona."
The group said it will release more information every week to embarrass military and law-enforcement officials "in an effort not just to reveal their racist and corrupt nature but to purposefully sabotage their efforts to terrorize communities fighting an unjust 'war on drugs.' "
Republic reporters Ronald J. Hansen, Sean Holstege and Mary K. Reinhart contributed to this article.
Ariz. state police checking computers after attack
MARK CARLSON, Associated Press THE ASSOCIATED PRESS STATEMENT OF NEWS VALUES AND PRINCIPLES
PHOENIX (AP) — State police said Friday that they are checking security and have launched an investigation to determine the extent of an attack on the police agency's computer system.
The Lulz Security hacking collective claimed on Thursday that it successfully accessed the Arizona Department of Public Safety computer system and took data including sensitive case files and the phone numbers and addresses of some officers.
So far, only seven out of DPS' 1,700 employees have had their email accounts compromised and their personal information seized by the group of overseas computer hackers, an agency spokesman said.
"We're concerned that somebody was able to get that far," DPS Capt. Steve Harrison said Friday in an interview with The Associated Press. "We don't consider it so severe that it's going to compromise future investigations."
Harrison said it doesn't appear the hackers accessed DPS' main server, but they may have gained entry to a computer that officers use to log onto email accounts and download whatever information was on that computer's hard drive.
Some of the data the hackers may have obtained is information that DPS doesn't want to fall into the hands of drug traffickers and other criminals, Harrison said.
"It could be how drug trafficking organizations work, drug concealment methods — things that we wouldn't necessarily want drug traffickers to know that we know," he said.
State police notified other police agencies after the attack occurred, urging them to apply security measures and protocols to check and secure computer systems in case Lulz attempted to access other police computer systems in Arizona.
DPS has not received any reports of other police computer systems being compromised, Harrison said.
A spokesman for the Phoenix office of the FBI says the agency was aware of the computer hacking situation at DPS.
"At this time we're not confirming or denying that we're involved in the investigation," said agent Manuel Johnson, an FBI spokesman.
The cyber attackers said they were specifically targeting DPS because of the state's tough immigration enforcement law known as SB1070 "and the racial profiling anti-immigrant police state that is Arizona."
The Lulz group also said it planned to release "more classified documents and embarrassing personal details of military and law enforcement" every week, but it was unclear whether other Arizona agencies were targeted.
Jun. 20, 2011 6:35 PM ET
Hackers claim attack on FBI partner in Conn.
STEPHEN DOCKERY, Associated Press THE ASSOCIATED PRESS STATEMENT OF NEWS VALUES AND PRINCIPLES
HARTFORD, Conn. (AP) — Hackers who claimed responsibility for online attacks of Sony Corp. and the CIA said they compromised the security of more than 1,000 accounts of a Connecticut-based FBI partner organization, hours before releasing a web manifesto calling for "war" on governments that control the Internet.
The online collective Lulz Security said it attacked a local section of InfraGard, a partnership between the FBI and the private sector to share security information. Connecticut InfraGard's website was down Monday afternoon.
The FBI was aware of the attack and that the website had been shut down as a precaution, agency spokeswoman Jenny Shearer said. She declined to comment on the extent of any damage.
Lulz tweeted Sunday night that its Connecticut attack had "compromised 1000+ FBI-affiliated members." The group said it would not leak the user information but would embarrass the FBI with "simple hacks." It did not provide details on the information it said was compromised.
InfraGard is an association of businesses, academic institutions and law enforcement agencies dedicated to sharing information to prevent hostile acts against the United States, according to its website. Business representatives who participate get access to security information from government sources such as the FBI and Department of Homeland Security and can participate in discussions with others in the IT-security field.
This month, the Atlanta chapter of InfraGard said hackers stole 180 passwords from its members and leaked them online. Lulz also claimed responsibility for that attack, saying it was a response to a report that the Pentagon was considering whether to classify types of cyber-attacks as acts of war.
After announcing the Connecticut attack, the group issues its statement calling for a united hacker effort against governments and organizations that control the Internet.
"Our Lulz Lizard battle fleet is now declaring immediate and unremitting war on the freedom-snatching moderators of 2011," the group said in the statement, which was written in its characteristic rambling speech.
The group said it was teaming with another hacker collective, Anonymous, and encouraged others to fight corruption and attack any government or agency that "crosses their path" including banks and other "high-ranking establishments."
Anonymous is a group of online activists that has claimed responsibility for attacking companies online such as Visa, MasterCard and PayPal over their severing of ties with WikiLeaks following that group's release of troves of sensitive documents. Anonymous also led a campaign against the Church of Scientology.
Anonymous and similar hacker organizations are notable for their leaderless, diffuse construction that maximizes secrecy but can lead to mixed or unclear messages.
Lulz has taken credit for hacking into the PlayStation Network of Sony Corp., where more than 100 million user accounts were compromised, and defacing the PBS website after it aired a documentary seen as critical of WikiLeaks founder Julian Assange. The hackers also say they are responsible for attacks on the CIA webpage and the U.S. Senate computer system.
Jun. 24, 2011 3:50 PM ET
A timeline of hacking group LulzSec's attacks
THE ASSOCIATED PRESS STATEMENT OF NEWS VALUES AND PRINCIPLES The Associated Press
A timeline of Lulz Security's international hacking spree:
— Early May: LulzSec sets up shop on Twitter and claims its first series of hacks, leaking what it says is a database of "X Factor" contestants and attacking Fox.com.
— May 30: LulzSec breaks into the website of the U.S. Public Broadcasting Service, or PBS, posting a phony story claiming that dead rapper Tupac Shakur is actually alive in New Zealand. The hack came after the broadcaster aired a documentary seen as critical of WikiLeaks founder Julian Assange. PBS's ombudsman defends the program's treatment of Assange as "tough but proper."
— June 2: LulzSec announces that it has broken into Sony Pictures Entertainment, posting the usernames, passwords, email addresses and phone numbers of tens of thousands of people, many of whom had given the company their information for sweepstakes draws. The group said it had compromised about 1 million accounts but could only leak a small selection. Sony calls in the FBI.
— June 3: The hackers strike again, this time announcing that they've stolen about 180 passwords from the Atlanta chapter of an FBI partner organization called InfraGard. The group also claims to have used one of the passwords to steal nearly 1,000 emails from Unveillance LLC, an Internet surveillance company in Delaware. Among the emails is a report outlining how Libya's oil infrastructure could be compromised by sophisticated computer viruses.
— June 10: LulzSec leaks what it says is a database of email addresses and passwords belonging to users of an established pornography website. A handful appear to belong to U.S. Army personnel.
— June 13: LulzSec attacks the U.S. Senate, although there doesn't appear to be much damage. A law enforcement official says that a public-facing server was accessed and that no other files were breached. The group also claims to have stolen information on more than 200,000 users from video game company Bethesda Softworks, which makes games such as "Brink" and "Fallout: New Vegas."
— June 16: LulzSec claims responsibility for technical problems with the CIA's public website.
— June 20: LulzSec claims to have hit another branch of InfraGard — this time in Connecticut — compromising several hundred more accounts. The group also claims responsibility for bringing down the public website of Britain's FBI equivalent, the Serious Organized Crime Agency.
— June 21: A 19-year-old Brit is arrested on suspicion of cybercrime following a joint FBI-Scotland Yard investigation. He's later charged with attacking the Serious Organized Crime Agency. British police have hailed the arrest as a significant development, but LulzSec says his involvement with the group was only tangential. The teen has yet to enter a plea.
Jun. 24, 2011 3:48 PM ET
Brazen, publicity-seeking hackers on attack spree
PETER SVENSSON, Associated Press
RAPHAEL G. SATTER, Associated Press THE ASSOCIATED PRESS STATEMENT OF NEWS VALUES AND PRINCIPLES
LONDON (AP) — Can you be famous if no one knows your name? A new band of hackers is giving it its best shot, trumpeting its cyber-capers in an all-sirens-flashing publicity campaign.
Lulz Security has stolen mountains of personal data in a dozen different hacks, embarrassing law enforcement on both sides of the Atlantic while boasting about the stunts online.
The group, whose name draws on Internetspeak for "laughs," has about 270,000 followers on the messaging site Twitter. Although LulzSec has declined interview requests, it has laid out its prankster philosophy in "tweets" and press releases.
"Vigilantes? Nope. Cyber terrorists? Nope. We have no political motives — we do it for the lulz," the group said in a message sent shortly after it emerged in early May.
LulzSec's Twitter mascot is a black-and-white cartoon dandy that looks like a cross between Mr. Peanut and The New Yorker magazine's monocle man. Its rambling messages are peppered with references to YouTube sensation Rebecca Black, the Dungeons and Dragons role playing game and tongue-in-cheek conspiracy theory.
One of LulzSec's victims says the group sets itself apart from the rest of the hacker underground with its posturing and bragging on Twitter.
"Most of the hacker groups that are pretty well known out there ... don't really like to flaunt their findings. They'll do it among their peers, but not typically the public," said Karim Hijazi, a security expert whose emails were ransacked by the hacking group last month.
LulzSec made its name by defacing the site of the U.S. Public Broadcasting Service, or PBS, with an article claiming that rapper Tupac Shakur was still alive. It has since claimed hacks on major entertainment companies, FBI partner organizations, a pornography website and the Arizona Department of Public Safety, whose documents were leaked to the Web late Thursday.
Many attacks have yielded sensitive information including usernames and passwords — nearly 38,000 of them, in the case of Sony Pictures. Others appear to have been just for kicks. In a stunt last week, LulzSec directed hundreds of telephone calls to the customer service line of Magnets.com, a New Jersey-based manufacturer of custom refrigerator magnets.
LulzSec uses a similar technique to temporarily bring down websites, flooding them with bogus Internet traffic. This is an old hacker standby that doesn't require much sophistication. Members also break in to sites to steal data. That requires more skill and often involves duping employees into revealing passwords.
LulzSec's actions against government and corporate websites are reminiscent of those taken by the much larger, more amorphous group known as Anonymous. That group has launched Internet campaigns against the music industry, the Church of Scientology, and Middle Eastern dictatorships, among others.
Both are fiercely protective of the secret-busting site WikiLeaks. The hacking groups' supporters share the same brand of offbeat humor inspired by Internet catchphrases and viral videos.
LulzSec has repeatedly insisted on its independence.
"We're not AnonOps, Anonymous, a splinter group of Anonymous, or even an affiliate of Anonymous," the group has said. "We're LulzSec."
An Anonymous member told The Associated Press that he believed LulzSec was formed by people from Anonymous who got tired of the time it took to reach consensus and launch hacking projects. He said that they also wanted to go beyond the ethical boundaries of Anonymous.
"They wanted to go on more adventurous, brazen hacking adventures and really get their names out there," he said. He spoke on condition that his name is withheld given the pressure being put on Anonymous members by law enforcement.
Judging by the timing of its tweets and other communications, he believes that LulzSec is based mainly in the eastern half of the U.S., but a few members are European. The number of members is not known, but there appears to be no more than a handful, perhaps a dozen.
Anonymous also uses Twitter as a soapbox, but more as a way of recruiting helpers than publicizing its exploits. It's also been more selective about its targets. It attacked the Egyptian Ministry of Information's website during the revolution in the country, but has shied away from leaks of ordinary user information, for example.
There's every sign authorities are paying attention to the new group, although it isn't clear how much progress they've made in tracking the hackers down. On Tuesday, 19-year-old Ryan Cleary was arrested as part of a joint FBI-Scotland Yard investigation into hackings linked to both LulzSec and Anonymous.
British Police Commissioner Paul Stephenson described Cleary's arrest as "very significant," although LulzSec has shrugged off the development — and promised more spectacular hacks.
The Anonymous member believes law enforcement has little chance of finding LulzSec. He told the AP that LulzSec likely used such methods as logging on only from public Wi-Fi hotspots. Police could possibly trace the attacks to the hotspot, but by the time they get there, any hacker would be long gone.
Hijazi believes LulzSec harassed him because his firm, Unveillance, tracks "botnets" — clusters of computers that can be controlled remotely because they've been infected with malicious software. The botnets, each of which can have more than a million computers, are usually controlled by cybercrime gangs.
He speculates that LulzSec wants botnets because it would boost its power to bring down websites. But the group would be stepping on the toes of some very dangerous people if members started taking over botnets, he said.
"It's going to make everyone really mad, both the good guys and some really big bad guys," he said. "I hope law enforcement finds them first."
___
Peter Svensson contributed from New York.
Jun. 23, 2011 9:18 PM ET
Group says it hacked Ariz. public safety files
PHOENIX (AP) — A group that boasts of successfully hacking Sony and the CIA website now claims to have hacked into the computer files of an Arizona law enforcement agency.
The Lulz Security hacking collective announced Thursday that it was releasing "hundreds of private intelligence bulletins, training manuals, personal email correspondence, names, phone numbers, addresses and passwords belonging to Arizona law enforcement."
The cyber attackers say they were specifically targeting the Arizona Department of Public Safety because of the state's tough immigration policy.
Calls to the Arizona DPS and FBI officials weren't immediately returned Thursday evening.
But one DPS officer says he's aware his home phone number, email and home address have been posted and is in the process of getting his phone number changed.
Arizona DPS: LulzSec hacking started with officers' e-mails
by Ginger Rough - Jun. 24, 2011 01:51 PM
The Arizona Republic
The Arizona Department of Public Safety said Friday that an international group of hackers appeared to have breached a vulnerable spot in its network by accessing the e-mail of seven of its officers stationed in "remote areas" of the state.
Those seven officers were part of a separate e-mail system that did not require users to update their passwords on a regular basis, nor require a more complex combination of capital and lowercase letters and numbers as their entry code.
"Because we have people stationed all over the state, not everyone is on the same password requirements," DPS spokesman Steve Harrison said Friday. "We were in the process of changing that system over already. Obviously, this will make us go a little faster."
The hacking group LulzSec, which has taken responsibility for breaching the websites of the CIA and the U.S. Senate, said in a bulletin Thursday afternoon that it targeted the DPS because it opposes Senate Bill 1070, a tough immigration law passed in 2010 by the Arizona Legislature. The law is largely on hold pending a review by the U.S. Supreme Court.
Harrison said the more than 700 DPS files, posted on the LulzSec website, appear to either be attachments to the e-mails themselves or stored on the hard drives of the computers the officers used to access their accounts.
"Obviously there are some training issues related to this," Harrison said of the simplistic passwords used by the hacked officers. "They need to use a little more robust system."
Harrison declined to discuss specifically what measures the department was taking to contain the breach and ensure it doesn't happen again. But he did say the department's information technology team immediately changed the officers' passwords after confirming the breach Thursday afternoon.
They also blocked external access to the DPS servers Thursday evening in response to the attack. The servers were brought online again shortly after noon Friday, he said.
The stolen DPS files include personal information about officers and numerous documents, ranging from routine alerts from out-of-state police agencies to videos and photos about the hazards of police work and operations of drug gangs.
DPS is handling both the internal investigation into the breach and the criminal investigation resulting from the hack, Harrison said. At this point, it appears that LulzSec violated both federal and state laws, and DPS anticipates bringing in the U.S. Federal Bureau of Investigation to help with the criminal probe.
"I anticipate we will ask for and receive assistance from the FBI," Harrison said. "I suspect this will be a joint investigation, and we will work to bring charges at both the state and federal level."
Manuel Johnson, a spokesman for the Phoenix FBI, said Friday that his office was aware of the attack, but he referred all questions to DPS.
It's not clear who would process the case, if a suspect is identified.
State Attorney General Tom Horne said DPS would have the discretion to send the criminal probe either to his office or to the U.S. Attorney for Arizona, given the apparent violations of both federal and state statutes.
"If the people could be found, we would certainly prosecute them," Horne said.
Gov. Jan Brewer has been briefed on the security breach, but her office is referring all questions to DPS.
House Speaker Andy Tobin, R-Paulden, said Friday that he is "outraged" by the attack, for reasons that include its apparent motivation over SB 1070.
"This extremist group has now put hundreds of Arizona's finest in danger," Tobin said in a statement. "These cyber terrorists should be prosecuted to the full extent possible. Their actions have compromised the safety of our brave law-enforcement officers and their families."
Cops say hacked computers ain't no big deal. On the other hand did you ever hear cops admitting they f*cked up?
Arizona DPS officials downplay attack's effect on operations
by Ginger Rough, Mary Jo Pitzl and Alia Beard Rau - Jun. 25, 2011 12:00 AM
The Arizona Republic
The Arizona Department of Public Safety worked Friday to strengthen its computer networks after an international group of hackers exploited a weak spot in the system by accessing the e-mail accounts of eight officers stationed in rural areas of the state.
The hacking group Lulz Security, which has claimed responsibility for breaching CIA and U.S. Senate websites, said in a bulletin Thursday afternoon that it had successfully stolen 700 DPS files. The group posted the information on its website in retaliation for the state's passage last year of Senate Bill 1070, a tough immigration law largely on hold pending a review by the U.S. Supreme Court.
DPS officials characterized LulzSec's breach as isolated and said it did not affect the agency's larger servers and the information contained on them.
The incident is one of many recent efforts targeting government websites to make political statements. It raises concerns about the security of sensitive information on government computers and prompted some state lawmakers to suggest that the state may need to toughen penalties to deter future attacks.
In the latest strike, the hackers obtained reams of information, including personal details about officers and other documents. The eight officers whose e-mails were attacked were part of a separate, outdated system that did not require users to update their passwords on a regular basis. It also did not require a complex combination of capital and lower-case letters and numbers for a password.
Most DPS personnel are on a system that requires password changes every 60 days.
"Because we have people stationed all over the state, not everyone is on the same password requirements," DPS spokesman Steve Harrison said Friday. "We were in the process of changing that system over already. Obviously, this will make us go a little faster."
The documents obtained by LulzSec were either e-mail attachments or stored on the hard drive of the computers used by the officers, he said.
"Obviously there are some training issues related to this," Harrison said of the simplistic passwords. "They need to use a little more robust system."
Harrison said the department is "unlikely" to discipline the officers because "we don't believe the officers did anything wrong."
Harrison declined to discuss specifically what measures the department is taking to contain the breach and ensure it doesn't happen again. But he did say the department's information-technology team immediately changed the officers' passwords Thursday afternoon.
They also blocked external access to DPS servers Thursday evening in response to the attack. The servers were brought online again shortly after noon Friday, he said.
Other systems safe?
The breach raises questions about whether other state agencies also might be vulnerable to a cyberattack.
The hackers vowed to release more classified documents each week to embarrass authorities and sabotage their work.
State agencies operate on different computer networks, which range in age, and contain a wide range of personal data, including health information, motor-vehicle records and tax returns.
Officials in the Governor's Office declined to comment directly on the security of the state's computer network and would speak only to the scope of this breach.
"We have received no information that leads us to believe that the DPS servers . . . or the larger state system have been compromised," spokesman Matthew Benson said.
The DPS notified the Governor's Office and other law-enforcement agencies of the incident, Harrison said. At some point during the evening, the state's Information Technology Department and the Department of Administration also were briefed on the breach, but it was unclear whether details of the hack were formally shared with other state agencies.
A spokesman with the Department of Administration did not return phone calls and e-mails seeking comment.
Recent budget requests suggest some of the state's computer systems are overdue for upgrades. For example, the Department of Administration asked earlier this year for $5 million in its fiscal 2012 budget to start building an integrated statewide financial system.
In the request to Brewer, agency officials spoke in dire tones about the aging Arizona Financial Information System, which processes more than $30 billion in expenditures each year and handles 14 million transactions. The system was installed 19 years ago. Some components are even older. It noted that the "inflexibility of the current system(s) security features does not provide the necessary controls to mitigate potential major risks."
There is nothing in budget documents that indicates the request was honored.
The DPS issued a statement Friday saying safeguards were in place at all agencies to "ensure the security of electronic and computerized records." Those measures include round-the-clock monitoring of external access to the state's computer network, firewalls and anti-virus software. Several laws broken
The Arizona hacking appears to be part of a joint effort between hacking groups Anonymous and LulzSec, which they have dubbed Operation Anti-Security, according to a statement released by LulzSec. The intent is to target government websites, the group said.
The groups have released the Arizona information and the names of 2,800 Colombian special police-unit members. They also claim to have breached Britain's Serious Organized Crime Agency and two Brazilian government websites.
Tom Holt, assistant professor in the School of Criminal Justice at Michigan State University, said Thursday's hacking appears to fit with a growing trend called "hactivism."
Hackers used to work individually, either for entertainment or to make money, he said. But "hactivists" are grass-roots groups with a political motivation.
What is somewhat disturbing about these two groups, Holt said, is that they are increasingly incorporating others into the various efforts. They've developed websites that help individuals start their own attack and provide resources via Twitter.
Holt said the hack was sophisticated, which could hamper identifying any culprit.
"This seems a little bit more complex, and the amount of data acquired suggests that these actors have some degree of skill," he said. "The way in which they got the information might leave some trails. But it will require a degree of sophistication by the investigators."
In accessing the DPS files, LulzSec appears to have violated both federal and state laws. The DPS said Friday that it anticipates bringing in the FBI to help with the investigation.
Title 13, Section 2316 of the Arizona Revised Statutes makes it a crime, among other things, to "recklessly use a computer, computer system or network to engage in a scheme or course of conduct that is directed at another person and that seriously alarms, torments, threatens or terrorizes the person."
Violation of the statute is a Class 2 felony and punishable by up to 12.5 years in prison, the state Attorney General's Office said.
Federal computer crimes are prosecuted under the Computer Fraud and Abuse Act, which sets penalties of one to 10 years in prison, depending on the crime.
The released documents included information from federal agencies, including the U.S. Department of Homeland Security.
Law-enforcement officials said Friday that finding the guilty parties will be difficult, given that hackers can commit their crimes from virtually anywhere in the world.
It is not clear who would prosecute the case if a suspect were identified.
State Attorney General Tom Horne said the DPS would have the discretion to send the criminal probe either to his office or to the U.S. attorney for Arizona, or both. Tougher statutes
Thursday's hack could lead to a push for tougher state laws against cybercrime, several state lawmakers said Friday.
House Speaker Andy Tobin, R-Paulden, said he was "outraged" by the attack, particularly because it may have endangered DPS officers and their families.
Tobin said he had "been hearing from (legislative) members all day."
He said he believes lawmakers would be receptive to giving the DPS additional resources to improve its computer networks, if it determined that was needed, and increasing the state penalties for hacking into government computers.
"This is as important to protecting our law-enforcement officers and their families as a bulletproof vest might be," Tobin said. "It would absolutely be a priority for the Legislature."
Sen. John McComish, R-Phoenix, said he would like to ensure the penalty for cyberattacks is harsh enough to deter future hackers.
Others said solutions against additional attacks might be as simple as requiring the state's e-mail administrators to enact more rigorous password-protection programs.
The military, for example, uses "challenge words" to verify the validity of a password, adding another layer of security, said Rep. Jack Harper, R-Surprise, a member of the House Military Affairs and Public Safety Committee.
Republic reporters Mary K. Reinhart and Sean Holstege contributed to this article.
Arizona DPS: Officers' personal info, cartel briefings stolen
by Sean Holstege and Ronald J. Hansen - Jun. 25, 2011 12:00 AM
The Arizona Republic
Hundreds of pages of e-mails. Nearly four dozen images and two dozen slide shows. Intelligence briefings about drug cartels.
Home telephone numbers and work schedules for Arizona Department of Public Safety officers.
The hundreds of documents posted online by an international group of hackers on Thursday have raised questions about whether local and border-security law enforcement was compromised by a breach of DPS computers.
DPS officials deny enforcement work was compromised.
"Other than personal information, we don't think this will affect our operations at all," DPS Capt. Steve Harrison said. "It's a minor inconvenience." He acknowledged, however, that the posting of personal information about DPS officers put them "in harm's way."
The materials are clearly not what a law-enforcement agency would choose to divulge, at least out of caution.
A stark example is an intelligence briefing describing a high-level border-town meeting involving the head of the most powerful drug cartel in Mexico, as related by a confidential informant. The cartel leader and a small army of cartel traffickers were plotting how to smuggle large amounts of marijuana through Arizona.
"If there is information about how sources of information get to our attention, the cartels will change their ways," said Peter Forcelli, a supervisor with the bureau of Alcohol, Tobacco, Firearms and Explosives in Phoenix, who works border smuggling cases.
Also posted online were such things as the work schedule for officers in a DPS bureau, the types of weapons used by officers in another bureau, and personal information and photographs of agency officers and family members.
There is no indication that any source's confidentiality was betrayed or an investigation was jeopardized.
Phoenix police Lt. Vince Piano, who runs an undercover operation targeting drug cartels, said that the damage of the breach to day-to-day enforcement operations is minimal but that the incident will serve as a wake-up call.
"It's going to make officers a lot more cautious," Piano said. "After this, my guys aren't e-mailing anything."
State and federal authorities are now poring through the more than 700 files that include at least 1,300 pages of DPS e-mails taken by hackers known as Lulz Security, to assess the damage.
At a minimum, the unwanted disclosures have forced authorities to rethink cybersecurity. At least for a short time, state and federal agents combating the cartels will have to shift tactics, veteran agents say.
The vast majority of released documents seem mundane. On Friday, the DPS acknowledged that the hackers used the department's remote e-mail system to obtain e-mails and attachments in accounts for eight employees. But the penetration got no further than those documents. Those records range from staff rosters and routine paperwork to unclassified bulletins from intelligence-sharing centers and training slide shows and videos describing drug-cartel methods.
Volumes of personal information were taken from spreadsheets of dozens of employee names. They include badge numbers and personal phone numbers and, in some cases, spouse names. "It's unconscionable and can place these officers in harm's way," Harrison said.
There are home phone numbers for some state judges and personal contacts for some federal authorities.
One spreadsheet lists the work schedule for every officer in one DPS border office for this year, with vacation dates noted. Another indicates the type of weapons used by officers in a different bureau. A third includes the dispatch codes used by police agencies around the state.
Several files outline the dates, locations and participants in police crackdowns.
Many of the documents are alerts about drug-related intelligence, offering a window into how much the DPS knew at various times.
In 2010, the U.S. Department of Homeland Security warned about cartels planning an imminent attack in Sonora border towns.
The alert notes, "There is nothing to indicate that the violence will cross over into the United States, but agents should maintain situational awareness."
In 2010, an unclassified FBI bulletin, based on contact with a confidential informant, warned about cartels seeking to kill local and federal law-enforcement officers at three agencies.
The release of information about confidential informants is "compromising and damaging," said DPS Sgt. Carlos Contreras, a veteran of various task forces assigned to smuggling crimes.
Even more seemingly benign and stale leaks, such as duty rosters, generic operations plans or slides about smuggling techniques can set back counternarcotics agents in the constant chess battle with the cartels.
"It gives them a pretty solid mechanism for changing their tactics," Contreras said, adding that he has been advised to never put sensitive information in e-mails.
Harrison said the DPS is now re-evaluating its procedures. The agency is thinking about a more secure way to share files electronically and changing its e-mail security protocols.
The breach has reverberated beyond the DPS.
The Homeland Security investigations unit of Immigration and Customs Enforcement "is in contact with the Department of Public Safety and the FBI regarding the recent security breach," ICE said in a written statement, adding that it "is still conducting an assessment to determine its operational impact."
Among the documents are photographs of officers. One image shows an officer shaking hands with former President George W. Bush. Another includes a family member's photograph.
There is a picture of nearly 40 officers from one bureau. There are also 43 spreadsheets and 22 slide shows, most of them relating to training or routine paperwork.
What is largely absent is anything relating to Senate Bill 1070, the ostensible reason LulzSec targeted the DPS in the first place.
One e-mail from June 2010 suggests the author saw SB 1070 as a potential reason to move illegal-immigrant suspects from the open desert to safer conditions.
"If we have a distressed pedestrian, regardless of origin, we have a humanitarian responsibility to act for their safety. And if that requires that we transport them to a Border Patrol checkpoint or facility or to another location where we can remove them from the heat, I believe we will meet both the headline and humanity tests," the e-mail said.
A 2008 e-mail did express one officer's anger over Mexican drug dealers profiting from the porous border, "What the @#@%*@ are we thinking???" the sender asked.
A 2009 alert from the U.S. Justice Department warns police that iPhones feature remote-erasure tools, potentially allowing criminals to destroy evidence before police can analyze it. The authorities recommended securing the phones in a way to ensure the erasure signal couldn't be received.
The hacking episode has embarrassed the state agency and left it assessing the value of information never intended for public view.
"We feel like somebody whose house has been burglarized: shock, anger, frustration and a little fear," Harrison said.
Lessons in hacking from DPS attack
Posted: Friday, June 24, 2011 2:01 pm | Updated: 9:55 pm, Fri Jun 24, 2011.
By Ken Colburn, Data Doctors East Valley Tribune | 0 comments
Q: If an organization like DPS can have their email hacked, how can us little guys ever be safe?
A: The very high profile publication of sensitive documents reportedly acquired from the email accounts of various officers from the Arizona Department of Public Safety this week has some very real lessons for all of us.
Despite various media accounts that are reporting that DPS was “hacked,” based on what we have seen so far, it seems that the more likely scenario was that individual member’s email accounts were compromised (there’s a big difference).
LulzSec, the hacker group behind this, has announced that they will continue to publish compromised files on a weekly basis, so only time will tell just how much information has been compromised.
Since the individual email accounts seem to be the point of exploitation, this could have happened in a number of places (at work or from home) or for a number of reasons.
Our forensics team evaluated the more than 700 files that were posted by LulzSec and the digital stamps (metadata) hidden in many of the files show that they were created by a wide variety of authors beyond the group of users that were known to be compromised, which would be consistent with a library of files that were received as attachments.
One possible scenario is that since all of the passwords that were published for the compromised accounts were very weak (one was actually 12345) or used common words, the hackers used simple password breaking tools to gain access to the accounts.
The lesson here is that if you don’t use letters and numbers in combinations for your passwords and you don’t avoid using common words that are in the dictionary, you expose yourself to readily available tools for breaking passwords. The more characters you use, the more secure the password becomes and if you sprinkle in special characters like ! - ? ( ) & $ (which some systems won’t support) you can improve the security even further.
Another scenario is that these officers were targeted with very well crafted email messages that tricked them into allowing a “key logger” or other malware to be installed into their computer, which allowed the hackers to record keystrokes or remotely access their email accounts.
Since home computers tend to be less secure for a variety of reasons (expired security software, no firewall, etc.), it’s much easier to gain access to a large corporate or government mail system by compromising a user’s home computer and wait for them to access their work email system.
The main lessons here are to always be suspicious of anything that you get in your Inbox that is prompting you to click on a link or to open a file attachment — and above all, keep your operating system and security software up to date.
You also need to be very careful with links posted on Facebook, Twitter, instant messages or any social network as this is just the latest delivery method they use to compromise your computer or accounts.
These exploits can be effective even on very secure corporate systems if the hackers can convince the user to install something that is posing as a legit program or update. The most common trick in the past has been to lure the user to a salacious video then tell them that they need an updated player to view the video.
The reality is that there is no 100% secure way to operate on the Internet these days as the methods for being exploited are growing exponentially, but if you pay attention, you can dramatically reduce your chances of being exploited.
The most common way for hackers to get past security measures is to trick the user, so be suspicious of everything and keep your system updated!
• Ken Colburn is president of Data Doctors Computer Services and host of the “Computer Corner” radio show, noon Saturdays on KTAR 92.3 FM or at www.datadoctors.com/radio. Readers may send questions to evtrib@datadoctors.com.
Hacked Memos of State Police in Arizona Are Released
By MARC LACEY and RICHARD A. OPPEL Jr.
Published: June 24, 2011
PHOENIX — A cache of internal documents released online on Thursday by hackers who gained access to the computer system of the Arizona Department of Public Safety revealed the array of potential outlaws on the state police’s radar screen, from international terrorists to Mexican drug smugglers to motorcycle gang members.
Wave of Attacks
Two online collectives, Anonymous and LulzSec, have claimed responsibility for a string of Internet attacks in recent months, bringing down Web sites and hacking into corporate and government systems. The attacks by LulzSec, the newer group, have grown increasingly brazen.
There was a memo telling officers not to send text messages while driving and a warning that criminals had found a way to break into the trunks of Crown Victoria police cruisers. A document on state budget cuts disclosed which roads the state police would stop patrolling this year because of reduced staffing.
In one of the leaked documents, the Border Patrol reported how four “possible illegal aliens” encountered by sheriff’s deputies in southern Arizona on June 18 were found to be Qatari nationals in the country legally. Other memos warned officers of a FedEx truck that might be smuggling illegal immigrants and advised that two armed, off-duty Marines had been found patrolling the border.
“The documents are sensitive, but they don’t appear to be classified,” said Capt. Steve Harrison, a department spokesman.
The Arizona police agency shut down its e-mail system on Thursday and Friday to allow computer forensics experts time to investigate the intrusion, which was orchestrated by Lulz Security, a group of hackers who have previously gained access to a number of government and private Web sites.
Most alarming to the Arizona police was the release of personal data of some officers, including their home and cellphone numbers and addresses. The identities of some undercover officers were also disclosed.
“They put these officers’ lives in jeopardy,” Captain Harrison said of the hackers, who described their intrusion as a response to Arizona’s immigration crackdown last year.
Several officers whose names were in the documents told The Associated Press that their phones were ringing constantly on Thursday night with calls from people who had seen their numbers online. “It’s getting real annoying,” Officer Daniel Scott said.
Captain Harrison said the release of the documents was not likely to affect current criminal cases. But he said the information could alert potential suspects that the police were monitoring them, interfering with future prosecutions.
The documents provided a behind-the-scenes look at the range of law enforcement priorities in Arizona.
An intelligence bulletin by the F.B.I. and the United States attorney’s office in Arizona mentioned five incidents over a four-week period in early 2008: A man who said he was Taiwanese was questioned after he took photographs of a federal courthouse; five Hispanic people were found in a vehicle with Mexican plates parked near the Palo Verde Nuclear Generating Station; a man reportedly sent his brother, who was in the Taliban in Afghanistan, large amounts of money; a “nervous” man was reported trying to buy chemicals; and a Lebanese man in the country illegally was detained after he was found with envelopes stuffed with money placed throughout his vehicle.
A counterterrorism alert, dated May 3, warned Arizona officers to be on guard for attacks after the killing of Osama bin Laden. Potential targets in the state, the memo said, could be shopping malls, sporting events like the Major League Baseball All-Star game in July and military installations.
In a more local matter, an Officer Safety Bulletin warned about an Arizona man who apparently had battled cocaine addiction, threatened to kill an unidentified victim and claimed that “he ate their pet cat.”
An internal memo urged officers to slow down while driving, reminding them that they saved relatively short amounts of time when they went above the limit of 100 miles per hour recommended in urgent situations.
It is clear that computer security was a concern. A 2009 memo passed along from a law enforcement group in Maryland warned officers to be careful of e-mails purporting to be from the F.B.I. and containing a harmful attachment. Another memo warned officers to be careful of what they put on social networking sites, because the information could be used to damage their credibility in court.
Arizona state police files compromised again
29 June 2011
Jayson Peters
This is getting embarrassing.
Not even a week after the Arizona Department of Public Safety suffered a serious cyberattack that resulted in the online publication of sensitive case files and officer’s phone numbers, home addresses and ridiculously simple passwords, Gizmodo reports that the agency has been hit again.
This time, the hackers in the AntiSec movement claim to be releasing “humiliating dirt” on a dozen officers, including Social Security numbers, online dating account information, chat logs and “seductive girlfriend pictures.” A statement from AnonymousIRC on Twitter crows “Did you think we were done with you?” and links to a torrent file page that slams DPS and Arizona’s policies on illegal immigration. It also describes “cops forwarding racist chain emails, k9 drug unit cops who use percocets, and a convicted sex offender who was part of FOP Maricopa Lodge Five.”
It goes on to say the group also compromised a DPS spokesman “who been bragging to the news about how they are upgrading their security and how they will catch the evil hackers who exposed them. Clearly not secure enough, because we owned his personal hotmail, facebook and match.com accounts and dumped all his personal details for the world to see. The same fate will meet anyone else who tries to paint us as terrorists in an Orwellian attempt to pass more pro-censorship or racial-profiling police state laws.”
The statement also describes a Navajo former DPS officer who was “pushed out” of the force for whistleblowing a court jurisdiction violation and planning to file a racial discrimination claim against DPS.
DPS spokesman Steve Harrison, himself mentioned in this second batch of files, confirms the new attack and says the agency is reviewing the information released. If even some of the data turns out to be authentic, it’s a serious black eye for Arizona law enforcement — both for its content, and for the laughable standards of information security it represents among those charged with protecting the public.
AntiSec 'hackers without borders' claim new hack on Arizona state police
June 29, 2011 | 12:28 pm
AntiSec -- a group of hackers made up of members from the Anonymous and the disbanded LulzSec -- published online files that it says contain personal information and documentation of racism in the Arizona Department of Public Safety.
The group says it broke into the state police agency's email servers to get the data, which is made up of "names, addresses, phone numbers, passwords, social security numbers, online dating account info, voicemails, chat logs, and seductive girlfriend pictures belonging to a dozen Arizona police officers" as a follow up to LulzSec's Web attack on Arizona DPS last week.
Officials from Arizona DPS were unavailable to confirm AntiSec's latest claims on Wednesday. Last week, the Arizona Highway Patrol Assn. said online attacks and data leaks, such as the LulzSec action, could compromise the safety of law enforcement officers.
AntiSec announced its hack against the state's safety department on Wednesday on Twitter and various "torrent" file-sharing websites such as the Pirate Bay.
"We found more internal police reports, cops forwarding racist chain emails, K9 drug unit cops who use percocets, and a convicted sex offender who was part of FOP Maricopa Lodge Five," a police fraternity, AntiSec said in its data leak.
The group said it hacked into the personal email, Facebook and Match.com accounts of a spokesman for Arizona DPS who has "been bragging to the news about how they are upgrading their security and how they will catch the evil hackers who exposed them." AntiSec also promised to do the same to "anyone else who tries to paint us as terrorists in an Orwellian attempt to pass more pro-censorship or racial-profiling police state laws."
Racism and corruption in the Arizona Department of Public Safety is what AntiSec says it is trying to expose and the group accuses the state police agency of "illegally issuing tickets to Navajos in AZ state court jurisdiction instead of tribal courts" and pushing out officers who spoke up against such civil rights concerns.
The group also acknowledged that its hacking could pose harm to police, but said it's not close to the harm police have brought on the state of Arizona.
"Yes we're aware that putting the pigs on blast puts risks their safety, those poor defenseless police officers who lock people up for decades, who get away with brutality and torture, who discriminate against people of color, who make and break their own laws as they see fit," AntiSec said. "We are making sure they experience just a taste of the same kind of violence and terror they dish out on an every day basis. Our advice to you is to quit while you still can and turn on your commanding officers before you end up in our cross hairs next, because we're not stopping until every prisoner is freed and every prison is burned to the ground."
The group also encouraged other hackers to "set aside our differences and join the antisec popular front against the corrupt governments, corporations, militaries, and law enforcement of the world. We promise you much more bounty to come guaranteed to bring smiles to the faces of all those who have hated the police. Unite and fight, for the flames of revolution burn bright!"
Hackers strike Arizona police sites again
by Matt Haldane - Jun. 30, 2011 10:01 PM
The Arizona Republic-12 News Breaking News Team
A group of hackers defaced several Fraternal Order of Police websites across Arizona on Thursday evening, posting the user names, passwords and other information of hundreds of officers.
A release by the hackers, plastered across the homepages of the affected websites, claimed they were releasing information on 1,200 officers. This marks the third major release of documents and personal information on Arizona law enforcement officials within the past week.
The group claims to have defaced 10 websites for different FOP chapters within the state, but only some of them remain that way. Others either quickly restored the sites or took them down while they addressed the issue.
As with the other released documents, the group claims to be protesting SB 1070, the controversial Arizona law targeting illegal immigrants. The first hack was done under the banner of LulzSec, but they claimed to have disbanded on Saturday, their 50th day of existence.
Since then, a group calling itself AntiSec has taken up the cause, posting what it called a "master list" of everything that has been released so far.
Like the other releases, the list contains all the documents said to be available for download via peer-to-peer services. The group is claiming to have gone as far as releasing credit card and Paypal information for one of the officers in the one of the documents.
True to form in their manner of mocking their victims, a music video of the rap song "Hazy Shade of Criminal" by Public Enemy was posted at the top of each hacked page.
AntiSec claims to be an anarchist group working to "resist against the governments and corporations of the world."
The releases have consistently denounced the police as racist and corrupt.
Hackers claim ‘third knockout blow against Arizona law enforcement’
30 June 2011
Jayson Peters
AntiSecHere we go again.
A third dump of data stolen by political activists hacking into Arizona law enforcement officials’ computers was released Thursday night. And now they’re just toying with officers, claiming to have been reading the emails of the state Fraternal Order of Police director even as he was discussing previous cyberattacks on the Arizona Department of Public Safety that made references to the FOP. This, apparently, after he had changed his passwords and “taken down” the union organization’s websites.
Those union sites, too, appear to have been hacked and are in fact currently down, including those for the statewide organization and websites for Mesa and Tucson chapters.
A statement from the hacker collective AntiSec reads:
“For the third knockout blow against Arizona law enforcement, we decided to get destructive. We’re defacing eight AZ Fraternal Order of Police websites and releasing a master list of over 1200 officer’s usernames, passwords, and email addresses. Additionally we are leaking hundreds of private FOP documents and several more mail spools belonging to FOP presidents, vice presidents, secretaries, a police chief, and the FOP Labor Council executive directory and webmaster whose insecure web development skills was responsible for this whole mess. We’re doing this not only because we are opposed to SB1070 and the racist Arizona police state, but because we want a world free from police, prisons and politicians altogether.”
These self-styled anarchists claim to have found “more racist email chain emails,” including an Arizona police chief forwarding jokes about torturing “ragheads” and many crude jokes about President Barack Obama. (You can read the whole description here.)
“Amusingly we also were reading James Mann’s emails as they were discussing the AZDPS hacks and struggling to send out press releases explaining why they had a sex offender in their FOP ranks. Initially James changed all his passwords and pulled the AZFOP sites down out of fear of impending hacker attacks, but there is no stopping the kind of chaos we bring upon all those who cross our path.”
The authors of the AntiSec document describing the released files says the password list that made the intrusion possible has been passed around for some time — “However the list proved to be too great, and now we are seeking community assistance in going through everybody’s inbox to retrieve and expose their secrets. Go forth and bring mayhem to the lives of these corrupt officers,” they exhort.
“Let this third and crushing blow against Arizona police send a strong message to the ruling class around the world. You will no longer be able to operate your campaign of terror against immigrants and working people in secrecy: we will find you, expose you, and knock you off the internet. Many lulz have been had while we purposefully strung you along slowly and painfully for the past two weeks. We know exactly what we’re doing, so think twice before considering crossing us.
“Hackers of the world, join us as we resist against the governments and corporations of the world, for there is enough bounty for everybody aboard the good ship #antisec.”
The statement says the latest download links were presented on Pastebin because the host of the previous release, bittorrent tracker site ThePirateBay, was down.
Read more about the original LulzSec attack on the Data Doctors blog and see related links there.
Follow Nerdvana on Facebook and Twitter.
Lessons in hacking from DPS attack
Posted: Friday, June 24, 2011 2:01 pm | Updated: 6:10 pm, Wed Jun 29, 2011.
Lessons in hacking from DPS attack By Ken Colburn, Data Doctors East Valley Tribune
Q: If an organization like DPS can have their email hacked, how can us little guys ever be safe?
A: The very high profile publication of sensitive documents reportedly acquired from the email accounts of various officers from the Arizona Department of Public Safety this week has some very real lessons for all of us.
Despite various media accounts that are reporting that DPS was “hacked,” based on what we have seen so far, it seems that the more likely scenario was that individual member’s email accounts were compromised (there’s a big difference).
LulzSec, the hacker group behind this, has announced that they will continue to publish compromised files on a weekly basis, so only time will tell just how much information has been compromised.
Since the individual email accounts seem to be the point of exploitation, this could have happened in a number of places (at work or from home) or for a number of reasons.
Our forensics team evaluated the more than 700 files that were posted by LulzSec and the digital stamps (metadata) hidden in many of the files show that they were created by a wide variety of authors beyond the group of users that were known to be compromised, which would be consistent with a library of files that were received as attachments.
One possible scenario is that since all of the passwords that were published for the compromised accounts were very weak (one was actually 12345) or used common words, the hackers used simple password breaking tools to gain access to the accounts.
The lesson here is that if you don’t use letters and numbers in combinations for your passwords and you don’t avoid using common words that are in the dictionary, you expose yourself to readily available tools for breaking passwords. The more characters you use, the more secure the password becomes and if you sprinkle in special characters like ! - ? ( ) & $ (which some systems won’t support) you can improve the security even further.
Another scenario is that these officers were targeted with very well crafted email messages that tricked them into allowing a “key logger” or other malware to be installed into their computer, which allowed the hackers to record keystrokes or remotely access their email accounts.
Since home computers tend to be less secure for a variety of reasons (expired security software, no firewall, etc.), it’s much easier to gain access to a large corporate or government mail system by compromising a user’s home computer and wait for them to access their work email system.
The main lessons here are to always be suspicious of anything that you get in your Inbox that is prompting you to click on a link or to open a file attachment — and above all, keep your operating system and security software up to date.
You also need to be very careful with links posted on Facebook, Twitter, instant messages or any social network as this is just the latest delivery method they use to compromise your computer or accounts.
These exploits can be effective even on very secure corporate systems if the hackers can convince the user to install something that is posing as a legit program or update. The most common trick in the past has been to lure the user to a salacious video then tell them that they need an updated player to view the video.
The reality is that there is no 100% secure way to operate on the Internet these days as the methods for being exploited are growing exponentially, but if you pay attention, you can dramatically reduce your chances of being exploited.
The most common way for hackers to get past security measures is to trick the user, so be suspicious of everything and keep your system updated!
• Ken Colburn is president of Data Doctors Computer Services and host of the “Computer Corner” radio show, noon Saturdays on KTAR 92.3 FM or at www.datadoctors.com/radio. Readers may send questions to evtrib@datadoctors.com.
Arizona DPS reports e-mail hacker attack
by Ginger Rough, Ronald J. Hansen and Sean Holstege - Jun. 30, 2011 12:00 AM
The Arizona Republic
Hackers used information obtained through last week's breach of the Arizona Department of Public Safety to break into officers' personal e-mail and Facebook accounts, posting on Wednesday more than 800 new pages of personal data.
A group using the mantel "AntiSec" said it had obtained personal information on at least a dozen officers at the DPS, including a department spokesman who criticized hackers for last week's activities.
Capt. Steve Harrison, whose Hotmail, Facebook and other accounts were breached, said the department does not believe the hackers compromised the agency's computers, servers or any of the state's networks. "We suspect they used information from the first intrusion, did Google searches and tried to use the same e-mail names and passwords," Harrison said.
"We have no indication that they again accessed any DPS systems or that there is any link between the DPS systems and the personal accounts."
Last Thursday, a hacker group known as LulzSec posted reams of case files, e-mails and intelligence documents in a targeted breach it said was in retaliation for Senate Bill 1070, Arizona's tough immigration law.
The DPS said the hackers broke into its system by targeting the e-mail accounts of officers in remote areas of the state who were not required to frequently change their passwords or use complex log-ins.
LulzSec said it was disbanding and rejoining a larger hacker organization known as Anonymous.
But the hackers involved in Wednesday's incident suggested some of the same people were responsible in its online statement.
"Just when you thought it was over, we're hitting the Arizona police state with our second round of attacks," the hackers said.
Wednesday's data dump included 818 pages of private e-mails and text messages from 13 people - some of whom have not worked for the DPS - and scores of pictures and documents. Most involve musing about their struggles to find work, cope with layoffs or recover from an on-duty back injury.
But there were significant breaches, too. In one case, hackers posted the rosters of a professional police organization that included names and home numbers. Also disclosed were some names of officers at other local, state and federal agencies who had worked on narcotics- and human-smuggling squads.
At least one officer received a telephone bomb threat at his home Wednesday. DPS officials found no evidence of an explosive, Harrison said. "It was probably a crank call," he said. "They think its funny, but it's not funny. It causes officers a lot of anxiety and concern for themselves and family."
The DPS is encouraging officers to scrub their computers for spyware and malware, change their passwords, and not use the same log-ins for different accounts. The agency also is telling officers to monitor their credit reports and other accounts.
Citing Homeless Law, Hackers Turn Sights on Orlando
SourceCiting Homeless Law, Hackers Turn Sights on Orlando
By DON VAN NATTA Jr.
Published: June 30, 2011
MIAMI — The hacker group Anonymous has declared a cyberwar against the City of Orlando, disabling Web sites for the city’s leading redevelopment organization, the local Fraternal Order of Police and the mayor’s re-election campaign.
Volunteers from Food Not Bombs were arrested at Lake Eola Park in Orlando, Fla., last month after feeding homeless people without a permit.
Anonymous, a large yet loosely formed group of hackers that claimed responsibility for crashing the Web sites of MasterCard and the Church of Scientology, began attacking the Orlando-based Web sites earlier this week.
The group described its attacks as punishment for the city’s recent practice of arresting members of Orlando Food Not Bombs, an antipoverty group that provides vegan and vegetarian meals twice a week to homeless people in one of the city’s largest parks.
“Anonymous believes that people have the right to organize, that people have the right to give to the less fortunate and that people have the right to commit acts of kindness and compassion,” the group’s members said in a news release and video posted on YouTube on Thursday. “However, it appears the police and your lawmakers of Orlando do not.”
A 2006 city ordinance requires organizations to obtain permits to feed groups of 25 people or more in downtown parks. The law was passed after numerous complaints by residents and businesses owners about the twice-weekly feedings in Lake Eola Park, city officials said. The law limits any group to no more than two permits per year per park.
Since June 1, the city police have arrested 25 Orlando Food Not Bombs volunteers without permits as they provided meals to large groups of homeless people in the park. One of those arrested last week on trespassing charges was Keith McHenry, a co-founder of the first Food Not Bombs chapter in 1980 in Cambridge, Mass. He remained in the Orange County Jail on Thursday awaiting a bond hearing.
This week Anonymous offered a “cease-fire” if no volunteers were arrested during Wednesday evening’s feeding of the homeless. But the police arrested two volunteers, and on Thursday morning Anonymous disrupted the Web site Downtown Orlando, which promotes redevelopment there and is run by the city. An organization spokeswoman confirmed the attack but declined to comment, referring questions to the mayor’s office.
A spokeswoman for Mayor Buddy Dyer, whose re-election campaign site was disabled on Tuesday, called the attack on the Downtown Orlando site an “inconvenience.” She said the city would not change its policy of arresting volunteers who feed homeless people without a permit.
“We will continue to enforce the city ordinance,” said the spokeswoman, who asked not to be identified out of a concern she would become a target of Anonymous. “We must continue to focus on what our Orlando residents want and not the desires of others from outside the community.”
The attack on the Orlando Web sites was the second on a city or state government in two weeks. Last week, hackers gained access to the computer system of the Arizona Department of Public Safety and released law-enforcement records.
The Federal Bureau of Investigation and the Orlando Police Department are investigating, officials said.
Members of Orlando Food Not Bombs condemned the cyberattacks. “We have absolutely nothing to do with Anonymous or any other group that is doing this kind of thing,” said one member, Ben Markeson. “And what Anonymous is doing is a distraction from the real issue at hand.”
Mr. Markeson said the Orlando mayor and City Council members had attempted to “criminalize poverty” by passing a series of ordinances intended to “hide the homeless.”
“Mayor Dyer wants to hide the poor and the hungry people living in our community,” he said.
The mayor’s spokesman denied the allegation, saying: “Nothing could be further from the truth. The city has a strong relationship with our region’s homeless providers and will continue to dedicate resources and services that assist our homeless population.”
Anonymous has become known for prominent denial-of-service attacks on high-traffic Web sites. A denial-of-service attack takes place when an overwhelming crush of Web traffic is intentionally sent to a Web site until it is incapacitated and knocked off line.
Anonymous members rallied a call-to-arms against the city as part of a campaign it dubbed Operation Orlando. Its members promised that future arrests of volunteers helping the homeless would be met with fresh attacks. “For every arrested person,” the group said on Twitter, “Anonymous will deface or assault TEN websites in Orlando.”
Nick Bilton contributed from New York.
Worlds largest criminal botnet?
SourceHow the FBI and Interpol trapped the world's biggest Butterfly botnet
The biggest criminal botnet ever identified, with millions of enslaved computers in 172 countries, now has a name of its own – and embedded within the software that created it are the names of its criminal bot masters.
Christian Science Monitor
By Mark Clayton
The world's biggest criminal botnet, that has enslaved tens of millions of computers across 172 countries, now has a name: “Metulji," Slovenian for "butterfly." But even this monster butterfly could get netted.
Earlier this month, the FBI and Interpol conducted "Operation Hive," which resulted in the arrests of two Metulji operators in Bosnia and Slovenia.
But that may be just the beginning. Despite its mammoth size, the Metulji botnet has an Achilles heel that law enforcement and cyber security experts are exploiting: its criminal creator kept meticulous records of his customers.
Cheap to build, botnets are a stealthy, anonymous, nearly ideal criminal platform for Internet attacks against company websites. But they are even better at quietly stealing bank logons, passwords, credit card numbers, and social security numbers, says Karim Hijazi, CEO of Unveillance, the Wilmington, Del., botnet tracking company that discovered Metulji.
"We're already pretty sure this botnet has stolen credentials that resulted in thefts totaling in the millions of dollars," says Mr. Hijazi. "We still don't know how many computers are part of this botnet yet. But we expect to have a pretty good idea before long."
The creator of the sophisticated software kit – who made his money by selling it to those who wanted to build their own botnets – kept careful track of his customers’ criminal nicknames, Mr. Hijazi says. His “Butterfly Bot Kit” was also used to create the infamous Mariposa botnet, another gigantic botnet that at one point in 2009 had 12 million computers in 100 nations under its spell.
Just two years later, Mariposa has been neutralized by law enforcement – in large part by tracking down the purchasers of the software.
"The key here is that during the Mariposa case we discovered the licensing mechanism inside the Butterfly framework," says Luis Corrons, technical director of Panda Labs, whose company is assisting in the analysis of the new botnet. "These licenses are in the form of bot master nicknames, which are ... tied to the sales made to all bot masters who purchased a Butterfly botnet."
The Metulji botnet was created with a more advanced version of the Butterfly Bot Kit – but it, too, keeps purchase records. Since the Butterfly framework creator was arrested and his computers confiscated, it is "safe to assume" that law enforcement has "very good insight into who is running ANY Butterfly-based botnet out there," Mr. Corrons writes in an e-mail
Oddly, despite a number of Mariposa-linked arrests last year in Spain and Slovenia, bot masters are still depending on the Butterfly framework to run their Metulji botnets.
"Obviously, those bot masters are either not concerned about going to jail or just plain stupid," Corrons adds.
New York Times
July 1, 2011, 4:11 pm
Hackers Hit Arizona Police Again
By RIVA RICHMOND
Hackers continued to plague the Arizona state police, releasing online yet another trove of stolen data and defacing eight police Web sites in what the hackers called “the third knockout blow.”
The latest digital dump, which occurred late Thursday, included documents, e-mail messages and a “master list” of account passwords and other personal information for more than 1,200 officers, the hacker group said in a statement. The hackers, associated with the AntiSec or antisecurity movement, appeared to have obtained the data by breaking into systems belonging to the Arizona Fraternal Order of Police, which said it was looking into how it occurred.
The release follows two others: one last week included data stolen from the Arizona Department of Public Safety’s e-mail system and a second earlier this week included contents of officers’ private online accounts.
A spokesman for the department, Capt. Steve Harrison, said the hackers may have taken advantage of some officers’ use of the same user names and passwords for multiple accounts to jump from account to account. He said the department was still investigating how its e-mail system was initially compromised and was working with multiple law enforcement agencies on a criminal inquiry. The hacker group, which is part of the hacking collective Anonymous and contains members of the group formerly known as LulzSec, said its attacks were motivated by opposition to “the racist Arizona police state” and a belief in the anarchist goal of “a world free from police, prisons and politicians altogether.”
The release was part of an operation that is taking aim at governments and corporations. “Let this third and crushing blow against Arizona police send a strong message to the ruling class around the world. You will no longer be able to operate your campaign of terror against immigrants and working people in secrecy: we will find you, expose you, and knock you off the Internet,” it said.
The stash included e-mails with anti-Muslim content, including jokes about torturing “ragheads,” as well as crude jokes about President Obama, according to the group.
John Ortolano, president of the Fraternal Order of Police, said the racist label was “very disturbing” to him and his fellow officers, the majority of whom are not white, adding that it “couldn’t be further from the truth.”
But the officers’ persecution appears to be far from over. The hackers said they had been sharing passwords for the officers’ online accounts with other malicious hackers, and had issued a public call to sympathizers to help them dig through their e-mail “to retrieve and expose their secrets.” They also said they had shared their digital back doors into the police’s computer systems with other hackers.
Document leaks of all kinds by hackers may only increase. A subgroup of Anonymous known as the People’s Liberation Front has started two new WikiLeaks-type sites for hackers called LocalLeaks.tk and HackerLeaks.tk. The same group has claimed responsibility for attacks on sites associated with Orlando, Fla..
The sites are a response to a lack of significant leaks since WikiLeaks’ release of State Department cables last year, Anonymous said. “Instead of waiting for insider whistle-blowers, the hacker movement Anonymous hopes that a few outside intruders might start the leaks flowing.
Arizona DPS hacker damage is spreading
Director discusses probe, plans for better security
by JJ Hensley - Jul. 9, 2011 12:00 AM
The Arizona Republic
The damage from hackers who gained access to Arizona Department of Public Safety employee e-mails seems to have spread exponentially in the two weeks since the breach was discovered.
First, the hackers published the content of seven DPS employees' e-mails, and days later another group shared what its members found in the personal e-mail accounts of 11 DPS employees. Then, last week the group defaced Fraternal Order of Police websites around the state, posting online the user names and passwords for hundreds of officers and promising to release information on more than 1,000 other officers.
Investigators have determined that the hackers gained access to the DPS e-mails through information they gleaned by hacking into the websites of outside labor groups, DPS Director Robert Halliday said.
Regardless of where the security lapse originated, Halliday said, the scare has served as a wake-up call to DPS administrators in charge of computer security at the state's police agency. Halliday spoke this week to The Arizona Republic about the episode.
Question: What have you been able to piece together in the past two weeks about what took place?
Answer: I think they wanted people to know that they hacked into the Department of Public Safety. The reality is they came in through e-mails of personal accounts they got through labor groups. In our organization, we became somewhat complacent about our system and the security of it. We have people with passwords of 12345 and use them for every password in the world.
Q: Have you found that the hackers tried to access criminal-justice information?
A: We have not been made aware of that at this point, but there are people and organizations trying to hack into our site every day. That's not what this is about. . . . The most important thing that they got, I think - above any information bulletins, intelligence bulletins, operations plans - they got the names and addresses of our officers, and that concerned me the most.
Q: Have you gotten any reports of officers being threatened?
A: One time. We had an officer that was called. His wife is the one that answered the phone, there was some very abusive, vulgar language used, to include, "You might see a bomb show up." We immediately sent a team to his location. All of the people who were victims of this intrusion, we immediately contacted them and tried to make sure that everybody was aware of what was going on. To my knowledge, we've only had one person who was actually called and threatened with the possibility of a bomb.
Q: Where are you in terms of the criminal investigation?
A: I'm not at liberty to talk about that. There is an ongoing investigation of this system. We've asked for help from the federal side, we've asked for help from the industry side, we've asked for a lot of help to discern how we can make this thing better. My hope is that the ongoing investigation would, at some point in time, avail itself of the perpetrators and drag them into court and hopefully get some deterrent factor out of this.
Q: What steps are you taking internally to ensure a similar attack doesn't happen again?
A: We were in the process of migrating all of our folks over to a system with stronger passwords, and that was about two-thirds of the way done. When this popped up, there were about 100 people who had not come over. I shut them out at that point. If they want to get back in our system, which we encourage them to do, they've got to come and get their strong password. You've got that First Amendment right that you're always looking at. You can't tell somebody what they can and can't do with their personal e-mail accounts, but I think we can say, "If you're not going to abide by our policies and procedures, then we're not going to allow you to have access to our system and we'll have to get the information to you like we did 30 years ago."
Q: Some of the private-account e-mails contained information that officers thought would never see the light of day, including comments about supervisors and personnel at DPS and in other organizations. If your investigation requires you to look on their personal computers, how are you handling that?
A: That's already occurred. There were some things that were brought up in regards to people in the organization, but I don't really look at that with a jaundiced eye, frankly. People have comments. I'll share things with people that I trust. Those are the kinds of things that pop up. The last thing you want to do is hand your computer over to someone who's going to see you call them a jerk or whatever. To me that's just normal. There's nothing I would want to do about that. The other side of that is we explain to them (that) all we're looking at is the things that came into your computer.
Q: Do you have any sense yet on costs associated with security upgrades?
A: We haven't. You look at the system . . . I wouldn't put that real high on the list. But now I have a different perspective about that. I think everything that falls short of our officer safety and personnel safety becomes a priority.
Q: Why haven't you been able to say more about the security breach?
A: It's real simple: There's a criminal investigation going on. When we have a criminal investigation in any arena, we're pretty closed-mouth about any specifics. The last thing I want to do is put something out that's going to impinge on any investigation or give them information on how to divert off of something that's critical to investigation or prosecution.
Maricopa County technology systems vulnerable
by Michelle Ye Hee Lee and Yvonne Wingett Sanchez
Jul. 21, 2011 12:00 AM
The Arizona Republic
Maricopa County's technology system is weak and vulnerable to attack, and agencies lack controls to protect confidential information from security breaches, according to various internal audits conducted in recent years.
Questions about the security of government computer systems in Arizona have surfaced in the wake of incidents last month in which a group hacked into databases belonging to Arizona law-enforcement labor groups. The hackers, who claimed to be members of a loosely-knit group known as LulzSec, accessed work and personal e-mail accounts of law-enforcement officers and posted the information on the Internet and social-media outlets. The same group has taken responsibility for breaching websites of the CIA and U.S. Senate.
On the same day the group breached Arizona sites, LulzSec taunted Maricopa County Sheriff Joe Arpaio on Twitter, leading to speculation that the hackers might target Maricopa County.
Computer experts said that Maricopa County computer systems could be vulnerable to security breaches, basing their assessments on recent internal audits and the trend of public agencies operating with aging information-technology systems and fewer resources.
Maricopa County's system maintains sensitive information on a wide range of topics, from law-enforcement operations and jail inmates to tax payments by private citizens.
Stephen Wetzel, chief county information officer, would not discuss steps taken to protect confidential data but said in a statement that the county "continues to take appropriate precautionary action to protect its information resources."
County Manager David Smith said county computers are frequent targets.
"There are attempts to break into county databases all the time," he said. Firewalls have prevented such attacks. But county employees were asked to change their passwords after the LulzSec attacks, Smith said.
Maricopa County has a capital budget of about $250 million this fiscal year. Smith said about half that is expected to be spent on technology - computer upgrades, a new telephone system and radios for the Sheriff's Office.
Over the last three years, at least 10 internal audits and reports uncovered IT weaknesses in a handful of large county departments, including the Department of Transportation and the Assessor's Office. The reports show the county's security vulnerabilities vary widely.
Since June 2009, auditors have recommended the county update its IT governing plan to make sure it is properly protecting data. But as recently as February, the county had not come up with a formalized plan to use technology in conducting county business, public records show.
Auditors found no formalized privacy programs or technology for departments to protect sensitive data and no policy for tracking lost or stolen equipment, according to the February report. They surveyed 41 of the county's roughly 55 agencies and found that most maintain sensitive personal data on employees and citizens, including medical records and Social Security information.
No entity can achieve complete security because hacking can happen to anyone, said Paul Henry, security and forensics analyst at Lumension, a Scottsdale-based IT security company. The key is to focus on basic security measures like turning off servers not in use and regularly upgrading programs, servers and third-party applications.
Employees should be able to access only what they need for their jobs, said Lance Hoopes, director of information security and technology at the University of Arizona and adjunct lecturer at its Eller College of Management.
"Complacency is a really bad thing. You think, 'We're not being hit, we're immune,' and then all of a sudden you get hit. It happens, so you have to be constantly vigilant," Hoopes said.
With tightening budgets, government and business face heightened IT risks, experts said. Layoffs lead to overworked IT staff, and they have fewer resources because of budget cuts. Government agencies are especially vulnerable because qualified IT professionals tend to find jobs in the private sector, said Steven Zylstra of the Arizona Technology Council.
Computer security often gets pushed aside unless there is a crisis, especially when management has less money and must juggle priorities, Zylstra said.
"It does make people wake up and know when they see other people like them who are being, in this case, attacked. So hopefully, it helps the county and other local municipalities to pay more attention to something that's very serious," Zylstra said.
Audits
Numerous audits have found weaknesses with Maricopa County's information-technology systems. Examples:
- June 2011: The Public Works and Transportation departments were advised to strengthen user-access controls like passwords, privileged-account administration and policies to prevent access by unauthorized users.
- June 2011: The Flood Control District was warned to strengthen IT controls and update policies and procedures to prevent "access through a computer hacker, worm or virus (that) creates possible data integrity and system availability problems." Auditors said a security breach could make it impossible for the agency to provide "vital information to appropriate agencies during emergencies, or potential emergencies."
- March 2011: The Library District was advised it lacked formal IT policies, procedures and processes, resulting in ad hoc processes and users with inappropriate levels of system access.
- February 2011: A review of countywide IT inventory found evidence of inadequate data-privacy controls, weak IT governance processes and aging IT systems.
- February 2010: A review of the county's financial system found security weaknesses, including in the Office of Enterprise Technology and the Internal Audit department.
- June 2009: A review found that county IT governance was weak and had outdated and incomplete IT policies that could lead "to poor decisions, inadequate cost determinations, uncontrolled expenditures, failed or subpar systems, weak or non-existent performance measures, and non-compliance with laws or regulations."
- April 2009: The Public Fiduciary was warned that sensitive ward information was not properly secured, which could lead to misuse of ward data.
- March 2009: A review of county data centers and disaster recovery finds many weaknesses that could lead to vulnerabilities. "Some critical interior physical security controls did not provide adequate protection against plausible threats," the audit said.
Source: Maricopa County Internal Audit department
U.S. aims to boost cyber defenses after attack
by Robert Burns and Lolita C. Baldor - Jul. 15, 2011 12:00 AM
Associated Press
WASHINGTON - The Pentagon on Thursday revealed that, in the spring, it suffered one of its largest losses ever of sensitive data in a cyberattack by a foreign government.
It's a dramatic example of why the military is pursuing a new strategy emphasizing deeper defenses of its computer networks, collaboration with private industry and new steps to stop "malicious insiders."
William Lynn, deputy secretary of Defense, said in a speech outlining the strategy that 24,000 files containing Pentagon data were stolen from a defense-industry computer network in a single intrusion in March. He offered no details about what was taken; but in an interview before the speech, he said the Pentagon believes the attacker was a foreign government.
"We have a pretty good idea (who did it)," Lynn said in the interview. He would not elaborate.
Many cyberattacks in the past have been blamed on China or Russia. One of the Pentagon's fears is that eventually a terrorist group, with less at stake than a foreign government, will acquire the ability to not only penetrate U.S. computer networks to steal data but to attack them in ways that damage U.S. defenses or even cause deaths.
In his speech at the National Defense University, Lynn said that sophisticated computer capabilities reside almost exclusively in nation-states and that U.S. military power is a strong deterrent against overtly destructive cyberattacks. Terrorist groups and rogue states, he said, are a different problem and harder to deter.
"If a terrorist group gains disruptive or destructive cybertools, we have to assume they will strike with little hesitation," he said.
The Pentagon has long worried about the vulnerability of its computer systems. The concern has grown as the military becomes more dependent not only on its own computers but on those of its defense contractors, including providers of the fuel, electricity and other resources that keep the military operating globally.
At his Senate confirmation hearing last month, new Defense Secretary Leon Panetta cited "a strong likelihood that the next Pearl Harbor" could well be a cyberattack that cripples the U.S. power grid and financial and government systems. He said last weekend that cybersecurity will be one of the main focuses of his tenure at the Pentagon.
The Pentagon operates more than 15,000 computer networks and 7 million computers in dozens of countries.
"For the Department of Defense, our networks are really our lifeblood," Marine Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, told reporters before Lynn's release of the new strategy.
As shown by the March attack on a defense-industry computer network that contained sensitive defense data, the military's vulnerability extends beyond its own computers. In a new pilot program, the Pentagon is sharing classified threat intelligence with a handful of companies to help them identify and block malicious activity.
Lynn said intrusions in the past few years have compromised some of the Pentagon's most sensitive systems, including surveillance technologies and satellite-communications systems. Penetrations of defense-industry networks have targeted a wide swath of military hardware, including missile-tracking systems and drone aircraft, he said.
In Cartwright's view, a largely defensive approach to the problem is inadequate. He said the Pentagon is focused 90 percent on defensive measures and 10 percent on offense; the balance should be the reverse, he said. For the federal government as a whole, a 50-50 split would be about right, Cartwright argued.
"If it's OK to attack me and I'm not going to do anything other than improve my defenses every time you attack me, it's difficult (to stop that cycle)," Cartwright said. "There is no penalty for attacking (the U.S.) right now."
In response to an audience member's question after his speech, Lynn said the White House could be expected to consider using military force in response to a cyberattack "if there is massive damage, massive human losses, significant economic damage."
Earlier this year, President Barack Obama signed executive orders that laid out how far military commanders around the globe can go in using cyberattacks and other computer-based operations against enemies and as part of routine espionage. The orders detail when the military must seek presidential approval for a specific cyberattack on an enemy, officials and cybersecurity experts told the Associated Press.
The strategy unveiled by Lynn is oriented toward defensive rather than offensive measures. It calls for developing more resilient computer networks so the military can continue to operate if critical systems are breached or taken down. It also says the Pentagon must improve its workers' cyber "hygiene" to keep viruses and other intrusions at bay.
The strategy also is focused on insider threats. It says it will try to deter "malicious insiders" by "shaping behaviors and attitudes through the imposition of higher costs for malicious activity."
Here are some more articles on hacked police computers.