Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Friday March 17, @09:52PM   Printer-friendly
from the random-police-credentials-must-be-in-sudoer-file dept.

The U.S. government database provided access to a treasure trove of sensitive data. "I can request information on anyone in the U.S.," one of the alleged hackers wrote:

Two men, one of whom previously presented themselves as an independent security researcher to Motherboard, allegedly went on a wide spanning hacking spree that included breaking into a federal U.S. law enforcement database; using a compromised Bangladeshi police officer's email to fraudulently requesting user data from a social media company; and even trying to buy services from a facial recognition company which doesn't sell products to the wider public.

[...] Sagar Steven Singh, 19, was arrested in Rhode Island on Tuesday; Nicholas Ceraolo, 25, remains at large with his location listed as Queens, New York, a press release from the United States Attorney's Office for the Eastern District of New York says. "Singh and Ceraolo unlawfully used a police officer's stolen password to access a restricted database maintained by a federal law enforcement agency that contains (among other data) detailed, nonpublic records of narcotics and currency seizures, as well as law enforcement intelligence reports," it states.

[...] That pursuit of personal information is what allegedly drew Singh and Ceraolo to breaking into various law enforcement accounts. In one case, the pair allegedly used a police officer's credentials to access a web portal maintained by a U.S. federal law enforcement agency.

Also at Dnyuz.


Original Submission

This discussion was created by janrinok (52) for logged-in users only. Log in and try again!
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 4, Touché) by Snotnose on Friday March 17, @11:22PM (4 children)

    by Snotnose (1623) on Friday March 17, @11:22PM (#1296768)

    that wants to force companies to pay more attention to security?

    / hint: dump Microsoft. Won't happen, but it would be the best bang for the buck.

    --
    The inventor of auto-correct has died. The funnel will be held tomato.
    • (Score: 5, Touché) by Opportunist on Friday March 17, @11:48PM

      by Opportunist (5545) on Friday March 17, @11:48PM (#1296773)

      And the same that wants to know and store everything about you, exactly that one.

      And unlike those companies, they won't be liable for anything. Like Mel Brooks already said in the History of the World, it's great to be the king.

    • (Score: 2) by MIRV888 on Saturday March 18, @03:10AM

      by MIRV888 (11376) on Saturday March 18, @03:10AM (#1296804)

      OK your byline is hysterical.
      I lol'd

    • (Score: 3, Informative) by guest reader on Saturday March 18, @06:50AM (1 child)

      by guest reader (26132) Subscriber Badge on Saturday March 18, @06:50AM (#1296830)

      that wants to force companies to pay more attention to security?

      They used a username and stolen password belonging to a local police officer. Maybe they should start using Multi-factor authentication [wikipedia.org] (includes 2FA).

      Original press release source [justice.gov] from U.S. Department of Justice: Two Men Charged for Breaching Federal Law Enforcement Database and Posing as Police Officers to Defraud Social Media Companies.

      Complaint-USA against Sagar Steven Singh and Nicholas Ceraolo [flashpoint.io], Case 1:23-mj-00213-MMH

      [...] On or about May 7, 2022, SINGH used a username and password belonging to a local police officer (the “Stolen Credentials”) to log in to the Portal without authorization.

      [...] A United States federal law enforcement agency (the “Federal Law Enforcement Agency”) maintains a nonpublic website (the “Portal”) whose purpose is to share intelligence from government databases with state and local law enforcement agencies. Data available through the Portal is not classified but is sensitive and includes detailed, nonpublic records of narcotics and currency seizures, as well as law enforcement intelligence reports.

      The Portal is password-protected, and access to the Portal is restricted to law enforcement officials.

      • (Score: 2) by aafcac on Saturday March 18, @06:48PM

        by aafcac (17646) on Saturday March 18, @06:48PM (#1296925)

        And maybe we shouldn't be storing so much data in one place

  • (Score: 2) by MIRV888 on Saturday March 18, @03:05AM

    by MIRV888 (11376) on Saturday March 18, @03:05AM (#1296802)

    I don't even want to think about what nation states are / have done.
    I figure we are way more compromised than we think, but our enemies are too.

  • (Score: 2) by Osamabobama on Tuesday March 21, @05:52PM

    by Osamabobama (5842) on Tuesday March 21, @05:52PM (#1297430)

    The reason this is a story is because the data was compromised in one 'spree.' If, on the other hand, the database had not been compromised by these two, it would have remained in use by police, who could abuse it slowly, one query at a time. Police access to the database is durable--they don't need to hurry to exploit the data before they get locked out. They will be able to use it when the need arises, whether the use is officially sanctioned or not.

    The only thing keeping this database from being abused is the set of rules and laws punishing abuse. But those rules didn't deter the two perpetrators, and there will also be police officers who won't be deterred. Unless police are somehow more ethical than the rest of us, that is, but that idea has gotten really hard to defend in the last few years. Furthermore, any punishment for police abuse of the database will be much less than for hackers who aren't authorized to use the system in the first place, so the rules-based deterrent is going to be less effective on cops.

    --
    Appended to the end of comments you post. Max: 120 chars.
(1)