from the random-police-credentials-must-be-in-sudoer-file dept.
The U.S. government database provided access to a treasure trove of sensitive data. "I can request information on anyone in the U.S.," one of the alleged hackers wrote:
Two men, one of whom previously presented themselves as an independent security researcher to Motherboard, allegedly went on a wide-spanning hacking spree that included breaking into a federal U.S. law enforcement database; using a compromised Bangladeshi police officer's email to fraudulently request user data from a social media company; and even trying to buy services from a facial recognition company which doesn't sell products to the wider public.
[...] Sagar Steven Singh, 19, was arrested in Rhode Island on Tuesday; Nicholas Ceraolo, 25, remains at large with his location listed as Queens, New York, a press release from the United States Attorney's Office for the Eastern District of New York says. "Singh and Ceraolo unlawfully used a police officer's stolen password to access a restricted database maintained by a federal law enforcement agency that contains (among other data) detailed, nonpublic records of narcotics and currency seizures, as well as law enforcement intelligence reports," it states.
[...] That pursuit of personal information is what allegedly drew Singh and Ceraolo to breaking into various law enforcement accounts. In one case, the pair allegedly used a police officer's credentials to access a web portal maintained by a U.S. federal law enforcement agency.
Also at Dnyuz.
(Score: 4, Touché) by Snotnose on Friday March 17 2023, @11:22PM (4 children)
that wants to force companies to pay more attention to security?
/ hint: dump Microsoft. Won't happen, but it would be the best bang for the buck.
When the dust settled America realized it was saved by a porn star.
(Score: 5, Touché) by Opportunist on Friday March 17 2023, @11:48PM
And the same that wants to know and store everything about you, exactly that one.
And unlike those companies, they won't be liable for anything. Like Mel Brooks already said in the History of the World, it's great to be the king.
(Score: 2) by MIRV888 on Saturday March 18 2023, @03:10AM
OK your byline is hysterical.
I lol'd
(Score: 3, Informative) by guest reader on Saturday March 18 2023, @06:50AM (1 child)
They used a username and stolen password belonging to a local police officer. Maybe they should start using Multi-factor authentication [wikipedia.org] (includes 2FA).
Original press release source [justice.gov] from U.S. Department of Justice: Two Men Charged for Breaching Federal Law Enforcement Database and Posing as Police Officers to Defraud Social Media Companies.
Complaint-USA against Sagar Steven Singh and Nicholas Ceraolo [flashpoint.io], Case 1:23-mj-00213-MMH
(Score: 2) by aafcac on Saturday March 18 2023, @06:48PM
And maybe we shouldn't be storing so much data in one place
(Score: 2) by MIRV888 on Saturday March 18 2023, @03:05AM
I don't even want to think about what nation states are / have done.
I figure we are way more compromised than we think, but our enemies are too.
(Score: 2) by Osamabobama on Tuesday March 21 2023, @05:52PM
The reason this is a story is because the data was compromised in one 'spree.' If, on the other hand, the database had not been compromised by these two, it would have remained in use by police, who could abuse it slowly, one query at a time. Police access to the database is durable--they don't need to hurry to exploit the data before they get locked out. They will be able to use it when the need arises, whether the use is officially sanctioned or not.
The only thing keeping this database from being abused is the set of rules and laws punishing abuse. But those rules didn't deter the two perpetrators, and there will also be police officers who won't be deterred. Unless police are somehow more ethical than the rest of us, that is, but that idea has gotten really hard to defend in the last few years. Furthermore, any punishment for police abuse of the database will be much less than for hackers who aren't authorized to use the system in the first place, so the rules-based deterrent is going to be less effective on cops.