Criminals Exploiting FBI Emergency Data Requests

I’ve been writing about the problem with lawful-access backdoors in encryption for decades now: that as soon as you create a mechanism for law enforcement to bypass encryption, the bad guys will use it too.

Turns out the same thing is true for non-technical backdoors:

The advisory said that the cybercriminals were successful in masquerading as law enforcement by using compromised police accounts to send emails to companies requesting user data. In some cases, the requests cited false threats, like claims of human trafficking and, in one case, that an individual would “suffer greatly or die” unless the company in question returns the requested information.

The FBI said the compromised access to law enforcement accounts allowed the hackers to generate legitimate-looking subpoenas that resulted in companies turning over usernames, emails, phone numbers, and other private information about their users.

Posted on November 12, 2024 at 7:05 AM • 13 Comments

Comments

Bart November 12, 2024 8:53 AM

This makes me wonder how many subpoenas are ever actually checked for authenticity. Anyone can print a piece of paper that looks like a subpoena.

postscript November 12, 2024 9:08 AM

Not just personal info being stolen – Brian Krebs pointed out they are also using these data requests to freeze and plunder bank accounts.

BCS November 12, 2024 11:30 AM

The penalty for this sort of crime should be the sum of impersonation of a police officer and also what an officer would get for abuse of power if they had done the same thing with it.

But are the criminals even someplace they can get arrested? 🙁

Clive Robinson November 12, 2024 11:42 AM

The big problem is that “oversight” is not really possible.

In the US there is the notion of “exigent circumstances”; a dictionary definition of it is,

“Exigent circumstances : are urgent situations that allow police to enter, search, or seize without a warrant.”

Put simply, the person requesting the information claims “imminent danger” of life etc, as their authority to demand the information.

The way such are communicated to major social media and other electronic communications companies, are such that the companies can not “check” if the request is valid or not.

This is not last century, we have reasonably reliable security mechanisms that will,

1, Effectively close the loophole.
2, Increase the speed of response.
3, Ensure effective traceability.

All of which are desirable to society.

So the obvious question is,

“Why over the past quarter century have such systems not been put in place?”

I’ll let others make their own judgements, based on the past behaviours of both the FBI and DoJ.

yet another bruce November 12, 2024 1:29 PM

I believe that if a law enforcement officer loses control of her/his sidearm it is considered a big deal. More so if the sidearm is found to have been used in the commission of a crime.

Losing control of an account with elevated privileges is potentially more dangerous, especially in places where handguns are relatively easy to obtain. The article linked did not say anything about whether officers and agents whose accounts were compromised faced any sort of discipline.

Cybershow November 12, 2024 2:02 PM

Here’s a good example of why identity is a second class key to authorisation, compared to observed behaviour. What you do is what’s authentic not what another expects.

Someone phrased it very nicely in an interview I did on the show last week, that “Your privileges are only the sum total of the good you have done so far, and your power to do harm is only as much as you’re prepared to burn”.

Isn’t that what Bruce has tended toward here? Behaviour not identity?

I don’t know how we got so hung-up on “identity” in the digital world. It’s a legacy thing from the timesharing days.

And that’s why “biometrics”, which is a username not even a password, is such a dumb idea.

https://cybershow.uk/blog/posts/secrets

Joseph Kanowitz November 14, 2024 6:00 PM

ב”ה,
Subpoenas could save Google and miscellaneous cloud providers trillions on storage costs.

Joseph Kanowitz November 14, 2024 6:04 PM

ב”ה,
Due to NHI fervor and “foreign actors” scrutiny, subpoenas could also save said foreign actors and OpenAI $trillions on storage costs, while expanding the budgets of cooperating law enforcement agencies, all for the cost of one lawyer in USA.

ResearcherZero November 15, 2024 2:14 AM

Please can I have the Call Detail Records and location data for the following individuals? …

https://krebsonsecurity.com/2024/10/the-global-surveillance-free-for-all-in-mobile-ad-data/

ResearcherZero November 15, 2024 3:35 AM

@Clive Robinson

Re: “Why over the past quarter century have such systems not been put in place?”

Hands up anyone who wants some money?

https://breakingdefense.com/2024/11/exclusive-how-the-pentagon-quietly-spent-1-billion-of-inflation-relief-money/

The roots of the problem can be traced to 1993, when the Pentagon, looking to reduce costs, urged defense companies to merge and 51 major contractors consolidated to five giants.

Prices for equipment increased and profits soared.

“What level of profit are we talking about?”
https://www.cbsnews.com/news/weapons-contractors-price-gouging-pentagon-60-minutes-transcript-2023-05-21/
