By Stephen Owsinski
Someone savvy and sinister came uninvited and unannounced to the Washington, D.C. Metro Police Department recently. And their bold intrusion remains an awakening and thought-provoking experience.
Some might say not even the police are safe from hackers. This would be a fair assessment, but the reality is that technology anywhere belonging to anyone is relatively vulnerable. Recently, it was discovered that the day former President Obama held a cyber security summit in February 2015, he was unwittingly doing so as the whitehouse.gov website account lapsed in its security certificate—an accounting omission by White House IT folks. Albeit different than a breach, this underscores the false sense of security when examining the Ps and Qs of an operating system and how it could falter. As a citizen, imagine trying to access whitehouse.gov and receiving a red-bannered ominous-looking message warning of a security issue.
D.C. Metro Police unfortunately found out they had a breach when agency technology gurus determined that roughly 70 percent of city surveillance cameras were invaded by hackers, who held the system hostage one week before President Donald Trump’s inauguration.
Although D.C. police disclosed the breach, spokespeople have not revealed the extent of damages, or if ransom demands were actually made. City officials did, however, claim no ransom was paid to anyone.
Just as its name implies, ransomware infiltrates a technology-based system (computer, camera network, telephone system, etc.) hacked by a tech-savvy source who typically demands a sum of money or non-monetary action. Once demands are met, a locked operating system is restored to normal capacity. In the case of the D.C. Metro cops, police administration opted out of playing the hostage-taking game. Instead, IT staff took down the entire system, gutted every bit of software, and rebooted the network with success.
Yet the hard truth remains—an outsider breached the D.C. police network and held hostage 123 of its 187 cameras perched throughout the jurisdiction. The objective of Metro police surveillance cameras is to oversee the bustle in our nation’s capital, and when detected, preempt nefarious activity. With the system held hostage, any number of things may have erupted without it being recorded for law enforcement investigative use. Moreover, things could have gotten out of hand well before D.C. cops were even aware.
Besides any ransom demands, was this also a play to garner attention and embarrass not only law enforcement but also elected politicos working in our nation’s governmental hub? A “look what I can do” message?
Becoming a Thing for Public Safety Professionals
In addition to the D.C. Metro police hacking incident, the Washington Post published an expose regarding hacking the 9-1-1 system that effectively deploys a program called TDoS attack (telephony-denial-of-service attack), which denies 9-1-1 callers from getting emergency services by hampering the system’s infrastructure. Conceiving such a catastrophe is unspeakable, and yet it can be done remotely by overwhelming a 9-1-1 system with false calls, thus blocking authentic callers from getting through. Adding to the problem is human nature; genuine callers needing emergency aid exacerbate the hacking by continually calling 9-1-1 until they get through, flooding an already overrun 9-1-1 system.
Deploying the TDoS attack results in the hacker demanding ransom in exchange for ceasing 9-1-1 blocking efforts. The Department of Homeland Security and FBI have already investigated such an incident. Engineers in the realm of 9-1-1 infrastructure busily blueprint countermeasures to detect and thwart TDoS hacks. We can only hope they and others expediently design and employ countermeasures before innocent lives are lost to misuse of technology in the hands of miscreants.
Similarly, trending in recent years is the concept known as SWATting, whereby an anonymous caller compels (pranks) the police department to dispatch an emergency response to a location under the guise of a major crime in progress. Naturally, this endangers plenty of cops and citizens. The pranksters, whose objective is to basically toy with the police, use cell phone technology to mask their identities. Taxpayer assets—police, fire, and EMS—are wasted. NetworkWorld published an interesting article on this childish ploy.
Hacking is not a new thing for cops to investigate. However, the magnitude of sophistication and frequency are astounding and can strain already limited resources. Similar to identity theft, the investigations can be time-consuming and take a lead investigator far and wide before getting in the airspace of the suspect(s). Overall, these crimes are the opposite of those warranting traditional methods. Police are chasing data that hopefully leads to a face instead of pursuing a face leading to an identity, resulting in arrest. An evolving landscape affording absolute anonymity can be daunting for investigators, making chasing phantoms in the wind an arduous task. Logically, preemptive strategies in IT and cyber security are underscored.
IT Professionals and Cyber Gurus
No matter who you are or where you may be, the IT profession has never been more handsome in terms of marketability, job security, and robust compensation packages due to expertise in comprehending computer innards, detecting intrusions, identifying malware, overcoming threats, eradicating bugs, and repairing hacker incursions. All police agencies should employ techno gurus.
Austin, Texas police investigated and arrested a 20-year-old perpetrator in the alleged hacking of over 100 cars. APD’s High Tech Crime Unit detectives worked the details and ultimately came away with an IP address belonging to a friend of a friend who was laid off from Texas Auto Center, a dealership that had access and the ability, known as “bricking,” to remotely reconfigure cars via hacking into a component it installed in hundreds of vehicles. This served as yet another unique instance of what is being constructed electronically and how folks bent on rocking someone’s world can easily do so. The disgruntled suspect in this case faced “computer intrusion charges” filed by Austin’s High Tech Crime Unit detectives.
As pretty much everyone knows and is equally disgusted by, there are evil people out there who use computers to facilitate their wares and addictions, such as child pornography and predation. Other than preempting a mass fatality incident by identifying and arresting suspects via computer investigations, I can see no more rewarding aspect of police techno units than nabbing child predators and the despicable preying on youngsters from a laptop.
These types of cases involve apprehending violators and forensically dissecting their computers for evidentiary assets. Police agencies employ experts in this field who are getting more adept in computer science nuances and advancements; the proverbial cat-and-mouse intrigue ensues.
What Side of the Fence?
As in any profession, one can use his/her marketable techno skills for good or evil. What side of the fence will anyone with cyber and IT expertise choose? In the D.C. police example, we see both nefarious types armed with significant technological know-how, and we also see IT gurus hired by governments to stave off network attacks and conduct damage control, should the former type hack a system like the D.C. example.
According to Wired.com, a research team discovered a huge vulnerability in Volkswagen automobiles. It posits that VW engineering has left keys in car components that, if hacked by the nefarious type, allow easy, wireless access to 100 million VW cars manufactured since 1995. Besides Volkswagen, other car manufacturers have the same vulnerability to theft via hackers tapping into auto instrumentation. I suspect car makers already have IT experts working to correct this problem. Conversely, police departments employ technical instrumentation to virtually stop a car in its tracks, cutting down on police pursuits and the perils they pose. Los Angeles police employ/deploy a laser-guided tracking device that effectively decreases the dangers of police chases by simply tracking stolen autos and other crime-related vehicles via a GPS gadget launched by police cruisers at the rear of a fleeing car. Breaking off active pursuits and covertly tracking vehicles in question results in safer methodologies and unsuspecting apprehension of perpetrators.
Reported by The Guardian, the Chinese have their hands in the fray—on the wrong side of the fence. Chinese hackers were able to remotely dabble with the mirrors and brakes of a Tesla automobile. Just imagine the potential mayhem should any number of cars be controlled by illicit-minded hackers from a safe distance without identity.
Whether it stems from intellectual curiosity, runaway egos, or deeply embedded anti-government sentiment, hackers are profoundly talented in manipulating electronic technology and are well-versed in cloaking their identities. Government entities, however, also possess sharp-minded IT sorts who found their wares tested in police department settings. Each tech-savvy individual has the same choice to use their skills to benefit humanity and not be a self-serving, childish, basement-dwelling prankster.
Stephen Owsinski is a Senior OpsLens Contributor and retired law enforcement officer whose career included assignments in the Uniformed Patrol Division and Field Training Officer (FTO) unit. He is currently a researcher and writer.
To contact or book OpsLens contributors on your program or utilize our staff for your story, contact [email protected]