Federal agents have arrested an NYPD detective for hiring an email hacking service to pinch the login details for at least 43 personal email accounts and one cell phone account belonging to at least 30 individuals.
Edwin Vargas, 42, of Bronxville, New York, is accused of having paid $4,050 via PayPal to an illicit hacking service between March 2011 and October 2012.
According to a statement from Preet Bharara, the US Attorney for the Southern District of New York, Federal Bureau of Investigation (FBI) agents arrested Vargas outside his home on Tuesday.
Officials said that 19 of Vargas' alleged targets are current NYPD officers, one is retired from the NYPD, and another is an administrative staff member of the NYPD.
Vargas allegedly used the login credentials to peek into at least one personal email account belonging to a current NYPD officer. He also allegedly accessed another victim's online cellular telephone account.
Law enforcement officials said that when they checked out the hard drive on Vargas' NYPD computer, they also found that his Gmail account Contacts section included a list of at least 20 email addresses, along with what looks like telephone numbers, home addresses, and vehicle information corresponding to those email addresses.
The list also contained what seem to be passwords for the email addresses.
Vargas also allegedly accessed the federal National Crime Information Center (NCIC) database to get information about at least two NYPD officers and then paid email hacking services to filch their logins.
The detective has been charged with one count of conspiracy to commit computer hacking and one count of computer hacking. Each count carries a maximum sentence of one year in prison.
US Attorney Bharara said in the statement that it's pretty darn bad when the cops themselves are the ones breaking the laws they're paid to enforce:
As alleged, Detective Edwin Vargas paid thousands of dollars for the ability to illegally invade the privacy of his fellow officers and others.
He is also alleged to have illegally obtained information about two officers from a federal database to which he had access based on his status as an NYPD detective.
When law enforcement officers break the laws they are sworn to uphold, they do a disservice to their fellow officers, to the Department, and to the public they serve, and it will not be tolerated.
FBI Assistant Director-in-Charge George Venizelos also said in the statement that gosh, you'd think you'd be able to trust your coworkers if your workplace is a police department:
As alleged, the defendant illegally acquired log-in information for the email accounts of dozens of people, including police department co-workers.
Of all places, the police department is not a workplace where one should have to be concerned about an unscrupulous fellow employee.
Unlike the email accounts, the defendant didn't need to pay anyone to gain access to the NCIC database. But access is not authorization, and he had no authorization.
Let's assume that Naked Security readers won't fall for pitches from email hacking services, such as this charmingly misspelled/garbled one:
If you want to know someone's email password than get it right now. How to hack? No, you don't have to do that, let our experts to hack your requested password in less than 48 hrs and you will be charged with $100
How do these services work?
Some of them, in their marketing materials, put up lists of techniques that include brute-force attacks, keylogger installation, dictionary attacks, sniffing (if the hacker and the victim share the same wireless network, such as in a workplace or cyber cafe, and the login isn't protected by HTTPS), and/or social engineering techniques.
Unfortunately, if the allegations prove true, it sounds as though the NYPD not only harbored one bad apple but also has plenty of staff who might well have fallen for one or more of the email hacking services' techniques.
As far as protecting ourselves from having our accounts breached, the tried and true advice holds: keep on top of patches; don't click on phishy links or open phishy email; use a password management program to generate long, random, hard-to-guess passwords that are unique to each account; and/or read Graham Cluley's piece about cooking up your own.
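To make the dictionary-attack point above and the password-manager advice concrete, here is an added Python example (written for this page, not code from the original article or from Sophos). It simulates an offline dictionary attack, with the hand-mangling rules people actually use, against a salted hash, and then shows why a password drawn at random from the full keyboard alphabet is out of that attack's reach. The wordlist, suffix list, salt and 1e10 guesses/second rate are all constructed assumptions for illustration; real attack lists run to millions of entries.

```python
import hashlib
import math
import secrets
import string

# Constructed toy wordlist for this example; real attack lists run to
# millions of entries (leaked passwords, names, sports teams, place names).
WORDLIST = ["password", "letmein", "qwerty", "welcome",
            "yankees", "nypd", "summer", "bronx"]

# Mangling rules: the "complexity" people add by hand is highly predictable.
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2012", "2013"]

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def hash_password(password: str, salt: bytes) -> str:
    """One round of salted SHA-256: fast to compute, so fast to guess against.
    A real service should use a slow KDF (bcrypt/scrypt/PBKDF2); the attack
    logic below would be unchanged, it would just run slower."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def candidates(word: str):
    """Guesses a dictionary attack derives from one base word."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            yield base + suffix


def dictionary_attack(target_hash: str, salt: bytes, wordlist=WORDLIST):
    """Try every mangled wordlist entry against one salted hash.
    Returns (cracked_password, guesses_tried); password is None on failure."""
    tried = 0
    for word in wordlist:
        for guess in candidates(word):
            tried += 1
            if hash_password(guess, salt) == target_hash:
                return guess, tried
    return None, tried


def dictionary_space_bits(wordlist=WORDLIST) -> float:
    """Effective entropy of any password this attack can reach: log2 of the
    total number of guesses, regardless of how 'complex' the password looks."""
    total = sum(1 for word in wordlist for _ in candidates(word))
    return math.log2(total)


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """What a password manager does: a CSPRNG draw from the full alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def brute_force_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit a password of the given entropy at an assumed
    (hypothetical) offline guess rate: half the keyspace, in years."""
    return (2 ** bits / 2) / guesses_per_second / (3600 * 24 * 365)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    strong = generate_password()
    for pw in ("password1", "Yankees123", strong):
        found, tried = dictionary_attack(hash_password(pw, salt), salt)
        status = f"cracked after {tried} guesses" if found else f"survived {tried} guesses"
        print(f"{pw!r:32} {status}")
    print(f"dictionary-reachable passwords: ~{dictionary_space_bits():.1f} bits")
    print(f"20-char generated password:     {entropy_bits(20):.1f} bits, "
          f"~{brute_force_years(entropy_bits(20)):.2e} years at 1e10 guesses/s")
```

The takeaway the script makes visible: "Yankees123" satisfies most complexity rules yet falls in a few dozen guesses, because the whole space of wordlist-plus-suffix passwords here is under 8 bits; a 20-character password from a manager sits above 128 bits, which no guess rate makes practical. The same logic applies whether the attacker has a hash dump or is guessing against an online login, only the guess rate changes.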
Better still, follow the advice I saw on a cartoon on Wednesday:
Sorry, your password must contain a capital letter, two numbers, a symbol, an inspiring message, a spell, a gang sign, a hieroglyph and the blood of a virgin.