A number of websites associated with US police have been compromised by AntiSec hackers in apparent support of the “Occupy” demonstrations.
One of the sites targeted was the Boston Police Patrolmen’s Association (BPPA), which suffered a hack which resulted in the release of a thousand usernames and passwords. An obvious danger is that staff may be using the same username/password combinations on other sites – such as their email accounts or Facebook.
In addition, the AntiSec movement claimed in an online press release to be publishing more than 600MB of data stolen from the International Association of Chief of Police (IACP) website, including names and addresses, passwords and internal documents.
Names, addresses, phone numbers and social security numbers for police officers in Alabama have also been exposed, and a contact database associated with employees and clients of the internet company Matrix Group made public.
What’s perhaps most bizarre, however, is that a recording has come to light of a hacker phoning up one of the hacked police departments.
The caller speaks with a British accent and claims to be calling from England, via Skype (which explains the poor quality).
After being batted around the police department’s telephone system for a while, and listening to some funky muzak, he eventually ends up speaking to a public information officer.
Here is a recording of part of the call:
And here’s a partial transcript:
Caller: Your website has been defaced.
Police official: Yes, we’re in the process of uh.. investigating it, but apparently someone hacked into our website, but we’ve..
Caller: Yeah that was me.
Police official: .. shut the website down at this time.
Caller: The person who did it was me.
Police official: You hacked into the website?
Caller: Yes sir.
Police official: Would you like to tell me why you did it?
Police official: Is there a particular reason that you did it? Are you trying to prove a point? Or are you just picking on for us any particular reason? What’s the problem?
Caller: Just got a bit bored, y’know.
Police official: I can’t hear you sir.
Caller: I said, I said I got a bit bored.
Police official: You got a bit bored?
Police official: That’s fine. Alright, well.. perhaps I can break your boredom if we can trace you back and come and put you in jail, we’ll get a warrant for you – how’s that?
Caller:Well, I’m not in America.
Police official: That’s okay. That’s alright. It doesn’t make any difference where you’re at.
Caller:So you’re gonna [laughs] come and get me?
Police official: I’m gonna get on a plane in the next few minutes and head that way, start looking for you somewhere.
Caller:Bring it on.
The Boston Police department has asked all personnel to reset their passwords, and says that it is launching a full investigation into the reported incidents.
Meanwhile, the IACP website is still unavailable – clearly the site’s administrators were more comfortable with visitors seeing a holding page than the defaced version which included an anti-police rap video:
For more information on securing your website download our technical paper “Securing Websites” published by SophosLabs. In addition to advice on common attack techniques including SQL injection, the paper also discusses establishing a secure foundation for your site and how to deal with external service providers.