Der Spiegel published a story in yesterday's edition of their magazine that the hack on the German police surveillance system "Patras" was prompted by a senior officer spying on his daughter's internet activities.
The Patras system is used by the police to track suspects using so-called "silent" SMSs and GPS tracking devices planted on automobiles.
It appears that a senior policeman from Frankfurt am Main installed spyware onto his daughter's computer to keep an eye on her online activities.
It is unclear whether this is legal under German law. It is also unknown whether he used the famous Bundestrojaner or some sort of commercial off-the-shelf spyware.
One of his daughters friends then discovered the spyware on her computer and decided that was justification enough to hack into her father’s computer.
Upon invading her dad’s system he found a selection of sensitive security related emails that enabled access to the Patras system. Two German hackers from a group called n0n4m3 cr3w (noname crew) were arrested after the system was breached in July of 2011.
According to Der Spiegel the policeman had redirected his work emails to his home computer. I expect that this is against the rules and is almost always a bad idea.
The worst part is that such a sensitive network used to covertly track people was accessible without any sort of two-factor authentication.
You would hope that intercepting a few sensitive emails would not provide enough information to allow a VPN connection or access critical infrastructure with such ease.
It is not clear whether this incident is the one that resulted in the successful attack against Patras last summer, or whether they were in fact breached twice.
It is one thing to accept the need of law enforcement to track suspects after receiving the approval of a judge, but it is becoming clear that access to these systems is too easy. It almost invites abuse and could result in criminal cases being compromised.
With great power comes great responsibility, and hopefully the German police have implemented more strict access controls and other authorities with similar power have heard this story and will look into their own security.Follow @chetwisniewski