A New York City police detective from the NYPD pleaded guilty on Friday to paying $4,000 for email hacking services that got him into at least one colleague's email account and one mobile phone.
According to a statement put out by the Attorney General, the detective, Edwin Vargas, used PayPal to hire someone to hack login details for at least 43 personal email accounts and one mobile phone belonging to at least 30 individuals, including 20 current or former NYPD officers and one administrative employee.
Vargas, 42, of Bronxville, NY, was arrested in May for ordering up the hacking between March 2011 and October 2012.
He could be looking at a maximum of two years in prison: one year each for one count of conspiring to commit computer hacking and one count of computer hacking.
At the time of his arrest, the Attorney General said that when law enforcement checked out the hard drive on Vargas's NYPD computer, they found that his Gmail account Contacts section included a list of at least 20 email addresses, along with what looked like telephone numbers, home addresses, vehicle information corresponding to those email addresses, and email account passwords.
Vargas also allegedly accessed the federal National Crime Information Center (NCIC) database to get information about at least two NYPD officers.
Manhattan US Attorney Preet Bharara said in the statement that being on the NYPD doesn't give police any special dispensation to break the law that taxpayers pay them to uphold:
He accessed a law enforcement database without authorization and paid hackers to illegally obtain e-mail login information for his fellow officers and others. Vargas’s guilty plea today and his forthcoming punishment make clear that those who illegally invade others’ privacy, including members of law enforcement, will not escape prosecution.
Vargas was a bad apple, but his guilty plea brings to light more than one crooked cop.
The A.G. didn't go into detail about how the email hacking services managed to steal login details, but phishing and social engineering are tried and true methods to go about this slimy work.
As it is, such services advertise techniques including brute-force attacks, keylogger installation, dictionary attacks, sniffing (if the hacker and the victim share the same wireless network, such as in a workplace or cyber cafe), and/or social engineering techniques.
An in-depth defence strategy can help lower the risk from those vectors within organizations.
For example, let's hope that since Vargas's arrest, the NYPD has laid down the law about not clicking on phishy links or opening phishy email attachments, not using overly simple passwords, and not reusing passwords across multiple sites.
Let's hope they've ramped up training on:
- Questioning and reporting suspicious behavior.
- Refraining from sharing work-related details on social networks.
- Not using work devices for personal activities.
- Protecting access to different types of data with strong and separate passwords.
- Segmenting the network so that if attackers compromise an employee with access to one network segment they can't access more sensitive ones.
- Not letting attackers go undetected as they work their way through the organizational phone book until they hit pay dirt. Employees should have one point of contact to whom they can send all reports of phishing expeditions, whether those attempts come via phone or email.
For more thoughts on hardening an organization's defences, whether you're talking about a widget maker or a police department, check out Sophos's Practical IT guide to planning against threats to your business.
Image of NYPD detective badge by Flickr user Scoutnurse.