When police send Emergency Data Requests (EDRs) to communications companies like Verizon or Google, they attest that a victim is in danger of serious bodily harm or death unless certain private information about a suspect can be produced. An EDR blows the doors off of any requirement to attach a subpoena or court order with a judge’s signature to honor the requests. Companies usually produce the digital information of the targeted suspect with alacrity.

Now the FBI is warning that hackers are worming their way into law enforcement cyber-systems in the United States and around the world, using stolen police credentials to send fake EDRs to steal the private information of innocent people. The potential exists for cybercriminals to issue fake freeze orders on people’s financial accounts, and then follow up with a seizure of assets, diverting funds to a fake custodial wallet that appears to be government-owned.

For $1,000 to $3,000, a cybercriminal named Pwnstar will sell buyers police credentials for EDRs in 25 countries, including the United States. “This is social engineering at its highest level and there will be failed attempts at times,” Pwnstar assures his customers on the dark web. He presents himself as a fair businessman, offering to give refunds in the minority of attempts that fail.

Krebs on Security reports that Kodex, a company founded by a former FBI agent to identify fake EDRs, found that of 1,597 EDRs it has processed, 485 failed a second-level verification.

This status quo puts communications companies in a bind. Krebs writes that “the receiving company finds itself caught between unsavory outcomes: Failing to immediately comply with an EDR – and potentially having someone’s blood on their hands – or possibly leaking a customer record to the wrong person.”

What can be done? First, all law enforcement agencies in the United States need to tighten up their digital hygiene to the highest professional levels.
An FBI factsheet offers a detailed list of specific security steps police should take, ranging from evaluating the reliability of vendors, to being on the lookout for images that appear doctored or pasted, to strong password protocols, to phishing-resistant multifactor authentication for all services. Finally, the FBI recommends that local law enforcement agencies establish and maintain strong liaison relationships with their local FBI field office. The FBI says it is ready to identify departments’ vulnerabilities and help them mitigate threats.