LAPD Exposes Login To Data Harvesting Software During Interview With CNN
from the as-secure-as-Darth-Helmet's-luggage dept
The Los Angeles Police Department has obtained tons of data over the past several years and that amount of data increases exponentially every year. In addition to its criminal databases, it also collects thousands of license plate time-and-location data points every day and has deployed other forms of surveillance (like Stingray devices), gathering even more data surreptitiously.
Of course, the LAPD feels it can be trusted with all of this data. It claims to have controls in place to prevent unauthorized access to information related to non-criminal Los Angeles citizens. Working with Palantir, the LAPD has instant access to a vast amount of gathered data — a database so impressive it spent a bit of time bragging about it to a CNN reporter. (via Lowering the Bar)
The CNN video shows LAPD Sergeant Jason O’Brien using Palantir to search for data on a burglary suspect.”After searching over a hundred million datapoints, Palantir displayed an impressive web of information,” said CNN reporter Rachel Crane. Palantir’s interface resembles a web search engine with datasets labeled People, Vehicles, Locations, Crime, Arrests, FIs (Field Interview Reports), Citations, Bulletins, Tips, and Everything (view screenshot). The video also shows Sergeant O’Brien accessing the LAPD’s automatic license plate reader database to map the past locations of the burglary suspect, which go back as far as March 2011.
With all this information come strict controls, or so the LAPD would like you to believe.
Captain Romero told CNN that the LAPD “cannot just go searching for you or anyone else without a reason because we have a lot of data for people who have done nothing.”
And yet, during this same CNN taping, the LAPD shows just how careless it is about protecting data. Written on a whiteboard for anyone to see is the login and password to its CAMS (Computer Analysis Mapping System) training system.
While this may be training access only and wholly separated from the actual system and its hundreds of millions of datapoints, it’s still not a good idea to leave logins and passwords publicly displayed. Sure, whoever wrote it probably thought no one but cops undergoing training would ever see it (along with the filepath to the CAMS data), but the person or persons OKing the interview should have made a sweep of anything the camera might see. It’s simply lousy operational security and it’s the sort of thing you never want to see an entity with access to “hundreds of millions of datapoints” do.
Even if additional steps are needed to complete an internet based attack, information on the whiteboard certainly peals [sic] back one layer of security blocking the way to private data. Above all else, the LAPD keeping a password—any password—on an office whiteboard in plain sight is deeply troubling. Haphazardly allowing CNN to film the password for a national news broadcast is more troubling still… [T]he whiteboard depicted in the CNN video casts doubt upon the LAPD’s ability to keep its data private.
Freedom du Jour points out that the LAPD’s negligent attitude towards security has been encountered before. Documents acquired by the EFF and ACLU showed that officers were given the following name and password to log into their ALPR terminals.
Name: LAPD
Password: [blank]
Two years later, the LAPD decided the system might need a password.
Name: LAPD
Password: LAPD
These are the people who claim they can ensure hundreds of millions of datapoints won’t be accessed without authorization, thanks to policies and strong statements given to credulous CNN reporters. But this shows that the LAPD’s security measures border on nonexistent and its interest in protecting the data of Los Angeles citizens is minimal.
Filed Under: cnn, lapd, los angeles police department, passwords, privacy, security
Comments on “LAPD Exposes Login To Data Harvesting Software During Interview With CNN”
Give them a break. The changed the username and password from the default
Name: admin
Password: admin
to the much more secure
Name: LAPD
Password: LAPD
Login: GUEST
Re: Re:
No way… it can’t be. Jesus Christ, that is just Babytown frolics.
Maybe we can sneak the Master Control Unit into the LAPD system and just let it run amok.
Couldn’t be any worse, right?
Re: Re:
Or maybe the Central Scrutinizer?
So change it again.
Try “1234”.
Re: So change it again.
That is the same password I have on my luggage!
Let’s be very clear here.
For the training password for their COMS system, they have the user id: “training” and the password “comsstudent”.
I think the most important question we need to ask is: Why the f*** did you need to write that down on the whiteboard? LAPD officers can’t remember that if you tell them?
Re: Re:
I don’t know about the LAPD specifically, but a lot of police departments have an official policy of not hiring very intelligent officers (as in literally if you score above a certain amount on an IQ test–and sometimes the cutoff is below 100–you don’t get the job) because smart people might end up doing something dangerous like thinking for themselves rather than following orders.
Re: Re: Re:
I know.
The latest excuse I heard was that people with higher IQ’s tend to quit the jobs after shorter periods of time. Talk about misidentifying a symptom as the problem.
Re: Re: Re: Re:
Actually I could totally believe that, much like Mason notes above, the smart ones are likely to actually think about what they’re being asked/ordered to do, and assuming they’re not sadists and/or sociopaths, that is likely to lead to them quitting(since reporting corrupt cops to corrupt cops isn’t likely to help, and they’d know it).
Re: Re: Re:
Yep, saw a documentary about a guy who wanted to be a cop and both his town and state refused him for being too smart, that he would get bored.
Thankfully in my Canadian province, cops need to take 3 years of college before even hitting the academy (even have to take Calc I) and even then it doesn’t mean they’ll become a cop. 3/4 of them end up in private security(they can’t have guns here).
Only problem is we have an overload of private security these days, the other day I saw this obviously roid’d agent with an all black suit with SECURITY in what must have been 64 inches font in white in the back IN A SUPERMARKET.
Re: Re: Re:
Yep, its true. Tested for LASD, scored very high,like top 1%, background in network security, university degree. Denied.
Just saying…
Re: Re:
This is clearly a classroom setting. It’s a non-story from a security standpoint. But from a 4th Amendment standpoint it still is.
Re: Re: Re:
It’s a non-story from a security standpoint
Given their lack of technical savvy, why do you assume their training environment does not contain actual information? I have seen plenty of data breaches that involved training and testing environments that were simply subsets of production databases.
Re: Re: Re:
“It’s a non-story from a security standpoint.”
Not true. There are two fairly major security issues here. First, “training systems” and “production systems” are frequently the exact same system, but with special accounts used for training purposes. Having a login to a training account makes it easier to to obtain logins to production accounts or to the database itself.
Second, and more worrying, it exhibits a cavalier attitude to security that more than likely permeates the entire organization. Security conscious people do not relax their standards because “training”. Security is a matter of overall habit, not something that is conditionally applied.
Not that this mitigates blame, but… I have no doubt that someone… a line producer or video editor… spotted this chestnut and allowed it to remain. Prevailing attitude: “Not my job to blur it, unless you ask me specifically.”
Re: Re:
Maybe someone in management told him that he wasn’t paid to think and he gave them what they wanted?
Luggage
[King Roland has given in to Dark Helmet’s threats, and is telling him the combination to the “air shield”]
Roland: One.
Dark Helmet: One.
Colonel Sandurz: One.
Roland: Two.
Dark Helmet: Two.
Colonel Sandurz: Two.
Roland: Three.
Dark Helmet: Three.
Colonel Sandurz: Three.
Roland: Four.
Dark Helmet: Four.
Colonel Sandurz: Four.
Roland: Five.
Dark Helmet: Five.
Colonel Sandurz: Five.
Dark Helmet: So the combination is… one, two, three, four, five? That’s the stupidest combination I’ve ever heard in my life! That’s the kind of thing an idiot would have on his luggage!
…
President Skroob: Did it work? Where’s the king?
Dark Helmet: It worked, sir. We have the combination.
President Skroob: Great. Now we can take every last breath of fresh air from Planet Druidia. What’s the combination?
Colonel Sandurz: 1-2-3-4-5
President Skroob: 1-2-3-4-5?
Colonel Sandurz: Yes!
President Skroob: That’s amazing. I’ve got the same combination on my luggage.
Dark Helmet, Colonel Sandurz: [looks at each other]
Training person is a moron too
Who writes “Cdrive/programfiles/” when describing file locations… extremely non-technical people.
Furthermore, who uses “carriage return” to describe hitting the enter key these days?
This training session was clearly designed for morons by morons.
Re: Training person is a moron too
ok, i take back the carriage return part – looking more closely, i see they’re uses an escape sequence &??newline& to represent the CR in an expression (can’t read the ?? part)
Re: Training person is a moron too
Obviously you have not taken many Microsoft or Cisco training classes over the years
Lets be fair...
They are cops, not IT security gurus. I mean, I had a job working with a branch of state police where the Shift head told me after being reported for the 5th time setting up his laptop to automatically log him in (getting around the windows policies because we had to give him admin access) that people who are going to break in his car will most likely steal the shotgun that is bolted and locked into the floor than the laptop sitting on the front seat booted up and running.
Yeah…that happened. Another one also wanted me to sign a contract that I wouldn’t steal any of his pirated software.
Don't Cheapen Real Security Screw-ups
Who cares? I have run IT training many times where I put the shared login up on a whiteboard. It’s pretty standard practice to have an isolated training instance and to load dummy data so you don’t have to worry about specific user rights.
Save all the hate for real security screw-ups. Piling on to this one just looks like petty cop-hating.
Re: Don't Cheapen Real Security Screw-ups
First, why do you assume that their training environment is all dummy data?
Second, assuming that a bad security practice is acceptable because you engage in it takes a special kind of narcissism.
Re: Re: Don't Cheapen Real Security Screw-ups
Michael, name calling isn’t very productive. It’s an easy thing to do while cloaked in the anonymity of the internet (and while disregarding Techdirt’s request to use your real name), but I wonder if you would speak to someone like that in person.
Back to the LAPD: Why do you assume it isn’t dummy data? In addition to leading classes, I have also attended dozens and NEVER ONCE has the training system had real data. We don’t even use real data in our dev environments– only UAT and production have real data. AFAIK, this is industry standard. If they have real data on a training instance, THAT is the REAL mistake.
Re: Re: Re: Don't Cheapen Real Security Screw-ups
First, my name is actually Michael.
Second, I was not name calling. Bad security practice is bad security practice. Writing down a username and password combination is simply bad practice – it is insecure. It is particularly insecure to do it somewhere that a CNN camera is going to be. Using the rational that you have done it as evidence that it is ok is narcissistic.
As far as the dummy data? I am glad to hear you have only worked in environments in which training data is not at least partially actual data. It is also absolutely bad practice. I can let you know that after working in the legal and IT departments of software companies, major multi-media companies, health care companies, government contractors, and a state motor vehicle department, the only place I have seen this ALWAYS followed is at a couple of software companies.
If you live in the united states, I can almost guarantee that you have personal information stored in training and test environments.
Re: Re: Re:2 Don't Cheapen Real Security Screw-ups
First, in my opinion you’re not in keeping with the spirit of the “real name” request (and, in my opinion, you know this).
Second, you called me “a special kind of narcissist.” Technically you only implied it, I suppose.
Shared training credentials leaking via the CNN report is a total red herring. There are so, so, so many reasons not to have training accounts on production systems and to not have real data on training instances that anyone who does this (company prohibition or no) is lazy and unprofessional. The bonus is, if this is done, there’s no reason to worry about training credentials being revealed.
Really, what’s the alternative? Create unique training accounts and high-entropy passwords for every user for every class? How will these credentials be transmitted to the user? If it’s in writing, you know some third party would eventually get their hands on that and blow it out of proportion too (even if these unique accounts were deleted at the end of the training session since the bias on the internet seems to be to assume that everyone who is not you is a complete moron).
Re: Re: Re: Don't Cheapen Real Security Screw-ups
I don’t see where he engaged in name-calling.
“It’s an easy thing to do while cloaked in the anonymity of the internet”
If the internet has shown us anything, it’s that it’s equally easy to do when you are using your real name. Anonymity doesn’t enter into it.
Re: Re: Re:2 Don't Cheapen Real Security Screw-ups
Yo! FENDERSON!!
Where does Techdirt have a “‘real name’ request” or “request to use your real name” ? Is there something like that in the account signup process? ‘Cause I’ve never seen that–otoh, I’ve never bothered to get an account here, either.
If there actually was some kind of “real name policy” here, I think I might be philosophically opposed. Further, I kinda, sorta, just suspect Masnick might be philosophically opposed, too.
Re: Re: Re:3 Don't Cheapen Real Security Screw-ups
Huh? What does Techdirt’s policies have to do with anything? I was talking about the notion that making people use their real names (which is impossible to do anyway) will stop them from being assholes. It doesn’t.
Re: Re: Re:4 Don't Cheapen Real Security Screw-ups
I can assure you.
I am an asshole in person too.
Re: Re: Re:4 Don't Cheapen Real Security Screw-ups
Did you actually read the comments of the person, this soi-disant “Matt Goff”, to whom you were replying? (He made these weird claims.)
Or is actually reading comments too much like actually reading court opinions?
Re: Re: Re: Don't Cheapen Real Security Screw-ups
I agree. Not once have I been in a training class with ‘real’ data. This isn’t that awesome of a story.
Re: Re: Re: Don't Cheapen Real Security Screw-ups
The only time I have seen training systems that used dummy data were third party training. Every internal training system I have seen has always been a full or partial clone of a production system. In fact the training system is almost never a separate system just for training. Usually it is a test or development environment. Hell I have even seen training done on a production system.
Sure best practice would be to have a separate training system with dummy data, but most of the world doesn’t work that way because management just see’s it as a extra unnecessary cost. Much like electronic/software security in general.
your data is safe
No one got unauthorised access to our database
Right, they got a valid username and password so they are authorised
You don’t show login credentials, regardless if they are for practice, and in a supposedly isolated training environment. First off, you are now training people wrong, second, never assume that “isolated environment” is as isolated as your wishful thinking would have it.
But what i find is more important is the passwords mentioned at the bottom of the article. Not only do they suck, but this is a shared login? No way to track who did what and when. Utter and complete bullshit. Probably by design.
And they aren’t IT gurus? They don’t have to be, they just need to be reasonably educated users, but that is too hard for them, and apparently their apologists. But let’s roll with the “not IT gurus”: How the hell cam you reasonably expect them to do anything legally or in the proper fashion while they are pursuing their favorite new bugaboo, “cyber”crime?
Look, if the cops aren’t good at what they are doing, you don’t defend them, you replace them, if they refuse to be educated. They’ll nail you for any ridiculous (even perceived or made up) infraction if they don’t like the way you look. But rules or sensible behavior for cops? Oh my, no.
Maybe the first thing he should have taught them is how to create a secure password /log-in , It makes sense from a training stand point to teach the new guys who may not be tech savvy how to create a better more secure password, just my opinion .. leading and training by example and teaching good habits would be considered a better alternative dummy data or not.
My cat provides better passwords than that. Seriously LAPD?