Attorney Representing Whistleblowing Cops Claims Police Department Dropped Spyware On His Hard Drive

from the RAT.EXE dept

This news is infuriating if true. And its chances of being true are pretty high, considering how little cops having the whistle blown on them care for those blowing the whistle. In this case, police officials didn't just stonewall a court order to produce records. They also allegedly dropped backdoors and keyloggers onto the plaintiff's hard drive.

An Arkansas lawyer representing current and former police officers in a contentious whistle-blower lawsuit is crying foul after finding three distinct pieces of malware on an external hard drive supplied by police department officials.
In response to a discovery request, the Fort Smith Police Department was ordered to turn over numerous items, including Word documents, PDFs and emails. Attorney Matt Campbell provided an external hard drive to the PD. When it was returned to him, it contained some of what he requested, along with three pieces of software he definitely didn't request.
In a subfolder titled D:\Bales Court Order, a computer security consultant for Campbell allegedly found three well-known trojans, including:

Win32:Zbot-AVH[Trj], a password logger and backdoor
NSIS:Downloader-CC[Trj], a program that connects to attacker-controlled servers and downloads and installs additional programs, and
Two instances of Win32Cycbot-NF[Trj], a backdoor
The police department claims it has no idea how these ended up on Campbell's hard drive. It maintains its innocence despite acknowledging its computers have anti-virus software installed that should have prevented these from ending up on its drives, much less being copied to an external drive. Campbell isn't buying these proclamations. In an affidavit submitted to the court, he alleges the PD added these trojans to take control of his computer and intercept his passwords and communications.

Campbell's first attempt to have this apparent breach investigated went nowhere.
Last September, Arkansas State Police officials declined Campbell's request that the agency's criminal investigation division probe how the hard drive sent to Campbell came to be booby-trapped. "The allegations submitted for review appear to be limited to misdemeanor violations which do not rise to a threshold for assigning a case to the CID Special Investigations Unit," the commander of the CID wrote in a September 29 letter declining the request.
So, even though CID stands for "Criminal Investigation Division" and a misdemeanor is, in fact, a criminal offense, the Arkansas State Police decided that it couldn't be bothered to examine an incident that could have resulted in breaches of attorney-client privilege. "Don't bother us until it's a felony," is the message being sent here. Even if the CID had no interest in dealing with small-time (but not really, considering the implications) misdemeanors, it could have at least referred Campbell to authorities who would be interested in pursuing this. But it didn't -- which either means it had no interest in anyone pursuing this further or knew no other entity would be interested in pursuing an investigation of the Ft. Smith PD.

Perhaps the latter is more likely. Campbell took his complaint to the district's prosecuting attorney and met similar non-results. The district attorney's office claimed it didn't have the resources to pursue this, suggesting that its limited resources will only be used to investigate those outside of the law enforcement sphere.

So, Campbell has asked the judge to hold the department in contempt of court and impose sanctions. Not only did the PD apparently drop malware on Campbell's drive, but it also skirted many of the discovery order's stipulations.
Defendants have failed to properly answer discovery requests in compliance with this Court's Order, to wit:

a. Defendants have engaged in intentional spoliation of evidence by deleting entire email accounts without allowing Plaintiffs to search the emails;

b. Defendants have engaged in ongoing, intentional spoliation of evidence by failing to preserve and provide deleted emails that, by their own admissions, were recoverable;

c. Defendants have relied upon past AFOIA responses in answering Plaintiffs' discovery requests, resulting in Defendants providing emails that have improper redactions; and

d. Defendants have failed to provide usable documents related to Capt. Alan Haney's computer, inasmuch as the external hard drive supplied to Plaintiffs contained malicious software designed to hack into Plaintiffs' counsel's computer, rendering the hard drive unsafe for Plaintiffs' use.
The affidavit goes into greater detail on all of these accusations. One of the most egregious abuses alleged is the apparently intentional deletion of the entire content of a PD official's email account.
After receiving Defendants' responses to Plaintiffs' requests, Plaintiffs reviewed the produced documents and noted that few, if any, emails from most of the Defendants had been produced, aside from what had been previously produced in response to AFOIA requests. Accordingly, Plaintiffs' counsel arranged with Defendants' counsel to meet at the FSPD with Mr. Matlock, and that meeting was scheduled for August 5, 2014.

[...]

As this Court may recall, Defendants cancelled this scheduled meeting on August 1, 2014, via email to Plaintiffs' counsel. Plaintiffs' counsel contacted this Court on August 4, 2014, in an effort to have the August 5 meeting date honored. Defendants' counsel responded on that same date, contending that there was nothing untoward or suspicious about the last-minute rescheduling and that Court intervention into the matter was not needed.
Except there was something suspicious about this last-minute rescheduling.
The meeting between Plaintiffs, Defendants, and Mr. Matlock was rescheduled for August 28, 2014. On August 5, 2014, however, Maj. Chris Boyd, Sr., retired from the FSPD. On August 28, when Plaintiffs' counsel asked Mr. Matlock to pull up Maj. Boyd's email account, Defendant Jarrard Copeland immediately asked Mr. Matlock whether Boyd still had an email account, to which Mr. Matlock replied that he did not. Mr. Matlock further informed Plaintiffs' counsel that the emails had been deleted. When pressed on this issue, Mr. Matlock confirmed that they were deleted after Maj. Boyd's retirement on August 5, 2014.
On top of that, Mr. Matlock was still telling other cops he would be in town on the day he told the plaintiffs he wouldn't be available (August 5), according to emails obtained by Campbell. Then, suddenly, he was completely unavailable.
That this was intentional spoliation is bolstered by the fact that, as late as 6:10 PM on August 4, 2014, Mr. Matlock was planning on being at the SPD 'by lunch' on August 5, 2015, and was communicating with other officers about doing specific tasks on the afternoon of August 5…

It was not until 9:06 AM on August 5, 2014 - the date originally scheduled for the meeting and four days after Defendants had cancelled the meeting - that Mr. Matlock informed anyone that he was taking that entire day off as a 'discretionary day.' And it was not until on or about August 19, 2014, when Plaintiffs' counsel requested Mr. Matlock's payroll record for the period covering August 5, that the SPD Payroll Department was actually informed that Mr. Matlock had taken a discretionary day two weeks prior. Interestingly, this is the only discretionary day that Mr. Matlock has taken in the last three-plus years.
Given the amount of obstruction and non-compliance alleged in this affidavit, it's really not that surprising that someone -- with or without approval from superiors -- loaded tainted software onto Campbell's hard drive. Sure, there's a case to be made for stupidity rather than malice, but with the other obfuscation detailed in Campbell's affidavit, the scale is definitely leaning towards the latter.

Hopefully, the court will examine these accusations closely, considering no other entity that could hold the PD responsible for its alleged misconduct seems willing to move forward with an investigation.


Reader Comments



  • Anonymous Coward, 23 Apr 2015 @ 4:37pm

    Just another day at the P.D.

    What else would you expect from the sadistic killers and torturers who make up the bulk of police forces? The truth? Bwahahahaha.


  • Anonymous Coward, 23 Apr 2015 @ 5:00pm

    He should have loaded the spyware onto a virtual machine and monitored where the traffic was going.


    • John Fenderson (profile), 24 Apr 2015 @ 7:55am

      Re:

      This is what I was going to suggest, although if the spies are halfway competent, it will just end up talking to a server in a third party cloud rather than a location that is obviously incriminating.

      But there's a reasonable chance that the spies aren't that competent, given that they installed malware that was easily discoverable.


  • Anonymous Coward, 23 Apr 2015 @ 5:18pm

    Two possibilities:

    One, this is incompetence, in which case an investigation is sorely needed to determine how a well-known virus got on the hard drive while in police custody.
    Two, this is intentional, in which case an investigation is needed to determine who to fire and charge for the blatant criminal activity.
    Either way, an investigation is needed.


    • Anonymous Coward, 23 Apr 2015 @ 11:08pm

      Re: Two possibilities:

      Given the actions of police forces elsewhere regarding this kind of information, I'm not inclined to give the benefit of the doubt to these criminal actions.

      The police are supposed to keep the peace, not keep the peace to whatever standard we want, because fuck you, that's why.


  • You are being watched (profile), 23 Apr 2015 @ 5:21pm

    Getting real tired of this

    The courts should just award the plaintiff the case after bullshit like this instead of going ring-a-round with the police. It's been fairly obvious that they have already broken several laws.


  • Zonker, 23 Apr 2015 @ 5:29pm

    For once, the CFAA could be properly applied to obtain a federal felony conviction against the Fort Smith Police Department for attempting to illegally access a protected computer using malware. We just need to convince the DOJ to take the case...


  • Anonymous Coward, 23 Apr 2015 @ 6:21pm

    Hey techdirt people, you're missing a juicy little tidbit here.
    Which is that the computer security tech in the employ of the P.D. also went to a conference and attended classes on dealing with whistleblowers and leaks just a little bit before the drive was sent.

    This is pure preplanned coordinated malice.


  • Anonymous Coward, 23 Apr 2015 @ 6:38pm

    "Don't bother us until it's a felony," is the message being sent here.
    That's what the CFAA is for!


  • Padpaw (profile), 24 Apr 2015 @ 12:11am

    These blueshirts have no right to call themselves police officers.


    • Padpaw (profile), 24 Apr 2015 @ 12:16am

      Re:

      Wanted to add: when the methods in place in a lawful society refuse to rein in rogue organizations like the police here.

      That's when people start taking the law into their own hands, since the actual police refuse to and turn a blind eye to crime in their ranks.

      If this keeps up, there will be a lot more cops getting shot by citizens who feel like they have no options for dealing with said criminals in their ranks.


  • Anonymous Coward, 24 Apr 2015 @ 5:25am

    Misdemeanor? WTF?

    How, given the way the law is frequently interpreted, is this not at least one felony under the CFAA?


  • Anonymous Coward, 24 Apr 2015 @ 5:49am

    Good job checking the hard drive before randomly plugging it in.

    If handing over contaminated evidence is common, lawyers would have to decon everything coming from the PD.
    Allergens/pollutants on files and letters, or some blankets courtesy of old 'Poxy down in evidence.


  • Anonymous Coward, 24 Apr 2015 @ 6:43am

    Matlock is handling the case? Really?


  • Anonymous Coward, 24 Apr 2015 @ 6:46am

    By lunch on August 5, 2015 is an awfully long time in the future don't you think?


  • Reality bites, 24 Apr 2015 @ 8:32am

    Fact: Pigs lie... All the time, for fun and profit

    Feral's want a new car, they lie and steal one, they want cash, they steal yours.

    Time for a pig hunt.


  • Rekrul, 24 Apr 2015 @ 10:48am

    Any computer owner today who hasn't disabled Autorun is an idiot. Autorun was the single most stupid idea Microsoft ever had and I'm surprised that they never got sued over it. With Autorun disabled, malware on an external drive is a non-issue unless you're actually dumb enough to double-click on it.

    Even with Autorun enabled, if the drive didn't contain an Autorun.inf file in the root directory, those programs would never be executed unless someone double-clicked on them.


  • tqk (profile), 25 Apr 2015 @ 12:29am

    Umm, no, considering extenuating circumstances, I'll put it down to inconclusive.

    Sure, there's a case to be made for stupidity rather than malice, but with the other obfuscation detailed in Campbell's affidavit, the scale is definitely leaning towards the latter.

    Yes, it's messy. Yes, it's damnably suspicious. Yes, the lawyer should pursue it. Yes, the cops could be doing something dastardly.

    But really, this's MS Windows. All it would take is someone (any someone) bringing in a personal laptop or USB key (infected) and plugging it in and anything it "spoke to" is now boned. I would not expect cops to understand how to secure the overall system. Do they even employ IT people? I'd doubt it.

    An OS that sees "blah.jpg.exe" as "blah.jpg" to the user AND an executable to the OS is just asking for disaster. I'd look to the server logs for illumination, but if that's Windows server, I'd go to the router, then ISP logs instead, and I wouldn't be confident of finding a definitive answer.

    That OS, in all its various forms, is a ... Well, I'll just say it's not to be believed in any way, shape or form, to be polite. Yes, I'm an anti-Windows bigot. Sue me.

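The two comments above describe the two mechanisms by which files on a handed-over drive would actually run: an autorun.inf in the drive's root (Rekrul) and a disguised double-extension name such as "blah.jpg.exe" (tqk). The following script is an added example, not code from the article or any commenter, showing how a defender could triage such a drive read-only before trusting it: it parses any autorun.inf for its `open`/`shellexecute` entries, lists every directly executable file with its SHA-256 so the hashes can be checked against a scanner or a known-malware list, and flags decoy double extensions. The sample drive it builds is constructed inline (the folder name is taken from the article; the file contents are placeholders, not real executables) so that it runs offline; `build_sample_drive` and `audit_sample` exist only for that purpose.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions Windows will execute directly on double-click or via autorun.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js", ".msi"}
# "Document" extensions commonly used to disguise an executable (photo.jpg.exe).
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}


def parse_autorun_inf(text):
    """Return the key=value entries of the [autorun] section, lower-cased keys.

    Only the [autorun] section matters: 'open' and 'shellexecute' name the
    program that older Windows versions launch when the drive is inserted.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def sha256_of(path):
    """Hash a file in chunks; the digest is what you compare against scanner output."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_drive(root):
    """Walk a mounted drive read-only and report what could run from it."""
    root = Path(root)
    report = {"autorun": None, "executables": [], "double_extensions": []}
    # autorun.inf is case-insensitive on Windows filesystems, so match by lower-cased name.
    for entry in root.iterdir():
        if entry.is_file() and entry.name.lower() == "autorun.inf":
            report["autorun"] = parse_autorun_inf(entry.read_text(errors="replace"))
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        suffixes = [s.lower() for s in path.suffixes]
        if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
            rel = path.relative_to(root).as_posix()
            report["executables"].append((rel, sha256_of(path)))
            # photo.jpg.exe: the second-to-last suffix is a decoy document type
            if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
                report["double_extensions"].append(rel)
    return report


def build_sample_drive(base):
    """Constructed sample layout standing in for the returned external drive."""
    base = Path(base)
    court = base / "Bales Court Order"
    court.mkdir(parents=True)
    (court / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
    (court / "photo.jpg.exe").write_bytes(b"MZ placeholder, not a real executable\n")
    (base / "setup.exe").write_bytes(b"MZ placeholder, not a real executable\n")
    (base / "autorun.inf").write_text("[autorun]\nopen=setup.exe\nicon=setup.exe\n")
    return base


def audit_sample():
    """Build the constructed drive in a temp dir and audit it; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_drive(build_sample_drive(tmp))


if __name__ == "__main__":
    result = audit_sample()
    print("autorun.inf entries:", result["autorun"])
    for rel, digest in result["executables"]:
        print(f"executable: {rel}  sha256={digest}")
    print("decoy double extensions:", result["double_extensions"])
```

Run it against a real drive with `audit_drive("/media/evidence")` (or the mounted drive letter on Windows) from a machine where the drive is mounted read-only and, ideally, with no network; the output is an inventory to hand to a scanner or an investigator, and nothing on the drive is opened or executed.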

  • GEMont (profile), 25 Apr 2015 @ 12:40am

    If it quacks like a duck...

    Can't imagine why anyone would be surprised by any of the actions taken by the authorities in this situation.

    It doesn't even matter what the investigation was about.

    All the police corruption is due entirely to the War on Drugs.

    During the first prohibition, - booze - the cops were the most corrupt organization in America.

    During the second prohibition - drugs - the cops are the most corrupt organization in America.

    Without the War on Drugs, cops would have to go back to earning a barely subsistence level income.

    With the benefits of the War on Drugs, cops, lawyers, judges, politicians, businessmen, can all reap hundreds of thousands of dollars in extra income yearly through graft, playing the mule, or by simply "looking the other way".

    When the cops are getting more income annually from the mob than from the public, they no longer work for the public.

    This is obviously the case today.

    ---


