
70 Million Prisoner Phone calls Hacked

By ISBuzz Team, November 17, 2015

An enormous cache of phone records obtained by The Intercept reveals a major breach of security at Securus Technologies, a leading provider of phone services inside the nation’s prisons and jails.

The materials — leaked via SecureDrop by an anonymous hacker who believes that Securus is violating the constitutional rights of inmates — comprise over 70 million records of phone calls, placed by prisoners to at least 37 states, in addition to links to downloadable recordings of the calls. The calls span a nearly two-and-a-half year period, beginning in December 2011 and ending in the spring of 2014.

Particularly notable within the vast trove of phone records are what appear to be at least 14,000 recorded conversations between inmates and attorneys, a strong indication that at least some of the recordings are likely confidential and privileged legal communications — calls that never should have been recorded in the first place. Security experts from Lieberman Software, STEALTHbits and ESET explain that Securus may not be to blame.

Jonathan Sander, VP of Product Strategy at Lieberman Software:

“People are saying the massive breach of Securus prisoner phone call data breaks the promise Securus made about a superior security platform, but looking at what’s happened and what they promised that doesn’t seem to be the case.

Securus promised that only authorized users of their platform, which records and catalogs millions of phone calls made to and from prison inmates, would be able to access the data in the system. Like so many other applications Securus built a great set of controls around the good guys walking into the front door, but it’s likely this breach was about bad guys sneaking in the back.

Did Securus practice safe coding practice at every step of the way? Did they ensure that any administrative functions for the application were as secure as the user interface used by the lawyers, law enforcement staff, and government officials? The blame may not even be with Securus. Securus could have built an amazingly secure platform, but poor IT operations processes around that may have exposed it to exploits.

If it was set up on systems or databases with unchanged default passwords (all too common) or being run on unpatched systems, then all the application security in the world may not have helped. There will be a lot of finger wagging done at Securus for their role in this, but it would do us all good to step back and see this in the broader context of how we’re failing at every layer of cybersecurity.”

Jeff Hill, Channel Marketing Manager with STEALTHbits:

“The Securus breach illustrates the growing importance of protecting oft-neglected unstructured data.  Note that the hackers obtained both structured data (phone call metadata like phone numbers, call times, and duration) and unstructured data: the actual recordings of the phone calls. Which is more sensitive, damaging, controversial?  Would the legal community be nearly as concerned if the fact that a certain prisoner made a 30-minute phone call to his attorney on January 4th at 3 pm were exposed? Perhaps. But it’s far more disconcerting that the recording of that discussion – possibly replete with sensitive details of the crime and his or her defense strategy – has been made public. One hopes that breaches like Securus, Sony, and a host of other similar occurrences wake the cyber-security community up to the reality that there are far more sensitive data types than credit card numbers on today’s enterprise networks.

“The breach highlights the moral dichotomy inherent in hacktivism. The Securus hacker broke the law – ostensibly for no personal financial or other gain – but rather only to expose an injustice. This Robin Hood-esque cyber-attack theme is becoming more common as the explosion in data has exposed otherwise clandestine, nefarious activities of powerful interests to discovery and disclosure by much less traditionally powerful entities. Are the hackers that exposed the Ku Klux Klan membership list criminals or heroes? Is Edward Snowden a traitor, or icon of the civil liberties protection movement? The bottom line for the modern organization is that as the variety of cyber “bad” actors mushrooms, so do the challenges to protect their networks from intrusion. It may sound cliché to suggest that ‘every network is a potential target’ in this environment, but that cliché is rapidly transforming into reality by the day.”

Mark James, Security Specialist at IT Security Firm, ESET:

“Of course the problem we have here is how the data was compromised. If it was encrypted and someone with the authority to view or access it in the first place was able to make copies and/or move this data off site, then the question should be why was the data not segregated off and stored with multi-factor access or even digitally encoded for tracing purposes? If the data was not encrypted and it was accessed by someone who managed to compromise the system, then of course why it was not encrypted is the big question.

Quite often in these cases the storing of this data is governed by general rules to protect data as a whole and sadly not all data is equal. Some data needs to be protected differently than others, the data is now “in the wild” and nothing can be done about that. Securus will have to deal with the backlash of that and look at measures to protect the storage of future data in an attempt to stop this from happening again. In these circumstances access to this data could have massive repercussions due to the nature of the content and it should have been better protected.”


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
