On Saturday a group known as “Anonymous”, and related to “The Anti Security Movement” or “AntiSec,” released a number of documents stolen from 76 law enforcement web sites in 11 states, most hosted or maintained by a single company.
County sheriffs maintained 57 of the hacked sites. Four of the hacked sites were state sheriffs’ associations in Alabama, Arkansas, Kansas and Missouri.
Anonymous described this online release:
“A week after we defaced and destroyed the websites of over 70 law enforcement agencies, we are releasing a massive amount of confidential information that is sure to embarass, discredit and incriminate police officers across the US. Over 10GB of information was leaked including hundreds of private email spools, password information, address and social security numbers, credit card numbers, snitch information, training files, and more. We hope that not only will dropping this info demonstrate the inherently corrupt nature of law enforcement using their own words, as well as result in possibly humiliation, firings, and possible charges against several officers, but that it will also disrupt and sabotage their ability to communicate and terrorize communities.”
Anonymous gives this self-description in this video.
AntiSec posted YouTube videos about their attack on law enforcement in retaliation for “persecution of suspected Anonymous members”:
- Antisec – message to Missouri Sheriff
- 7000+ Accounts and 70 Police sites taken down in the name of AntiSec
Hacked Site Summary
One company played a key role in almost all of the hacked sites.
Watchdog.org reviewed the sites listed by Anonymous and found direct or indirect connections to an Arkansas firm, Brooks-Jeffrey Marketing for nearly all the sites.
BJM’s own web site, bjmweb.com, was not online late Sunday evening. Earlier Sunday Watchdog.org captured a screen showing one of Brook-Jeffrey’s business areas was government web sites.
BJM was responsible for hosting many of the hacked web sites and maintains internet domain registration for most of them.
On Monday a representative from Brooks-Jeffrey said “no statement is available currently” but offered to send a statement about the hacking incident at a later date.
The only hacked site we could not find a direct or indirect connection to BJM was sheriffcomanche.com, which did not use BJM as a domain registrar and is privately listed by an Australian company. On Sunday watchdog.org was not able to connect to that site.
The following is a summary of the 76 unique sites Anonymous claimed to hack:
Two Brooks-Jeffrey Marketing sites in Arkansas:
Seventy-four websites in various states (state assignments for offline sites are tentative):
- Alabama, 4. State sheriffs’ association and 3 county sheriffs.
- Arkansas, 33. State sheriffs’ association, 5 counties, 22 county sheriffs, 2 cities, 3 other.
- California, 2. Police Officers Association of L.A.; Regional Community Policing Institute.
- Georgia, 2. Floyd and Meriwether County sheriffs.
- Illinois, 1. Knox County Sheriff.
- Kansas, 5. State sheriffs’ association, 4 county sheriffs.
- Louisiana, 1. Cameron Parish Sheriff’s Office.
- Missouri, 10. State sheriffs’ association, 9 county sheriffs.
- Mississippi, 10. 10 county sheriffs.
- Oklahoma, 1. Comanche Sheriff.
- Tennessee, 1. McMinn County Sheriff.
- Unknown: 4. 3 county sheriffs (states not certain), 1 unknown site.
Most of the sites appeared to be part of BJM’s “MostWantedWebsite” sites or “MostWantedGovernmentWebsites.com.”
On sites that were not identified as “MostWanted” a BJM logo appeared on several with an indication they were hosting the web site.
A common thread among all the web sites was sharing of information about “Most Wanted Fugitives” and local registered sex offenders.
The Anonymous AntiSec page found late Saturday provided five different kinds of information:
- Shoot the Sheriff File
- Plesk Password File
- Snitch Crime Report
- Missouri Sheriffs’ Accounts
- Email browsing
The files were part of a “BitTorrent” option to download everything in a 7.4 GB file.
But early Sunday morning much of the information could be viewed online via a web interface. By Sunday afternoon those pages appeared to be unreachable.
The torrent download from late Sunday revealed an additional file, academy.tar.gz.
The academy files were mostly Missouri-related and ranged over a number of police training topics, including:
- Crime Scenes in Jails
- Faces of Meth
- IEDs in America
- Introduction to Sheriffs and Jails
- See Red: Is Your Anger a Problem?
- Sexual Harassment Training for Supervisors
- Terrorism & WMD Online Documents
- Understanding Hostage Incidents
The statistics on the extracted academy folder:
- 8,457 files
- 532 folders
- 2.13 GB
Shooting the Sheriffs File (4600 lines)
This file lists the sites allegedly hacked and contains a number of taunting statements about the UNIX approach used to extract the information.
Six credit cards were listed that supposedly had been stolen from the online store at mosheriffs.com. The names, social security numbers, addresses and e-mail addresses were given along with the credit card numbers.
The hackers listed a number of taunting and technical narrative comments with many of the UNIX commands used to extract information from the mosheriffs.com system, such as:
- “You know what it is, its a stickup”
- “Gimme the keys to you house”
- “Why yes these are jail IPS syncing their inmate roster files to the web”
- “Just in case anyone wanted to play with their online store. We sure did.”
- “On to server number two… rooting your box all over again.”
- “Root logged in … They are on to us… But can never stop us”
- “Lets see how they attempted to secure their new server”
- “This time we’re not gonna hesitate to pull the trigger”. (About two dozen following statements wiped out files on various websites.)
- “That’s a lesson you learn, comin straight from the slums. And it don’t stop till we get full freedom”
Plesk Pasword File (1500 lines)
Brooks-Jeffrey Marketing may have used Plesk as part of Web sites hosting management for the various law enforcement agencies.
Anonymous gave the PHP scripts that were their “Plesk mass password dumper!!!” and offered an explanation for their technical feat:
“See Plesk has this ridiculously insecure default behavior to store all system/ftp/mail/cpanel/protected directory passwords in cleartext inside a mysql database called `psa`. The plesk master admin password is also stored in cleartext on a file on their server at /etc/psa/.psa.shadow. So we wrote some quick scripts to dump the passwords from a massive vhost into a nicely formatted human readable .txt file. ENJOY!!”
The categories of dumped passwords included:
- FTP/SSH usernames and passwords
- Plesk control panel login passwords
- .htpasswd protected directories
- Email password database for http://webmail.mostwantedgovernmentwebsites.com
Snitch Crime Report (1028 lines)
Most of the examples gave explicit details.
Names and addresses were included in the Anonymous files, but without knowing case specifics, we do not repeat names and addresses here to protect the integrity of the cases.
“XXXXX, a wanted parolee can be captured at XXXXX in Cape Girardeau, MO. Residence of XXXXX, girlfriend of XXXXX. XXXXX has a warrant for failure to appear to 2 court dates. Bond forteiture hearing 1/XX/11.”
“I think the lady who robbed the athens walgreens is XXXXX livin on county road XXX in the single wide trailer, rumour in the nieghborhood is she was recently arrested for DUI and having pills so after lookin at the pic we think its her,any questions feel free to email me! my family is tired of the constant traffic and discomfort of livin next to them “
“XXXXX, a resident of XXXX, AR, 20 years old, has been having sexual intercourse with an underage girl. Her name is XXXXX.”
Missouri Sheriffs’ Accounts (55,000 lines)
Anonymous makes this claim about this large file:
“7000+ accounts from missouri online training academy database (mosheriffs.com) all law enforcement officers. usernames, cleartext and non-generated passwords, home addresses, etc etc. GO!!!”
Watchdog’s analysis shows this file contains:
- 5945 usernames and passwords
- 6898 email addresses
- 6792 phone numbers
- 2124 Social Security Numbers
Emails for each of the hacked sites could be viewed by selecting a site and drilling down to the various accounts and emails, including attachments.
Watchdog looked through Emails of several of the sites and found a variety of spam and work-related emails from several of the county sheriffs’ web sites.
To avoid releasing any information that might be germane to ongoing investigations by law enforcement, perhaps the email from Pratt County, Kansas, would serve as a good example since it only shows a single test of their tips system.
On the Anonymous site the Pratt County Sheriff’s E-mails could be selected:
Some email accounts had several selections, but this one only had a “cur” option, perhaps for “current”:
Selecting the single email from the list shows it was only a test of the system:
The statistics on what was extracted from the 6 GB mail.tar.gz file from the torrent download late Sunday for 56 of the hacked sites:
- 181,069 files
- 2,898 folders
- 13.3 GB
List of sites allegedly hacked with locations by state
(20th Judicial District Prosecuting Attorney’s Office)
[same as mostwantedwebsites.net]
(Peace Officers Association Of L.A County)
(Regional Community Policing Institute)
(Ste. Genevieve County Sheriff’s Office)
(Van Buren County Sheriff’s Office)
On Sunday afternoon several of the sites were not functioning.
- faoret.com (unknown purpose)
“Site coming soon”
- Kansas law enforcement sites hacked by “Anonymous”; information leaked, Kansas Watchdog, Aug. 8, 2011.
- AntiSec hackers dump data after hacking police websites, Computerworld, Aug. 7, 2011.
- AntiSec Attacks U.S. Law Enforcement Agency Web Sites, Releases 10GB Data, International Business Times, Aug. 7, 2011.
- Group says it hacked websites of U.S. law enforcement agencies, Los Angeles Times, Aug. 6, 2011.
- AntiSec Hackers Release 10GB of Law Enforcement Data, PC Magazine, Aug. 6, 2011.
- Group Hacks Missouri Sheriff’s Association (video), KOMU TV, July 31, 2011.
Contact: Earl F Glynn, [email protected], KansasWatchdog.org