Hacktivists have targeted the Cincinnati Police Department after last week’s police shooting of Paul Gaston. Gaston was shot and killed by Cincinnati police on Wednesday, February 17, 2016 after he “failed to comply” with the responding officer’s commands, according to the police department. Hacktivists in retaliation have publicly posted the personal data of more than 50 Cincinnati Police officers.
Paul Gaston reportedly appeared to be driving under the influence after crashing into multiple objects and finally a utility pole. He was fatally shot after allegedly reaching for a gun on his waistband. Police later discovered that the gun was actually a Springfield BB gun.
Since the incident, a group called Anon_Verdict has posted personal information of 52 Cincinnati Police officers, along with data from ohio.gov, on Pastebin. The information includes names, titles, ages, social media accounts, addresses, phone numbers and family members' personal details. After Pastebin removed the information, the attackers reposted it on another paste site, quickleak.se.
Anon_Verdict stated in a video on YouTube that they will "dump as many officers as we see fit for each situation. We will not only release the officer who murdered the citizens' information but we will release those that have stood by in the department that did not speak up."
Anon_Verdict has claimed on Twitter that they are holding additional information until an indictment decision is made about the involved police officers. If the officers are not indicted, Anon_Verdict has threatened to dump personal information about police officers in other districts.
Reasons for Concern
At the moment, it is uncertain how the hacktivists obtained this information about the Cincinnati police. There are two likely possibilities. The first is that the group used Google and other public sources to locate information that was already exposed (open-source collection). The second is that the group used an attack method known as SQL injection to extract the information from databases behind the Cincinnati Police Department and Ohio.gov web applications.
OWASP ranks injection, of which SQL injection is the most common form, as the number one web application risk in its Top 10. SQL injection targets web applications whose code builds database queries from user-supplied input without validating or parameterizing it, so that the input can change the meaning of the query. It is the best-known member of the injection family, which also includes LDAP and XML injection. The attacker's goal is to alter the SQL query the application sends so that it returns or modifies data the user is not authorized to access, or, on some database platforms, executes commands. Most web applications store their data in a database reached through SQL queries, so control over those queries can mean control over the application: depending on the privileges of the database account the application uses, an attacker may read the entire backend database, including administrator credentials, drop or create database objects, and on some platforms run operating-system commands on the database server.
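The following Python example is added here to illustrate the mechanism described above; it is not part of the original advisory and makes no claim about how the Cincinnati Police Department or Ohio.gov systems were built. It uses an in-memory SQLite database loaded with constructed sample rows, and contrasts a lookup that concatenates user input into the SQL text (so `' OR '1'='1` returns every row and a `UNION` clause reads the schema catalog) with the parameterized version, which treats the same input as a literal username and returns nothing. The table name, columns and values are all invented for the example.

```python
import sqlite3

# Constructed sample data for the demonstration only; not real records.
OFFICERS = [
    (1, "jdoe", "Jane Doe", "Sergeant", "555-0100"),
    (2, "rroe", "Richard Roe", "Officer", "555-0101"),
    (3, "admin", "Site Admin", "Administrator", "555-0199"),
]


def make_db():
    """In-memory SQLite database standing in for a web application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE officers (id INTEGER PRIMARY KEY, username TEXT, "
        "full_name TEXT, title TEXT, phone TEXT)"
    )
    conn.executemany("INSERT INTO officers VALUES (?, ?, ?, ?, ?)", OFFICERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable pattern: untrusted input is spliced into the query text.

    A quote in `username` ends the string literal and whatever follows is
    parsed as SQL, so the caller's input can change the query's structure.
    """
    query = (
        "SELECT full_name, title, phone FROM officers "
        f"WHERE username = '{username}'"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: a parameterized query.

    The query text is fixed; the driver passes the value separately, so the
    same injection payload is compared as a literal username and matches no row.
    """
    return conn.execute(
        "SELECT full_name, title, phone FROM officers WHERE username = ?",
        (username,),
    ).fetchall()


# Payloads an attacker would submit through the application's input field.
TAUTOLOGY = "x' OR '1'='1"
# UNION payload: three columns to match the original SELECT, reading SQLite's
# schema catalog (sqlite_master) instead of the officers table.
SCHEMA_DUMP = "x' UNION SELECT name, sql, type FROM sqlite_master WHERE '1'='1"


def demo():
    """Run both lookups against both a normal username and the payloads."""
    conn = make_db()
    return {
        "normal_vuln": lookup_vulnerable(conn, "jdoe"),
        "normal_safe": lookup_safe(conn, "jdoe"),
        "tautology_vuln": lookup_vulnerable(conn, TAUTOLOGY),  # all 3 rows leak
        "tautology_safe": lookup_safe(conn, TAUTOLOGY),        # []
        "schema_vuln": lookup_vulnerable(conn, SCHEMA_DUMP),   # table definition leaks
        "schema_safe": lookup_safe(conn, SCHEMA_DUMP),         # []
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

Note that SQLite's Python driver refuses stacked statements, so a `'; DROP TABLE officers; --` payload fails here; on database platforms and drivers that allow multiple statements per call, or that expose command execution (for example through stored procedures), the same concatenation flaw lets the attacker go well beyond reading data. The fix is the same in every case: keep query structure fixed and pass user input only as bound parameters.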
Over the last year, hacktivists have increased their activity around social and political issues. Given the amount of media attention police shootings attract, they serve as fodder for cyber-attacks. Protests have moved into the digital world through denial-of-service and SQL injection attacks, and hacktivists work to spread their message through defacements, doxing, SQL injection and denial of service.
What's Expected Next
These attacks are expected to continue as a wider audience becomes aware of Paul Gaston's death. The attackers are expected to release more information about Cincinnati police officers, and perhaps about other police departments involved in similar cases, and to conduct both digital and physical protests against the police department.
Recommended Steps for Organizations at Risk
This attack highlights the need to deploy a web application firewall (WAF) to block web application attacks such as SQL injection.
WAFs are designed to mitigate the OWASP Top 10 attack classes, but because those classes are well known and today's threats are increasingly sophisticated, we list a few requirements to look for in an industry-leading WAF:
- An integrated hybrid solution that protects against multi-vector attacks combining DDoS with web-based exploits such as website scraping, brute force and HTTP floods
- Goes beyond IP to develop a device fingerprint enabling precise activity tracking over time
- Automatically generates updated policy rules in real time
- Shortest time from deployment to security
- Has a synchronization mechanism among all security controls for real time updates
Under Attack and in Need of Expert Emergency Assistance?
Radware offers a full range of solutions to help networks properly mitigate attacks similar to these. Our attack mitigation solutions provide a set of patented and integrated technologies designed to detect, mitigate and report today's most advanced cyber threats. With dedicated hardware, fully managed services and cloud solutions that protect against attacks, Radware can help ensure service availability. To understand how Radware's attack mitigation solutions can better protect your network, contact us today.