Last Thursday, UK-based researcher and activist Thomas White has made available for download 2.5 GB of data stolen in a recent hack of the computer systems of the Fraternal Order of Police (FOP), the biggest police union in the United States.
White, who goes online by the handle of CthulhuSec, says he’s not the hacker behind the breach, and that he received the data dump from a source whose identity he is determined to keep secret.
He offered no more details at that time about how the hack might have happened, and said that he has still 18TB of related material that he chosen not to publish yet because it’s marked as classified or sensitive.
“We do not wish to dictate to the media how the information may be useful. I was told it should be released on the grounds the information is within the scope of public interest, in light of an ever increasing divide between the police groups and the citizens of the US. As such, we do not wish to guide the media in how to report on this. My role in this is to ensure the information is accessible to all so that a proper analysis may be done by both established media outlets and individual investigators who wish to expose any wrongdoing,” he explained.
Since the release, it was discovered that the dump contains controversial police contracts, limited personal information about some union members, and a backup of thousands of forum posts made by members on the private forum on the FOP’s website (Fop.net). Since Thursday evening, the website in question has been pulled offline.
Chuck Canterbury, the president of the FOP, has issued a statement claiming that their “data system has been hacked by the Group known as Anonymous” and that the attack “appears to have originated outside of the United States.”
“The data posted to date is merely Bargaining Contracts that we have collected and inputed into our data system and those are all available on the open web. They have however breeched all of our records and therefore we have shut down access to our entire site. We have engaged professionals to identify all the necessary steps we need to take to put our system back on line and it may take several days,” he said.
“Our professional Computer experts have identified how the hackers made access but that information cannot be distributed at this time for obvious reasons. Suffice it to say that the level of sophistication was very high.”
He also told The Guardian that the attackers “were able to feed our system a pseudo-encryption key that the system should not have accepted but did because of software errors.”
The union notified the authorities of the breach, and the FBI is looking into it.
But White took to his blog again to dispute some of the things claimed by Canterbury. He says that the attack was not carried out by Anonymous. Secondly, that the attack was not done by a UK IP address or a single IP address at all, and thirdly, that the attack was not sophisticated.
“A while ago thegrugq tweeted that any attack within the OWASP 10 should not be called sophisticated – and I agree. On those grounds, the attack was not sophisticated at all,” he noted.
“In fact, from what I know of how the attacker conducted it, you should be ashamed of how trivial it was that your servers were rooted. If your ‘computer experts’ have identified the flaw as you claim to have, you should realise you are either lying or have not hired experts if they call it sophisticated.”
He reiterated that he is at the authorities’ disposal if they want to talk about what he knows, and that he has no stake in the hack. “I didn’t commit it, and I only was told about it after the fact. Therefore, I have no conflict of interests or desire to make anyone look better or worse than the evidence is, nor am I up for any election, so I don’t have to be friendly to people I don’t like.”
“I believe the police should have corruption exposed as all other places should also have wrongdoing exposed when they are in a public office. However, the information should not be used to attack the police; it should be used to help them address their problems and correct them,” he noted beforehand.