Some 269GB of data stolen from police and the Feds in America has been shared online by miscreants.

Known as BlueLeaks, the info trove consists mostly of crime intelligence material uploaded to what are known as fusion centers. The data was taken by hackers operating under the Anonymous banner, and was bunged on the DDoSecrets data-leaking site for all to see.

Fusion center sites, created in the aftermath of the September 11 terror attacks, serve as a way for state and county cops to share information with one another and, more importantly, with the FBI and US Homeland Security.

For example, the docs in the BlueLeaks dump include bulletins from Homeland Security about tactics terrorist groups could use to side-step security measures and carry out attacks, or information from beat officers about a suspect who has gone on the run.

The authenticity of the leaked data was reportedly confirmed by an internal bulletin from the National Fusion Center Association.

“Our initial analysis revealed that some of these files contain highly sensitive information such as ACH routing numbers, international bank account numbers (IBANs), and other financial data as well as personally identifiable information (PII) and images of suspects listed in Requests for Information (RFIs) and other law enforcement and government agency reports,” the advisory states. El Reg has asked the NFCA for comment.

In that document, the NFCA attributes the leak to a network security breach at a small hosting and web services provider in Texas. It is said an attacker compromised the host’s web upload tool to gain access to the files of other customers, including police departments and fusion centers.

Netsential, the hosting provider named in the document, did not respond to a request for comment. ®


Nearly three-quarters of IT professionals haven’t increased their company’s security posture during the COVID-19 pandemic – while 90 per cent highlighted remote working as a security risk, according to a survey.

On the bright side, half of those people reckoned that remote working from home has increased productivity across the board while a further third said it was at about the same level as it was pre-coronavirus.

Carried out on behalf of secure identity biz Sectigo, its Work-from-Home IT Impact Study asked 500 IT pros for their views, comprising 100 Brits, 250 Americans and 150 drawn from Germany, France and Ireland. To be eligible, each of the IT pros had to work for a company employing at least 1,000 staff.

“As C-Level executives continue to embrace the increased productivity of a distributed workforce, they need to consider new approaches to security that rely on automation and secure digital identities,” said Sectigo CEO Bill Holtz in a canned statement, omitting to mention that his firm sells automation and secure digital identity tech.

The pandemic had an immediate impact on the IT security industry, according to the Sectigo survey, with 45 per cent of Britons saying they had to postpone planned security initiatives to apply themselves to setting up remote working tech instead. Happily, 53 per cent then reported that employee remote working productivity had increased – though a suspicious mind may wonder whether this is simply autobackslappery.

As security worries go, phishing and insecure home Wi-Fi were rated higher on the risk scale than connecting unknown personal devices to corporate networks, BYOD-style. Perhaps unsurprisingly, 82 per cent said they didn’t expect their employers to “significantly increase” security (spending) for corporate data and apps once offices reopen after the pandemic subsides; a finding explained by security already having been beefed up to cope with remote working.

Much to Sectigo’s chagrin, British respondents were mainly using traditional usernames and passwords (74 per cent) for remote authentication instead of its favoured methods, including biometrics (26 per cent) and user identity certificates (58 per cent).

A few weeks ago Sectigo let its AddTrust legacy root certificate expire, and due to a “bug in [its] system… continued providing the AddTrust External CA Root until the date of its expiration”, triggering a wave of mysterious certificate errors further down the chain of trust. ®


A group of hacktivists and transparency advocates has published a massive 269 GB of data allegedly stolen from more than 200 police departments, fusion centers, and other law enforcement agencies across the United States.

Dubbed BlueLeaks, the exposed data leaked by the DDoSecrets group contains hundreds of thousands of sensitive documents from the past ten years with official and personal information.

DDoSecrets, or Distributed Denial of Secrets, is a transparency collective similar to WikiLeaks. It publishes data and classified information submitted by leakers and hackers, while maintaining that the organization itself never takes part in the exfiltration of data.

According to the hacktivist group, the BlueLeaks dump includes “police and FBI reports, bulletins, guides and more,” which “provides unique insights into law enforcement and a wide array of government activities, including thousands of documents mentioning COVID19.”

As you can see in the screenshot below, a quick analysis of the BlueLeaks dump shows the data contains millions of files, including images, documents, videos, web pages, text files, emails, audio files, and more, though it has yet to be investigated how many of these files are classified and not supposed to be public.

Some alerts and guides leaked in BlueLeaks also contained intelligence on the protests, including the recent countrywide Black Lives Matter protests in the U.S. following the death of George Floyd at the time he was in the custody of Minneapolis police.

Some of the U.S. agencies listed in BlueLeaks are:

  • Alabama Fusion Center
  • Austin Regional Intelligence Center
  • Boston Regional Intelligence Center
  • Colorado Information Analysis Center
  • California Narcotic Officers’ Association
  • Delaware Information and Analysis Center
  • FBI Houston Citizens Academy Alumni Association
  • FBI National Academy Association Arkansas/Missouri Chapter
  • FBI National Academy Association Michigan Chapter
  • FBI National Academy Association of Texas

It appears that this massive data set stems from a security breach at Houston-based web hosting company Netsential Inc, which hosts the web server for the National Fusion Center Association (NFCA), security blogger Krebs reported.

Fusion centers are information-sharing hubs that enable intelligence exchange between local, state, tribal, and territorial law enforcement and federal agencies, maximizing their ability to detect, prevent, investigate, and respond to criminal and terrorist activities.

In a statement, the NFCA confirmed to Krebs that the “dates of the files in the leak actually span nearly 24 years — from August 1996 through June 19, 2020 — and that the documents include names, email addresses, phone numbers, PDF documents, images, and a large number of text, video, CSV and ZIP files.”

Netsential confirmed that a threat actor had leveraged a compromised Netsential customer user account and the web platform’s upload feature to exfiltrate other Netsential customers’ data, including that of several U.S. police agencies and fusion centers.

Netsential is the same web hosting company that was previously abused by attackers to infect targeted victims with ransomware by sending spoofed spear-phishing emails disguised as NFCA.


Stalker Online hacked! Over one million gamers' details put on sale

More than one million players of the video game Stalker Online have been put at risk after hackers offered their details for sale on the darknet.

As Cybernews reports, a database containing over 1.2 million Stalker Online user records is being sold on hacking forums. Separately, another database, said to contain more than 136,000 records from the game’s forums, is also being offered for sale.

Cybernews says it found the database for sale on a popular hacking forum on May 5, with a link to a defaced page on the Stalker Online website offered as “proof” that the game’s servers had been hacked.

Defaced Stalker Online webpage: Source: Cybernews.

The security of this web server has been compromised and all your files and userdata are now in our possession.

Contact us on [REDACTED] for assistance in securing your web server. If not reach within 24 hours – data gathered will be posted publicly for all to download

Of course, a defaced webpage is not evidence of a data breach. Controversially, Cybernews purchased the user database from the hacker, and says that it was able to confirm that the samples of the Stalker Online database “are genuine and the email addresses therein are deliverable.”

Purchasing stolen data from cybercriminals makes me extremely uncomfortable. It could be argued that anyone purchasing hacked databases – whether it be security researchers, journalists, or criminal fraudsters – is encouraging further hacks to occur by generating a demand for more stolen data.

The database, which is being offered for sale for “several hundred Euros worth of Bitcoins”, contains 1,289,084 Stalker Online player records, including usernames, account passwords, email addresses, phone numbers, and IP addresses.

Passwords are MD5 hashed and salted, which is certainly better than if they were held in plaintext, but such a weak algorithm may not present much of a challenge to criminals determined to crack them.

Cybernews says that it contacted the ecommerce platform that was hosting the hacker’s online store, and it has now been taken offline. However, that’s no guarantee that it will not be offered for sale elsewhere, or that anyone else might have purchased the database.


So, players of the free-to-play MMORPG, set in a post-apocalyptic world, should assume their details are now compromised. Hackers may have not only your username, email address, and phone number; they may also have cracked your password.

And if you made the mistake of reusing that password anywhere else on the internet, then there is a chance they could use that information to compromise your other online accounts.

Furthermore, you should obviously be aware that you might be targeted with phishing attacks, exploiting the information contained inside the database.

According to Cybernews, the makers of Stalker Online have not responded to messages related to the security breach.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.

Roundup: It was another week of furious firefighting in the security space, including the curious tale of a Forbes “most promising” entrepreneur indicted over alleged phishing attacks, new privacy laws in the US, software flaws and more.

VMware Tools patched for Mac bugs

Those running VMware guest machines on a Mac will want to update their software to get a security fix for VMware Tools (the software that links the guest and host machine).

A patch was released for a denial-of-service flaw (CVE-2020-3972) in Tools for Mac that would potentially allow an attacker’s code from the guest machine to crash their VM. Not a particularly bad security risk, but an annoying bug, for sure.

Mind you, this bug only appears when both the host and guest machines are running macOS, so if you stick with Linux or Windows VMs, you won’t encounter this flaw.

Office for Mac plays catch-up with security fixes (and a bonus Windows patch)

Earlier this month, Microsoft dropped its usual boatload of Patch Tuesday updates, sans a set for Office for Mac. A week on and Mac users were getting their patches for four CVE entries.

The most serious are CVE-2020-1225, CVE-2020-1226, and CVE-2020-1321, which allow for remote code execution via a poisoned Excel file. While Microsoft didn’t consider these to be “critical” risks, as the user has to open the file themselves, anyone who regularly sends and receives Office docs knows how easy it can be to open a file without properly checking its source.

The fourth bug, CVE-2020-1229, allows for security feature bypass.

Those running Office for Windows should have the updates along with the other Patch Tuesday fixes, but if you haven’t got to that yet, now would be a great time.

There was also one fix from Microsoft for Windows Spatial Data Services, a set of REST APIs for working with, of course, spatial data. The elevation of privilege error (CVE-2020-1441) requires an attacker’s application to be already running on the machine, and if that is taking place, it’s already pretty much game over.

‘Anonymous’ hackers take credit for Atlanta police website takedowns

A group claiming to be part of the Anonymous movement said it was responsible for a website outage at the Atlanta, GA Police.

Local news says that the June 14 outage had the police website offline from 8:30-11:30 AM.

The AnonOpUSA Twitter account laid claim to the outage, saying it was an attack in retaliation for the death of Atlanta man Rayshard Brooks at the hands of police. These Anonymous attacks, by design, can be difficult to verify so it’s hard to say for sure who was behind the takedown or if/when they plan to strike again.

Microsoft adds rootkit scanning to Windows Defender

Good news from Redmond – Microsoft said it can scan UEFI firmware with Windows Defender Advanced Threat Protection. This means that users who run the Microsoft security suite for their antimalware needs have a way to scrub their machines for hard-to-remove rootkit infections.

This takes some doing, even for Microsoft, as chipset makers try to keep the firmware as insulated from the rest of the operating system as possible to prevent attacks and exploits.

“It integrates insights from our partner chipset manufacturers and further expands the comprehensive endpoint protection provided by Microsoft Defender ATP,” Microsoft boasted.

Influential senator pushes for new privacy law

Sherrod Brown (D-OH), a ranking member of the powerful US Senate Committee on Banking, Housing, and Urban Affairs, said he wants the government to pass a strict new set of privacy laws.

Brown put forward a draft of what he brands the Data Accountability and Transparency Act of 2020.

The bill would call for, among other things, an outright ban on facial-recognition technology and the creation of a new Federal agency dedicated to protecting personal privacy.

The draft bill is certainly ambitious, and Brown has no shortage of sway on Capitol Hill, but we’re guessing provisions like the facial recognition ban or the requirement of audit reports for anything deemed a “decision-making algorithm” will be non-starters with many in the Senate, so don’t expect this one to go into law any time soon.

Man admits to running $11m phishing fraud scam

A man from Nigeria once dubbed a rising star in the African business community admitted to operating a set of business email compromise scams that netted him and others at least $11m.

The US Department of Justice says that 32-year-old Obinwanne Okeke had a part in a number of phishing attacks and fraudulent wire transactions against a number of companies including construction gear giant Caterpillar. He pleaded guilty to one count of wire fraud.

Okeke, who was once featured in the Forbes Africa 30 most promising entrepreneurs under 30 list, was ostensibly an entrepreneur CEO of the Invictus Group of companies, but according to prosecutors was actually getting money through business email compromise schemes.

He faces up to 20 years in prison when he is slated to be sentenced in October by a Virginia Federal Court.

US government unveils pilot DNS security program for contractors

The NSA says it is in the process of running a pilot program to offer DNS security services for government contractors.

The idea, according to NSA head of cybersecurity Anne Neuberger (via NextGov), is to get better DNS security into the hands of small and mid-size contractors who don’t have the money for their own dedicated security operations but, because of the government work they do, are at risk of attacks. Neuberger noted that the project is still in its early phases (the NSA hasn’t even identified a service provider), but the hope is that it could reduce malware infections at government contractors by more than 90 per cent.

Tech giants graded poorly for China policy

A House Republican said that, surprise surprise, social media providers aren’t doing enough to stop Chinese propaganda.

Rep. Michael McCaul (R-TX) of the House Foreign Affairs Committee issued a series of scorecards taking Twitter (graded D-), Facebook (C+), and YouTube (C-) to task for, in his opinion, failing to crack down on pro-Communist Party material coming out of China.

Criteria include not only taking down propaganda, but also preventing officials from getting verified accounts and fact-checking posts.

“The solution is simple – deplatform CCP officials and propagandists who consistently spread lies,” said McCaul, the lead Republican on the Committee.

“Sadly, while we had some positive conversations and some steps have been taken, these companies have chosen to allow CCP officials to continue to operate on their sites instead of doing what’s right.”

Oracle subsidiary sees data cache exposed

An Oracle-owned marketing company is being cited as the source for a potentially massive exposure of data collected via web tracking.

The collection of billions of records has been attributed to unnamed companies running tools from BlueKai, whose service lets marketers track user activity to target their web ads. Apparently this was yet another case of a database not being properly secured by a customer, only to be stumbled upon later by researchers.

Oracle claims the data has since been locked down (and may have been scrubbed for personally identifying info even when it was exposed), though the fact remains that tracking records were left sitting out on the open internet for some time, and it can’t be said for sure who might have accessed it.

Follow me for more information.

Google recently removed 106 more extensions from its Chrome Web Store after they were found illegally collecting sensitive user data as part of a “massive global surveillance campaign” targeting oil and gas, finance, and healthcare sectors.

Awake Security, which disclosed the findings late last week, said the malicious browser add-ons were tied back to a single internet domain registrar, GalComm.

However, it’s not immediately clear who is behind the spyware effort.

“This campaign and the Chrome extensions involved performed operations such as taking screenshots of the victim device, loading malware, reading the clipboard, and actively harvesting tokens and user input,” Awake Security said.

The extensions in question posed as utilities offering capabilities to convert files from one format to the other, among other tools for secure browsing, while relying on thousands of fake reviews to trick unsuspecting users into installing them.

Furthermore, the actors behind the operation used evasion techniques to keep anti-malware solutions from flagging the domains as malicious, allowing the surveillance campaign to go undetected.

In total, the extensions were downloaded nearly 33 million times over the course of three months before Awake Security reached out to Google in May.

The search giant, in response to the disclosures, has deactivated the problematic browser extensions. The full list of offending extension IDs can be accessed here.

Telemetry data has revealed that some of these extensions were active on the networks of “financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education, and government organizations,” although there’s no evidence that they were actually used to collect sensitive data.

“Galcomm is not involved, and not in complicity with any malicious activity whatsoever,” the Israel-based registrar’s owner Moshe Fogel told Reuters, which broke the development.

Deceptive extensions on the Chrome Web Store have continued to be a problem, what with bad actors exploiting it for malvertising and other data-stealing campaigns.

Earlier this February, Google removed 500 malware-ridden extensions after they were caught serving adware and sending users’ browsing activity to attacker-controlled servers. Then in April, the company yanked another set of 49 extensions that masqueraded as cryptocurrency wallets to steal Keystore information.

It’s recommended that users review extension permissions by visiting “chrome://extensions” on the Chrome browser, consider uninstalling those that are rarely used, or switch to other software alternatives that don’t require invasive access to browser activity.

Web skimming is a common class of attacks generally aimed at online shoppers. The principle is quite simple: malicious code is injected into the compromised site, which collects and sends user-entered data to a cybercriminal resource. If the attack is successful, the cybercriminals gain access to shoppers’ payment information.

To make the data flow to a third-party resource less visible, fraudsters often register domains resembling the names of popular web services, and in particular Google Analytics (google-anatytics[.]com, google-analytcsapi[.]com, google-analytc[.]com, google-anaiytlcs[.]com, google-analytics[.]top, google-analytics[.]cm, google-analytics[.]to, google-analytics-js[.]com, googlc-analytics[.]com, etc.). But attacks of this kind were also found to sometimes use the authentic service.

To harvest data about visitors using Google Analytics, the site owner must configure the tracking parameters in their account, get the tracking ID (trackingId, a string of the form UA-XXXX-Y), and insert it into the web pages together with the tracking code (a special snippet of code). Several tracking codes can coexist on one site, sending data about visitors to different Analytics accounts.

Recently, we identified several cases where this service was misused: attackers injected malicious code into sites, which collected all the data entered by users, and then sent it via Analytics. As a result, the attackers could access the stolen data in their Google Analytics account. We found about two dozen infected sites worldwide. The victims included stores in Europe and North and South America selling digital equipment, cosmetics, food products, spare parts etc.

The screenshot below shows how the infection looks — malicious code with the attacker’s tracking code and tracking ID:

Screenshot 1

The attacker tries to hide their malicious activity using a classic anti-debugging technique. Screenshot 2 shows code for checking whether Developer mode is enabled in the visitor’s browser. The code in the screenshot above is executed only if the result is negative.

Screenshot 2

Curiously, the attackers left themselves a loophole — the option to monitor the script in Debug mode. If the browser’s local storage (localStorage) contains the value ‘debug_mode’==’11’, the malicious code will spring into life even with the developer tools open, and will go as far as to write comments to the console in clumsy English with errors. In screenshot 3, the line with the ‘debug_mode’ check follows the implementation of the RC4 encryption algorithm (used to encrypt the harvested data before sending it).

Screenshot 3

If the anti-debugging is passed, the script collects everything anyone inputs on the site (as well as information about the user who entered the data: IP address, UserAgent, time zone). The collected data is encrypted and sent using the Google Analytics Measurement Protocol. The collection and sending process is shown in screenshot 4.

Screenshot 4

The stolen data is sent by invoking the send event method, with the harvested data placed in the ‘eventAction’ field.

The function signature in this case is:

```javascript
ga('send', 'event', {
  'eventCategory': 'Category', // Protocol parameter: ec; value type: text; max length: 150 bytes
  'eventAction': 'Action',     // Protocol parameter: ea; value type: text; max length: 500 bytes
  'eventLabel': 'Label'        // Protocol parameter: el; value type: text; max length: 500 bytes
});
```

This leads to an HTTP request being sent to the URL

In the case described above, the malicious code is inserted into a script on the infected site in “readable” form. In other cases, however, the injection can be obfuscated, and the malicious code can also be downloaded from a third-party resource. Screenshot 5 shows an example of such obfuscation. In this variant, a call to a malicious script hosted on firebasestorage.googleapis[.]com is inserted into the infected site.

Screenshot 5

After deobfuscation, we obtain a similar script with the same distinctive comments. Part of its code is presented in screenshot 6 (a different tracking ID is used).

Screenshot 6

What’s the danger

Google Analytics is an extremely popular service (used on more than 29 million sites, according to BuiltWith) and is blindly trusted: administrators write * into the Content-Security-Policy header (used for listing the sources from which third-party code may be loaded), or explicitly allow the service, so data sent to it passes the policy. What’s more, the attack can be carried out without downloading code from external sources, so a policy restricting script sources does not by itself stop it.
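The indicators above (an extra tracking ID alongside the site's own, look-alike analytics domains, the ‘debug_mode’ localStorage loophole, and an over-broad Content-Security-Policy) can be checked for mechanically. The following audit script is an added example, not code from the Kaspersky report; the allowlist, the sample page and the two sample policies are constructed for it, and the three-edit threshold for look-alike domains is an assumption.

```javascript
// Added example (not code from the Kaspersky report): audit a page's HTML/JS for the
// indicators described above: Google Analytics tracking IDs missing from the site's own
// allowlist, look-alike analytics domains, the 'debug_mode' localStorage loophole, and a
// Content-Security-Policy that lets scripts or connections reach any host. The allowlist,
// the sample page and the sample policies are constructed for this example.

const LEGIT_HOSTS = new Set(['google-analytics.com', 'googletagmanager.com']);
const TRACKING_ID_RE = /\bUA-\d{4,10}-\d{1,4}\b/g;
const HOST_RE = /https?:\/\/([a-z0-9.-]+)/gi;
const DEBUG_MODE_RE = /localStorage\s*(?:\.getItem\s*\(\s*|\[\s*)['"]debug_mode['"]/;

// Levenshtein distance, used to spot domains a few characters away from the real one.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// Last two labels of a host, so ssl.google-analytics.com is judged as google-analytics.com.
function baseDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// True for hosts within three edits of a legitimate analytics domain but not equal to one
// (covers the typo, swapped-letter and odd-TLD variants listed in the text). The
// threshold of three edits is an assumption made for this example.
function isLookAlikeAnalyticsHost(host) {
  const base = baseDomain(host);
  if (LEGIT_HOSTS.has(base)) return false;
  return [...LEGIT_HOSTS].some((legit) => editDistance(base, legit) <= 3);
}

// Names of script-src / connect-src directives (after default-src fallback) that admit
// any host; such a policy cannot restrict where an injected script or its beacon goes.
function cspOverlyBroad(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return ['script-src', 'connect-src'].filter((name) => {
    const sources = directives[name] || directives['default-src'] || [];
    return sources.some((s) => s === '*' || s === 'https:' || s === 'http:');
  });
}

// Returns a list of { type, value } findings for one page's source.
function auditPageSource(source, allowedTrackingIds) {
  const allowed = new Set(allowedTrackingIds);
  const findings = [];
  for (const id of new Set([...source.matchAll(TRACKING_ID_RE)].map((m) => m[0]))) {
    if (!allowed.has(id)) findings.push({ type: 'unknown-tracking-id', value: id });
  }
  for (const host of new Set([...source.matchAll(HOST_RE)].map((m) => m[1].toLowerCase()))) {
    if (isLookAlikeAnalyticsHost(host)) findings.push({ type: 'lookalike-analytics-host', value: host });
  }
  if (DEBUG_MODE_RE.test(source)) findings.push({ type: 'debug-mode-loophole', value: 'debug_mode' });
  return findings;
}

// Constructed sample: the shop's own tracker plus the indicator lines of an injected script.
const SAMPLE_PAGE = `
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script>ga('create', 'UA-1234-1', 'auto'); ga('send', 'pageview');</script>
<script>
  if (localStorage.getItem('debug_mode') == '11') { console.log('debug'); }
  ga('create', 'UA-987654-2', 'auto', 'x');
  new Image().src = 'https://google-anaiytlcs.com/collect?v=1&t=event&tid=UA-987654-2';
</script>`;

// Constructed policies: the weak wildcard form beside a form pinned to the real service.
const WEAK_CSP = "default-src 'self'; script-src 'self' *";
const STRICT_CSP = "default-src 'self'; script-src 'self' https://www.google-analytics.com; connect-src 'self' https://www.google-analytics.com";

console.log(auditPageSource(SAMPLE_PAGE, ['UA-1234-1']));
console.log(cspOverlyBroad(WEAK_CSP), cspOverlyBroad(STRICT_CSP));
```

Even the strict policy still permits data to reach the genuine service, which is exactly why the tracking-ID allowlist check matters alongside the CSP check.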

How to avoid the issues

  • Install security software. Kaspersky solutions detect malicious scripts used in such attacks as HEUR:Trojan-PSW.Script.Generic.
  • Do not install web applications and CMS components from untrusted sources. Keep all software up to date. Follow news about vulnerabilities and take recommended actions to patch them.
  • Create strong passwords for all administration accounts.
  • Limit user rights to the minimum necessary. Keep track of the number of users who have access to service interfaces.
  • Filter user-entered data and query parameters to prevent third-party code injection.
  • For e-commerce sites, it is recommended to use PCI DSS-compliant payment gateways.


Hundreds of thousands of potentially sensitive files from police departments across the United States were leaked online last week. The collection, dubbed “BlueLeaks” and made searchable online, stems from a security breach at a Texas web design and hosting company that maintains a number of state law enforcement data-sharing portals.

The collection — nearly 270 gigabytes in total — is the latest release from Distributed Denial of Secrets (DDoSecrets), an alternative to Wikileaks that publishes caches of previously secret data.

A partial screenshot of the BlueLeaks data cache.

In a post on Twitter, DDoSecrets said the BlueLeaks archive indexes “ten years of data from over 200 police departments, fusion centers and other law enforcement training and support resources,” and that “among the hundreds of thousands of documents are police and FBI reports, bulletins, guides and more.”

Fusion centers are state-owned and operated entities that gather and disseminate law enforcement and public safety information between state, local, tribal and territorial, federal and private sector partners.

KrebsOnSecurity obtained an internal June 20 analysis by the National Fusion Center Association (NFCA), which confirmed the validity of the leaked data. The NFCA alert noted that the dates of the files in the leak actually span nearly 24 years — from August 1996 through June 19, 2020 — and that the documents include names, email addresses, phone numbers, PDF documents, images, and a large number of text, video, CSV and ZIP files.

“Additionally, the data dump contains emails and associated attachments,” the alert reads. “Our initial analysis revealed that some of these files contain highly sensitive information such as ACH routing numbers, international bank account numbers (IBANs), and other financial data as well as personally identifiable information (PII) and images of suspects listed in Requests for Information (RFIs) and other law enforcement and government agency reports.”

The NFCA said it appears the data published by BlueLeaks was taken after a security breach at Netsential, a Houston-based web development firm.

“Preliminary analysis of the data contained in this leak suggests that Netsential, a web services company used by multiple fusion centers, law enforcement, and other government agencies across the United States, was the source of the compromise,” the NFCA wrote. “Netsential confirmed that this compromise was likely the result of a threat actor who leveraged a compromised Netsential customer user account and the web platform’s upload feature to introduce malicious content, allowing for the exfiltration of other Netsential customer data.”

Reached via phone Sunday evening, Netsential Director Stephen Gartrell declined to comment for this story.

The NFCA said a variety of cyber threat actors, including nation-states, hacktivists, and financially-motivated cybercriminals, might seek to exploit the data exposed in this breach to target fusion centers and associated agencies and their personnel in various cyber attacks and campaigns.

The BlueLeaks data set was released June 19, also known as “Juneteenth,” the oldest nationally celebrated commemoration of the ending of slavery in the United States. This year’s observance of the date has generated renewed public interest in the wake of widespread protests against police brutality and the filmed killing of George Floyd at the hands of Minneapolis police.

Stewart Baker, an attorney at the Washington, D.C. office of Steptoe & Johnson LLP and a former assistant secretary of policy at the U.S. Department of Homeland Security, said the BlueLeaks data is unlikely to shed much light on police misconduct, but could expose sensitive law enforcement investigations and even endanger lives.

“With this volume of material, there are bound to be compromises of sensitive operations and maybe even human sources or undercover police, so I fear it will put lives at risk,” Baker said. “Every organized crime operation in the country will likely have searched for their own names before law enforcement knows what’s in the files, so the damage could be done quickly. I’d also be surprised if the files produce much scandal or evidence of police misconduct. That’s not the kind of work the fusion centers do.”

June 2020