(12-10-2020, 10:21 AM)Hightop77 Wrote: In a subsequent statement, FDLE Commissioner Rick Swearingen said the agency’s “investigation began last month following a complaint by Florida Department of Health that a person illegally hacked into their emergency alert system.”
“As part of our investigation, FDLE agents served a search warrant this morning at the Centerville Court residence where Ms. Jones lives after determining the home was the location that the unauthorized message was sent from,” Swearingen said. “Agents knocked and called Ms. Jones both announcing the search warrant and encouraging her to cooperate. Ms. Jones refused to come to the door for 20 minutes and hung-up on agents.”
“After several attempts, Ms. Jones allowed agents inside. Agents entered the home in accordance with normal protocols and seized several devices that will be forensically analyzed. At no time were weapons pointed at anyone in the home. Any evidence will be referred to the State Attorney for prosecution as appropriate,” the statement added.
I don't doubt that she sent it, but is it really hacking?
COVID data manager investigated, raided for using publicly available password
Not only does the whole state share one password, but it's posted publicly.
Florida police said a raid they conducted Monday on the Tallahassee home of Rebekah Jones, a data scientist the state fired from her job in May, was part of an investigation into an unauthorized access of a state emergency-responder system. It turns out, however, that not only do all state employees with access to that system share a single username and password, but also those credentials are publicly available on the Internet for anyone to read.
Jones on Monday shared a video of the police raid on her house as part of a Twitter thread in which she explained the police were serving a search warrant on her house following a complaint from the Department of Health. That complaint, in turn, was related to a message sent to Florida emergency responders back in November.
About 1,700 members of Florida's emergency-response team received the communication on November 10, according to the affidavit (PDF) cited in the search warrant for Jones' home. The message urged recipients to "speak up before another 17,000 people are dead. You know this is wrong. You don't have to be a part of this. Be a hero. Speak out before it's too late."
That unauthorized message was sent to the contact list for Florida's Emergency Support Function 8, or ESF-8, one of 18 groups of Florida state emergency-response personnel. ESF-8 is headed under the Florida Department of Health and coordinates public health response, including "triage, treatment, and transportation" across multiple agencies. All users in the group share the same username and password, the affidavit confirms. Investigators looked at system logs and identified an IPv6 address associated with the message, which they then determined to be connected to Jones' house.
After the raid on her home, Jones gave multiple media interviews in which she repeatedly denied having anything to do with the message. To CNN, for example, she said, "I'm not a hacker," and added that neither the tone nor the content of the message matches her communication style.
In November, when the message went out, state DOH spokesman Jason Mahon declined to answer the Tampa Bay Times' questions about "what, if anything, had been done to better secure the emergency alert system against future hacks, nor whether there have been other instances where the system had been hacked."
It now seems the Times' question may have gone unanswered because the Florida Department of Health had no answer, other than to continue bad security practices.
"All users assigned to [ESF-8 tools] share the same username and password," the affidavit cited in the search warrant confirmed. That set of login credentials apparently does not change when users resign or are fired; instead, "once [employees] are no longer associated with ESF8 they are no longer authorized to access the multi-user group."
That set of account credentials that all users share is part of a logistics operation manual that is publicly searchable and accessible on the Florida DOH's website.
A redacted screenshot from a publicly available PDF showing the login information for ESF-8 communications systems. This is the kind of information you might tack up in your cubicle—not the kind of information you want all over the Internet.
https://arstechnica.com/tech-policy/2020...s-website/