FDJ News
source document reporting...
SHARE THIS PAGE

OPSEC Fail: LAPD Kept user ID and Password to Big Data Policing Software on Office Whiteboard, Broadcast to CNN Viewers

June 26, 2014 19:45:48 UTC
Share :
Comment :
LAPD datamining password leak on CNN
Credit:CNN. Cropped screenshot of LAPD Captain II John Romero being interviewed by CNN while inside the LAPD’s Real Time Analysis and Critical Response Division (yellow circle added by FDJ).

On April 21, 2014, CNN interviewed Los Angeles Police Department Captain II John Romero[1] from within the LAPD’s Real Time Analysis and Critical Response Division (“RACR”),[2] the office responsible for LA’s “big data policing” efforts.[3] As shown in the screenshot above, serving as a backdrop for the interview was an LAPD whiteboard containing information that could be useful to a hacker seeking to hijack data from the LAPD. Most significant, the whiteboard shows the user ID “training” and the password “camsstudent”, which correspond to a “lans computer login” (LAN is an acronym for Local Area Network). The whiteboard also displays an LAPD folder path for “camsdesktop” data.

Captain Romero’s interview was part of a “City of Tomorrow” segment broadcast June 6, 2014, on CNN.[4] The segment centered on the LAPD’s use of automatic license plate readers (ALPRs) and datamining software called Palantir, “[a] powerful application that can claim the CIA as an early investor.”[5] The LAPD uses ALPRs to log the GPS coordinates of people as they drive through the city.[6] The license plate numbers and GPS coordinates of the vehicles are loaded into a database that can be searched using Palantir. “Anybody who is a vehicle owner in a public place and has passed a license plate reader will be in our dataset,”[7] said Captain Romero. “Over the course of a day the LAPD can scan tens of thousands of license plates across the city.”[8]

The CNN segment shows LAPD Sergeant Jason O’Brien using Palantir to search for data on a burglary suspect.[9] “After searching over a hundred million datapoints, Palantir displayed an impressive web of information,” said CNN reporter Rachel Crane.[10] Palantir’s interface resembles a web search engine with datasets labeled People, Vehicles, Locations, Crime, Arrests, FIs (Field Interview Reports), Citations, Bulletins, Tips, and Everything (view screenshot).[11] The video also shows Sergeant O’Brien accessing the LAPD’s automatic license plate reader database to map the past locations of the burglary suspect, which go back as far as March 2011.[12]

The text of the leaked user ID and password (i.e., “training” and “camsstudent”) suggests that they grant access to a training environment for the LAPD’s Computer Analysis Mapping System (“CAMS”). The folder path “.../esri/camsdesktop/data” likely relates to the LAPD’s CAMS Desktop applications developed by ESRI, a “supplier of Geographic Information System software, web GIS and geodatabase management applications.”[13] According to an ESRI press release dated October 2, 2006, “[t]he [CAMS] intranet application is accessible from any of more than 6,300 department-wide computers. Users can view maps, query information, conduct easy-to-use analysis, and generate reports. Information including crime incidents, crime and arrest locations, recovered vehicles, citations, traffic accidents, calls for service, and more...”[14]

Key questions relating to the training environment remain unanswered: Does it reside on an air-gapped LAN within the RACR facility, or is it accessible over the LAPD intranet? If not air-gapped, can it be accessed over the internet? Aside from accessibility, does it utilize live data?

Regardless of how the LAPD may answer the above questions, keeping a password—any password—on an office whiteboard in plain sight is deeply troubling. Haphazardly allowing CNN to film the password for a national news broadcast is more troubling still. Captain Romero told CNN that the LAPD “cannot just go searching for you or anyone else without a reason because we have a lot of data for people who have done nothing.”[15] But the whiteboard on display during the interview casts doubt upon the LAPD’s ability to keep its data private.

FDJ News coordinated with the American Civil Liberties Union (“ACLU”) of Southern California to have the LAPD notified of its password leak. In response, the LAPD changed the login and assured the ACLU that it will be educating all LAPD employees with regard to cybersecurity.

This is not the first time the LAPD has exhibited lax password security. In response to California Public Records Act[16] requests sent by the Electronic Frontier Foundation (“EFF”) and the ACLU of Southern California, the LAPD disclosed two documents containing login instructions for its automatic license plate reader terminals installed in patrol cars. The first document instructs officers to enter a user ID of “LAPD” and a blank password.[17] The second document, dated two years later, instructs officers to enter “LAPD” in both the user ID and password fields.[18]

Updated June. 26, 2014: After this article was published, the LAPD informed the ACLU of Southern California that the login is to a training environment that cannot be accessed outside the LAPD.

Share :
Comment :
1.

See Romero, John - official website of THE LOS ANGELES POLICE DEPARTMENT. LAPD [website], http://www.lapdonline.org/lapd_command_staff/comm_bio_view/46856 (last accessed: Jun. 26, 2014).

2.

See Crane, Rachel. (Jun. 6, 2014, 10:57am - 11:00am PDT). City of Tomorrow [news broadcast]. CNN, available at http://www.cnn.com/video/data/2.0/video/tech/2014/05/25/cot-la-license-plates.cnn.html (last accessed: June 14, 2014), 00:00:58-00:01:02. RACR is located at 500 East Temple Street, Los Angeles, CA 90012. See RACR Division’s VIP Tour of the Regional Crime Center NA09245rh - official website of THE LOS ANGELES POLICE DEPARTMENT. (Sept. 15, 2009). LAPD [website], http://www.lapdonline.org/september_2009/news_view/42847 (last accessed: Jun. 26, 2014); Grand Opening of new facility for Real-Time Analysis and Critical Response Division NR09453rh - official website of THE LOS ANGELES POLICE DEPARTMENT. (Sept. 15, 2009). LAPD [website], http://www.lapdonline.org/september_2009/news_view/42863 (last accessed: Jun. 26, 2014).

3.

See Crane, Rachel. (Jun. 6, 2014, 10:57am - 11:00am PDT). City of Tomorrow [news broadcast]. CNN, available at http://www.cnn.com/video/data/2.0/video/tech/2014/05/25/cot-la-license-plates.cnn.html (last accessed: June 14, 2014), 00:00:23-00:00:26 (CNN graphic using phrase “big data policing”); Willon, Phil. (Sept. 17, 2009). LAPD opens new high-tech crime analysis center. L.A. Times Blog [website], http://latimesblogs.latimes.com/lanow/2009/09/crime-lab.html (last accessed: Jun. 26, 2014).

4.

See Crane, Rachel. (Jun. 6, 2014, 10:57am - 11:00am PDT). City of Tomorrow [news broadcast]. CNN, available at http://www.cnn.com/video/data/2.0/video/tech/2014/05/25/cot-la-license-plates.cnn.html (last accessed: June 14, 2014); Fair use clip of whiteboard available at https://youtu.be/WPb96YCFuEo (last accessed: Jun. 26, 2014).

5.

Id., 00:01:07-00:01:12.

6.

See Bond-Graham, Darwin & Winston, Ali. (Feb. 27, 2014). Forget the NSA, the LAPD Spies on Millions of Innocent Folks. LA Weekly [website], http://www.laweekly.com/2014-02-27/news/forget-the-nsa-la-cops-spy-on-millions-of-innocent-folks (last accessed: Jun. 26, 2014); Lynch, Jennifer. (Mar. 19, 2014). Los Angeles Cops Argue All Cars in LA Are Under Investigation. Electronic Frontier Foundation [website], https://www.eff.org/deeplinks/2014/03/los-angeles-cops-argue-all-cars-la-are-under-investigation (last accessed: Jun. 26, 2014); Sledge, Matt. (May 7, 2013). License Plate Reader Lawsuit Aims To Get LAPD, LA County Sheriff To Turn Over Secret Records. The Huffington Post [website], http://www.huffingtonpost.com/2013/05/07/license-plate-reader-lawsuit_n_3230790.html (last accessed: Jun. 26, 2014); Downs, David. (Mar. 2006). Dragnet, Reinvented. Wired [website], http://archive.wired.com/wired/archive/14.03/lapd.html (last accessed: Jun. 26, 2014).

7.

See Crane, Rachel. (Jun. 6, 2014, 10:57am - 11:00am PDT). City of Tomorrow [news broadcast]. CNN, available at http://www.cnn.com/video/data/2.0/video/tech/2014/05/25/cot-la-license-plates.cnn.html (last accessed: June 14, 2014), 00:01:55-00:02:02 (LAPD Captain II John Romero).

8.

See id., 00:00:52-00:00:58 (CNN reporter Rachel Crane).

9.

See id., 00:01:25-00:01:51.

Id., 00:01:25-00:01:33.

See id., 00:01:05 and 00:01:17.

See id., 00:01:40 and 00:01:46.

Esri. Wikipedia [website], http://en.wikipedia.org/wiki/Esri (last accessed: Jun. 26, 2014).

ESRI. (Oct. 2, 2006). Los Angeles Police Department Gains Geographic Advantage Using ESRI Software. Business Wire, available at http://www.businesswire.com/news/home/20061002006156/en/Los-Angeles-Police-Department-Gains-Geographic-Advantage (last accessed: Jun. 26, 2014). Note: Since the time of the 2006 ESRI press release, the LAPD has expanded its computer hardware infrastructure. See ITD Organization - official website of THE LOS ANGELES POLICE DEPARTMENT. LAPD [website], http://www.lapdonline.org/information_technology_division/content_basic_view/6434 (last accessed: Jun. 26, 2014) (“Information Technology Division supports the Department’s network of Local Area Networks (LANs) consisting of more than 7,600 workstations in more than 65 locations throughout the City, 80 servers; 1,200 stand-alone computers; 100 LANs; 20 WinFrame sites; over 900 printers; 29 legacy systems; access to 32 remote county, state and federal systems; Internet access; the Department’s Intranet; and a host of development projects.”).

Crane, Rachel. (Jun. 6, 2014, 10:57am - 11:00am PDT). City of Tomorrow [news broadcast]. CNN, available at http://www.cnn.com/video/data/2.0/video/tech/2014/05/25/cot-la-license-plates.cnn.html (last accessed: June 14, 2014), 00:02:02-00:02:08 (Captain John Romero).

See CAL. GOV. CODE §§ 6250- 6270, available at http://www.leginfo.ca.gov/cgi-bin/displaycode?section=gov&group=06001-07000&file=6250-6270 (last accessed: Jun. 26, 2014).

See Pips Technology. (Nov. 1, 2009). User Guide: Automatic License Plate Recognition Vehicles (ALPR). EFF FOIA Release, available at https://www.documentcloud.org/documents/1355312-nov-01-2009-pips-lapd-alpr-vehicle-userguide.html (last accessed: Jun. 26, 2014).

See Dolan, Stephen. (Oct. 4, 2011). Email to LAPD RE: ALPR vehicle Operating Instructions. ACLU FOIA Release, available at https://www.documentcloud.org/documents/1355313-oct-04-2011-lapd-email-re-alpr-vehicle-operating.html (last accessed: Jun. 26, 2014).