Thanks to Dave Ries, I caught up with a story from CBSNEWS that happened last year involving a security flaw in a law firm. According to the story, it took nine minutes for Daniel Oppenheimer to strangle himself to death with the zipper of his jail-issued jumpsuit in a La Habra, California police holding cell in January 2015.
An unnamed attorney, charged with defending the city, made notes on his computer. He described what he saw in the grainy footage from the badly placed surveillance cameras covering the inmate’s cell. The attorney noted that he saw “shadows” of a person walking past Oppenheimer’s cell on two separate occasions - minutes apart - as he died. But those shadows weren’t mentioned in the district attorney’s report that investigated any potential criminal wrongdoing by the police department into the inmate’s death.
Could someone have stopped Oppenheimer from hanging himself? The attorney worked for Ferguson, Praet & Sherman, which specializes in defending alleged police misconduct, and marked the notes as “work product.” The notes were put in a folder marked “do not forward to new counsel.” Apparently, someone didn’t want anyone to see what the attorney wrote.
And that might’ve been the end of it -- a two-line notation in a folder that nobody else would have even known about -- if it wasn’t for a major flaw in the law firm’s security.
From the surveillance footage, the jailer calls for help just moments after discovering the dying inmate. Chris Vickery, a security researcher, discovered the attorney’s notes and the surveillance footage among a large number of internal law case files that were inadvertently made accessible on the web.
Vickery said the video showed that someone walked past the prisoner's cell twice and did nothing to stop the suicide. He stated in a blog post that "...you can clearly see their reflections in the plexiglass as they walk by." The first reflection moves past six minutes before the jailer raised the alarm according to Vickery.
As lead security researcher of the MacKeeper security research team, he has found hundreds of databases left open on the Internet without passwords. He informs companies so they can secure their leaky systems, then blogs about his discoveries.
He found a handful of law firms that were inadvertently leaking their own case files. But what set this law firm apart was the sheer volume of data he found. He said the firm was insecurely synchronizing its backup systems across the Internet without a password.
The law firm shut down the data stream after Vickery sent an e-mail disclosing the leak. It did not respond to his e-mail.
The Orange County district attorney’s investigation into Oppenheimer’s death included a timeline of events leading up to and in the immediate aftermath of his death, but it did not mention any reflections or shadows. The report, issued in September following his death, concluded that there was “no evidence” of criminal culpability on the part of La Habra’s police department.
The article's author said he made numerous attempts to reach Ferguson, Praet & Sherman by phone and e-mail, but did not get a response from the firm.
Anyone reading this surprised by that?
As an added bonus, a related story shows you what a Cellebrite phone extraction report looks like.
E-mail: email@example.com Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology