Posted on 06/26/2012 10:19:42 AM PDT by Altariel
EVANSVILLE — Stephanie Milan, 18, was relaxing in her family’s living room Thursday watching the Food Network when a heavily armed squad of Evansville police officers arrived on the front porch.
Dressed in full protective gear, police broke the storm door of the home at 616 East Powell Ave. — the Milans’ front door was already open on the hot summer day. They also broke a front window. They tossed a flashbang stun grenade into the living room that made a deafening blast. A short distance away, a local television crew’s cameras were rolling. The police had invited the station to videotape the forced entry of the residence.
Stephanie Milan said she managed to remain calm because she knew her family hadn’t done anything wrong. Still, she was stunned and confused.
After speaking to Milan and her grandmother, Louise, police determined those inside the house had nothing to do with their investigation.
Police were executing a search warrant for computer equipment, which they said was used to make anonymous and specific online threats against police and their families on the website topix.com.
“The front door was open. It’s not like anyone was in there hiding,” said Ira Milan, Stephanie's grandfather and owner of the property for many years. “To bring a whole SWAT team seems a little excessive.”
Ira Milan said the perpetrator of the threats likely used Stephanie’s Internet service connection from an outside location, which led police to the East Powell Avenue address.
But Police Chief Billy Bolin said, “We have no way of being able to tell that,” and the concerning Internet posts “definitely come back to that address.”
“I think it was a show of force that they are not going to tolerate this,” said Ira Milan, “But what about the residents and what they have to tolerate?”
After noting he has lived there for 30 years, Milan said, “No one has ever been arrested at my house.”
Bolin said Friday that department records indicated relatives associated with the address had criminal histories.
Mayor Lloyd Winnecke said Friday he spoke to Bolin about the incident and was satisfied that police were justified in forcibly entering the home.
“They had what they thought were very specific threats against police officers, their families and the communities,” Winnecke said.
He said police told him that the Milans’ storm door and window were being repaired at city expense.
Workers were at the Milan home on Friday repairing the storm door and broken window. Carpet inside the house was stained with black residue from the flashbang grenade.
Ira Milan said police offered to pay for the damage. Laptops and a cellphone belonging to Stephanie Milan — a May graduate of Signature School who will attend the University of Southern Indiana this fall and major in radiology — were seized in the raid and remained in police possession on Friday.
Bolin said the SWAT team used its standard “knock and announce” procedure of knocking on the wall and repeating the words “police search warrant” three times before entering.
The police chief said the procedure doesn’t require officers to wait for a response.
“It’s designed to distract,” he said.
The decision to use force
Police used what they called a law enforcement threat matrix to determine the proper response to information in the posts. One post mentioned explosives, and another specifically named Bolin and referenced the area where he lives. But no other officers’ names or addresses were identified.
Sgt. Jason Cullum, a police department spokesman, said one person had posted that he possessed explosives, and that “Evansville is going to feel the pain.” That threat, Cullum said, played a major role in dictating the police response.
Cullum said the conversation at topix.com which concerned officers began under a blog headline.
“It said, ‘EPD leak: Officers’ addresses given out,’ or something along those lines. There were some generalized comments about people not liking the police, and that didn’t really concern us,” Cullum said, but then the threats became more specific and suggested officers’ families could be at risk.
Time stamps on the postings indicated that they were made Wednesday evening. Cullum defended the department’s action.
“We brought them out and talked to them,” Cullum said of the Milans. “They were released at the scene. Investigators felt they were not involved in the posting.
“This is a little more difficult that a traditional crime scene, because we’re dealing with the Internet. They definitely weren’t expecting (a SWAT team at the door). The reason we did that is the threats were specific enough, and the potential for danger was there.
“This is a big deal to us,” Cullum said. “This may be just somebody who was online just talking stupid. What I would suggest to anybody who visits websites like that is that their comments can be taken literally.”
The search warrant
Police were executing a search warrant approved by a judge. Such warrants are routinely filed in the Vanderburgh County Clerks Office, but officials in the clerks office said Friday afternoon they had no record of a warrant served on that address.
When asked by the Courier & Press for access to the document that allowed them to force entry to the home, Bolin refused. He said it might contain information that would compromise their investigation. However, he said the document didn’t contain names of any suspects.
“We have an idea in our mind who it is, but we don’t have evidence yet,” Bolin said.
Vanderburgh County Prosecutor Nick Hermann also refused to release the warrant.
The Courier & Press filed Freedom of Information requests Friday afternoon seeking the document from the police department, clerk’s office and prosecutor’s office.
Good discipline on the password complexity but there are numerous ways to hack databases without a password. MySQL just announced a bug where it allowed access 1 out of every 256 attempts without verifying the password.
Failure to patch databases is the most common reason.
My suggestion is to never allow your database server to be connected directly to the internet even with a firewall.
storm troopers, one and all
This assumes that you are important enough for someone to go through the effort in attempting to find your router. As you pointed out, suppressing the SSID is just one layer to keep the morons out and moving to the next schmuck.
I don’t use that sort of DB. Look up KeePass on SourceForge.net. It creates an encrypted database in which all of your passwords are stored. It’s really a great little program.
I installed it on a thumbdrive which I encrypted and paired to the TPM in my secure desktop. Any passwords I need are accessed from that thumbdrive and are inaccessible unless the thumbdrive is plugged into the secure desktop, the TPM is authenticated, and the 160 bit passkey is typed in to unencrypt the database. Essentially it’s 3-factor authentication.
I also use the encrypted thumbdrive to save my MSOutlook PST/OST files, my banking credentials, MSMoney DB, and Firefox profile. Now granted if I ever lost this thing or it was otherwise destroyed, I’d be hopelessly lost, but I treat this device like I treat my wallet.
You can never be too careful.
Sadly you’re right. Even the *ahem* techs *clears throat* at Geek Squad can have questionable credentials. Never use someone who advertises on a road sign or on a public bulletin board, IMO.
Your best bet is someone who works in the industry as an engineer or administrator who does more than answer phones at a help desk. That’s not to say that help desk people aren’t technically ethical or knowledgeable, but help desk is usually where IT people 1) start their career and/or 2) end their career. I worked help desk for 6 years and have been doing engineering work for 15. If you don’t have the drive to get out of help desk you’re either a masochist or lazy.
Every database has its vulnerabilities. We tested on Oracle DB and had every password within 15 minutes. Security isn’t just passwords or encryption. They certainly help but it takes the whole picture to keep things locked up.
Key management applications help manage passwords and keepass is one. Sounds like a good system you have going there.
Most people won;t have the skills, the patience or the money to do this, but the purchase of one of the smaller wireless SonicWALLs like the TZ100W with the full security suite will present more of a challenge then most casual or semi-casual hackers and script kiddies can muster.
SonicWALL treats the wireless side as an entirely different subnet, and you must set up explicit firewall rules to allow your WLAN users access. And that’s in addition to using ACLs to allow/deny users.
SonicWALL devices are also good at detecting IP spoofing and other threats. Not cheap, but easily worth the $600 - $800 you’ll spend. www.sonicguard.com is a good resource.
If you have a network then you are important enough. You probably have banking, tax, or other personal info. If nothing else I can use your network to hack other people.
That way you get a visit from the swat commandos instead of me.
I run a security company so we see a lot of what happens.
I’d second the Sonicwall recommendation. We scan our sonicwall on a regular basis and have found it to be pretty darn good.
If nothing else dump the cheap crap verizon/comcast gives you and at least put a linksys in. Those aren’t too terrible.
I understand DB vulnerabilities but admittedly steer clear of them mostly out of ignorance but also out of a lack of need.
I don’t run any DBs on my home network anymore, esp. with all of the stories I hear and read about DB security.
In a domain environment, I force all DBAs to change the default ports to prevent script kiddies from banging on the door and enact two-factor authentication for administration (usually certs and complex passwords).
Authentication needs to be looked at with a fine-toothed comb. Passwords/phrases are old-tech. Smart cards, biometrics, and character/vision-based authentication make more sense, IMO.
It’s more about money at that point, Noumenon. When people shop for home wireless routers, they’re looking at the cheap-o $35 dLinks. Hell, anymore the ISPs are providing gateways with wireless routers built into them and controlling security from the home office. I’ve had to specifically request wired-only gateways for customers who I’ve helped to setup their home networks. That additional hardware layer of abstraction can often keep script kiddies at bay.
That's the truth. You can war-drive any apartment/condo complex and any 'burb and find a smörgåsbord of available APs. Far too many folks leave their wireless wide open.
Even up in Sandpoint, Idaho in an industrial area, I can 'see' no fewer than 8 APs, 3 of which are wide open, 2 of which are using WEP (bars of marshmallow), 2 using WPA-PSK and only one besides mine using WPA2 Enterprise.
Time to pierce the veil of Sovereign Immunity and allow victims of police overreach to get hold of those lucrative pensions. The same goes for judges rubber-stamping warrants. That might put a little more control back into the mix.
The IP they care about is the public IP address on the WAN side of the router. That can absolutely be associated with a given ISP account. It is essential that you secure the WLAN side of your network as previously suggested several times.
D!ckheads.
Wow, this didn’t get much coverge other than this article. It’s shameful.
I hope they sue that city for every last penny it has.
I know there is a big divide on the right between the pro-cop people and the jack-booted thug people.
All I can say is I USED to be pro-cop, but now I’m pretty much of the they are all jack-booted thugs school.
Because it seems that is what they aspire to be.
Our governments, fed, state and local, all need to be slapped down many, many notches.
Don’t you know it’s FAR different for the police to invade the homes of the Elite than it is for them to invade a peasant’s home?
The knights of the realm are granted the privilege to harass the serfs, not the nobles or gentry.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.