SweepWizard, an app that law enforcement used to coordinate raids, left sensitive information about hundreds of police operations publicly accessible.

Last September, law enforcement agents from five counties in Southern California coordinated an operation to investigate, raid, and arrest more than 600 suspected sex offenders. The mission, Operation Protect the Innocent, was one of the largest such raids in years, involving ​​over 64 agencies. According to the Los Angeles Police Department, it was coordinated using a free trial of an app called SweepWizard.

The raid was hailed as a success by Chief Michael Moore of the LAPD at a press conference the following week. But there was a problem: Unbeknownst to police, SweepWizard had been leaking a trove of confidential details about the operation to the open internet.  

The data, which the LAPD and partners in the regional Internet Crimes Against Children (ICAC) Task Force uploaded to SweepWizard, included private information about the suspects as well as sensitive details that, in the wrong hands, could tip off suspects as to when they were going to be raided and cast suspicion on people who had not yet been convicted of any crime. 

The SweepWizard app, built by a company called ODIN Intelligence, is meant to help police manage multi-agency raids. But WIRED found that it didn’t just expose data from Operation Protect the Innocent; it had already leaked confidential details about hundreds of sweeps from dozens of departments over multiple years. The data included personally identifying information about hundreds of officers and thousands of suspects, such as geographic coordinates of suspects’ homes and the time and location of raids, demographic and contact information, and occasionally even suspects’ Social Security numbers. All this data was likely exposed due to a simple misconfiguration in the app, according to security experts.

The Los Angelese Police Department said it was unaware of the problem until WIRED reached out for comment. In a phone call, Captain Jeffery Bratcher, commanding officer of the LAPD Juvenile Division and project director for the ICAC Task Force, said the department is concerned and is taking the matter seriously. “Operational security is always paramount to us. We don’t want people to know when and if we are coming,” he says. 

In a separate statement, Captain Kelly Muniz of the LAPD’s Media Relations Division, said the department has suspended the use of SweepWizard until a thorough investigation is complete. According to their statement, “the department is working with federal law enforcement to determine the source of the unauthorized release of information, which is currently unclear. At this point in the investigation, it has not been determined if the third-party application or another means is the source of the unauthorized release.”

The exposed data contained the location and names of 5,770 suspects, mostly located in California. In some instances, the data included their height, weight, and eye color and indicated whether they were experiencing homelessness. For more than 1,000 of these suspects, SweepWizard also exposed their Social Security numbers. According to the data, several of these suspects were juveniles at the time of the sweeps. Arrest records and press releases confirm that several people whose names appeared in the leaked data were arrested after the raid. 

SweepWizard also appeared to have revealed the names, phone numbers, and email addresses of hundreds of law enforcement officers, as well as the operational details of nearly 200 sweeps. These details included the exact date and time of the sweep, the organizing officers, as well as information like where the pre-sweep briefings were to occur.

After verifying the data exposure, WIRED notified ODIN Intelligence, which quickly took down the app and began an investigation. After declining an interview, Erik McCauley, the CEO and founder of the company, said in a statement, “ODIN Intelligence Inc. takes security very seriously.  We have and are thoroughly investigating these claims.” He added, “Thus far, we have been unable to reproduce the alleged security compromise to any ODIN system. In the event that any evidence of a compromise of ODIN or SweepWizard security has occurred, we will take appropriate action.” McCauley did not respond to specific questions about the issue.

At the time of publication, SweepWizard’s website is no longer accessible, and the app has been removed from Google Play and Apple’s App Store.

WIRED received a tip that there was a flaw in SweepWizard’s application programming interface, or API, that allowed anyone with a specific URL to retrieve confidential law enforcement data from the app. WIRED downloaded the Android version of the app from Google Play and verified that its API endpoints were in fact returning data regardless of authentication—in other words, you didn’t need to be logged in to the app to view sensitive data about years’ worth of raids and other police operations. The data could be viewed in any web browser simply by visiting a SweepWizard URL. 

While the SweepWizard mobile app first launched in 2016, according to app store information, WIRED found data from sweeps going back to 2011, including more than 20 sweeps on Halloween over the years with names like Operation Boo, Operation Hocus Pocus, and Halloween Havoc. (Archived versions of the SweepWizard website date back to 2011.) The most recent data WIRED reviewed includes sensitive information about raids that took place on December 19, 2022. 

It’s unclear whether all SweepWizard data was exposed ahead of scheduled raids, and ODIN Intelligence did not respond to specific questions about when the data may have been publicly accessible. However, while confirming the API vulnerability, WIRED observed that data from at least one scheduled sweep had been made public. It is also unclear whether anyone used the data SweepWizard leaked to the open web for nefarious purposes.

ODIN Intelligence advertises itself as a company that develops high-tech solutions for law enforcement that “enable our communities to be safer, better informed, more organized, and crime free.” On its website, the company claims to partner with organizations like the International Association of Chiefs of Police (details of these partnerships are not available). The IACP did not respond to a request for comment. ODIN also created a product called the Homeless Management Information System (HMIS), which according to a brochure reviewed by Vice, uses face recognition to identify people experiencing homelessness. 

The company claims that its products are built by experts and secured with “state-of-the-art” security that adheres to the FBI’s Criminal Justice Information Services (CJIS) security policy for handling sensitive information. The FBI did not comment on SweepWizard’s claims of CJIS compliance. However, a policy document the agency shared with WIRED indicates that SweepWizard was likely not compliant with specific access requirements that specify who can access law enforcement information. ODIN Intelligence’s McCauley did not respond to specific questions about whether SweepWizard was CJIS-compliant.

The Yolo County District Attorney’s Office confirmed that, like the LAPD, it had used a free trial of SweepWizard during an annual sex offender sweep last November, details of which WIRED found in the exposed data. In its statement, chief deputy district attorney Jonathan Raven said that ODIN provided Yolo County with documents that explicitly stated its technology was CJIS-compliant. His office is also investigating the matter. 

Ken Munro, an ethical hacker and founder of the UK-based security research firm Pen Test Partners, says that based on how we described being able to access SweepWizard data, the error was likely caused by a simple authorization oversight. While SweepWizard was taken down before he had a chance to examine the app, Munro says that, typically, when an individual logs in to a website or app, they are assigned an access token that gets checked by the app every time their device requests data from it. According to Munro, SweepWizard was likely not checking each request for these access tokens and was simply providing data to any device that asked. 

“This is a bit of a basic technical oversight,” he says. “These sorts of authorization issues are not often seen in law enforcement.”

McCauley did not comment on how ODIN’s investigation concluded that a compromise had not occurred. However, after WIRED received his statement, we reviewed our methodology and findings about SweepWizard with Zach Edwards, an independent privacy and security researcher.  Edwards says that WIRED’s methodology is no different than what any penetration tester would have done. He adds, “They left the front, side, and back doors open.”

A Police App Exposed Secret Details About Raids and Suspects

The first Patch Tuesday fixes shipped by Microsoft for 2023 have addressed a total of 98 security flaws, including one bug that the company said is being actively exploited in the wild.
11 of the 98 issues are rated Critical and 87 are rated Important in severity, with the vulnerabilities also listed as publicly known at the time of release. Separately, the Windows maker is expected to release

The first Patch Tuesday fixes shipped by Microsoft for 2023 have addressed a total of 98 security flaws, including one bug that the company said is being actively exploited in the wild.

11 of the 98 issues are rated Critical and 87 are rated Important in severity, with the vulnerabilities also listed as publicly known at the time of release. Separately, the Windows maker is expected to release updates for its Chromium-based Edge browser.

The vulnerability that's under attack relates to CVE-2023-21674 (CVSS score: 8.8), a privilege escalation flaw in Windows Advanced Local Procedure Call (ALPC) that could be exploited by an attacker to gain SYSTEM permissions.

"This vulnerability could lead to a browser sandbox escape," Microsoft noted in an advisory, crediting Avast researchers Jan Vojtěšek, Milánek, and Przemek Gmerek for reporting the bug.

While details of the vulnerability are still under wraps, a successful exploit requires an attacker to have already obtained an initial infection on the host. It is also likely that the flaw is combined with a bug present in the web browser to break out of the sandbox and gain elevated privileges.

"Once the initial foothold has been made, attackers will look to move across a network or gain additional higher levels of access and these types of privilege escalation vulnerabilities are a key part of that attacker playbook," Kev Breen, director of cyber threat research at Immersive Labs, said.

That having said, the chances that an exploit chain like this is employed in a widespread fashion is limited owing to the auto-update feature used to patch browsers, Satnam Narang, senior staff research engineer at Tenable, said.

It's also worth noting that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply patches by January 31, 2023.

What's more, CVE-2023-21674 is the fourth such flaw identified in ALPC – an inter-process communication (IPC) facility provided by the Microsoft Windows kernel – after CVE-2022-41045, CVE-2022-41093, and CVE-2022-41100 (CVSS scores: 7.8), the latter three of which were plugged in November 2022.

Two other privilege escalation vulnerabilities identified as being of high priority affect Microsoft Exchange Server (CVE-2023-21763 and CVE-2023-21764, CVSS scores: 7.8), which stem from an incomplete patch for CVE-2022-41123, according to Qualys.

"An attacker could execute code with SYSTEM-level privileges by exploiting a hard-coded file path," Saeed Abbasi, manager of vulnerability and threat research at Qualys, said in a statement.

Also resolved by Microsoft is a security feature bypass in SharePoint Server (CVE-2023-21743, CVSS score: 5.3) that could permit an unauthenticated attacker to circumvent authentication and make an anonymous connection. The tech giant noted, "customers must also trigger a SharePoint upgrade action included in this update to protect their SharePoint farm."

The January update further remediates a number of privilege escalation flaws, including one in Windows Credential Manager (CVE-2023-21726, CVSS score: 7.8) and three affecting the Print Spooler component (CVE-2023-21678, CVE-2023-21760, and CVE-2023-21765).

The U.S. National Security Agency (NSA) has been credited with reporting CVE-2023-21678. In all, 39 of the vulnerabilities that Microsoft closed out in its latest update enable the elevation of privileges.

Rounding up the list is CVE-2023-21549 (CVSS score: 8.8), a publicly known elevation of privilege vulnerability in the Windows SMB Witness Service, and another instance of security feature bypass impacting BitLocker (CVE-2023-21563, CVSS score: 6.8).

"A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device," Microsoft said. "An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data."

Furthermore, Redmond has updated its guidance regarding the malicious use of signed drivers (called Bring Your Own Vulnerable Driver) to include an updated block list released as part of Windows security updates on January 10, 2023.

CISA on Tuesday also added CVE-2022-41080, an Exchange Server privilege escalation flaw, to the KEV catalog following reports that the vulnerability is being chained alongside CVE-2022-41082 to achieve remote code execution on vulnerable systems.

The exploit, codenamed OWASSRF by CrowdStrike, has been leveraged by the Play ransomware actors to breach target environments. The defects were fixed by Microsoft in November 2022.

The Patch Tuesday updates also arrive as Windows 7, Windows 8.1, and Windows RT reached end of support on January 10, 2023. Microsoft said it won't be offering an Extended Security Update (ESU) program for Windows 8.1, instead urging users to upgrade to Windows 11.

"Continuing to use Windows 8.1 after January 10, 2023 may increase an organization's exposure to security risks or impact its ability to meet compliance obligations," the company cautions.

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Cisco
*   Citrix
*   Dell
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   HP
*   IBM
*   Intel
*   Juniper Networks
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Qualcomm
*   SAP
*   Schneider Electric
*   Siemens
*   Synology
*   Zoom, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Issues January 2023 Patch Tuesday Updates, Warns of Zero-Day Exploit

After a delay of more than a year, Intel's on-chip confidential computing feature is coming to all the major cloud providers, starting with Microsoft's Azure.

Intel launched on Tuesday its newest server chips, code-named Sapphire Rapids, which will form the backbone of server infrastructure in the public and private cloud.

The chips have built-in security features the company says will prevent attackers from stealing high-value data from computer systems, ensure regulatory compliance, and maintain data sovereignty. These 4th Gen Intel Xeon scalable processors will increase the baseline enclave, and Intel SGX will be able to accurately and securely verify application software loaded in that enclave, the chip giant said in a statement. These server chips fit in with Intel's confidential computing portfolio.

Confidential computing refers to a security mechanism where a bubble of protection is added around data as it travels over the network between computing systems. That is done through encryption. The Xeon chips add techniques to verify the integrity of code and authentication measures to ensure the data is accessible only to authorized individuals and systems.

The chips create trusted boundaries — which Intel calls trusted execution environments, or TEEs — in which code can be executed. A feature called Trust Domain Execution (TDX) locks down code in a secure enclave that can only be unlocked by those with the right keys or codes. The process of verifying and unlocking the code is called attestation.

The TDX instructions add a boundary around the virtual machine and everything in it, including the guest OS and apps in it, and removes the cloud service provider or other cloud tenants from a trust boundary, said Anil Rao, vice president and general manager for systems architecture & engineering at Intel's office of the CTO.

TDX leverages a security feature on Xeon chips called Software Guard Extensions (SGX), which is widely used today as a secure enclave to protect data in execution environments. But TDX is much larger in scope and covers a wider range of applications, such as AI in virtualized environments.

**Securing Virtual Machines**

SGX has been a critical element of Microsoft's Azure confidential computing offerings so far, and TDX in the newer Sapphire Rapids chips will strengthen the security in virtual machines, said Mark Russinovich, the chief technology officer at Microsoft's Azure, during the Xeon launch event.

"We look forward to being one of the first cloud providers to offer confidential services based on Intel 4th Gen Xeon scalable processors with Intel TDX later this year, enabling organizations to achieve confidentiality by seamlessly lifting and shifting their workloads without requiring any code changes," Russinovich said.

Confidential computing could be attractive to organizations concerned about high-value data and applications and services that require strong security.

"It strengthens compliance with data privacy and governance regulations and helps create a more private controlled infrastructure, even when using the public cloud," said Lisa Spelman, corporate vice president and general manager for Xeon products at Intel, during a press briefing on the new chips.

TDX will also be relevant to customers that want to activate private or regulated data in a way that doesn't breach confidentiality, Intel's Rao said.

"Think of a way in which customers use this for multiparty collaborations focused on shared analysis with data privacy," Rao said.

**From Edge to Cloud**

Rao provided some examples of sharing sensitive data securely in financial or healthcare organizations, or to share research for fraud detection. He summarized that confidential computing makes it possible to move workloads securely from the private into the public cloud while meeting data residency and compliance requirements.

Intel's 4th Gen Xeon chips will also be tied to a cloud service called Project Amber, which will help verify trust of computing boundaries from edge to cloud. It will start as an independent attestation service for Intel confidential computing technologies, Rao said. Intel plans to offer Project Amber as a pay-as-you-go feature.

The new Xeon chips will also appear in virtual machine instances in cloud services from Google, IBM, and Alibaba, but the chip maker didn't comment on whether the cloud providers would specifically offer TDX instructions.

AWS has its own confidential computing offerings, while Microsoft also has virtual machine instances with AMD’s on-chip cloud computing features.

Intel is a dominant player in the server market, with an x86 server market share of 82.5% during the third quarter of last year; its closest rival, AMD, sported a 17.5% market share, according to Mercury Research.

Intel's New Xeon Chip Pushes Confidential Computing to the Cloud

Microsoft today released updates to fix nearly 100 security flaws in its Windows operating systems and other software. Highlights from the first Patch Tuesday of 2023 include a zero-day vulnerability in Windows, printer software flaws reported by the U.S. National Security Agency, and a critical Microsoft SharePoint Server bug that allows a remote, unauthenticated attacker to make an anonymous connection.

**Microsoft** today released updates to fix nearly 100 security flaws in its **Windows** operating systems and other software. Highlights from the first **Patch Tuesday** of 2023 include a zero-day vulnerability in Windows, printer software flaws reported by the **U.S. National Security Agency**, and a critical **Microsoft SharePoint Server** bug that allows a remote, unauthenticated attacker to make an anonymous connection.

At least 11 of the patches released today are rated “Critical” by Microsoft, meaning they could be exploited by malware or malcontents to seize remote control over vulnerable Windows systems with little or no help from users.

Of particular concern for organizations running **Microsoft SharePoint Server** is CVE-2023-21743. This is a Critical security bypass flaw that could allow a remote, unauthenticated attacker to make an anonymous connection to a vulnerable SharePoint server. Microsoft says this flaw is “more likely to be exploited” at some point.

But patching this bug may not be as simple as deploying Microsoft updates. **Dustin Childs**, head of threat awareness at **Trend Micro’s Zero Day Initiative**, said sysadmins need to take additional measures to be fully protected from this vulnerability.

“To fully resolve this bug, you must also trigger a SharePoint upgrade action that’s also included in this update,” Childs said. “Full details on how to do this are in the bulletin. Situations like this are why people who scream ‘Just patch it!’ show they have never actually had to patch an enterprise in the real world.”

Eighty-seven of the vulnerabilities earned Redmond’s slightly less dire “Important” severity rating. That designation describes vulnerabilities “whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.”

Among the more Important bugs this month is CVE-2023-21674, which is an “elevation of privilege” weakness in most supported versions of Windows that has already been abused in active attacks.

**Satnam Narang**, senior staff research engineer at **Tenable**, said although details about the flaw were not available at the time Microsoft published its advisory on Patch Tuesday, it appears this was likely chained together with a vulnerability in a Chromium-based browser such as Google Chrome or Microsoft Edge in order to break out of a browser’s sandbox and gain full system access.

“Vulnerabilities like CVE-2023-21674 are typically the work of advanced persistent threat (APT) groups as part of targeted attacks,” Narang said. “The likelihood of future widespread exploitation of an exploit chain like this is limited due to auto-update functionality used to patch browsers.”

By the way, when was the last time you completely closed out your Web browser and restarted it? Some browsers will automatically download and install new security updates, but the protection from those updates usually only happens after you restart the browser.

Speaking of APT groups, the U.S. National Security Agency is credited with reporting CVE-2023-21678, which is another “important” vulnerability in the Windows Print Spooler software.

There have been so many vulnerabilities patched in Microsoft’s printing software over the past year (including the dastardly PrintNightmare attacks and borked patches) that KrebsOnSecurity has joked about Patch Tuesday reports being sponsored by Print Spooler. Tenable’s Narang points out that this is the third Print Spooler flaw the NSA has reported in the last year.

**Kevin Breen** at **Immersive Labs** called special attention to CVE-2023-21563, which is a security feature bypass in **BitLocker**, the data and disk encryption technology built into enterprise versions of Windows.

“For organizations that have remote users, or users that travel, this vulnerability may be of interest,” Breen said. “We rely on BitLocker and full-disk encryption tools to keep our files and data safe in the event a laptop or device is stolen. While information is light, this appears to suggest that it could be possible for an attacker to bypass this protection and gain access to the underlying operating system and its contents. If security teams are not able to apply this patch, one potential mitigation could be to ensure Remote Device Management is deployed with the ability to remotely disable and wipe assets.”

There are also two **Microsoft Exchange** vulnerabilities patched this month — CVE-2023-21762 and CVE-2023-21745. Given the rapidity with which threat actors exploit new Exchange bugs to steal corporate email and infiltrate vulnerable systems, organizations using Exchange should patch immediately. Microsoft’s advisory says these Exchange flaws are indeed “more likely to be exploited.”

**Adobe** released four patches addressing 29 flaws in **Adobe Acrobat** and **Reader**, **InDesign**, **InCopy**, and **Adobe Dimension**. The update for Reader fixes 15 bugs with eight of these being ranked Critical in severity (allowing arbitrary code execution if an affected system opened a specially crafted file).

For a more granular rundown on the updates released today, see the SANS Internet Storm Center roundup. Nearly 100 updates is a lot, and there are bound to be a few patches that cause problems for organizations and end users. When that happens, AskWoody.com usually has the lowdown.

Please consider backing up your data and/or imaging your system before applying any updates. And please sound off in the comments if you experience any problems as a result of these patches.

Microsoft Patch Tuesday, January 2023 Edition

Inappropriate implementation in in File System API in Google Chrome on Windows prior to 109.0.5414.74 allowed a remote attacker to bypass file system restrictions via a crafted HTML page. (Chromium security severity: Low)

CVE-2023-0140

Use after free in Overview Mode in Google Chrome on Chrome OS prior to 109.0.5414.74 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2023-0128

Inappropriate implementation in in Permission prompts in Google Chrome on Android prior to 109.0.5414.74 allowed a remote attacker to bypass main origin permission delegation via a crafted HTML page. (Chromium security severity: Medium)

CVE-2023-0133

Inappropriate implementation in in Permission prompts in Google Chrome on Windows prior to 109.0.5414.74 allowed a remote attacker to force acceptance of a permission prompt via a crafted HTML page. (Chromium security severity: Medium)

CVE-2023-0132

Insufficient policy enforcement in CORS in Google Chrome prior to 109.0.5414.74 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

CVE-2023-0141: Stable Channel Update for Desktop

Inappropriate implementation in in Fullscreen API in Google Chrome on Android prior to 109.0.5414.74 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium)

Tag

#google