– News about Quincy Massachusetts from Quincy Quarry News.

| quincy news

Hacking rubes for big bucks is easy!
Image via YouTube

Quincy Quarry exposés City of Quincy e-security lapses.

The reasons for this latest Koch Maladministration exposé are two.

One is the ransomware/denial of service attack inflicted on the City of Quincy last month and which was surely exacerbated by the city’s woefully inadequate computer system security practices.

And the other reason was news broken by a local broadcast news outlet a week later that $3.5 million was cyberheisted from the City of Quincy’s employee retirement fund almost exactly two years earlier as well as that the heist was only discovered last October, eight months afterwards.


Quincy Quarry’s cyber hound on the job!
A Quincy Quarry News file photo

Accordingly, the Quincy Quarry sicced its cyber e-hound on things to see what could be found.

And boy were things found.

The Quarry’s cyber look-see focused on a selected group of over thirty-one City of Quincy email accounts of key city personnel as well as the personal email accounts of the so-targeted city employees that were so uncovered along the way.

For example, using one’s city email address in one’s personal LinkedIn profile is a wholly inappropriate practice but was found to have been done by a number of the City of Quincy personnel who were reviewed by the Quarry’s cyber expertise.

At the same time, so far anyway, there have not been any finds of anyone using one’s City of Quincy email account to sign up for NSFW online social media platforms such as OnlyFans or Scissr.

At least not yet anyway.

Of interest in the meanwhile: it is only fair to note that some of the personal email account names found along the way ranged from amusing to downright embarrassing. 


Is that chad hanging – or not?
A 2000 election Free Republic image

At the same time, in a rare showing of discretion, Quincy Quarry will not publish them and so for a change will not exposé those who once used or might still be using these ill-advised email account names.

Conversely, seriously disconcerting findings include that the sensitive personal data of those behind the compromised accounts were compromised roughly a half dozen times on average, often enough including the successful hacking of the passwords for individual accounts.

For example, a password for the City of Quincy-administered email account of a former city official that is widely assumed to have been used to pull off a $3.5 million Business Email Compromise (BEC) cyberheist roughly a couple of months AFTER this person left the Quincy Retirement Board and so no longer had any apparent ties to the City of Quincy was found to have been compromised roughly a year before the cyberheist in February of last year and then put up for sale on the Dark Web.


A Dark Web denizen
A Yahoo file photo

Granted, the password so hacked may not be the one used to pull off the heist. 

Even so, the availability of City of Quincy email account passwords for sale on the Dark Web, which is variously indicative of likely inadequate system security precautions as well as apparently sloppy personal practices by at least some of those using the City of Quincy’s computer systems, is troubling.

Profoundly troubling.

Further troubling, arguably the most compromised City of Quincy email accounts per the Quarry’s Dark Web investigation were those of Quincy Mayor Thomas P. Koch and his brother-in-law Quincy Police Chief Paul “The Beav” Keenan.

Quelle surprise …


Graphic presentation of email account compromises of city email accounts reviewed by Quincy Quarry – more red is not good.
A Maltego flow chart graph



Surprisingly, “The Beav” was not a computer nerd in high school
A North Quincy High School yearbook photo

At the same time, Quincy Quarry must note that after the ransomware hack of the City of Quincy’s computer system the City of Quincy has instituted new security upgrades after the $3.5 million was apparently wired overseas via bits and bytes.

For example, the City of Quincy recently moved to using a captcha-based, multiple-step approach for outsiders to contact city officials rather than the city’s former simple and thus risky posting of the email addresses of a number of city employees and officials on the City of Quincy’s website.

Also, during a recent presentation led by Quincy Mayor Thomas P. Koch’s Chief of Staph Pinocchio Walkbacker and the head of the city’s Information Technology Department, it was noted that the city was moving towards (finally, ed.) implementing multi-factor authentication to access the city’s computer systems (e.g., city employee email accounts).

Additionally, when pressed at a city council hearing on the ransomware attack, the city’s IT department director said that upping the efforts to educate those using city computers on how to engage in more secure practices as well as pressing users to update their passwords regularly were, well, in the works.



Yet again on the hook …
A file photo

At the same time, it is only fair to note that all manner of leaks have already happened, including the $3.5 million cyberheist “leak,” a loss which local taxpayers are looking likely to have to at least partially make good on.

Put another way, the cows have fled the barn and are now on the menu at Mickey D’s.

Further, it would thus clearly appear that Walkbacker’s claim during a presentation to the City Council that sensitive city employee information is not available for sale on the Dark Web is mistaken given that Quincy Quarry’s data security expertise found that sensitive personal data of city employees are surely available for sale on the Dark Web, especially if one knows how and where to look.

Then again, such a clear misstatement by Pinocchio should not come as a great surprise to anyone who has monitored his assertions over the years.


Five out of five on the Pinocchio scale
Image care of The Washington Post’s Fact Checker
