Investigation: Ransomware costs Riverside thousands, hinders access to police systems


Two cyber attacks on Riverside’s fire and police department servers have hamstrung law enforcement in ways previously unknown to the public, including the possibility Riverside could permanently lose access to one of the state’s police computer networks if attacked again, a Dayton Daily News investigation found.

The ransomware cyber attacks in April and May — which have cost the city tens of thousands of dollars — shut down the police department’s records management system used to create and store investigative reports.

The attacks forced Riverside police officers to use a backup system on the Ohio Law Enforcement Gateway, a statewide computer database operated by the Ohio Attorney General’s Bureau of Criminal Investigation for local police departments. But four days after the Dayton Daily News revealed the May cyber attack hit the city, the AG’s office revoked the city’s access to the gateway to shield the network from damage and protect confidential information from exposure, a spokeswoman said.

The Dayton Daily News investigation found police not only lost the ability to access and print past reports — as acknowledged by police Chief Frank Robinson in public statements — but at one point lost the ability to make digital reports altogether. Losing the gateway forced officers to hand write reports and type incident narratives into Microsoft Word so that they could be scanned into the system once restored, an internal memo said.

By the time Robinson made his statement in July, the ability to make digital reports was resolved by getting the usual records system back up and running, he said. But the AG’s office had not then — and still has not now — fully restored access to the gateway network, meaning the department can’t fully use other gateway functions unmentioned by Robinson to the public.

The gateway “is our backup reporting system, the system we use to create photo lineups for investigations, how we enter evidence that needs to be processed at the BCI lab and the quickest way to obtain criminal history on suspects,” Major Matt Sturgeon wrote in a May 24 email to the fire chief and assistant city manager. “This is really hampering (our) effectiveness.”

“This is vital!” Sturgeon wrote nearly a month later.

In a memo to the chief this week after the Dayton Daily News brought its findings to the department, Sturgeon told the chief that the gateway’s loss has impacted operations, “but we have found the means to make due by other paths.”

Officers now use another computer program to create photo lineups, according to the memo. Instead of directly accessing criminal history on the gateway, officers now radio dispatch and wait to obtain the information. And instead of using the gateway to make state crime lab requests and receive finished lab reports, the department had to make handwritten lab requests. Until last month, officers had to pick up the completed reports at the state crime lab in Madison County.

“The loss in no way leaves our citizens vulnerable when they call for police services,” Sturgeon wrote in the memo.

Robinson reiterated this in an interview Tuesday: “I think the main thing we want to make sure people understand is that we are doing exactly what we should be doing every day to make sure the public is as safe as possible. There’s no slack in how we’re responding or prioritizing our calls or anything like that.”

The Dayton Daily News used Ohio’s public records laws to obtain more than 250 pages of internal city emails and memos. The newspaper’s examination and subsequent interviews also found:

• In order to protect the gateway, the AG’s office has a three-strike policy for agencies that fall victim to cyber attacks. The AG “does not have a remediation” to restore gateway access after a third strike. The attacks in April and May count as strikes No. 1 and No. 2, meaning if Riverside is hit again, the department will be “permanently blocked” from the gateway, unless the AG’s office is satisfied the issues are remedied.

• Agencies that use the gateway are required to notify the AG’s office of security breaches, but an AG spokeswoman said the state was not contacted about either ransomware attack. City Manager Mark Carpenter this week said he was “surprised” by the spokeswoman’s statement, because city staff had internal discussions about the need to alert the state. Assistant City Manager Chris Lohr later acknowledged Riverside “may have overlooked notifying” the AG.

• The AG’s office learned about the attacks through news reports and suspended Riverside’s gateway access on May 14 — four days after the Dayton Daily News revealed the second attack to the public and 10 days after Riverside’s computer network was compromised for the second time. Matthew Curtin, a Columbus-based cyber-security expert, applauded the AG’s office for yanking access, calling it “a pretty good example of how a provider of sensitive information governs access to its information.”

• Presently, one Riverside records clerk is authorized to access past reports on the gateway from computers in Huber Heights. The same day the Dayton Daily News reported the police department lost gateway access, the city manager emailed the police chief to “move quickly” to establish gateway access in Huber Heights. The limited access was granted on July 26, a day later.

• Riverside’s “data at rest” — essentially information stored on, but not in transit over, the police department’s network — uses “very basic controls with no encryption,” according to an email from Riverside’s IT contractor. Encryption uses a cipher, or code, to protect data and prohibit unauthorized parties from being able to read it.

Lohr, the assistant city manager, said the city is “considering” encrypting the data in coming months. He said paramedics transfer HIPAA-protected information over an encrypted connection to a web-based cloud program not hosted by the city.

Curtin, who founded Interhack Corp., called it a “bad practice” for any police department not to encrypt sensitive data.

“If you have sensitive information and you don’t protect it with anything more than a password, you are doing nothing to protect it from a number of attacks, including just stealing the thing,” said Curtin, a former Ohio State University computer science senior lecturer. “The fact that you have the password is irrelevant.”

City officials estimate gateway access could be fully restored in the next 30 to 90 days, once Riverside meets the stringent security guidelines dictated by the AG’s office.

“We have to take action, and we want to make sure we do it right,” Carpenter said this week.

“We’re looking to invest in some new equipment and building a more secure network,” Carpenter said. “In order to make the network secure, initial investment will be in the neighborhood of $50,000.”

Ransomware is a type of malware that encrypts, or locks, digital files and demands a ransom to release them, according to the FBI. Atlanta is among the largest municipal victims. Everyday users of computers can fall victim to malware, too.

“Readers should understand that cyber security is not an IT problem,” Curtin said. “The vast majority of the kind of problems we’re seeing right now come down to users being fooled into the wrong thing, including clicking on the wrong thing, going to websites that don’t make sense for them to go on, and generally doing things that are stupid.”
