Any time you interact with an organisation that has “security” in their name, it’s understandable that you would expect them to be good at security. Right?
You would hope them to be shining examples for everyone else about how to do things right, how to batten down the hatches and protect sensitive information from falling into the hands of the bad guys.
But, as the US Department of Homeland Security (DHS) has just found out – things aren’t always that simple.
As CSO Online reports, this weekend a hacker dumped a staff directory including the names, job titles, email addresses and phone numbers of over 9,000 DHS workers on the net.
And then, to make sure that everyone knew about it, the hacker tweeted a link to the information along with the encryption password (perhaps unsuprisingly the password chosen by the hacker was “lol”).
As Motherboard explains the anonymous hacker claims to have downloaded hundreds of gigabytes of data from Department of Justice servers, and is threatening to release the contact details of a further 20,000+ FBI employees.
According to that media report, the hacker first compromised the email account of a Department of Justice employee, but was unable to access an online portal without an access token.
A simple social engineering trick came to the hacker’s rescue:
“So I called up, told them I was new and I didn’t understand how to get past [the portal],” the hacker told Motherboard. “They asked if I had a token code, I said no, they said that’s fine—just use our one.”
It makes you want to weep, doesn’t it? What is the purpose of providing your staff with authentication tokens if they see no problem in sharing token codes with each other?
According to the hacker, he was then able to login and using the credentials from the already compromised email account, access other computers including his victim’s work machine.
“I clicked on it and I had full access to the computer,” the hacker said. Here the hacker could access the user’s documents, as well as other documents on the local network.
The databases of supposed government workers were on a DoJ intranet, the hacker claimed.
Journalist Joseph Cox at Motherboard verified that the leaked data appeared to be legitimate by ringing a number of the staff listed in the dumped staff directory.
Clearly it shouldn’t have been as easy as it appears to have been to access the Department of Justice’s computer systems and retrieve the contact details of thousands of DHS workers.
It’s easy to imagine how armed with the email addresses, job titles and phone numbers of DHS staff that malicious cybercriminals and state-sponsored hackers could launch attacks targeting workers.
Much more needs to be done to instill proper security practices and prevent such incidents from occurring again.
Of course, we shouldn’t also forget that there is more than one way to skin a rabbit. In this instance, hackers showed just how easy it was to scoop up the names, job titles and contact details of DHS workers by hacking into government systems.
But it’s also the case that government staff might be putting themselves at further risk through the information they willingly share online.
For instance, just take a look at LinkedIn – where many business people are happy to share details of their job roles and how they can be contacted.
When I looked up “Department of Homeland Security” on LinkedIn, I received more than 21,000 results.
Even if a hacker can’t access your staff directory by breaking into your organisation’s network, never forget that they might be able to find out your employee’s information via other routes.