Friday, February 12, 2016

Hacker Posts Stolen Data on FBI, Homeland Security Employees Online

The U.S. departments of Justice and Homeland Security on
Monday announced they were investigating reports that a
hacker broke into government computer systems and stole
sensitive information about employees at the agencies.

The hacker posted stolen information for about 9,000 DHS
employees online Sunday and made public data on 20,000 FBI
employees Monday.

"We are looking into the reports of purported disclosure of
DHS employee contact information," DHS said in a statement
provided to TechNewsWorld by spokesperson S.Y. Lee.

"We take these reports very seriously; however, there is no
indication at this time that there is any breach of sensitive or
personally identifiable information," the department added.

A DOJ spokesperson wasn't immediately available for comment
for this story.

The department was investigating "unauthorized access of a
system operated by one of its components containing employee
contact information," DOJ spokesperson Peter Carr told The
Guardian, adding that no sensitive personally identifiable
information appeared to have been compromised.

Cobweb Data

DHS data posted to the Web contained phone numbers and
email addresses of people who hadn't worked for the agency
in years, according to an examination of the information by
Kwetu Shy blog. The data also included outdated titles.

Motherboard reported the data theft Sunday, saying a hacker
had turned the stolen information over to it and announced
his intention to go public with the information.

Using the compromised email account of a DOJ employee, he
used social engineering to get into the agency's intranet and
download 200 GB of files, the hacker explained to
Motherboard.

After failing to penetrate a DOJ Web portal, the hacker said,
he phoned a government department, acted like a newbie, and
was given a code for accessing the portal by an employee.

Once inside the portal, the hacker said he gained access to
the computer used by the person whose email he had
compromised. From there, he had access to DOJ's internal
network.

Untied Shoes
As cyberattacks go, this one was unsophisticated.
"It was a fairly simplistic attack combined with social
engineering, but audacious when you're going after an FBI
employee," said Richard Stiennon, chief research analyst with
IT-Harvest.

It's easy for complacency to set in at high-volume call
environments such as government help desks, he told
Kwetu Shy blog.

"If you flood a help desk with password reset requests and
similar requests without any negative consequences, eventually
operators are going to get comfortable handing out login
tokens," Stiennon explained.

This breach illustrates that no matter how secure a system is
believed to be, it always has an Achilles' heel, noted Jeff Hill,
channel marketing manager for Stealthbits Technologies.

"All the advanced algorithms, machine learning and log
aggregators can't protect an organization from a gullible
employee susceptible to the 'Look, your shoe's untied' ruse," he
told Kwetu Shy blog.

Weakest Link
Organizations need to monitor employee behavior if they want
to be secure, Hill noted.

"In today's world, the best cybersecurity strategy is to look for
and identify suspicious behavior of legitimate accounts," he said.
"Believing that a security plan can realistically prevent
motivated hackers from compromising credentials in the first
place is naïve at best," Hill said.

While some organizations have turned to training to combat
employee exploitation by hackers, training is not enough,
maintained Chase Cunningham, director of cyberthreat
research and innovation at Armor, formerly FireHost.

"Government thinks it can train its workforce out of this, but
this is proof that that's not the case," he told
Kwetu Shy blog.

"Government is bound by the budget it's given, so it can't
replace people with technology," he added, "even though that
would be the best solution in a lot of cases."
