This Monday, the US Departments of Justice and Homeland Security announced that they were investigating a hacker who broke into the American government’s computer systems and stole sensitive information about employees at the agencies.
The hacker accessed and stole information regarding 9,000 Department of Homeland Security employees online Sunday and publicized data on 20,000 FBI employees on Monday.
DHS spokesperson S.Y. Lee gave the following statement:
“We are looking into the reports of purported disclosure of DHS employee contact information… We take these reports very seriously; however, there is no indication at this time that there is any breach of sensitive or personally identifiable information.”
The Department of Justice was investigating “unauthorized access of a system operated by one of its components containing employee contact information,” and added that no sensitive personally identifiable information appeared to have been compromised.
Strange statements, considering that the DHS data posted to the Web contained phone numbers and email addresses of past employees, though some of them hadn’t worked in the agency for years.
Motherboard did report the data theft on Sunday, claiming that a hacker had turned stolen information over to it and announced his intention to go public with the information.
According to Motherboard, the hacker was able to use the email account of a DOJ employee and social engineering to enter into the agency’s intranet and download 200GB of files. This was all explained to Motherboard by the hacker.
Motherboard is a section of Vice news focused on the future:
“With in-depth blogging, longform reporting, and video journalism, Motherboard investigates the news and events that are already affecting the years to come. We want to help you get your hands on tomorrow. Beyond that, we strive to bring our audience an honest portrait of the futures we’re racing towards.”
The hacker apparently failed to penetrate the DOJ Web portal on his own, but had the bright idea to call a government department, act like a newbie, and simply request the code for accessing the portal, which he was given over the phone. Once inside, he gained access to the computer used by the person whose email he had compromised and gained access to DOJ’s internal network.
“It was a fairly simplistic attack combined with social engineering, but audacious when you’re going after an FBI employee,” commented chief research analyst with IT-Harvest Richard Stiennon. “It’s easy for complacency to set in at high-volume call environments such as government help desks… If you flood a help desk with password reset requests and similar requests without any negative consequences, eventually operators are going to get comfortable handing out login tokens.”
The whole situation is an indicator of the limits of even the most secure systems; the gullible employee is always the Achilles’ heel.
“All the advanced algorithms, machine learning and log aggregators can’t protect an organization from a gullible employee susceptible to the ‘Look, your shoe’s untied’ ruse,” commented Stealthbits Technologies channel marketing manager Jeff Hill.
“In today’s world, the best cybersecurity strategy is to look for and identify suspicious behavior of legitimate accounts,” he added.