MAJOR Justice Dept. Breach – “Time for drastic action”

0

Criminals have access to Department of Justice databases, was said. Scrotes can both write fake data and read highly sensitive information, according to a credible report.

Authentication required only a password. And that’s despite a White House mandate that all government systems should be protected by at least two-factor authentication — the deadline was late last year. Your tax dollars at work.

Cybersecurity Live - Boston

Heads must roll. In today’s SB Blogwatch, we wonder who—if someone– will carry the can.

Your humble blog watcher has curated these blog posts for your entertainment. Not to mention the modular outdoor ambient synthesizer.

DEA 2FA TLA grille

What is the craic? All aboard the Brian Krebs cycle…”DEA investigates law enforcement data portal breach“:

It's time for drastic action
Hackers received a username and password for an authorized user from [DEA’s] Law Enforcement Investigation and Alert System (LEIA). … Corresponding [DoJ]LEIA “provides federated search capabilities for both [El Paso Intelligence Center] (EPIC) and External Database Repositories”, including data classified as “Law Enforcement Sensitive” and “Mission Sensitive”. … EPIC and LEIA also have access to the DEA’s national seizure system.

Access to databases and user accounts within the Justice Department would be a major coup. but [it] would probably be much more valuable to organized crime rings or drug cartels [because] they could… also submit false records to law enforcement and intelligence agency databases.

It’s not clear why there are still sensitive government databases protected only by a username and password, but I bet this DEA portal isn’t the only culprit. … It’s high time the US federal government conducted a comprehensive review of authentication requirements. … It’s time for drastic action.

EPOS? Rob Pegoraro does the ob. Gag-“The term “EPIC FAIL” has never been used more appropriately“:

Unnamed admin at Doxbin
How did it happen? A flaw in the implementation of multi-factor authentication seems to be a major cause. … That would be a serious security risk for a webmail system, let alone a portal for a large law enforcement database.

However, federal agencies should know what to do. [An] Executive Order on Cybersecurity … in May 2021 orders: … “Within 180 days … agencies must adopt multi-factor authentication … to the maximum extent consistent with … applicable laws.”

A tip for this story came from an unnamed administrator at Doxbin – “a highly toxic online community that provides a forum for digging up personal information.” … False tips have often been used to initiate “swatting” attacks, in which hoax reports of ongoing crimes lead police to flood an apartment building with heavily armed SWAT teams. The target – or a random bystander – may end up dead in the process.

What a mess. Chris Kubecka—@SecEvangelis-agrees:

The US called on private industry to share data to increase cybersecurity as its “patriotic duty”. But they are surprised – Pikachu face when companies nod.

One big reason: The US government can’t figure out basic cybersecurity.

But 2FA is hard, yo. To let train0987 to explain:

The more agencies and departments they want to use it for… the less secure it has to be. You won’t be able to brag about giving 100,000 Podunk police departments access to your global surveillance network if all of them have to use a special secure FaceID or MFA, let alone make it work even if they have the special software/devices.

Good, but how has the password been leaked? Mr Sterling pay it further: [You’re fired—Ed.]

[I wonder if] this was a good guess, or if the username and password were intercepted by a device, or if a user was tricked into providing their username and password. It’s usually the last example… a social engineering attack.

Waiting. Break. Doc Hodlday—@DocHodl– thinks outside the box:

Is it “hacking” if you just log in with a username and password? Isn’t that just logging in?

What can you do about it? Sure sounds like Not blinking has experience in law enforcement IT:

    • Stop non-technical managers misrepresenting conditions to avoid the real work.
    • Eliminate CXO committees that prioritize career gains over security policies, people and programs. …
    • Trust accountants, auditors and technical staff more than management.
    • Enables the implementation of security standards that have been known for years.

And what else can we learn? dswins suggests something:

And that’s why, boys and girls, government “backdoors” are a BAD thing: … You just shift the attack pattern/profile from a bunch of scripted kiddies knocking on the door to a concerted effort to breach the defense. And if you then add human stupidity/fallibility…it just won’t end well.

In the meantime, @PeterHLemieux sounds pretty disgusted:

It’s pretty gross when GMail has better security than sensitive government databases.

And finally:

But is it art?

Hat tip: cow cat

Inside earlier And finally


they have read SB blog watch from Rich Jennings. Richi curates the best blog articles, best forums and craziest websites… so you don’t have to. Hate mail can be sent to @RiCHi or [email protected]. Consult your doctor before reading. Your mileage may vary. E&OE. 30

picture sauce: Automobile Italy (cc: from; leveled and cropped)

Share.

About Author

Comments are closed.