US authorities have downplayed a Department of Justice (DoJ) data breach, saying no sensitive data was exposed.
On the weekend of 6-7 February 2016, a hacker or hacker group using the Twitter handle @DotGovs claimed to have downloaded the details of thousands of FBI and Department of Homeland Security (DHS) employees from a DoJ database.
Subsequently, DotGovs posted links to what it claimed was a directory of more than 9,000 DHS employees and a directory of more than 22,000 FBI employees.
The FBI list included the names, job titles, phone numbers and email addresses of nearly 1,300 intelligence analysts and almost 1,800 special agents, reported Business Insider.
Security commentators pointed out, however, that the information was not sensitive and could have been collected from a variety of public online sources.
Independent security consultant Graham Cluley said although the data was not sensitive, it could be used by cyber criminals and state-sponsored hackers to target employees.
“Much more needs to be done to instil proper security practices and prevent such incidents from occurring again,” he wrote in a blog post.
This includes educating employees not to put themselves at risk through the information they willingly share online on social media such as LinkedIn.
Cluley said a search for “Department of Homeland Security” on LinkedIn yielded more than 21,000 results, proving that it may not be necessary to break into an organisation’s network to find out employee information.
The breach also appeared to have been socially or politically motivated rather than criminal, with some DotGovs tweets including pro-Palestinian messages, reported SlashGear.
DoJ confirms data breach
In a statement, the DoJ confirmed the data breach, but said there was no indication of any breach of sensitive personally identifiable information.
“The department takes this very seriously and is continuing to deploy protection and defensive measures to safeguard information. Any activity that is determined to be criminal in nature will be referred to law enforcement for investigation,” the statement said.
DotGovs is reported to have first compromised the email account of a DoJ employee and then used social engineering to log into a DoJ web portal.
Security commentators said it was likely that the DoJ employee’s credentials were compromised using a phishing attack.
A hacker claiming to be responsible for the breach told news site Motherboard that he called a support desk, said he was a new employee, and was given an access code. The hacker claimed he had used the credentials of the already hacked email account to access a DoJ database and download around 200GB of files.
While the directory listings already published are not cause for concern, security commentators said it is unknown what other data the hacker might have downloaded, which could potentially be a real problem.
Businesses need to raise cyber security awareness
Security commentators said all the data published by DotGovs so far could have been acquired by simply compromising an email account.
Although US authorities have downplayed the breach, the fact that a DoJ computer was compromised and security systems bypassed has once again put the spotlight on the security of US government systems.
News of the breach has also prompted renewed calls for public pressure on government and private industry to be better stewards of the vast amounts of data collected.
The cyber security of US government systems has been under increased scrutiny since the massive data breaches at the Office of Personnel Management in 2014 and 2015.
Richard Beck, head of cyber security at UK national training firm QA, said the reported breach is the latest in a series of recent high-profile breaches of US security attributable to human error.
“One way organisations can try to limit the impact of social engineering is to increase staff awareness of cyber threats,” he said.
A recent QA study revealed that one-fifth of UK-based IT decision makers felt the biggest threat to their organisation’s security in 2016 would be human error.
“Educating staff on how to detect and deter common threats like social engineering or phishing attacks could prove invaluable in helping to defend an organisation,” said Beck.
“All companies should be teaching employees a ‘cyber security code’ until it becomes instinctive,” he said, adding that the government’s 10 steps to cyber security would be a good place to start.
The need for multi-factor authentication
Leo Taddeo, chief security officer at security firm Cryptzone and a former FBI agent, said the best defence against this type of attack is to deploy user access controls that go beyond two-factor authentication (2FA) to check multiple attributes before allowing access.
“By checking multiple attributes, an enterprise can create a digital identity that is almost impossible to socially engineer,” he said.
For example, Taddeo said that before allowing access, enterprises can check the user’s location, the time of day and the computer’s configuration, patch level and use of antivirus.
“By creating this digital identity, a network is less likely to be fooled and is better protected from bad user behaviour,” he said.
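The multi-attribute check Taddeo describes is easiest to see as a small, fail-closed policy evaluator. The following Python is an added illustration, not code from the article, from Cryptzone or from the DoJ: the policy values, device fields and sample requests are constructed for the example. It evaluates the attributes named above (location, time of day, device registration, patch level and antivirus state) alongside the password and second factor, and returns every failed check so that a denied login can be logged as a possible credential-compromise signal rather than silently rejected.

```python
from dataclasses import dataclass
from datetime import time

# Hypothetical device posture as a client agent or MDM system would report it.
@dataclass
class Device:
    device_id: str
    os_patch_level: str           # ISO date of the last applied patch bundle
    antivirus_enabled: bool
    antivirus_signature_age_days: int

# Hypothetical login request after the password and second factor were checked.
@dataclass
class AccessRequest:
    user: str
    password_ok: bool
    second_factor_ok: bool
    country: str                  # from geolocation of the source address
    local_time: time              # user's local time at the moment of login
    device: Device

# Constructed policy; real values come from the organisation's risk appetite.
@dataclass
class Policy:
    allowed_countries: frozenset
    work_start: time
    work_end: time
    min_patch_level: str          # ISO date; compares lexically
    max_signature_age_days: int
    registered_devices: frozenset

POLICY = Policy(
    allowed_countries=frozenset({"US"}),
    work_start=time(6, 0),
    work_end=time(22, 0),
    min_patch_level="2016-01-15",
    max_signature_age_days=3,
    registered_devices=frozenset({"LAPTOP-0042"}),
)

def evaluate_access(req: AccessRequest, policy: Policy):
    """Return (allowed, reasons). Every attribute must pass; nothing short-circuits,
    so the caller sees the full list of failed checks for logging."""
    reasons = []
    if not (req.password_ok and req.second_factor_ok):
        reasons.append("password or second factor failed")
    if req.country not in policy.allowed_countries:
        reasons.append(f"location {req.country} not permitted")
    if not (policy.work_start <= req.local_time <= policy.work_end):
        reasons.append(f"login at {req.local_time.isoformat()} outside working hours")
    if req.device.device_id not in policy.registered_devices:
        reasons.append(f"device {req.device.device_id} is not registered")
    if req.device.os_patch_level < policy.min_patch_level:
        reasons.append(f"patch level {req.device.os_patch_level} below minimum")
    if (not req.device.antivirus_enabled
            or req.device.antivirus_signature_age_days > policy.max_signature_age_days):
        reasons.append("antivirus disabled or signatures stale")
    return (len(reasons) == 0, reasons)

def compliant_request() -> AccessRequest:
    """Constructed sample: the legitimate user on a managed, patched laptop."""
    return AccessRequest(
        user="analyst01", password_ok=True, second_factor_ok=True,
        country="US", local_time=time(9, 30),
        device=Device("LAPTOP-0042", "2016-02-01", True, 1),
    )

def stolen_credential_request() -> AccessRequest:
    """Constructed sample: valid password and a second factor obtained through
    social engineering, but from an unknown, unpatched machine abroad at night."""
    return AccessRequest(
        user="analyst01", password_ok=True, second_factor_ok=True,
        country="XX", local_time=time(3, 15),
        device=Device("UNKNOWN-PC", "2015-06-01", False, 0),
    )

if __name__ == "__main__":
    for req in (compliant_request(), stolen_credential_request()):
        allowed, reasons = evaluate_access(req, POLICY)
        print(req.user, "ALLOW" if allowed else "DENY", reasons)
```

The point of collecting every failed reason rather than stopping at the first is operational: a login that presents a correct password and a correct one-time code yet fails four posture checks at once is exactly the pattern a security team wants surfaced, because it suggests the factors themselves have been obtained by someone other than the user.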