
9000+ Department of Homeland Security staff have their details leaked by hacker

Graham CLULEY

February 08, 2016


Any time you interact with an organisation that has “security” in their name, it’s understandable that you would expect them to be good at security. Right?

You would hope they would be shining examples for everyone else of how to do things right, how to batten down the hatches and protect sensitive information from falling into the hands of the bad guys.

But, as the US Department of Homeland Security (DHS) has just found out – things aren’t always that simple.

As CSO Online reports, this weekend a hacker dumped a staff directory including the names, job titles, email addresses and phone numbers of over 9,000 DHS workers on the net.

And then, to make sure that everyone knew about it, the hacker tweeted a link to the information along with the encryption password (perhaps unsurprisingly the password chosen by the hacker was “lol”).

As Motherboard explains, the anonymous hacker claims to have downloaded hundreds of gigabytes of data from Department of Justice servers, and is threatening to release the contact details of a further 20,000+ FBI employees.

According to that media report, the hacker first compromised the email account of a Department of Justice employee, but was unable to access an online portal without an access token.

A simple social engineering trick came to the hacker’s rescue:

“So I called up, told them I was new and I didn’t understand how to get past [the portal],” the hacker told Motherboard. “They asked if I had a token code, I said no, they said that’s fine – just use our one.”

It makes you want to weep, doesn’t it? What is the purpose of providing your staff with authentication tokens if they see no problem in sharing token codes with each other?

According to the hacker, he was then able to log in and, using the credentials from the already compromised email account, access other computers, including his victim’s work machine.

“I clicked on it and I had full access to the computer,” the hacker said. Here the hacker could access the user’s documents, as well as other documents on the local network.

The databases of supposed government workers were on a DoJ intranet, the hacker claimed.

Journalist Joseph Cox at Motherboard verified that the leaked data appeared to be legitimate by ringing a number of the staff listed in the dumped staff directory.

Clearly it shouldn’t have been as easy as it appears to have been to access the Department of Justice’s computer systems and retrieve the contact details of thousands of DHS workers.

It’s easy to imagine how malicious cyber-criminals and state-sponsored hackers, armed with the email addresses, job titles and phone numbers of DHS staff, could launch attacks targeting workers.

Much more needs to be done to instill proper security practices and prevent such incidents from occurring again.

Of course, we also shouldn’t forget that there is more than one way to skin a rabbit. In this instance, hackers showed just how easy it was to scoop up the names, job titles and contact details of DHS workers by hacking into government systems.

But it’s also the case that government staff might be putting themselves at further risk through the information they willingly share online.

For instance, just take a look at LinkedIn – where many business people are happy to share details of their job roles and how they can be contacted.

When I looked up “Department of Homeland Security” on LinkedIn, I received more than 21,000 results.

Even if a hacker can’t access your staff directory by breaking into your organisation’s network, never forget that they might be able to find out your employees’ information via other routes.
