Last Monday, a self-styled hacktivist who calls himself "Penis" published the personal details of 20,000 FBI employees and 9,000 DHS personnel. "Penis" claimed that — after getting hold of a Department of Justice email account — all he had to do to snatch the data was call the Justice help desk and ask for the password.
20,000 FBI EMPLOYEES NAMES, TITLES, PHONE NUMBERS, EMAILS, COUNTRY https://t.co/c5mvY49P8S password is lol #FreePalestine
— penis (@DotGovs) February 8, 2016
"I called up, told them I was new and I didn't understand how to get [into the online database where the details were stored]," the hacker told Vice.
"They asked if I had a token code, I said no, they said that's fine - just use our one."
The incident lays bare a shortcoming of the two-factor authentication scheme recently adopted by many American federal agencies: the technology is only as strong as the people who support it.
The scheme requires two distinct factors to reach government systems, a password plus a one-time code from a token. That is sound policy, except that, by the hacker's account, the second factor can be bypassed simply by ringing the help desk and asking for a code.
FBI and DHS info is dropped and that's all we came to do, so now it's time to go, bye folks! #FreePalestine
— penis (@DotGovs) February 8, 2016
In theory, federal agency personnel are forbidden from handing out a password or token code without first verifying the requester's identity. That verification could mean asking the person to come to the facility in person, or to provide specific details that only the legitimate account holder would know, so that identity can be established unequivocally over the phone.
Still, as usual, such procedures can be overridden by "social engineering", that is, talking people into doing something they should not.
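To make the failure concrete, here is an added illustration that is not part of the article and is not any agency's actual system: a minimal TOTP verifier in the style of RFC 6238 (HMAC-SHA1, 30-second steps, six digits) alongside two ways a help desk might handle "I don't have my token". The weak flow mirrors what the hacker described: a shared help-desk code that the server accepts for any account, which means the second factor is no longer bound to the person logging in. The hardened flow lets the help desk issue a bypass code only after it records a completed identity check and the approving agent, and the code is bound to one named user, expires after ten minutes, and burns on first use. All seeds, user names, the ten-minute lifetime and the agent ID are constructed sample values.

```python
"""Added illustration (not from the article, not any agency's code):
RFC 6238-style TOTP plus a weak and a hardened help-desk bypass flow.
All seeds, user names and policy numbers are constructed for the demo."""
import hashlib
import hmac
import secrets
import struct

STEP = 30     # seconds per TOTP window
DIGITS = 6    # code length


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time counter,
    dynamic truncation (RFC 4226), zero-padded to `digits`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class WeakLogin:
    """Per-user TOTP seeds plus ONE shared help-desk seed whose code the
    server accepts for any account. Anyone who knows (or is read) the
    help-desk code has defeated the second factor for every user."""

    def __init__(self, seeds_by_user: dict, helpdesk_seed: bytes):
        self.totp_seeds = seeds_by_user
        self.helpdesk_seed = helpdesk_seed

    def check(self, user: str, password_ok: bool, code: str, now: int) -> bool:
        if not password_ok or user not in self.totp_seeds:
            return False
        return (hmac.compare_digest(code, totp(self.totp_seeds[user], now))
                or hmac.compare_digest(code, totp(self.helpdesk_seed, now)))


class HardenedLogin:
    """Bypass codes still exist (people do lose tokens), but each one is
    minted for a single named user after a recorded identity check,
    expires, is single-use, and leaves an audit trail with the approver."""

    BYPASS_TTL = 10 * 60  # illustrative lifetime in seconds

    def __init__(self, seeds_by_user: dict):
        self.totp_seeds = seeds_by_user
        self.bypasses = {}   # code -> (bound user, expiry timestamp)
        self.audit = []      # (event, user, approver, timestamp)

    def issue_bypass(self, user: str, identity_verified: bool, approver: str, now: int) -> str:
        if user not in self.totp_seeds:
            raise KeyError("unknown user")
        if not identity_verified:
            self.audit.append(("denied", user, approver, now))
            raise PermissionError("identity not verified")
        code = secrets.token_hex(8)  # unguessable, unrelated to any TOTP seed
        self.bypasses[code] = (user, now + self.BYPASS_TTL)
        self.audit.append(("issued", user, approver, now))
        return code

    def check(self, user: str, password_ok: bool, code: str, now: int) -> bool:
        if not password_ok or user not in self.totp_seeds:
            return False
        if hmac.compare_digest(code, totp(self.totp_seeds[user], now)):
            return True
        entry = self.bypasses.get(code)
        if entry is None:
            return False
        bound_user, expires = entry
        del self.bypasses[code]  # single use: burn it even on a failed attempt
        ok = bound_user == user and now <= expires
        self.audit.append(("bypass_used" if ok else "bypass_rejected", user, None, now))
        return ok


def scenario() -> dict:
    """Replays the article's situation against both designs with constructed
    seeds: the caller already has the victim's password and is read the
    help desk's own code over the phone."""
    now = 1_700_000_000
    alice_seed = b"alice-totp-seed-0001"       # constructed sample seed
    desk_seed = b"helpdesk-shared-seed"        # constructed sample seed
    lent_code = totp(desk_seed, now)           # what the help desk reads out
    weak = WeakLogin({"alice": alice_seed}, desk_seed)
    hard = HardenedLogin({"alice": alice_seed, "bob": b"bob-totp-seed-000002"})
    out = {
        "weak_accepts_lent_code": weak.check("alice", True, lent_code, now),
        "hardened_rejects_lent_code": hard.check("alice", True, lent_code, now),
    }
    try:
        hard.issue_bypass("alice", identity_verified=False, approver="desk-17", now=now)
        out["hardened_unverified_issue"] = "issued"
    except PermissionError:
        out["hardened_unverified_issue"] = "denied"
    code = hard.issue_bypass("alice", True, "desk-17", now)
    out["hardened_wrong_user"] = hard.check("bob", True, code, now)      # bound to alice
    code = hard.issue_bypass("alice", True, "desk-17", now)
    out["hardened_first_use"] = hard.check("alice", True, code, now)
    out["hardened_replay"] = hard.check("alice", True, code, now)        # already burned
    code = hard.issue_bypass("alice", True, "desk-17", now)
    out["hardened_expired"] = hard.check("alice", True, code, now + HardenedLogin.BYPASS_TTL + 1)
    return out
```

The point of the split is not that bypass codes are forbidden, but that a bypass must be a recorded, user-bound, time-boxed decision rather than a shared secret anyone on the desk can read out. The `totp` function can be checked against the RFC 6238 reference vectors (ASCII seed `12345678901234567890`, time 59 gives `287082` at six digits).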
"I'm not sure it was in the protocol for the help desk to provide the token for access without significant further authentication," Leo Taddeo, a former FBI agent and cybersecurity expert, told Nextgov.
"If you trace it back, it is a failure to follow proper protocol. It's probably someone just wanted to be helpful."
"It's the human being, no matter what we design, no matter how much we emphasize the technological solutions," he added.
"If we have users and especially help desks and system administrators that circumvent technology controls by just giving away information."
The US Department of Justice and the Department of Homeland Security have launched an investigation into the breach, although both deny that the leaked information was "sensitive."
Hacker Leaks Info of 30,000 #FBI and DHS Employees https://t.co/4wrstfIWdn #security pic.twitter.com/aH32o6j8IV
— Anonymous (@GroupAnon) February 10, 2016
The hacker, whose identity is still unknown, tweeted links to the data — which includes names, phone numbers and email addresses — together with pro-Palestinian messages from the account @DotGovs.
What is clear so far is that US federal agencies' cybersecurity is in sore need of improvement.
Perhaps not coincidentally, a 2017 budget proposal released on Tuesday by the White House suggests allocating US$26 million for "the Justice Security Operations Center; for the Identity, Credentialing, and Access Management program; to enhance information security and continuous monitoring; and for a stronger insider threat program."