A new report details how stolen credentials from many US government agencies turned up across the Web, along with potential security measures to mitigate the risk.
According to a report by Recorded Future, a data mining firm based in Boston and backed by the CIA's venture capital arm, login credentials for 47 government agencies were found across 89 unique domains.
Recorded Future found the stolen login information on paste sites such as Pastebin, which are meant for storing and sharing plain-text snippets but which, the firm said, have also become "a dumping ground for stolen credentials."
The data was collected over a one-year period of scanning 17 paste sites that ended in November 2014. Recorded Future notified the majority of the affected agencies about the leaked credentials in late 2014 and early 2015.
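The kind of scan described above, reduced to its core, is a matter of pulling email/password pairs out of pasted dumps and attributing them to the domains you are responsible for. The following is an added illustration, not code from the Recorded Future report: it parses a constructed sample paste (all addresses, domains and passwords are made up, and the watched domains `agency-a.gov` and `agency-b.gov` are hypothetical), attributes each credential to a watched domain, counts subdomain addresses toward their parent domain, deduplicates re-posted lines, and flags obviously weak passwords so an analyst can prioritize who to notify first.

```python
import re
from collections import defaultdict

# Constructed sample paste mimicking the mixed formats seen in credential dumps.
# Every address and password here is made up for this example.
SAMPLE_PASTE = """\
--- db dump from some forum, enjoy ---
alice.smith@agency-a.gov:Winter2014
bob@mail.agency-a.gov , hunter2
carol@agency-b.gov|C0rrect-Horse-Battery-Staple!
dave@example.com:password123
ALICE.SMITH@AGENCY-A.GOV:Winter2014
erin@agency-b.gov\tqwerty
this line has no credential in it
"""

# Domains the monitoring job is responsible for (hypothetical).
WATCHED_DOMAINS = {"agency-a.gov", "agency-b.gov"}

# An email, a separator (colon, semicolon, comma, pipe or tab), then a password token.
CRED_RE = re.compile(
    r"([A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,}))\s*[:;,|\t]\s*(\S+)"
)


def watched_domain_for(host, watched):
    """Return the watched domain that host equals or is a subdomain of, else None."""
    host = host.lower()
    for domain in watched:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def extract_credentials(text, watched=WATCHED_DOMAINS):
    """Yield (domain, email, password) for each credential line on a watched domain.

    Emails are lower-cased and (email, password) pairs deduplicated so a dump that
    is re-posted or re-cased is not counted twice.
    """
    seen = set()
    for line in text.splitlines():
        match = CRED_RE.search(line)
        if not match:
            continue
        email, host, password = match.group(1).lower(), match.group(2), match.group(3)
        domain = watched_domain_for(host, watched)
        if domain is None or (email, password) in seen:
            continue
        seen.add((email, password))
        yield domain, email, password


def is_weak(password):
    """Crude strength heuristic: a well-known junk value, too short, or too few character classes."""
    common = {"password", "password123", "hunter2", "qwerty", "123456"}
    if password.lower() in common or len(password) < 12:
        return True
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    return classes < 3


def summarize(text, watched=WATCHED_DOMAINS):
    """Per-domain exposure report: sorted unique accounts and how many used a weak password."""
    report = defaultdict(lambda: {"accounts": set(), "weak": 0})
    for domain, email, password in extract_credentials(text, watched):
        report[domain]["accounts"].add(email)
        if is_weak(password):
            report[domain]["weak"] += 1
    return {
        domain: {"accounts": sorted(info["accounts"]), "weak": info["weak"]}
        for domain, info in report.items()
    }


if __name__ == "__main__":
    for domain, info in sorted(summarize(SAMPLE_PASTE).items()):
        print(f"{domain}: {len(info['accounts'])} account(s) exposed, "
              f"{info['weak']} with weak passwords")
        for email in info["accounts"]:
            print("   ", email)
```

In practice the paste text would come from a site's API or a scraper rather than a string literal, and the output would feed a notification queue keyed by domain; the attribution and deduplication logic is the part that does not change. Note that the weak-password flag is a triage aid only: a leaked credential is compromised regardless of its strength, which is why the report's remedy is multifactor authentication rather than password rules alone.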
According to a February 2015 report to Congress by the Office of Management and Budget, 12 of the 47 affected agencies did not require most privileged users to use any form of two-factor authentication during login, including the US General Services Administration, and the Departments of State, Treasury, Interior and even the Department of Homeland Security.
Recorded Future noted that several Office of Personnel Management (OPM) credentials turned up in the scans. The lack of two-factor authentication has been cited as one reason stolen credentials could be used in the OPM breach, and rolling out multifactor authentication is part of the White House's proposed "30-day Cybersecurity Sprint."
Recorded Future found the Departments of Energy and Commerce had the widest exposure of stolen credentials, but most of the exposures "occurred outside the government agencies' reach due to vulnerabilities in third-party websites and employee use of government email accounts to register for a Web-based service."
The leaked credentials originated from both targeted and untargeted attacks, Recorded Future said, with many coming from email and password dumps obtained using "freely-traded exploits against unpatched sites and servers."
Recorded Future recommended not only the implementation of multifactor authentication to mitigate the risks associated with stolen credentials, but also that government agencies require employees to use stronger passwords. Additionally, agencies should "gauge and define use of government email addresses on third-party sites."