A hacker has made good on his promise to publish information on 20,000 FBI agents and 9,000 Department of Homeland...
Security employees following a social engineering attack on the Department of Justice.
The leaked information includes names, email addresses, phone numbers and job descriptions for thousands of individuals. The hacker claimed to have obtained the information by first compromising a Department of Justice (DOJ) email account.
From there, the individual used a surprisingly simple social engineering attack to access the DOJ intranet. The hacker claimed that all it took was a phone call to the DOJ, pretending to be a new employee who couldn't access the DOJ Web portal.
"So, I called up, told them I was new and I didn't understand how to get past [the portal]," the hacker told Motherboard. "They asked if I had a token code; I said no, [and] they said that's fine -- just use our one."
The hacker said this token allowed full access to the DOJ intranet, including about 1 TB of data. Due to limited time, the hacker only downloaded 200 GB of data, which included the FBI and Department of Homeland Security (DHS) employee info, but the hacker claimed the database also included military emails and credit card numbers.
Before the data was fully leaked, a DHS spokesman told SearchSecurity, "We are looking into the reports of purported disclosure of DHS employee contact information. We take these reports very seriously; however, there is no indication at this time that there is any breach of sensitive or personally identifiable information."
After the data was leaked, the DHS had no additional comment.
Chris Blow, senior security advisor for Rook Security Inc., in Indianapolis, said this incident proves that no one is safe and secure from social engineering attacks.
"There isn't a piece of technology that can be put in place. To help mitigate social engineering, you need people who are aware and educated," Blow said. "The best way to authenticate users remotely cannot be based on trust alone. Trust, but verify."
David Martin, security expert and director at NSFOCUS IB, based in Santa Clara, Calif., said any enterprise authentication policy should include some form of multifactor authentication.
"Many enterprise organizations implement a two-factor authentication system, where the user must combine 'what they know' with 'what they have' in order to establish their identity," Martin said, adding that a unique password or answer to a security question should be combined with an electronic token from a device in the user's possession for verification. "Also, some organizations require approval from the user's manager or department head before granting access to the target system. In this particular instance, it seems a token system was in place, but the procedure to require the token prior to granting access was not followed."
Experts widely agreed that the best way for enterprises to mitigate social engineering attacks, such as the one to which the DOJ fell victim, is through education and strong authentication policies. However, experts also noted that the DOJ could have benefitted from better isolation of sensitive data on its intranet.
Blow said that any attempt to isolate sensitive data needs to begin with a proper data classification policy.
"Once that's been established, a secure area needs to be carved out for the confidential data, with very strict access control lists around it," Blow said. "That should be audited at least quarterly, if not more. Following the principal of least-privilege will be a great help to many organizations. If a user says they require access to this share, proper business justification, along with at least a couple of higher-up approvals, would help keep this data under control as well."
Morey Haber, vice president of technology at BeyondTrust Inc., based in Phoenix, said all enterprises can learn lessons from this government breach.
"The government, like literally any other organization, can be hacked. Many attacks are opportunistic, but the government is generally targeted because they are the government," Haber said. "In this case, a system compromise and social engineering -- leveraged as a pair -- allowed for a deeper hack to be committed. Most commercial organizations would have probably fallen to the same threat. We expect the government to be more secure than businesses, but in reality, they are just people, too, and many times lack training and expertise to defend against these attacks, too."
Learn more about social engineering penetration testing.