Hackers are believed to have successfully compromised a data portal run by the US Drug Enforcement Administration (DEA), unlocking access to a wealth of information.
As cybersecurity journalist Brian Krebs reports, the breach would have allowed attackers to prowl 16 federal law enforcement databases covering a wide variety of investigative data. How did it happen? Failure to implement multi-factor authentication seems to be a key cause.
Krebs wrote that he learned that “the alleged compromise is linked to an online cybercrime and harassment community that routinely impersonates police officers and government officials to harvest personal information about their targets.”
He said a tip for this story came from an anonymous admin of Doxbin – “a highly toxic online community that provides a forum for digging up personal information about people and posting it publicly.” Krebs further noted that this unauthorized access could be abused to upload false data on suspects, citing a comment by Nicholas Weaver, a researcher at the International Computer Science Institute at the University of California, Berkeley.
False reports have often been used to launch “swatting” attacks, in which hoax reports of ongoing crimes lead police to storm a residence with heavily armed SWAT teams. The target – or a random passerby – may end up dead in the process.
Unfortunately, Krebs has personal experience of this scenario. In 2013, in Fairfax County, Virginia, police showed up on his doorstep, guns drawn, after receiving a false report that Russians had broken in and shot his wife. The attacker was arrested after participating in an online forum run clandestinely by the FBI, and was convicted in 2016.
The login page for the DEA’s El Paso Intelligence Center (yes, EPIC) prompts users to log in with a government-issued personal identity verification card, but also allows traditional username and password access. The source Krebs spoke to told him that “the hacker who gained this illicit access was able to log in using only the stolen credentials, and at no time did the portal request a second authentication factor”.
This would be a serious security risk for a webmail system, let alone a portal for a large law enforcement database. This would also count as the most accurate use of the term “EPIC fail”.
For now, the DEA is not sharing any details and has only provided a generic statement that it “takes cybersecurity and intrusion intelligence seriously.” We have submitted a request for comment to the DOJ and will update this story if and when we receive one.
However, the federal authorities should already know what they need to do to solve this problem. The executive order on cybersecurity that the Biden administration issued in May 2021 mandates going beyond passwords: “Within 180 days of the date of this order, agencies must adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws”.