MAJOR Justice Dept. Breach — ‘Time for Drastic Measures’

Criminals have access to Justice Department databases, we’re told. Scrotes can write fake data as well as read highly sensitive information, said a credible report.

Authentication only required a password. That’s despite a White House mandate that all government systems should at least be protected by two-factor authentication—the deadline was the end of last year. Your tax dollars at work.

Heads must roll. In today’s SB Blogwatch, we wonder who—if anyone—will carry the can.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Outdoor ambient modular synth.

DEA 2FA TLA BBQ

What’s the craic? All aboard the Brian Krebs cycle—“DEA Investigating Breach of Law Enforcement Data Portal”:

It’s time for drastic measures
Hackers obtained a username and password for an authorized user of [DEA’s] Law Enforcement Inquiry and Alerts (LEIA) system. … According to [DoJ], LEIA “provides federated search capabilities for both [El Paso Intelligence Center] (EPIC) and external database repositories,” including data classified as “law enforcement sensitive” and “mission sensitive.” … EPIC and LEIA also have access to the DEA’s National Seizure System.

Access to databases and user accounts within the Department of Justice would be a major coup. But [it] would probably be far more valuable to organized crime rings or drug cartels [because] they could … also submit false records to law enforcement and intelligence agency databases.

It’s not clear why there are still sensitive government databases being protected by nothing more than a username and password, but I’m willing to bet … this DEA portal is not the only offender. … It is long past time for the U.S. federal government to perform a top-to-bottom review of authentication requirements. … It’s time for drastic measures.

EPIC? Rob Pegoraro makes the ob. gag—“Never has the term ‘EPIC FAIL’ been more accurately used”:

Unnamed administrator at Doxbin
How did this happen? A failure to implement multi-factor authentication seems to be a key cause. … That would be a serious security risk for a webmail system, much less a portal for a large law-enforcement database.

The feds should, however, know what they ought to be doing. [An] executive order on cybersecurity … in May of 2021 mandates: … “Within 180 days … agencies shall adopt multi-factor authentication … to the maximum extent consistent with … applicable laws.”

A tip for this story came from an unnamed administrator at Doxbin—“a highly toxic online community that provides a forum for digging up personal information.” … False tips have often been used to initiate “swatting” attacks, in which hoax reports about crimes in progress lead to police swarming a residence with heavily armed SWAT teams. The target, or a random bystander, can wind up dead in the process.

What a mess. Chris Kubecka—@SecEvangelis—agrees:

The US asked private industry to share data to increase cybersecurity as their “patriotic duty.” But they are surprised-Pikachu face when businesses nope out.

One big reason: The US Government can’t figure out basic cybersecurity.

But 2FA is hard, yo. Let Train0987 explain:

The more agencies and departments they want this to work for … the more insecure it has to be. You won’t be able to brag about giving 100,000 podunk police departments access to your global surveillance network if all of them have to use special secure faceid or MFA, much less make it work even if they have the special software/devices.

Okay, but how did the password leak? Mister Sterling pays it forward: [You’re fired—Ed.]

[I wonder if] this was a good guess, or if the username and password was intercepted from a device, or if a user was tricked into giving their username and password. Usually, it is the last example, … a socially engineered attack.

Wait. Pause. Doc Hodlday—@DocHodl—thinks outside the box:

Is it “hacking” if you just use a username and password to login? Isn’t that just logging in?

What can be done about it? Sure sounds like Unblinking has experience in law enforcement IT:

    • Terminate non-technical managers who misrepresent conditions to avoid doing the real work.
    • Eliminate CXO committees that prioritize career gain over security policy, staff, and programs. …
    • Trust auditors, examiners, and technical staff more than you trust management.
    • Allow implementation of security standards that have been well known for years.

And what else can we learn? dstwins suggests something:

And this, Boys and Girls, is why government “backdoors” are a BAD thing: … You just shift the attack pattern/profile from a few script kiddies that knock on the door, to a concerted effort to breach the defenses. And then when you add human stupidity/fallibility to the mix … it’s just not going to end well.

Meanwhile, @PeterHLemieux sounds pretty disgusted:

It’s pretty disgusting when GMail has better security than sensitive government databases.

And Finally:

But is it art?

Hat tip: cowcat

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Automobile Italia (cc:by; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
