Government credentials show up on paste sites
While much attention has been paid to the very public attacks on government agencies, particularly the breach at the Office of Personnel Management, less has been made of the whereabouts of the exfiltrated data. So how easy is it for John Doe to get his hands on the information let loose in these attacks? Extremely, it seems, according to one recent report.
Security threat analyst Recorded Future, using open source intelligence on 17 paste sites over a single year ending in November 2014, discovered possible exposure of 47 U.S. government agencies across 89 unique domains. The Energy Department alone had email/password combinations on the sites for nine different domains.
A paste site gives users -- usually programmers and coders -- a place to store and share short items in plain text. Pastebin is the best known of these, though there are dozens of others. Anyone on the web can access them, and large companies such as Facebook have started to mine them for information to make their own sites more secure.
Credentials that grant access to agency networks have become a major target for Black Hats because they more easily open up an organization’s data. In fact, most of the sophisticated attacks on government agencies were enabled by attackers who had privileged account information.
Hackers in search of credentials often target agency contractor or business partner sites, as those organizations' employees are given agency access privileges for certain uses. And Recorded Future, in fact, found that most of the exposures at the paste sites were from these kinds of third-party websites, along with government employees using their government email accounts to register for web-based services -- a growing security concern in itself.
The Recorded Future study can’t specify the actual damage from all of this posted information, but it’s easy to infer the possibilities.
Much of the potential damage could be significantly lessened with the use of fairly simple security steps such as requiring two-factor authentication for network access. However, as the Recorded Future report pointed out, OMB has found that many major agencies don’t employ this safeguard for privileged access. The OPM breach was directly tied to this lack of two-factor authentication.
Recorded Future shared the results of its analysis with the government and agencies last year, well before it made them public. It also made a list of helpful suggestions for agencies to protect themselves against the effects of the paste site exposures:
- Enable multi-factor authentication and/or VPNs.
- Require government employees to use stronger passwords that change with greater regularity.
- Gauge and define use of government email addresses on third-party sites.
- Maintain awareness of third-party breaches and regularly assess exposure.
- Ensure Robot Exclusion Standard (robots.txt) is set for government login pages to prevent listing of webmail/web-services in search engines.
All good suggestions. How many would you guess will be standard operating procedure at agencies a year from now?
Mudge to the rescue!
One of the other problems that plague government, along with industry at large, is being able to gauge the quality and reliability of the software it acquires. As last year’s Open SSL Heartbleed affair showed, even well established software can be vulnerable.
Peter Zatko, known affectionately in security circles by his hacker handle Mudge, is leaving his job at Google to help the government create a CyberUL, a cyber version of the famous Underwriters Laboratory that is considered a stamp of approval for the worthiness of many products. He first made his announcement on Twitter.
Zatko went to Google via the Defense Advanced Research Projects Agency, where he was developing technical skills and techniques for use in cyber combat. Before that he was with BBN Technologies and other security research companies.
Not much is yet known of what Zatko will be doing for the government, but he was reportedly a member of the L0pht hacker collective in the 1990s, which published a paper that described a possible model for a CyberUL.
Posted by Brian Robinson on Jul 06, 2015 at 11:06 AM