Just two days before Director of National Intelligence James Clapper was to appear before the Senate Select Committee on Intelligence and offer an assessment of worldwide threats, a hacker threatened to release information on 20,000 FBI employees and 9,000 who work for the Department of Homeland Security (DHS).
The anonymous hacker claimed to have data – including telephone numbers, job titles and email addresses – gleaned from a Justice Department system, according to a report by Vice's Motherboard.
“The timing could not be worse for Clapper,” Gabe Gumbs, vice president of strategy at Identity Finder, told SCMagazine.com via Monday email. “There needs to be more outreach to the professional security community and a move away from the relatively smaller number of people that currently occupy the echo chamber.”
Prepared remarks showed the intelligence chief would identify threats within cyber and technology, citing the “consequences of innovation and increased reliance on information technology in the next few years.”
The hack certainly raises the question as to how hackers continue to get their hands on sensitive data at the DHS and the FBI, which Gumbs attributed to a lack of “serious focus on protecting data at its source.”
By now “we know that persistent attackers will penetrate defenses,” he said. “This attack highlights poor application of basic data minimization efforts.”
Thomas Ristenpart, Cornell Tech professor and a member of the Cornell Tech Security Group, told SCMagazine.com in emailed comments that “Usually, these attacks use one of a variety of standard techniques like leveraging known software vulnerabilities or social engineering.”
In this case, the hacker managed to obtain the data by compromising a Justice Department staffer's email, Motherboard reported. Then he social-engineered his way into the agency's web portal by calling the appropriate department, claiming to be a new employee, and was given the department's token code, which he used to log in to a PC and from there a virtual machine. From there, access was easy, using the original hacked email account credentials to select one of three computers to infiltrate. He claimed to have copied 200GB out of 1TB of files from databases on the DoJ's intranet.
“Many organizations could not identify one set of data from another. Not identifying and labeling data as being sensitive means that companies are preoccupied instead with identifying attacks on networks and systems,” said Gumbs. “This, like many attacks, began by first gaining legitimate access to sensitive data. That data was never classified as such and so it was not any more protected.”
Gumbs said, “The most surprising aspect of this breach is the response or lack thereof. Much like the OPM breach, there are a lot of people whose personal lives are going to be affected by this.”
Ristenpart called it “critical that the Department of Justice and FBI constantly update and improve their security practices to make sure they're using the best defenses available.”
He called to collectively “put pressure on government and private industry to be better stewards of the vast amounts of data collected to provide vital services.”
And, he said, “we should consider minimizing the amount of data collected as well. This requires holding both government and private companies accountable for bad security practices.”