It's no surprise that careless government employees use their .gov email addresses to sign up for all sorts of personal accounts. But when those insecure third party services are breached by hackers---and if those employees were foolish enough to reuse their .gov passwords, too---that carelessness can offer a dead-simple backdoor into federal agencies, with none of the usual "sophisticated Chinese attackers" required.
The security intelligence firm Recorded Future on Wednesday released a report that details its scouring of online email addresses and passwords revealed when hacker groups breach third party websites and dump their booty on the web. Searching through those user data dumps from November 2013 to November 2014 on public websites like Pastebin---not even on dark web sites or private forums---Recorded Future found 224 government staffers' data from 12 federal agencies that don't consistently use two-factor authentication to protect their basic user access.
Those leaked government email addresses were taken from the breached innards of sites for bikeshare programs, hotel reviews, neighborhood associations and other low-budget, insecure sites where government employees had signed up with their .gov accounts. Each breach opens federal staffers to the targeted phishing emails that are often the first step in an attack on an agency. And Recorded Future analyst Scott Donnelly points out that if any of the hundreds of staffers who used their government emails on those sites also reused their agency password, the result could be a fully exposed set of login credentials offering access to a government agency's network.
"You only need one to work to begin a social engineering campaign," says Donnelly, referring to a hacker's ability to hijack an account and impersonate the user to gain further access to an agency's network. "These are piles of credentials sitting out there on the open web."
Recorded Future admits that it doesn't know how many of the leaked credentials---dumped by hacker groups such as Anonymous, LulzSec and SwaggSec---actually include working passwords for government agencies. But he points to studies that show about half of Internet users do reuse passwords and says that many of the passwords that Recorded Future spotted appeared to be strong ones, not throwaways created for insecure accounts. Many of the leaked passwords may also have been encrypted with hashing functions that render them unreadable. Donnelly said that Recorded Future hadn't broken down which passwords had been hashed or what type of encryption was used. Some hashed passwords can still be deciphered with techniques like rainbow tables that precompute password hashes to crack their encryption.
Despite those serious caveats to their findings, Donnelly said they decided to release the results in the wake of a February study by the Office of Management and Budget, which found that a dozen federal agencies allowed the majority of users with high network privileges to log onto their networks without using two-factor authentication.
Cross-referencing those findings with their own study, Recorded Future tallied the publicly leaked credentials of those dozen agencies that failed to fully implement two-factor authentication. The results included 35 users' credentials, for instance, for the Department of Veteran Affairs, and 47 each for the Department of Health and Human Services and the Department of Homeland Security.
The insecurity of federal agencies has become a topic of renewed anger as the full scope of the hacker breach of the Office of Personnel Management has come clearer over the past weeks. Fully 18 million federal workers' data is now believed to have been compromised in the attack, which has been attributed to Chinese hackers who quietly lurked in the agency network for more than a year.
But as Recorded Future's study is meant to demonstrate, even basic security measures are still eluding federal agencies. If many of them had better policies requiring two-factor authentication, the leak of their users' credentials in third-party breaches wouldn't represent a serious security risk. "Hackers take the path of least resistance," says Donnelly. "Two-factor authentication solves almost all these problems."
