Tech Company Finds Leaked U.S. Gov't Logins, Passwords Online
How private and secure are the e-mail conversations involving U.S. government officials? Not very private -- or secure -- at all, according to Recorded Future, a CIA-backed tech company that used its Web Intelligence Engine to survey the landscape.
Recorded Future identified the possible exposure of login credentials for 47 United States government agencies across 89 unique domains. This data was identified through open source intelligence collection and analysis of 17 paste sites including Pastebin.com from November 2013 to November 2014. A paste site is a Web application that allows a user to store and share plain text.
At the time of the company's analysis, the Department of Energy had the widest exposure, with e-mail/password combinations for nine different domains identified on the open Web. The Department of Commerce was the second hardest hit with seven domains suffering exposures.
“As of early 2015, 12 of these agencies, including the Departments of State and Energy, allowed some of their users access to computer networks with no form of two-factor authentication,” the firm reported. “The presence of these credentials on the open Web leaves these agencies vulnerable to espionage, socially engineered attacks, and tailored spear-phishing attacks against their workforce.”
Criminals Move Quickly
We turned to Ken Westin, senior security analyst at advanced threat protection firm Tripwire, to get his thoughts on the news. He told us there are massive amounts of information available on the Internet from various data breaches that allow attackers to easily identify and correlate a variety of personal information.
“Personal e-mail addresses, social media accounts and other data may also be available as well as work e-mail and login credentials from other breaches,” Westin said. “Pastebin searches bring up a number of compromised accounts from recent breaches, but it's likely these credentials are no longer valid. However, many threat actors monitor Pastebin and other similar sites in real-time, so when new credentials are posted they can correlate this information and act on them quickly.”
Tapping User Behavior Analytics
Igor Baikalov, chief scientist at security analytics firm Securonix, told us there are indeed millions of user credentials posted on the Web, and hundreds of millions more available for sale. You don't really need CIA-backed technology to scan those for .gov e-mails, and you most likely will find a lot more than a few hundred of them, he said.
“In fact, security-conscious companies have been doing just that for years: scanning every known dump site for their employees' credentials based on work e-mail and other company data, such as credit card or account numbers that might be posted up for sale,” Baikalov said. “What these companies also did was to implement user behavior analytics (UBA) solutions as an additional line of defense. UBA is watching for anomalies in user behavior, and if the user credentials fall in the wrong hands, it can detect account compromise and prevent a potentially devastating attack.”
How To Combat the Threat
How can organizations defend against attackers' ability to correlate personal data from a variety of sources? Brad Taylor, CEO of cloud-based managed security firm Proficio, told us the fundamental problem is that government employees are using combinations of their e-mails and weak passwords for login credentials.
“Hackers are finding the former and breaking the latter,” he said. “We recommend the adoption of two-factor authentication and complex passwords to stop this madness.”
Tripwire’s Westin said many CIOs are integrating and aggregating threat intelligence data from Pastebin and similar sites into their SIEM (security information and event management) systems to alert system administrators when accounts may be compromised. Monitoring the Internet, specifically paste sites and forums, for activity involving corporate domain names is becoming increasingly common, he said.
“Cyberattack detection is no longer just about monitoring what is happening on your network, but also monitoring externally for e-mail addresses, PII [personal identifying information] and intellectual property that could be precursors to an attack or indicators of compromise,” Westin said. “The reality is that malware often shares many of the same files and libraries as legitimate software so identifying a threat involves a correlation of multiple file changes and behavior. Organizations that haven't yet implemented these kinds of capabilities often have a blind spot in their cybersecurity visibility.”
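Both Baikalov's point about scanning dump sites for employee credentials and Westin's point about feeding paste-site findings into a SIEM come down to the same defensive loop: pull in paste text, pick out e-mail addresses that belong to your own domains, and emit an alert record that an account may be compromised. The script below is an added illustration written for this article, not code from Recorded Future, Tripwire or Securonix. The paste text, the monitored domains and the pepper value are constructed placeholders; the only real-world assumption is the common `email:password` dump layout. Note that the alert carries a peppered fingerprint of the secret rather than the plaintext, so the SIEM never stores the leaked password itself.

```python
import hashlib
import json
import re
from collections import Counter

# Constructed sample paste (fictitious accounts; placeholder domains, not real agency domains).
SAMPLE_PASTE = """\
# constructed dump, fictitious accounts
alice@example.gov:Summer2014!
bob.smith@energy.example.gov:hunter2
carol@otherdomain.test:letmein
dave@example.gov;Winter2013
mallory@notexample.gov:password
eve@example.gov
frank@commerce.example:Passw0rd
"""

# Domains the organization watches for (assumed placeholders).
MONITORED_DOMAINS = {"example.gov", "commerce.example"}

# Pepper for fingerprinting secrets (assumed value); in real use keep it out of the SIEM.
FINGERPRINT_PEPPER = "assumed-pepper-value"

# An e-mail address, optionally followed by a separator and a secret (the usual dump layout).
CRED_RE = re.compile(
    r"([A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,}))"
    r"(?:\s*[:;|,]\s*(\S+))?"
)


def matched_domain(domain, monitored):
    """Return the monitored domain that `domain` equals or is a subdomain of, else None.

    The dot prefix in the suffix check stops 'notexample.gov' matching 'example.gov'.
    """
    domain = domain.lower()
    for m in monitored:
        if domain == m or domain.endswith("." + m):
            return m
    return None


def fingerprint(secret):
    """Peppered hash so repeated leaks can be deduplicated without storing the plaintext."""
    return hashlib.sha256((FINGERPRINT_PEPPER + ":" + secret).encode()).hexdigest()[:16]


def build_alerts(text, monitored, source):
    """Scan paste text line by line and return one alert dict per monitored-domain hit."""
    alerts = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CRED_RE.finditer(line):
            email, domain, secret = m.group(1), m.group(2).lower(), m.group(3)
            hit = matched_domain(domain, monitored)
            if hit is None:
                continue  # someone else's domain; not our alert to raise
            alerts.append({
                "source": source,
                "line": line_no,
                "email": email.lower(),
                "domain": domain,
                "matched_domain": hit,
                "secret_present": secret is not None,
                "secret_fingerprint": fingerprint(secret) if secret else None,
            })
    return alerts


def summarize(alerts):
    """Count hits per e-mail domain, the figure the article reports per agency domain."""
    return Counter(a["domain"] for a in alerts)


def to_jsonl(alerts):
    """One JSON object per line, a format most SIEM log collectors can ingest directly."""
    return "\n".join(json.dumps(a, sort_keys=True) for a in alerts)


if __name__ == "__main__":
    found = build_alerts(SAMPLE_PASTE, MONITORED_DOMAINS, "constructed-paste-1")
    print(to_jsonl(found))
    print(dict(summarize(found)))
```

On the constructed paste, the scan raises five alerts (four with a secret present, one bare address), ignores the two foreign domains, and the emitted JSON lines never contain a leaked password. In a real deployment the paste text would come from a feed of new pastes rather than a string, and an alert with `secret_present` set would typically trigger a forced password reset and a review of recent logins for that account.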
Image credit: Department of Homeland Security.
Posted: 2015-06-26 @ 3:49am PT
By deploying business VPN technology, companies can overcome cyber attacks. It not only equips employees with secure remote access but also keeps the information secure and protected online.