It’s thought hackers have managed to compromise a data portal run by the US Drug Enforcement Administration (DEA), unlocking access to a wealth of information.
As cybersecurity journalist Brian Krebs reports, the breach would have allowed the attackers to prowl through 16 federal law enforcement databases covering a wide variety of investigative data. How did this happen? A failure to implement multi-factor authentication seems to be a key cause.
Krebs wrote that he’s learned “the alleged compromise is tied to a cybercrime and online harassment community that routinely impersonates police and government officials to harvest personal information on their targets.”
He said a tip for this story came from an unnamed administrator at Doxbin—“a highly toxic online community that provides a forum for digging up personal information on people and posting it publicly.” Krebs further noted that this unauthorized access could be abused to upload fake data about suspects, citing commentary from Nicholas Weaver, a researcher at the University of California at Berkeley’s International Computer Science Institute.
False tips have often been used to initiate “swatting” attacks, in which hoax reports about crimes in progress lead to police swarming a residence with heavily armed SWAT teams. The target, or a random bystander, can wind up dead in the process.
Unfortunately, Krebs has personal experience with that scenario. In 2013, Fairfax County, Va., police showed up at his door, guns drawn after getting a phony tip that Russians had broken in and shot his wife. The perpetrator was caught after participating in an online forum clandestinely run by the FBI, and subsequently got sentenced in 2016.
The login page for the DEA’s El Paso Intelligence Center (yes, EPIC) invites users to log in with a government-issued Personal Identity Verification card, but also allows traditional username and password access. The source Krebs spoke to told him that “the hacker who obtained this illicit access was able to log in using the stolen credentials alone, and that at no time did the portal prompt for a second authentication factor.”
That would be a serious security risk for a webmail…