Experts found Government Credentials on the Open Web too easily

Pierluigi Paganini June 29, 2015

Recorded Future discovered that credentials stolen in a number of breaches and belonging to government agencies are available online on several paste sites.

According to analysts at Recorded Future, credentials stolen in several data breaches and related to 100 US government domains are available online on a number of paste sites and other websites. Recorded Future has already reported its discovery to the Government. The findings of the analysis are disconcerting because the credentials were available online for at least 12 months, from November 2013 to November 2014, putting government employees and agencies at risk of cyber attacks.

Open source intelligence analysis allowed the experts at Recorded Future to find the credentials, either in clear text or as hashed email-password combinations, belonging to individuals at 47 agencies. The credentials belonging to government personnel were found on 17 different paste sites, including Pastebin.

The experts also highlight that the bad habit of reusing the same credentials across several web services has aggravated the situation. In many cases, the stolen credentials were siphoned in data breaches of unrelated third-party websites.

“The leaked credentials came from a range of vectors both targeted and untargeted. Government agencies have been specifically targeted by hacktivists with political motivations – such as individuals associated with #OpSaveGaza, and #OpLeak. Other leaks came from actors claiming affiliation with LulzSec, SwaggSec, Wikileaks and Anonymous. However, many credentials are just included in email and password dumps from hacks that lacked targeting and exploited a target of opportunity on a vulnerable third-party site, service, or individual.” states the report.

“If a third-party website’s username/password database is hacked and the employee used the same login credentials on that website as at work, those credentials could allow unauthorized access to the employer’s network,” the report said.

The researchers found paired email-password combinations for dozens of agencies.

“Recorded Future identified the possible exposures of login credentials for 47 United States government agencies across 89 unique domains. As of early 2015, 12 of these agencies, including the Departments of State and Energy, allowed some of their users access to computer networks with no form of two-factor authentication.” “The presence of these credentials on the open Web leaves these agencies vulnerable to espionage, socially engineered attacks, and tailored spear-phishing attacks against their workforce,” states the report published by Recorded Future titled “Government Credentials on the Web.” “While some agencies employ VPNs, two-factor authentication, and other tokens to provide a safety net, many agencies lag behind as cited by the OMB report to Congress.”

The majority of the credentials allow access to non-classified networks; according to the experts, a dozen agencies have not implemented two-factor authentication to protect their online resources. The government departments affected by the data breaches are the Department of Energy, the Commerce Department, the General Services Administration, USAID, the State Department, Veterans Affairs, Agriculture, Health and Human Services, Housing and Urban Development, Transportation, Treasury, Interior and also Homeland Security.

(Figure: affected agencies)

The Department of Energy was the most exposed on the web, with email/password combinations for nine different domains identified on the Internet, while the Department of Commerce was second with seven domains.

(Figure: OPM government credentials online)

The circumstance is embarrassing: while the security industry was discussing the recent hack of the Office of Personnel Management (OPM), which exposed millions of federal employees’ personal records, the analysis conducted by Recorded Future revealed that a number of OPM credentials were also found in the clear online.

“Recorded Future analyzed a range of domains associated with the Office of Professional Management. was found paired with multiple clear text or hashed passwords in our open source analysis”

The websites hosting the credentials removed the content once informed, but it is likely that the data are still available on numerous hacking forums.

“While the information may be removed from a paste site, it likely still circulates in private circles and is available to the original attackers,” Recorded Future said. “Due to the lack of context with most publicly announced data exfiltration, it’s unclear when specific attacks occurred or if the original attacker had attempted to leverage any stolen information.”

Let me close with a few simple suggestions provided by the experts at Recorded Future:

  • Enable multi-factor authentication and/or VPNs.
  • Gauge and define use of government email addresses on third-party sites.
  • Maintain awareness of third-party breaches and regularly assess exposure.
  • Ensure Robot Exclusion Standard (robots.txt) is set for government login pages to prevent listing of webmail/Web-services in search engines.
  • Require Government employees to use stronger passwords and change with greater regularity.
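As an added illustration of the "assess exposure" recommendation (this is example code written for this post, not code from the article or from Recorded Future), the following Python script ingests a constructed paste-site dump of the kind the report describes, keeps only entries for a monitored agency domain, classifies each entry as clear-text or hashed, and then checks whether a leaked clear-text password still verifies against the agency's own password directory, which is exactly the reuse scenario the report warns about. The domain `example.gov`, the addresses, the passwords and the PBKDF2-based directory layout are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# Assumption: the domains the agency monitors for leaked credentials.
MONITORED_DOMAINS = {"example.gov"}

# Constructed sample of a paste-site dump (not real data). Entries mix
# clear-text passwords, hex digests, other organisations and noise.
PASTE_DUMP = """\
# dump from a third-party site breach (constructed sample)
alice@example.gov:Summer2014!
bob@example.gov:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
carol@other-site.com:hunter2
Dave@Example.GOV : 5f4dcc3b5aa765d61d8327deb882cf99
malformed line without separator
"""

# MD5 / SHA-1 / SHA-256 sized hex strings are treated as hashed secrets.
HEX_HASH = re.compile(r"(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})")


@dataclass
class Exposure:
    email: str
    secret: str
    kind: str            # "clear" or "hashed"
    reused_at_work: bool = False


def parse_dump(text):
    """Parse 'email:secret' lines, keeping only monitored domains."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, secret = (part.strip() for part in line.split(":", 1))
        email = email.lower()                     # normalise case before matching
        if "@" not in email or email.rsplit("@", 1)[1] not in MONITORED_DOMAINS:
            continue
        kind = "hashed" if HEX_HASH.fullmatch(secret.lower()) else "clear"
        found.append(Exposure(email, secret, kind))
    return found


def make_record(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 record, standing in for the agency directory."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify(password, record):
    """Constant-time check of a candidate password against a stored record."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


# Constructed internal directory: alice reused her third-party password at
# work; bob and dave did not (assumed values).
WORK_STORE = {
    "alice@example.gov": make_record("Summer2014!"),
    "bob@example.gov": make_record("different-at-work"),
    "dave@example.gov": make_record("unrelated-passphrase"),
}


def assess(text, store=WORK_STORE):
    """Flag every monitored account in the dump; mark clear-text reuse at work."""
    exposures = parse_dump(text)
    for exposure in exposures:
        if exposure.kind == "clear" and exposure.email in store:
            exposure.reused_at_work = verify(exposure.secret, store[exposure.email])
    return exposures


def reset_order(exposures):
    """Accounts to force-reset, confirmed work-password reuse first."""
    return [e.email for e in sorted(exposures, key=lambda e: (not e.reused_at_work, e.email))]


if __name__ == "__main__":
    for e in assess(PASTE_DUMP):
        print(f"{e.email:22} {e.kind:7} reused_at_work={e.reused_at_work}")
    print("reset order:", reset_order(assess(PASTE_DUMP)))
```

Every matched account is a candidate for a forced reset regardless of the password format, since a hashed entry only means the attacker has to crack it first; the PBKDF2 check is there to show which accounts are already open to the reuse attack the report describes and therefore come first.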

Enjoy the report!

Pierluigi Paganini

(Security Affairs – OPM hack, Government credentials)
