Public Sector Not Up to Modern Challenges

The head of IT responsible for the OPM hack was quoted "nobody told us to" when asked why security was not tightened. Homeland said they were debating the use of social media for vetting immigrants when asked why the San Bernardino murderers were allowed in the country. More recently Homeland got hacked... if one has the info on people one can get the dirt on them and then that person would own a piece of the tribal leadership. I'm sure our public sector employees are so comprimised that they could be asked to do anything and would have to comply. How many of them could actually WORK if they lost their jobs? How many of them would get full benefits and retirement if found out and fired?


======================================================

9000+ Department of Homeland Security staff have their details leaked by hacker
By: Graham Cluley | comment : 1 | February 08, 2016 | Posted in: Alerts
homeland-security.jpeg


Any time you interact with an organisation that has “security” in their name, it’s understandable that you would expect them to be good at security. Right?

You would hope them to be shining examples for everyone else about how to do things right, how to batten down the hatches and protect sensitive information from falling into the hands of the bad guys.

But, as the US Department of Homeland Security (DHS) has just found out – things aren’t always that simple.

As CSO Online reports, this weekend a hacker dumped a staff directory including the names, job titles, email addresses and phone numbers of over 9,000 DHS workers on the net.

And then, to make sure that everyone knew about it, the hacker tweeted a link to the information along with the encryption password (perhaps unsuprisingly the password chosen by the hacker was “lol”).

dhs-contact-details.jpeg


As Motherboard explains the anonymous hacker claims to have downloaded hundreds of gigabytes of data from Department of Justice servers, and is threatening to release the contact details of a further 20,000+ FBI employees.

According to that media report, the hacker first compromised the email account of a Department of Justice employee, but was unable to access an online portal without an access token.

A simple social engineering trick came to the hacker’s rescue:

“So I called up, told them I was new and I didn’t understand how to get past [the portal],” the hacker told Motherboard. “They asked if I had a token code, I said no, they said that’s fine—just use our one.”

It makes you want to weep, doesn’t it? What is the purpose of providing your staff with authentication tokens if they see no problem in sharing token codes with each other?

According to the hacker, he was then able to login and using the credentials from the already compromised email account, access other computers including his victim’s work machine.

“I clicked on it and I had full access to the computer,” the hacker said. Here the hacker could access the user’s documents, as well as other documents on the local network.

The databases of supposed government workers were on a DoJ intranet, the hacker claimed.

Journalist Joseph Cox at Motherboard verified that the leaked data appeared to be legitimate by ringing a number of the staff listed in the dumped staff directory.

Clearly it shouldn’t have been as easy as it appears to have been to access the Department of Justice’s computer systems and retrieve the contact details of thousands of DHS workers.

It’s easy to imagine how armed with the email addresses, job titles and phone numbers of DHS staff that malicious cybercriminals and state-sponsored hackers could launch attacks targeting workers.

Much more needs to be done to instill proper security practices and prevent such incidents from occurring again.

Of course, we shouldn’t also forget that there is more than one way to skin a rabbit. In this instance, hackers showed just how easy it was to scoop up the names, job titles and contact details of DHS workers by hacking into government systems.

But it’s also the case that government staff might be putting themselves at further risk through the information they willingly share online.

For instance, just take a look at LinkedIn – where many business people are happy to share details of their job roles and how they can be contacted.

When I looked up “Department of Homeland Security” on LinkedIn, I received more than 21,000 results.

linkedin-dhs.jpeg


Even if a hacker can’t access your staff directory by breaking into your organisation’s network, never forget that they might be able to find out your employee’s information via other routes.

From:
http://www.hotforsecurity.com/blog/...ail&utm_term=0_8106850f4a-02432ae277-62402897
 
U.S. Blows $5.7 Bil on Cyber
Defense System That Doesn’t Work

Judicial Watch, by Staff
Original Article
Posted By: KarenJ1- 2/9/2016 5:43:32 PM Post Reply
Reckless government spending is at full throttle with the example du jour a $5.7 billion cyber defense system created to protect computers at federal agencies against hackers. Despite its mind-boggling price tag the system is seriously flawed and uses features already available in much cheaper commercial-grade products, according to a federal probe made public recently. The problem, besides sticking it to taxpayers for the exorbitant cost, is that the multibillion-dollar system simply doesn’t work. Nevertheless, the bloated agency handling this particular boondoggle, the Department of Homeland Security (DHS), insists the program, National Cybersecurity Protection System (NCPS), is effective despite its...
 
There is little downside for failure in government employment. As long as you avoid any PC violations, you cannot be fired, even for serious breaches. How many VA employees were fired? I believe three. IRS? None that I am aware of.

In the private sector, fear of getting fired, the company going broke, etc are powerful motivators. In government, you can spend billions on an obamacare website that doesn't work and you just demand more money. Or blow a critical web security project. Oh well, go surf some porn and count how many days until your pension starts.
 
I doubt any private sector has what it takes to build a big new nuclear power plant if that's what we need.

You do realize that all the nuclear power plants built for utilities in the United States have been built by the private sector. They are also operated by the private sector.

All the proposed nuclear power plants in the U.S. for utilities (most are on hold) such as the ones being forward from Duke Power will be built by the private sector.
 
Back
Top