Hackers Leak DHS Staff Directory, Claim FBI Is Next

itwbennett writes: On Sunday, the name, title, email address, and phone number of more than 9,000 DHS employees, with titles ranging from engineers, to security specialists, program analysts, InfoSec and IT, all the way up to director level was posted on Twitter. 'The account went on to claim that an additional data dump focused on 20,000 FBI employees was next,' writes CSO's Steve Ragan. The hacker told Motherboard that the data was obtained by "compromising the email account of a DoJ employee, although he would not elaborate on how that account was accessed in the first place."

Useless without link

[davebarnes]

Where is the link to the list?

Re:Useless without link

https://www.ashleymadison.com/ ;)

Re:Useless without link

https://twitter.com/DotGovs/st...

Re:Useless without link

Myth, nothing there to see, keep moving, keep moving... I d actually like to see if two or three names are not being misrepresented...

Data security

But remember your personal data is safe... (apart from history showing the complete opposite) We didn't just consolidate all the personal data into one easily stealable.. I mean navigable database using lowest bidder software, I am sure no-one could profit from peoples personal information we haven't so no-one else can.

pfft, data security laws and regulations are just so unnecessary and backdoors into encryption and digital security can only be used by the "good guys" never fear! apart from when we want you to!

Re: Data security

"Hacker that wishes to remain anonymous" ... I'm quite sure these government employees wanted to remain anonymous too.

Sad state of affairs

[daq+man]

I don't know which is worse, that outfits like the DHS and FBI have such lousy cyber security that this can happen or that someone thinks that publishing this stuff is helping their cause.

Re:Sad state of affairs

[bws111]

Is this stuff even supposed to be a secret? My company has a link to the employee directory (containing names, titles, email addresses, and phone numbers) right on the home page of their web site.

Re:Sad state of affairs

[U2xhc2hkb3QgU3Vja3M]

I think they're doing this to shame the DHS and FBI and at the same time show the world that this kind of thing is possible even without government-approved backdoors.

Re:Sad state of affairs

[110010001000]

That doesn't seem like a good idea. Spam harvesters, spam phone calls from recruiters/sales/etc.

Re:Sad state of affairs

[Z00L00K]

What if it's a honeytrap?

Re:Sad state of affairs

Is this stuff even supposed to be a secret? My company has a link to the employee directory (containing names, titles, email addresses, and phone numbers) right on the home page of their web site.

You sir, need to find a company in the 21st century then. That kind of thing is fine for the Flintstones, but these days, you are asking for trouble.

Re:Sad state of affairs

[ATMAvatar]

That largely depends on their cause. If the cause is to show how insecure the DHS is or to damage its reputation, then mission accomplished.

Re:Sad state of affairs

[Impy+the+Impiuos+Imp]

A honeypot, like Winnie the Pooh getting his hand stuck in one?

Re:Sad state of affairs

What if it's a honeytrap?

Wait are you saying the hackers are being honeydicked?

Re:Sad state of affairs

Is this stuff even supposed to be a secret? My company has a link to the employee directory (containing names, titles, email addresses, and phone numbers) right on the home page of their web site.

It is pretty annoying to have direct email addresses and phone numbers listed, but email servers already deal with a saturation of spam. Names and titles seem like they should be publicly available information if anyone wants to publish it. Individual salaries should also be available if requested since these are government employees and the public has a duty of oversight.

Re:Sad state of affairs

[PolygamousRanchKid+]

. . . now if they could do this to the NSA . . . that would be like winning the PowerBall.

But alas, the NSA is the difficult one to get in the Beanie Baby set . . .

Re:Sad state of affairs

[edtice1559]

DHS has such a poor reputation, are you really sure it can be damaged further. They probably have a statement on their web site that you are required to go through a metal detector before trying to hack into their personnel records, unless you are over 70 years old. And they thought that would keep the data safe!

Re:Sad state of affairs

[Loconut1389]

Public employees typically have their salaries posted even. If the list doesn't include NoC/UoC or undercover people, this might not be that bad.

Re:Sad state of affairs

[Frosty+Piss]

Indeed official staff names, titles, emails, and phone numbers are ALL things that are available to the public through staff directories or FOIA. Much about nothing, and if the "hackers" actually think they hacked something secret, they are most likely just script kiddies who found a public server of a honey pot.

Re:Sad state of affairs

[WindBourne]

Depends on who the hackers are? If they are from Russia, China, North Korea, then it helps them a great deal. Otherwise, no.

Re:Sad state of affairs

[The-Ixian]

Not to mention fodder for spear phishing attacks.

This already happened to us and we are a small company (around 100 employees). An attacker grabbed information from our web site (company directory of C levels), waited until the xmas holiday to initiate an e-mail harvest attack which netted them valid addresses from auto-replies (complete with authentic sigs).

Then an e-mail was crafted which appeared to be a thread in progress by two of the higher-ups. The thread was all forged, of course, but the signature was spot on and the whole the whole thing looked pretty legit.

It was only because we do regular phishing audits that it failed. The message was submitted to our internal junk check address (which goes to me) for analysis.

The accounting person intimated later that they were about to go through with the money transfer... kinda scary stuff.

Re:Sad state of affairs

[RabidReindeer]

... available if requested since these are government employees and the public has a duty of oversight.

Wrong. This is 21ST Century USA. The public has the right to stay at home and shut up. If they want to travel or assemble, they must do so under careful government oversite. The government can look after itself.

The government is required to know all about the people, but only a Terrorist-loving traitor would want information on the government. That information should be classified, along with bus schedules, weather reports, pictures of government buildings and monuments and other possible sources of information that might usable by the enemy.

Re:Sad state of affairs

[daq+man]

It is a secret where I work and I'm not doing anything as spooky as the FBI or DHS. There are a good many reasons that a company don't want an employee directory publishing:

1) For people with unusual names someone can figure out where you live and target you at home where security is weaker.

2) Phishing using info from the directory to seem legit. "Hi Joe, this is Tom from shipping. Fred from accounting asked me to call you..."

3) Hacking attempts, people's usernames may well be the username part of the email address.

etc..

Re:Sad state of affairs

It helps the cause by showing the DHS and FBI that if they want to take away the privacy of US citizens, that they themselves shall not have any privacy either. It's fair game.

But trust us with the keys to your back doors

[The-Ixian]

We will keep them super ultra extra mega secure... promise.

Re:But trust us with the keys to your back doors

"Wait! Is that an ad for peanuts? Click!" The state of the National Encryption Key Depository? Fully withdrawn.

Re:But trust us with the keys to your back doors

[ZeroWaiteState]

They aren't back doors. They're front doors with super ultra extra mega locks. Double top secret probation.

"if you don't want to be tracked..."

For years since the Snowden disclosures we have repeatedly heard from the government If you don't want to be tracked, turn off your phone".. And you have no expectation of privacy when using tools designed to protect your privacy.

So let's see here. "If you want privacy, don't work for civil-rights violating organizations". "You have no expectation of privacy if you work for the NSA, DHS, or are a congressman/woman who has voted to strip away our civil rights".

I won't shed half a tear if the shoe shifts to the other foot once in a while.

Re:"if you don't want to be tracked..."

[bobbied]

Shesh AC, seriously if you don't want to be tracked, don't carry around a RF transmitter which is turned on in your pocket, don't connect to the internet and don't walk down a public street. Anybody can track you in public if they want.

Re:"if you don't want to be tracked..."

... Anybody can track you in public if they want.

I'm not afraid of anybody tracking me. I'm not afraid of anybody carrying a gun tracking me, although I want to know. I am afraid of everybody with a gun, a badge and a prison tracking me.

Hackers leak DHS directory, claim FBI is next

[U2xhc2hkb3QgU3Vja3M]

Great, I've been waiting forever for Mulder's email address. I want to ask him if he knows where his towel is.

Re:Hackers leak DHS directory, claim FBI is next

I tried to watch the new episodes but the magic, quality dialog/plots, and the life in Mulder and Scully is clearly long gone.

The whole thing needs to be Kevorkian'd.

Re:Hackers leak DHS directory, claim FBI is next

Funny how forum nerds never learn the effects of nostalgia and choose instead to bitch endlessly. Maybe it's just the conservative ones on slashdot.

Re:Hackers leak DHS directory, claim FBI is next

Maybe it's just the conservative ones on slashdot.
I see this all the time here. Take for example MS finally putting in decent TTY support right into the OS and native SSH. The endless bitching about how they are not being innovative. I for one am very glad it is happening. They are finally getting out of the 'not invented here' realm and actually competing with what is out there. MS is at its best when it does so. Over on soylent it can go either way. It really depends on who comments first. It is kinda sad when I have to swing by reddit to get a decent opinion instead of the slagfest that this site is.

I have not seen the new episodes yet. I assume they will be fairly 'hit the marks' x-files. That is what this about nothing more. Just more of the same. Which is a good thing for this sort of show at this point. Like if they were to make more babylon 5. I would not expect much. But would enjoy it.

Re:Hackers leak DHS directory, claim FBI is next

[The-Ixian]

I agree with you about the first 2 episodes, but the 3rd one was brilliant! Loved it! That was a real return to the old days.

Re:Hackers leak DHS directory, claim FBI is next

[Tablizer]

that old lady hag with the long face

It's unfair that people don't seem to mind aging male actors much if they are established. But viewers are brutal to most aging female actors, even well-known ones. Men are simply less judged on appearance. Perhaps it's human nature and we are just hard-wired that way.

Perhaps we shouldn't be so cynical about the seeming non-idealistic sides of biology: we are merely talking animals with just enough extra smarts to trick ourselves into thinking we are not driven by "primitive" urges.

Re:Hackers leak DHS directory, claim FBI is next

He and that old lady hag with the long face are at Fox studio. It's a national disgrace to let such old old persons pretend to be what they used to be last century. A disgrace.

emphasis mine, but seriously, that is your nation. especially sports and hollywood! you espouse a culture of forever young and that you never grow old, and that no one wants to actually progress to a new level of maturity (look at your presidential candidates) in fact the rest of the world sees this every day as all of us import your media.

you seem to think that its only one show but you refuse to open your eyes as your politicians rehash the exact same ideas to you with new flashy names and everyone seems to think your government is making progress (when at best your stagnant, quite possibly regressing... especially if for some reason trump makes it to office.)

Re:Hackers leak DHS directory, claim FBI is next

[losfromla]

So, it's not unfair after all?

Re:Hackers leak DHS directory, claim FBI is next

[cyberchondriac]

I think it's been rather disappointing and a bit dull, but it has been many years since I've watched it. I can't believe after all they've been through and seen, suddenly Muldar is so quick to just discount everything now (except Roswell). And that last episode was just weird. I would've thought that with only 6 episodes to air, they'd stick to the primary story arch.
OTOH, it beats the snot out of watching American Idol.

Re:Hackers leak DHS directory, claim FBI is next

... that last episode was just weird ...

For me, the last episode was the humanoid lizard were-human: If you're referring to it, you missed the examination of the human condition via comedic relief. Given the original story, where so many monsters were real, the new-found enthusiasm for "monsters aren't real" is against the theme of the show, I'll grant you. Mulder tends to chase monsters that cause death and destruction, it's certainly what started him chasing this monster. But this 'monster' is actually the victim of a human monster (a serial killer) and is forced to deal with the dangers unique to humans (unemployment, homelessness, retirement, false personas, imminent mortality, revenge, rat-race lifestyle, existential angst). It is a comment on the fake monsters and scientific inadequacy that interrupt Mulder's "want to believe". I think Mulder learns that monsters do exist, but they're not what he spent his life searching for.

... they'd stick to the primary story arch.

Most shows have 'filler' episodes that maybe provide character definition but nothing else.. I think in a visual medium, there's a limit to story complexity, so it's necessary to provide episodes that keep the actors busy and provide relief from the complexity.

Re:Hackers leak DHS directory, claim FBI is next

[antdude]

I prefer Scully's. ;)

Re:Muslim hackers or just thoughtless idiots

[MitchDev]

If American citizens can;t have privacy, then neither can the government.

I doubt the FBI would care...

...they're too busy running child pornography websites.

This is so sad

[ITRambo]

Homeland Security seems to be anything but secure itself. Don't they have a huge budget for things like...security?

Re:This is so sad

I work for ICE, an agency under DHS. All I can say to both when it comes to their security is "you can't fix stupid." It doesn't matter how much money you throw at a problem, if you don't have anyone qualified to do something about it.

The only reason they don't get hacked, is likely the fact that the network is such a mess you can't navigate your way through it to find anything useful. An employee directory is nothing. That's available in Outlook's GAL.

From the article, is sounds like nothing special... some idiot's account was probably exempted from smartcard authentication and his password was compromised. Then they used DHS's "Workplace as a Service" to open a VM workstation and download the GAL.

Yes, it's that easy: https://workplace.dhs.gov

Re:This is so sad

You criticize your own organization because, "[they] don't have anyone qualified to do something about it"; a bold stance on your own competency. Then move on to talk about how uninteresting this data leak is, thus proving that even when someone does spearfish privileged access, they didn't get anywhere.

So which is it? Did this hacker get nowhere or are you incompetent? Not to say they are mutually exclusive.

Re:This is so sad

[edtice1559]

What he probably means by nobody competent is that nobody who has that role is competent. Somebody who has a marketing degree who works in accounting might complain about the marketing spend saying "we have nobody competent." Of course this person may or may not be competent to do marketing, but they work in accounting. I think you are being a language lawyer.

Re:This is so sad

[Tablizer]

The author didn't claim that was their area of work. I know enough about "adjacent" IT groups in my work-place to often determine who's slacking or unskilled. But, that doesn't mean I'm in a position to do anything concrete about it. Merit is only part of the "office game". Office life is Dilbert.

Re:This is so sad

[AHuxley]

This shows a lack of encryption. Expect the same for backdoors, trapdoors mil grade support hardware used in a domestic setting.
Every team is been watched and tested.
Why would any gov just allow sensitive files to be created, exist in plain text and be left just facing the open internet?
Every level of the US gov seems to have upgraded to computers at some time. Not much thought went into just connecting the same very secure, isolated systems to the internet and then getting a no bid cloud upgrade.

The same contractors will now offer to clean up, rent security systems back over the same networks they had to look after.

Long term expect a lot of gov staff to get a gov chat down by undercover random foreigners with heavy accents, diplomats, press with "questions", new friends making an offer.
It will all be a gov trap with offers of cash, holidays, tools and methods.
All gov workers will have to report such contact in detail and as quickly as possible.
Any material been lost and talked about in the press can be used as a cover for a huge loyalty test. The attempt to turn its own workers first and often.
For that the theatrics of how a hidden gov worker was found has to be made public. Then the honey traps, new friends, chat downs can start at every city, state and federal level.
Who will respond and who will report what and how quickly.

Re:This is so sad

I posted as the AC above. My apology for not being clear. By "They" I meant the staff that works in the NOC, SOC, and other enterprise service groups. I work in field support. I'm the one that cleans up their constant messes.

But then why aren't I the guy in charge? Because those positions are geographically located other places in the country, and I have no intention of moving. Especially since I'm overpaid and underutilized. Giving me plenty of time to read on Slashdot and about my various hobbies. :) Federal work does have it's perks.

The data was uninteresting, and my point was that they should have been able to get much more interesting data. Most users in law enforcement have access to a lot of SPII from various "For Official Use: Law Enforcement Sensitive" databases. It's not technically classified, so it's all on the unclass network. The problem is that it's so disorganized, most users have problems trying to find what they're looking for, and they work here.

Basically, the government has security through obscurity more than any technical solutions.

Surprise Surprise

[OverlordQ]

Anti-Israel hackers.

Re:Surprise Surprise

Sounds good, wher do I sign up, someone's gotta fight the Hasbara lies of the Isreali shills.

Easy Hack

[byteherder]

It is not like these lists are ultra top secret. When I worked for a government agency that shall remain nameless, I had access to everyone's email address, name, phone number and work location address. We treated that information with respect for privacy just as we did more sensitive information like SS #, home address, date of birth. Email addresses certainly was not top secret.

Re:Easy Hack

[TubeSteak]

If you gather together enough unclassified information, you can frequently distill from it facts that are considered classified.

Like tracking the tail numbers of international flights to uncover the CIA's rendition program.

Not to mention that a staff directory is exactly what you want for spearfishing campaigns.

Re:Easy Hack

Public employees and the work of the public paid for by the people is public information.
And if I want to call up my public slave and ask them what they're working on today, how their day's going, what project their hacking on, etc....
That's the right of the people to do. Anytime, for anyone.
Oh wait, the USA govt has become self aware and is only out for itself now and at your expense.
Looks like you're the slaves now.
Sucks to be you.
You better revolt.
Because they're clearly no longer listening at the ballotbox or soapbox.

Re:Easy Hack

[Tablizer]

Public employees and the work of the public paid for by the people is public information.
And if I want to call up my public slave and ask them what they're working on today, how their day's going, what project their hacking on, etc....
That's the right of the people to do. Anytime, for anyone...

It seems you are a staunch conservative or libertarian. You may not like the government (and perhaps civilization in general), but gov't employees are human beings and citizens, and thus deserve a degree of dignity and respect.

Further, if they are treated with disrespect, then it will cost more to hire decent talent to compensate for an unpleasant working environment, and thus increase the burden on tax payers. Surely that should concern you anti-government and anti-tax types in a practical sense.

And they'd end up spending most their day explaining specific work decisions to clueless people in the general public who don't have enough knowledge of the work processes and subject matter, and thus will second-guess all day based on superficial issues.

I suggest you think through the fuller aspects your demands.

Re:Easy Hack

[byteherder]

I totally agree with you. The agencies of the government need to be transparent but the day to day working of each individual government employee does not need to be public. If you work in Dept of Homeland Security, I want you protecting the homeland. If you work in the FBI, I want you arresting criminals. I don't need to know the details if you were on a stake out last night or investigating leads or testifying in court, those are details your supervisor needs to know. I need to know that you are doing your job and that the department is transparent in its function and mission. That's all.

Re:Easy Hack

[sabbede]

Running exchange and looking at the address book, right?

Re:Muslim hackers or just thoughtless idiots

Good point! Also probably some Buddhists and Christians. This is bad news.

yawn

Sounds like someone just took a look at the outlook address book.

Re:Hillary's server?

[NotQuiteReal]

Heh, maybe Hillary will point out that HER server wasn't breached, but other government servers have been.

Lulz

Nothing to hide, nothing to fear, amirite?

Re:Hillary's server?

As far as she knows.... it wasn't breached.

Re:Hillary's server?

[edtice1559]

She paid a private organization to secure her server. And everybody knows that private industry is better at everything than government. I think this just goes to show that the government should privatize email! Why are they criticizing Hillary for adopting one of their sacred policies?

Exchange?

[McGruber]

name, title, email address, and phone number of more than 9,000 DHS employees,

All of which are available to any DHS employee with email access, since that data is in the Outlook directory.

Re: Exchange?

Are you saying an employee leaked this information then? Please speak up.

Re:Exchange?

[ZeroWaiteState]

If you think about, it's all metadata really. No actual communications were stolen.

Re:Exchange?

name, title, email address, and phone number of more than 9,000 DHS employees,

All of which are available to any DHS employee with email access, since that data is in the Outlook directory.

I think the better question is why they all share a single name, title, email address, and phone number.

Re:Hillary's server?

From what I've seen of these sorts of things, Hillary's private server was indeed probably more (or rather, less horribly in-) secure. And of course the problems with SMTP email go way beyond who's server you're using.

Re:Muslim hackers or just thoughtless idiots

This!

Organizations

It's good that they're starting by exposing terrorist organizations and whatnot, but what happens when they decide to start attacking innocents?

Re:Hillary's server?

[ZeroWaiteState]

Its only real function was to be secure from third-party subpoenas. Hillary wasn't afraid of Russians getting her emails; it is well known that Russians were all over the state.gov unclassified email system. Russians generally know how to keep stuff secret, and they have so many ways of spying on people that securing your email probably isn't sufficient to keep them out anyway. As for the classified system, well, who knows. When you look at some of the people she got this data from, you wonder whether anyone at all is using the classified system. She was worried primarily about Republicans getting access to the emails, not Russians. The server was wiped prior to being given to the FBI, and Clinton was able to independently select which emails to turn over to investigators. So, taking into account her threat model, the private server was a success.

"How it was accessed" ? LOL

Obviously they beat someone and tortured them for an email account password..... /I am sure the victim has 30 hostile witnesses that it never happened, who were in on it.

cat's need taurine

[haedus]

Probably just a political maneuvering power grab by some other organization inside the US with no particular national loyalty... that's my 'speculation' it's stuff like this that makes people afraid... and fear can lead to foolish actions... *shrug*

Not posted on Twitter

[thisisauniqueid]

Somehow I don't think that Twitter has raised their character limit that high yet.

What, they got a hold of the GAL?

[sabbede]

I hope the FBI is hiding the entries for undercover agents.

angus says

that old lady hag with the long face

droopy, aye. her nasty teats hurt mine eyes!

despair.