Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Leak DHS Staff Directory, Claim FBI Is Next (csoonline.com)

Posted by timothy on from the soon-we'll-leak-your-mailing-address dept.

itwbennett writes: On Sunday, the name, title, email address, and phone number of more than 9,000 DHS employees, with titles ranging from engineers, to security specialists, program analysts, InfoSec and IT, all the way up to director level was posted on Twitter. 'The account went on to claim that an additional data dump focused on 20,000 FBI employees was next,' writes CSO's Steve Ragan. The hacker told Motherboard that the data was obtained by "compromising the email account of a DoJ employee, although he would not elaborate on how that account was accessed in the first place."

50 of 81 comments (clear)

  1. Useless without link by davebarnes · · Score: 1

    Where is the link to the list?

    --
    Dave Barnes 9 breweries within walking distance of my house
    1. Re:Useless without link by Anonymous Coward · · Score: 2, Funny

      https://www.ashleymadison.com/ ;)

  2. Data security by Anonymous Coward · · Score: 1

    But remember your personal data is safe... (apart from history showing the complete opposite) We didn't just consolidate all the personal data into one easily stealable.. I mean navigable database using lowest bidder software, I am sure no-one could profit from peoples personal information we haven't so no-one else can.

    pfft, data security laws and regulations are just so unnecessary and backdoors into encryption and digital security can only be used by the "good guys" never fear! apart from when we want you to!

  3. Sad state of affairs by daq+man · · Score: 3, Insightful

    I don't know which is worse, that outfits like the DHS and FBI have such lousy cyber security that this can happen or that someone thinks that publishing this stuff is helping their cause.

    1. Re:Sad state of affairs by bws111 · · Score: 2

      Is this stuff even supposed to be a secret? My company has a link to the employee directory (containing names, titles, email addresses, and phone numbers) right on the home page of their web site.

    2. Re:Sad state of affairs by U2xhc2hkb3QgU3Vja3M · · Score: 3, Insightful

      I think they're doing this to shame the DHS and FBI and at the same time show the world that this kind of thing is possible even without government-approved backdoors.

    3. Re:Sad state of affairs by 110010001000 · · Score: 2

      That doesn't seem like a good idea. Spam harvesters, spam phone calls from recruiters/sales/etc.

    4. Re:Sad state of affairs by Z00L00K · · Score: 1

      What if it's a honeytrap?

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    5. Re:Sad state of affairs by ATMAvatar · · Score: 3, Interesting

      That largely depends on their cause. If the cause is to show how insecure the DHS is or to damage its reputation, then mission accomplished.

      --
      "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
    6. Re:Sad state of affairs by Impy+the+Impiuos+Imp · · Score: 2

      A honeypot, like Winnie the Pooh getting his hand stuck in one?

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    7. Re:Sad state of affairs by PolygamousRanchKid+ · · Score: 1

      . . . now if they could do this to the NSA . . . that would be like winning the PowerBall.

      But alas, the NSA is the difficult one to get in the Beanie Baby set . . .

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    8. Re:Sad state of affairs by edtice1559 · · Score: 1

      DHS has such a poor reputation, are you really sure it can be damaged further. They probably have a statement on their web site that you are required to go through a metal detector before trying to hack into their personnel records, unless you are over 70 years old. And they thought that would keep the data safe!

    9. Re:Sad state of affairs by Loconut1389 · · Score: 1

      Public employees typically have their salaries posted even. If the list doesn't include NoC/UoC or undercover people, this might not be that bad.

    10. Re:Sad state of affairs by Frosty+Piss · · Score: 1

      Indeed official staff names, titles, emails, and phone numbers are ALL things that are available to the public through staff directories or FOIA. Much about nothing, and if the "hackers" actually think they hacked something secret, they are most likely just script kiddies who found a public server of a honey pot.

      --
      If you want news from today, you have to come back tomorrow.
    11. Re:Sad state of affairs by WindBourne · · Score: 1

      Depends on who the hackers are? If they are from Russia, China, North Korea, then it helps them a great deal. Otherwise, no.

      --
      I prefer the "u" in honour as it seems to be missing these days.
    12. Re:Sad state of affairs by The-Ixian · · Score: 2

      Not to mention fodder for spear phishing attacks.

      This already happened to us and we are a small company (around 100 employees). An attacker grabbed information from our web site (company directory of C levels), waited until the xmas holiday to initiate an e-mail harvest attack which netted them valid addresses from auto-replies (complete with authentic sigs).

      Then an e-mail was crafted which appeared to be a thread in progress by two of the higher-ups. The thread was all forged, of course, but the signature was spot on and the whole the whole thing looked pretty legit.

      It was only because we do regular phishing audits that it failed. The message was submitted to our internal junk check address (which goes to me) for analysis.

      The accounting person intimated later that they were about to go through with the money transfer... kinda scary stuff.

      --
      My eyes reflect the stars and a smile lights up my face.
    13. Re:Sad state of affairs by RabidReindeer · · Score: 1

      ... available if requested since these are government employees and the public has a duty of oversight.

      Wrong. This is 21ST Century USA. The public has the right to stay at home and shut up. If they want to travel or assemble, they must do so under careful government oversite. The government can look after itself.

      The government is required to know all about the people, but only a Terrorist-loving traitor would want information on the government. That information should be classified, along with bus schedules, weather reports, pictures of government buildings and monuments and other possible sources of information that might usable by the enemy.

    14. Re:Sad state of affairs by daq+man · · Score: 1

      It is a secret where I work and I'm not doing anything as spooky as the FBI or DHS. There are a good many reasons that a company don't want an employee directory publishing:

      1) For people with unusual names someone can figure out where you live and target you at home where security is weaker.

      2) Phishing using info from the directory to seem legit. "Hi Joe, this is Tom from shipping. Fred from accounting asked me to call you..."

      3) Hacking attempts, people's usernames may well be the username part of the email address.

      etc..

  4. But trust us with the keys to your back doors by The-Ixian · · Score: 4, Funny

    We will keep them super ultra extra mega secure... promise.

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re:But trust us with the keys to your back doors by ZeroWaiteState · · Score: 1

      They aren't back doors. They're front doors with super ultra extra mega locks. Double top secret probation.

  5. "if you don't want to be tracked..." by Anonymous Coward · · Score: 4, Interesting

    For years since the Snowden disclosures we have repeatedly heard from the government If you don't want to be tracked, turn off your phone".. And you have no expectation of privacy when using tools designed to protect your privacy.

    So let's see here. "If you want privacy, don't work for civil-rights violating organizations". "You have no expectation of privacy if you work for the NSA, DHS, or are a congressman/woman who has voted to strip away our civil rights".

    I won't shed half a tear if the shoe shifts to the other foot once in a while.

    1. Re:"if you don't want to be tracked..." by bobbied · · Score: 2

      Shesh AC, seriously if you don't want to be tracked, don't carry around a RF transmitter which is turned on in your pocket, don't connect to the internet and don't walk down a public street. Anybody can track you in public if they want.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  6. Hackers leak DHS directory, claim FBI is next by U2xhc2hkb3QgU3Vja3M · · Score: 4, Funny

    Great, I've been waiting forever for Mulder's email address. I want to ask him if he knows where his towel is.

    1. Re:Hackers leak DHS directory, claim FBI is next by Anonymous Coward · · Score: 1

      Funny how forum nerds never learn the effects of nostalgia and choose instead to bitch endlessly. Maybe it's just the conservative ones on slashdot.

    2. Re:Hackers leak DHS directory, claim FBI is next by The-Ixian · · Score: 1

      I agree with you about the first 2 episodes, but the 3rd one was brilliant! Loved it! That was a real return to the old days.

      --
      My eyes reflect the stars and a smile lights up my face.
    3. Re:Hackers leak DHS directory, claim FBI is next by Tablizer · · Score: 1

      that old lady hag with the long face

      It's unfair that people don't seem to mind aging male actors much if they are established. But viewers are brutal to most aging female actors, even well-known ones. Men are simply less judged on appearance. Perhaps it's human nature and we are just hard-wired that way.

      Perhaps we shouldn't be so cynical about the seeming non-idealistic sides of biology: we are merely talking animals with just enough extra smarts to trick ourselves into thinking we are not driven by "primitive" urges.

      --
      Table-ized A.I.
    4. Re:Hackers leak DHS directory, claim FBI is next by losfromla · · Score: 1

      So, it's not unfair after all?

      --
      Only I can judge you.
    5. Re:Hackers leak DHS directory, claim FBI is next by cyberchondriac · · Score: 1

      I think it's been rather disappointing and a bit dull, but it has been many years since I've watched it. I can't believe after all they've been through and seen, suddenly Muldar is so quick to just discount everything now (except Roswell). And that last episode was just weird. I would've thought that with only 6 episodes to air, they'd stick to the primary story arch.
      OTOH, it beats the snot out of watching American Idol.

      --

      Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
    6. Re:Hackers leak DHS directory, claim FBI is next by antdude · · Score: 1

      I prefer Scully's. ;)

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  7. Re:Muslim hackers or just thoughtless idiots by MitchDev · · Score: 4, Insightful

    If American citizens can;t have privacy, then neither can the government.

  8. This is so sad by ITRambo · · Score: 3, Insightful

    Homeland Security seems to be anything but secure itself. Don't they have a huge budget for things like...security?

    1. Re:This is so sad by Anonymous Coward · · Score: 1

      I work for ICE, an agency under DHS. All I can say to both when it comes to their security is "you can't fix stupid." It doesn't matter how much money you throw at a problem, if you don't have anyone qualified to do something about it.

      The only reason they don't get hacked, is likely the fact that the network is such a mess you can't navigate your way through it to find anything useful. An employee directory is nothing. That's available in Outlook's GAL.

      From the article, is sounds like nothing special... some idiot's account was probably exempted from smartcard authentication and his password was compromised. Then they used DHS's "Workplace as a Service" to open a VM workstation and download the GAL.

      Yes, it's that easy: https://workplace.dhs.gov

    2. Re:This is so sad by edtice1559 · · Score: 1

      What he probably means by nobody competent is that nobody who has that role is competent. Somebody who has a marketing degree who works in accounting might complain about the marketing spend saying "we have nobody competent." Of course this person may or may not be competent to do marketing, but they work in accounting. I think you are being a language lawyer.

    3. Re:This is so sad by Tablizer · · Score: 2

      The author didn't claim that was their area of work. I know enough about "adjacent" IT groups in my work-place to often determine who's slacking or unskilled. But, that doesn't mean I'm in a position to do anything concrete about it. Merit is only part of the "office game". Office life is Dilbert.

      --
      Table-ized A.I.
    4. Re:This is so sad by AHuxley · · Score: 1

      This shows a lack of encryption. Expect the same for backdoors, trapdoors mil grade support hardware used in a domestic setting.
      Every team is been watched and tested.
      Why would any gov just allow sensitive files to be created, exist in plain text and be left just facing the open internet?
      Every level of the US gov seems to have upgraded to computers at some time. Not much thought went into just connecting the same very secure, isolated systems to the internet and then getting a no bid cloud upgrade.

      The same contractors will now offer to clean up, rent security systems back over the same networks they had to look after.

      Long term expect a lot of gov staff to get a gov chat down by undercover random foreigners with heavy accents, diplomats, press with "questions", new friends making an offer.
      It will all be a gov trap with offers of cash, holidays, tools and methods.
      All gov workers will have to report such contact in detail and as quickly as possible.
      Any material been lost and talked about in the press can be used as a cover for a huge loyalty test. The attempt to turn its own workers first and often.
      For that the theatrics of how a hidden gov worker was found has to be made public. Then the honey traps, new friends, chat downs can start at every city, state and federal level.
      Who will respond and who will report what and how quickly.

      --
      Domestic spying is now "Benign Information Gathering"
  9. Surprise Surprise by OverlordQ · · Score: 1

    Anti-Israel hackers.

    --
    Your hair look like poop, Bob! - Wanker.
  10. Easy Hack by byteherder · · Score: 4, Interesting

    It is not like these lists are ultra top secret. When I worked for a government agency that shall remain nameless, I had access to everyone's email address, name, phone number and work location address. We treated that information with respect for privacy just as we did more sensitive information like SS #, home address, date of birth. Email addresses certainly was not top secret.

    1. Re:Easy Hack by TubeSteak · · Score: 3, Interesting

      If you gather together enough unclassified information, you can frequently distill from it facts that are considered classified.

      Like tracking the tail numbers of international flights to uncover the CIA's rendition program.

      Not to mention that a staff directory is exactly what you want for spearfishing campaigns.

      --
      [Fuck Beta]
      o0t!
    2. Re:Easy Hack by Tablizer · · Score: 2

      Public employees and the work of the public paid for by the people is public information.
      And if I want to call up my public slave and ask them what they're working on today, how their day's going, what project their hacking on, etc....
      That's the right of the people to do. Anytime, for anyone...

      It seems you are a staunch conservative or libertarian. You may not like the government (and perhaps civilization in general), but gov't employees are human beings and citizens, and thus deserve a degree of dignity and respect.

      Further, if they are treated with disrespect, then it will cost more to hire decent talent to compensate for an unpleasant working environment, and thus increase the burden on tax payers. Surely that should concern you anti-government and anti-tax types in a practical sense.

      And they'd end up spending most their day explaining specific work decisions to clueless people in the general public who don't have enough knowledge of the work processes and subject matter, and thus will second-guess all day based on superficial issues.

      I suggest you think through the fuller aspects your demands.

      --
      Table-ized A.I.
    3. Re:Easy Hack by byteherder · · Score: 1

      I totally agree with you. The agencies of the government need to be transparent but the day to day working of each individual government employee does not need to be public. If you work in Dept of Homeland Security, I want you protecting the homeland. If you work in the FBI, I want you arresting criminals. I don't need to know the details if you were on a stake out last night or investigating leads or testifying in court, those are details your supervisor needs to know. I need to know that you are doing your job and that the department is transparent in its function and mission. That's all.

    4. Re:Easy Hack by sabbede · · Score: 1

      Running exchange and looking at the address book, right?

  11. Re:Muslim hackers or just thoughtless idiots by Anonymous Coward · · Score: 1

    Good point! Also probably some Buddhists and Christians. This is bad news.

  12. Re:Hillary's server? by NotQuiteReal · · Score: 4, Funny

    Heh, maybe Hillary will point out that HER server wasn't breached, but other government servers have been.

    --
    This issue is a bit more complicated than you think.
  13. Lulz by Anonymous Coward · · Score: 1

    Nothing to hide, nothing to fear, amirite?

  14. Re:Hillary's server? by edtice1559 · · Score: 3, Insightful

    She paid a private organization to secure her server. And everybody knows that private industry is better at everything than government. I think this just goes to show that the government should privatize email! Why are they criticizing Hillary for adopting one of their sacred policies?

  15. Exchange? by McGruber · · Score: 4, Informative

    name, title, email address, and phone number of more than 9,000 DHS employees,

    All of which are available to any DHS employee with email access, since that data is in the Outlook directory.

    1. Re:Exchange? by ZeroWaiteState · · Score: 1

      If you think about, it's all metadata really. No actual communications were stolen.

  16. Re:Hillary's server? by ZeroWaiteState · · Score: 1

    Its only real function was to be secure from third-party subpoenas. Hillary wasn't afraid of Russians getting her emails; it is well known that Russians were all over the state.gov unclassified email system. Russians generally know how to keep stuff secret, and they have so many ways of spying on people that securing your email probably isn't sufficient to keep them out anyway. As for the classified system, well, who knows. When you look at some of the people she got this data from, you wonder whether anyone at all is using the classified system. She was worried primarily about Republicans getting access to the emails, not Russians. The server was wiped prior to being given to the FBI, and Clinton was able to independently select which emails to turn over to investigators. So, taking into account her threat model, the private server was a success.

  17. Not posted on Twitter by thisisauniqueid · · Score: 1

    Somehow I don't think that Twitter has raised their character limit that high yet.

  18. What, they got a hold of the GAL? by sabbede · · Score: 1

    I hope the FBI is hiding the entries for undercover agents.