10 comments

[ 3.9 ms ] story [ 33.1 ms ] thread
This is a really important story. I think about all the requests government agencies make for backdoors to things ... then I read something like this ... Ick.
One would think that groups like cartels already have access to this system, since access seems to be available to quite literally millions of law enforcement employees nationwide.

I think Krebs misses the point a little with the discussion of MFA and PIV cards - sure, this system should absolutely have MFA, but what it really should do is not exist in the first place, and barring that, at least have scoped access control.

This is why law enforcement can't be trusted with arbitrary search (sorry, "scan" [eyeroll emoji]) powers
Sure, lets trust an agency with a history of abuse. Lets believe that politicians like Rudy Giuliani and George Bush had no foreknowledge of 9/11 in order to have Americans gladly give away their freedoms and go to war over false reports.
Fortunately the Good Guys are in charge now and we don't do that sort of thing anymore.
I wish there were “Good Guys” in government/politics/power/business. Unfortunately, if you find one, I can point out 10,000 that are not.
It's backdoors all the way down.

That reporting also showed how the core members of LAPSUS$ were involved in selling a service offering fraudulent Emergency Data Requests (EDRs), wherein the hackers use compromised police and government email accounts to file warrantless data requests with social media firms, mobile telephony providers and other technology firms, attesting that the information being requested can’t wait for a warrant because it relates to an urgent matter of life and death.

Krebs is funny, writing as if this is something new calling for review. https://en.wikipedia.org/wiki/Office_of_Personnel_Management...

If we assume for the moment that state-sponsored foreign hacking groups can gain access to sensitive government intelligence in the same way as teenage hacker groups like LAPSUS$, then it is long past time for the U.S. federal government to perform a top-to-bottom review of authentication requirements tied to any government portals that traffic in sensitive or privileged information.

Perhaps the ultimate LE portals to breach are the ones used for deconflicting active investigations / operations / targets / etc. across multiple departments / agencies. If someone got into one of those they could create safe zones where their activities are nearly guaranteed not to be interrupted by a random cop on patrol.