This is a really important story. I think about all the requests government agencies make for backdoors to things ... then I read something like this ... Ick.
One would think that groups like cartels already have access to this system, since access seems to be available to quite literally millions of law enforcement employees nationwide.
I think Krebs misses the point a little with the discussion of MFA and PIV cards - sure, this system should absolutely have MFA, but what it really should do is not exist in the first place, and barring that, at least have scoped access control.
The US Government pushes MFA hard. If you work in the DoD supply chain you must have MFA. I find it hypocritical that sensitive government data like this is not protected in the way the government prescribes for contractors. This is a 'what is good for the gander is good for the goose' (yes that is backward from typical) situation. Why not make use of ample resources from CISA?
Sure, lets trust an agency with a history of abuse. Lets believe that politicians like Rudy Giuliani and George Bush had no foreknowledge of 9/11 in order to have Americans gladly give away their freedoms and go to war over false reports.
That reporting also showed how the core members of LAPSUS$ were involved in selling a service offering fraudulent Emergency Data Requests (EDRs), wherein the hackers use compromised police and government email accounts to file warrantless data requests with social media firms, mobile telephony providers and other technology firms, attesting that the information being requested can’t wait for a warrant because it relates to an urgent matter of life and death.
If we assume for the moment that state-sponsored foreign hacking groups can gain access to sensitive government intelligence in the same way as teenage hacker groups like LAPSUS$, then it is long past time for the U.S. federal government to perform a top-to-bottom review of authentication requirements tied to any government portals that traffic in sensitive or privileged information.
Perhaps the ultimate LE portals to breach are the ones used for deconflicting active investigations / operations / targets / etc. across multiple departments / agencies. If someone got into one of those they could create safe zones where their activities are nearly guaranteed not to be interrupted by a random cop on patrol.
10 comments
[ 3.9 ms ] story [ 33.1 ms ] threadI think Krebs misses the point a little with the discussion of MFA and PIV cards - sure, this system should absolutely have MFA, but what it really should do is not exist in the first place, and barring that, at least have scoped access control.
https://www.cisa.gov/mfa
https://www.beyondidentity.com/blog/us-government-now-requir...
That reporting also showed how the core members of LAPSUS$ were involved in selling a service offering fraudulent Emergency Data Requests (EDRs), wherein the hackers use compromised police and government email accounts to file warrantless data requests with social media firms, mobile telephony providers and other technology firms, attesting that the information being requested can’t wait for a warrant because it relates to an urgent matter of life and death.
If we assume for the moment that state-sponsored foreign hacking groups can gain access to sensitive government intelligence in the same way as teenage hacker groups like LAPSUS$, then it is long past time for the U.S. federal government to perform a top-to-bottom review of authentication requirements tied to any government portals that traffic in sensitive or privileged information.