Friday, February 12, 2016

Keeping the Country Safe

Many federal agencies, including Justice, recently switched on two-factor authentication intended to stop hackers from busting into government databases with merely a password. But that second factor for identification isn’t all that safe, when it only takes a call to the help desk for a second form of authorization, say security experts.

Now, a hacktivist, who wishes to remain nameless, claims that technique is exactly what he used to break into a computer containing contact information on some 9,000 DHS personnel and 20,000 FBI employees.

The hacker already had a password for a Justice employee’s email account, according to Motherboard, which first reported the breach Feb. 7. From the account, he attempted to log into a restricted department website. When he couldn’t enter, he dialed the relevant help desk.

[...]

“So I called up, told them I was new and I didn’t understand how to get past [the portal],” the hacker told Motherboard. “They asked if I had a token code, I said no, they said that’s fine—just use [this] one.”

[...]

“I’m not sure it was in the protocol for the help desk to provide the token for access without significant further authentication,” Leo Taddeo, former FBI special agent in charge of the special operations and cyber division, told Nextgov.

Defense One

One can only hope not.

“The weakest point is the user,” said Taddeo, now chief security officer for cyber firm Cryptzone. “It’s the human being, no matter what we design, no matter how much we emphasize the technological solutions—if we have users and especially help desks and system administrators that circumvent technology controls by just giving away information.”

Surely someone will at least get demoted?

...but hey, do what you want...you will anyway.
