Leaked Government Credentials Abundant on Public Web

Government Logins Found on Public Web

Login credentials belonging to 47 United States government agencies have been discovered on the public Web, intelligence firm Recorded Future said Wednesday.

In an analysis of 660,000 pieces of information collected from 17 different paste sites, including the popular Pastebin site, Recorded Future found login credentials for 89 unique domains possibly belonging to government agencies that had been posted over a one-year period ending Nov. 3, 2014.

The Department of Energy appears to be the most affected, with email and password combinations of nine different domains exposed on these sites, followed by the Department of Commerce, with seven domains.

The company shared its findings with the majority of the affected agencies between late 2014 and early 2015.

"It's unclear when specific attacks occurred or if the original attacker had attempted to leverage any stolen information," Recorded Future researchers wrote in their report (PDF).

Recorded Future told SecurityWeek that it did not test any logins for ethical and legal reasons.

"We're highlighting that of the 705 credentials we identified, it is very likely that some were valid," Recorded Future's Scott Donnelly told SecurityWeek. "Combined with the lack of protections for remote log-ins for both privileged and unprivileged users at many federal agencies, this is alarming."  

The exposures occurred outside of agencies' control and were not the result of breached government systems, Recorded Future said. While some of the government agencies were specifically targeted by hacktivist groups, most of the exposed credentials were included in data dumps that frequently accompany attacks on popular third-party websites. In those cases, it appeared government employees used their work email addresses to register for online services.

Researchers analyzed domains associated with the Office of Professional Management and discovered multiple instances of clear text or hashed passwords. Recorded Future recommended agencies adopt multi-factor authentication and VPNs for remote access to their systems, require users to select strong passwords and change them frequently, and monitor third-party breaches to determine their level of exposure.

Cyberattack detection is no longer just about monitoring what is happening on your network, but also monitoring externally for email addresses, PII, and intellectual property that would indicate a compromise had occurred, said Ken Westin, senior security analyst at Tripwire. One way to do that is for organizations to integrate and aggregate threat intelligence data from Pastebin and similar sites into their SIEM systems. "Monitoring the Internet, specifically paste sites and forums for activity related to these sites for corporate domain names, is becoming increasingly common," he said.
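
The paste monitoring described above, as an added example (not code from Recorded Future, Tripwire or SecurityWeek): it scans paste text for credentials on watched domains and builds events a SIEM could ingest. The watched domains, event field names and sample paste are assumptions constructed for illustration.

```python
import re

# Hypothetical watchlist: placeholder domains, not domains named in the report.
WATCHED_DOMAINS = {"example.gov", "agency.example"}

# An email address, a separator common in dumps (: ; | , or tab), then the secret.
CRED_RE = re.compile(
    r"(?P<user>[A-Za-z0-9._%+-]+)@(?P<domain>[A-Za-z0-9.-]+\.[A-Za-z]{2,})"
    r"\s*[:;|,\t]\s*(?P<secret>\S+)"
)
# Unsalted hex digests recognised by length.
HEX_HASH_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def watched(domain):
    """True for a watched domain or a subdomain of it, not a lookalike suffix."""
    d = domain.lower()
    return any(d == w or d.endswith("." + w) for w in WATCHED_DOMAINS)


def classify(secret):
    """Label the secret as clear text or a likely hash, without keeping it."""
    if re.fullmatch(r"[0-9a-fA-F]+", secret) and len(secret) in HEX_HASH_LEN:
        return "hash:" + HEX_HASH_LEN[len(secret)]
    if secret.startswith(("$2a$", "$2b$", "$2y$")):
        return "hash:bcrypt"
    return "cleartext"


def scan_paste(paste_id, text):
    """Return one SIEM-ready event per unique exposed account in a paste."""
    events, seen = [], set()
    for m in CRED_RE.finditer(text):
        account = f"{m['user']}@{m['domain']}".lower()
        if not watched(m["domain"]) or account in seen:
            continue
        seen.add(account)
        # The secret itself is deliberately left out of the event.
        events.append({"event": "credential_exposure", "paste_id": paste_id,
                       "account": account, "secret_type": classify(m["secret"])})
    return events


# Constructed sample paste (not real data): duplicate line and lookalike domain.
SAMPLE = """\
jdoe@mail.example.gov:Summer2014
asmith@example.gov | 5f4dcc3b5aa765d61d8327deb882cf99
bob@notexample.gov:hunter2
jdoe@mail.example.gov:Summer2014
"""
EVENTS = scan_paste("constructed-001", SAMPLE)
```

Matching on the exact domain or a dot-prefixed suffix keeps lookalike domains out of the alert queue, and the event records only the account and the kind of secret, so the SIEM never becomes a second copy of the dump.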

With studies showing that about half of online users reuse a single password, it's very likely that even though the passwords came from third-party services, they are—or were at some point—valid credentials for government networks, researchers said.

"Reuse of passwords can be a huge problem for anyone, but for a government employee, the consequences might have national security implications," said Tim Erlin, director of IT security and risk strategy at Tripwire.

While Pastebin is good at removing sensitive information immediately, there are plenty of attackers who monitor these sites in near-real-time and could get to the information before it is removed, Westin noted. Recorded Future noted it was difficult to gauge the extent of the exposure for that reason. And some paste sites don't bother policing content being posted and won't remove sensitive information.

The credentials could potentially be used by people interested in acts of espionage to breach agency networks. While some of the affected agencies have VPNs, two-factor authentication, and other security measures in place, there are enough that don't, making these attacks a possibility. A majority of the exposed passwords were weak, making it trivial to crack the hashes, Recorded Future said.

The fact that these credentials were publicly posted is all the more worrying when considering the Office of Management and Budget report in February which found that 12 government agencies do not require privileged users to log in with two-factor authentication or other stronger schemes. The agencies include the General Services Administration, USAID, and the departments of State, Veterans Affairs, Agriculture, Housing and Urban Development, Transportation, Treasury, Health and Human Services, Energy, Interior, and Homeland Security. All of them were among the 47 agencies whose login credentials had been published online, Recorded Future said.

Highly organized, deeply funded attackers will use these credentials for secondary breaches against government agencies and gain deep access, said Richard Blech, CEO of SecureChannels. If the third-party sites had encrypted the credentials, the data dumps wouldn't have had any impact. If the agencies applied secure login mechanisms such as multi-factor authentication, then the fact that the passwords were exposed wouldn't be such a problem, he said. "What harm will we do to ourselves and other nation-states through sloppy security?" Blech asked.

*Updated with commentary from Recorded Future. Additional reporting by Mike Lennon

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.