Memo to feds: Stop using the same passwords for personal and work accounts

Recent and future government victims of the hacker collective Anonymous may want to stop using agency passwords on nonwork websites, say officials with the Arizona Department of Public Safety, which learned that lesson the hard way.

During the weekend, hacker activists purportedly from Anonymous leaked the apparent passwords and some credit card data of federal subscribers to intelligence publisher Stratfor, according to the attackers' online messages. It is unclear whether the clients, whose government email addresses also were revealed, were using any of the passwords for federal government systems. But in Arizona, Anonymous allegedly unlocked state government systems by stealing and reusing the passwords officers used to access their personal email accounts and nonwork websites, said Officer Carrick Cook, spokesman for the police department.

"People were using the same password for a lot of different things," he said. "Cops are kind of silly when it comes to that and using the same password twice."

A former Anonymous member said some of the functioning passwords came from pornography websites. Jennifer Emick, who became a security consultant after abandoning the group's antics, said the police had registered on the explicit sites using their government email addresses and government passwords. The attackers, who either operated the porn sites or hacked them, entered the customers' passwords into their corresponding government accounts to see if that would open department databases, she said. It worked, current Anonymous members confirmed.

The cyberbandits, who claimed to be angered by Arizona's tough immigration policies, were able to expose hundreds of personal email correspondences, phone numbers and passwords of officers.

"If you are going to sign up for a porn site, use a throwaway email account, not your real email," Emick said.

Cook said he didn't know all the details but one gateway for hackers was the officers' personal Web mail accounts. From the office, some police had forwarded work emails to their personal accounts that displayed their computer credentials. "Once they got into the work email system -- into the mainframe -- they could get into the server," he said.

After the attack, police were instructed to create stronger passwords that contained a certain number of characters, letters and numbers, Cook said. And they were prohibited from using any personal account passwords as government logins. Also, officers now must either contact the system administrator or enter a current password to change their codes. There are no password reset questions, such as, "What is your mother's maiden name?" Cook was unsure if the department has forbidden officers from forwarding work emails to personal Web mail accounts.

He acknowledged the protective measures cannot stop a person intent on penetrating department systems. "I know it's making it more difficult," Cook said, but, "It's not going to prevent another hacking issue."

During the past year, the FBI has arrested about 20 cybercrooks aligned with Anonymous, mainly in connection with attacks on sites, such as PayPal, that stopped servicing the anti-secrets publisher WikiLeaks. Most recently, on Dec. 13, bureau officials announced that they apprehended a Connecticut member for allegedly shutting down, the official fan page of the KISS performer.

Cook said more than 15 individuals around the world have been arrested on charges related to the Arizona crime.

Stratfor's website, which has been down since the weekend, is expected to remain offline another week for review and adjustment, Stratfor officials said.

"We are diligently investigating the extent to which subscriber information may have been obtained," Stratfor Chief Executive Officer George Friedman wrote on the company's Facebook page Sunday.

On Wednesday night, he posted an update, stating, "our investigation and coordination with law enforcement is ongoing." National Journal reported on Tuesday that the FBI is aware of the breach. Nextgov and National Journal are both owned by the Atlantic Media Co.

The FBI declined to comment.
