Memo to feds: Stop using the same passwords for personal and work accounts

Recent and future government victims of the hacker collective Anonymous may want to stop using agency passwords on nonwork websites, say officials with the Arizona Department of Public Safety, which learned that lesson the hard way.

During the weekend, hacker activists purportedly from Anonymous leaked the apparent passwords and some credit card data of federal subscribers to intelligence publisher Stratfor, according to the attackers' online messages. It is unclear whether the clients, whose government email addresses also were revealed, were using any of the passwords for federal government systems. But in Arizona, Anonymous allegedly unlocked state government systems by stealing and reusing the passwords officers used to access their personal email accounts and nonwork websites, said Officer Carrick Cook, spokesman for the police department.

"People were using the same password for a lot of different things," he said. "Cops are kind of silly when it comes to that and using the same password twice."

A former Anonymous member said some of the functioning passwords came from pornography websites. Jennifer Emick, who became a security consultant after abandoning the group's antics, said the police had registered on the explicit sites using their government e-mail addresses and government passwords. The attackers, who either operated the porn sites or hacked them, entered the customers' passwords into their corresponding government accounts to see if that would open department databases, she said. It worked, current Anonymous members confirmed.

The cyberbandits, who claimed to be angered by Arizona's tough immigration policies, were able to expose hundreds of personal email correspondences, phone numbers and passwords of officers.

"If you are going to sign up for a porn site, use a throwaway email account, not your real email," Emick said.

Cook said he didn't know all the details but one gateway for hackers was the officers' personal Web mail accounts. From the office, some police had forwarded work emails to their personal accounts that displayed their computer credentials. "Once they got into the work email system -- into the mainframe -- they could get into the server," he said.

After the attack, police were instructed to create stronger passwords that contained a certain number of characters, letters and numbers, Cook said. And they were prohibited from using any personal account passwords as government logins. Also, officers now must either contact the system administrator or enter a current password to change their codes. There are no password reset questions, such as, "What is your mother's maiden name?" Cook was unsure if the department has forbidden officers from forwarding work emails to personal Web mail accounts.
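The two controls the department adopted, a composition rule for new passwords and a ban on reusing passwords from personal accounts, can both be checked mechanically. The following is an added example, not code from the article or from the Arizona Department of Public Safety: it takes a constructed list of credentials exposed by a third-party site, re-hashes each leaked password with the matching directory account's own salt to find officers who reused it, and rejects a proposed new password that is too short, lacks letters or digits, or matches a leaked one. The minimum length of 12 and the PBKDF2 hashing are assumptions, since the article gives neither; all usernames, emails and passwords are constructed test data.

```python
"""
Added example (not from the article): find directory accounts whose stored
password matches a credential leaked from an outside site, and enforce the
password rules the article describes when a password is changed.
All account names, emails and passwords below are constructed test data.
"""
import hashlib
import hmac
import secrets

# Assumed policy values; the article says only "a certain number of characters".
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest, standing in for the identity store's own scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_directory(accounts: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Build a username -> (salt, digest) store from plaintext test accounts."""
    directory = {}
    for user, password in accounts.items():
        salt = secrets.token_bytes(16)
        directory[user] = (salt, hash_password(password, salt))
    return directory


def find_reused_credentials(directory, leaked_credentials) -> list[str]:
    """
    Given (email, password) pairs exposed by a third-party breach, return the
    directory users whose stored digest matches the leaked password. Each
    candidate is re-hashed with that account's own salt, so the directory's
    plaintext password is never needed; a match means the officer reused it.
    """
    reused = []
    for email, leaked_password in leaked_credentials:
        user = email.split("@", 1)[0].lower()
        entry = directory.get(user)
        if entry is None:
            continue  # leaked address is not a directory account
        salt, stored_digest = entry
        if hmac.compare_digest(hash_password(leaked_password, salt), stored_digest):
            reused.append(user)
    return reused


def banned_from_leak(leaked_credentials) -> set[bytes]:
    """Unsalted SHA-256 digests of leaked passwords, so no plaintext list is retained."""
    return {hashlib.sha256(pw.encode("utf-8")).digest() for _, pw in leaked_credentials}


def password_meets_policy(candidate: str, banned_digests: set[bytes]) -> tuple[bool, str]:
    """
    Rules from the article: minimum length (assumed 12), must contain letters
    and digits, and must not be a password already seen on an outside site.
    """
    if len(candidate) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if not any(c.isalpha() for c in candidate):
        return False, "no letters"
    if not any(c.isdigit() for c in candidate):
        return False, "no digits"
    if hashlib.sha256(candidate.encode("utf-8")).digest() in banned_digests:
        return False, "matches a password leaked from an outside site"
    return True, "ok"


# Constructed data: a two-account directory and a constructed third-party leak.
SAMPLE_ACCOUNTS = {"jdoe": "Summer2011!xyz", "asmith": "correct-horse-4-battery"}
SAMPLE_LEAK = [
    ("jdoe@dps.example.gov", "Summer2011!xyz"),    # reused: same as directory password
    ("asmith@dps.example.gov", "anotherpass99"),   # different password, no match
    ("nobody@dps.example.gov", "whatever123"),     # not a directory user
]

if __name__ == "__main__":
    directory = make_directory(SAMPLE_ACCOUNTS)
    print("accounts reusing leaked passwords:", find_reused_credentials(directory, SAMPLE_LEAK))
    banned = banned_from_leak(SAMPLE_LEAK)
    for proposed in ["short1", "alllettersnodigits", "Summer2011!xyz", "Cactus-Patrol-2012"]:
        print(proposed, "->", password_meets_policy(proposed, banned))
```

Matching by username alone, as done here, is the weakest link: an officer who registered on the outside site with a different address but the same password is not caught, which is exactly the case the article's ban on personal-account passwords is meant to cover, and it is why the policy check at change time is needed in addition to the one-off comparison.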

He acknowledged the protective measures cannot stop a person intent on penetrating department systems. "I know it's making it more difficult," Cook said, but, "It's not going to prevent another hacking issue."

During the past year, the FBI has arrested about 20 cybercrooks aligned with Anonymous, mainly in connection with attacks on sites, such as PayPal, that stopped servicing the anti-secrets publisher WikiLeaks. Most recently, on Dec. 13, bureau officials announced that they apprehended a Connecticut member for allegedly shutting down, the official fan page of the KISS performer.

Cook said more than 15 individuals around the world have been arrested on charges related to the Arizona crime.

Stratfor's website, which has been down since the weekend, is expected to remain offline another week for review and adjustment, Stratfor officials said.

"We are diligently investigating the extent to which subscriber information may have been obtained," Stratfor Chief Executive Officer George Friedman wrote on the company's Facebook page Sunday.

On Wednesday night, he posted an update, stating, "our investigation and coordination with law enforcement is ongoing." National Journal reported on Tuesday that the FBI is aware of the breach. Nextgov and National Journal are both owned by the Atlantic Media Co.

The FBI declined to comment.
