Memo to feds: Stop using the same passwords for personal and work accounts

Recent and future government victims of the hacker collective Anonymous may want to stop using agency passwords on nonwork websites, say officials with the Arizona Department of Public Safety, which learned that lesson the hard way.

During the weekend, hacker activists purportedly from Anonymous leaked the apparent passwords and some credit card data of federal subscribers to intelligence publisher Stratfor, according to the attackers' online messages. It is unclear whether the clients, whose government email addresses also were revealed, were using any of the passwords for federal government systems. But in Arizona, Anonymous allegedly unlocked state government systems by stealing and reusing the passwords officers used to access their personal email accounts and nonwork websites, said Officer Carrick Cook, spokesman for the police department.

"People were using the same password for a lot of different things," he said. "Cops are kind of silly when it comes to that and using the same password twice."

A former Anonymous member said some of the functioning passwords came from pornography websites. Jennifer Emick, who became a security consultant after abandoning the group's antics, said the police had registered on the explicit sites using their government email addresses and government passwords. The attackers, who either operated the porn sites or hacked them, entered the customers' passwords into their corresponding government accounts to see if that would open department databases, she said. It worked, current Anonymous members confirmed.

The cyberbandits, who claimed to be angered by Arizona's tough immigration policies, were able to expose hundreds of personal email correspondences, phone numbers and passwords of officers.

"If you are going to sign up for a porn site, use a throwaway email account, not your real email," Emick said.

Cook said he didn't know all the details but one gateway for hackers was the officers' personal Web mail accounts. From the office, some police had forwarded work emails to their personal accounts that displayed their computer credentials. "Once they got into the work email system -- into the mainframe -- they could get into the server," he said.

After the attack, police were instructed to create stronger passwords that contained a certain number of characters, letters and numbers, Cook said. And they were prohibited from using any personal account passwords as government logins. Also, officers now must either contact the system administrator or enter a current password to change their codes. There are no password reset questions, such as, "What is your mother's maiden name?" Cook was unsure if the department has forbidden officers from forwarding work emails to personal Web mail accounts.
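The policy Cook describes (minimum length, letters and digits, and no reuse of passwords from personal accounts) is the kind of rule an agency can enforce at password-change time rather than by instruction alone. The following is an added example, not code from the article, the Arizona department, or Nextgov. The minimum length of 12 is an assumption, since the article only says "a certain number of characters"; the set of leaked-password hashes is constructed stand-in data modelling credentials exposed by a third-party site, which is how the reused passwords surfaced in this case.

```python
import hashlib
import re

# Assumption: the article does not give the required length, so 12 is a placeholder.
MIN_LENGTH = 12

# Constructed sample standing in for passwords exposed in a third-party breach
# (e.g. a compromised personal-site user database). Storing only the hashes means
# the check itself never has to hold the plaintext list.
LEAKED_PASSWORD_HASHES = {
    hashlib.sha256(p.encode("utf-8")).hexdigest()
    for p in ("badge1234", "summer2011", "letmein1")
}


def check_password(candidate, leaked_hashes=LEAKED_PASSWORD_HASHES, min_length=MIN_LENGTH):
    """Return the list of policy violations for a proposed password.

    An empty list means the password satisfies the policy: long enough,
    contains both letters and digits, and does not match any password already
    known to be exposed elsewhere (the reuse case that opened the Arizona systems).
    """
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Za-z]", candidate):
        problems.append("contains no letters")
    if not re.search(r"\d", candidate):
        problems.append("contains no digits")
    digest = hashlib.sha256(candidate.encode("utf-8")).hexdigest()
    if digest in leaked_hashes:
        problems.append("matches a password exposed in a third-party breach")
    return problems


if __name__ == "__main__":
    for pw in ("badge1234", "OnlyLettersHereOk", "Correct-Horse-7-Battery"):
        result = check_password(pw)
        verdict = "accepted" if not result else "rejected: " + "; ".join(result)
        print(f"{pw!r}: {verdict}")
```

The breach check is the part that addresses the actual failure in the article: a length-and-complexity rule alone would have accepted a strong password that the officer had also typed into a personal site. Knowledge-based reset questions, which the department also dropped, are simply absent here, so a forgotten password goes back through an administrator or a current-password flow as Cook describes.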

He acknowledged the protective measures cannot stop a person intent on penetrating department systems. "I know it's making it more difficult," Cook said, but, "It's not going to prevent another hacking issue."

During the past year, the FBI has arrested about 20 cybercrooks aligned with Anonymous, mainly in connection with attacks on sites, such as PayPal, that stopped servicing the anti-secrets publisher WikiLeaks. Most recently, on Dec. 13, bureau officials announced that they apprehended a Connecticut member for allegedly shutting down GeneSimmons.com, the official fan page of the KISS performer.

Cook said more than 15 individuals around the world have been arrested on charges related to the Arizona crime.

Stratfor's website, which has been down since the weekend, is expected to remain offline another week for review and adjustment, Stratfor officials said.

"We are diligently investigating the extent to which subscriber information may have been obtained," Stratfor Chief Executive Officer George Friedman wrote on the company's Facebook page Sunday.

On Wednesday night, he posted an update, stating, "our investigation and coordination with law enforcement is ongoing." National Journal reported on Tuesday that the FBI is aware of the breach. Nextgov and National Journal are both owned by the Atlantic Media Co.

The FBI declined to comment.
