Hackers reportedly gain access to Drug Enforcement Administration data portal

Hackers are believed to have compromised a data portal run by the US Drug Enforcement Administration (DEA), unlocking access to a vast amount of information.

As cybersecurity journalist Brian Krebs reports, the breach would have allowed the attackers to prowl through 16 federal law enforcement databases covering a wide variety of investigative data. How did this happen? The absence of multi-factor authentication appears to be a key cause.

Krebs wrote that he has learned that “the alleged compromise is linked to an online cybercrime and stalking community that routinely poses as police and government officials to collect personal information about their targets.”

He said a tip for this story came from an anonymous administrator of Doxbin, “a highly toxic online community that provides a forum for digging up people’s personal information and posting it publicly.” Krebs further noted that this unauthorized access could be abused to upload false data on suspects, citing a comment by Nicholas Weaver, a researcher at the International Computer Science Institute at the University of California, Berkeley.

False tips have often been used to initiate “swatting” attacks, in which false reports of crimes in progress lead police to raid a residence with heavily armed SWAT teams. The target, or a random bystander, may end up dead in the process.

Unfortunately, Krebs has personal experience with that scenario. In 2013, police from Fairfax County, Virginia, showed up at his door with guns drawn after receiving a false tip that the Russians had broken in and shot his wife. The perpetrator was caught after participating in a clandestine online forum run by the FBI and was subsequently sentenced in 2016.

The login page for the DEA El Paso Intelligence Center (yes, EPIC) invites users to log in with a government-issued Personal Identity Verification card, but also allows traditional login and password access. The source Krebs spoke to told him that “the hacker who gained this illicit access was able to log in with only the stolen credentials, and at no time did the portal request a second factor of authentication.”

That would be a serious security risk for a webmail system, let alone a portal to a large police database. It would also count as the most accurate use of the term “EPIC fail”.

For now, the DEA is not sharing any details and has only provided a generic statement saying that it “takes cyber security and breach reporting seriously.” We have sent a request for comment to the Department of Justice and will update this post when we receive it.

However, the feds should know what they need to do to fix this. The executive order on cybersecurity that the Biden administration issued in May 2021 mandates that agencies go beyond passwords: “Within 180 days of the date of this order, agencies will adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent compatible with federal registration laws and other applicable laws.”
