FBI private sector cyber threat reporting database hacked by apparently unreported cyber threat
from the target-rich-environment-not-surprisingly-targeted dept
Is this irony? It kind of seems like it is. Maybe it isn’t. It could just be a coincidence. An extremely unfortunate, ironic coincidence.
Whatever it is, it doesn’t look good for the FBI, which encouraged pretty much all private companies to register as reporting entities so the FBI could (theoretically, it seems) respond to reported security threats.
The FBI wants to be part of the cyber Pearl Harbor discussion. Here is the latest contribution to that conversation, as first reported by Brian Krebs:
InfraGard, a program run by the US Federal Bureau of Investigation (FBI) to build partnerships for sharing cyber and physical threat information with the private sector, this week put its database of contact information on more than 80,000 members up for sale in an English-language cybercrime forum. Meanwhile, the hackers responsible are communicating directly with members through the InfraGard online portal – using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.
Trust but don’t even bother to verify, I guess. That’s how they—and by “they,” I mean the hacker who refers to himself as “USDoD”—get you. A portal for private companies to report threats has been compromised using nothing more than credentials that have likely been floating around the web (dark or otherwise) for some time now.
The USDoD said it gained access to the FBI’s InfraGard system by applying for a new account using the name, social security number, date of birth and other personal details of a CEO of a company that was highly likely to be granted InfraGard membership.
The CEO in question – currently the head of a major US financial company that has a direct impact on the creditworthiness of most Americans – told KrebsOnSecurity that they were never contacted by the FBI trying to process an InfraGard application.
Once the account was approved, the breach began. The USDoD “asked a friend” to create a script that would pull all available user data from the database, which apparently had no defensive methods in place to detect or stop the script, and no siloing in place to ensure that a user’s authorized access to their own record would not let them read information about every other user.
In an effort to increase cooperation between private sector contributors (if not with the FBI itself, although there appears to be no actual FBI data/communications included in the hacking haul), InfraGard served as a quasi-social media hub to allow private companies to share information with each other. This connection apparently facilitated the easy exfiltration of data, albeit data of debatable value.
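To make the two failures just described concrete, here is an added example (not code from this article, from Krebs, or from InfraGard; every record and log line is constructed): a toy member-directory lookup without and with per-record authorization, plus a log check that flags a single account pulling many distinct member records.

```python
# Added illustration of the two defects described above: no per-record
# authorization ("siloing") and no detection of bulk enumeration.
# All member records and log lines are constructed sample data.
from collections import defaultdict
from datetime import datetime, timedelta

MEMBERS = {  # constructed; only the owner should see sensitive fields
    101: {"name": "A. Member", "email": "a@example.org", "ssn": "000-00-0001"},
    102: {"name": "B. Member", "email": "b@example.org", "ssn": "000-00-0002"},
    103: {"name": "C. Member", "email": "c@example.org", "ssn": "000-00-0003"},
}
SENSITIVE = {"ssn", "email"}

def get_member_unsiloed(requester_id, member_id):
    """Vulnerable: any authenticated member gets any full record."""
    return dict(MEMBERS[member_id])  # requester_id is never consulted

def get_member_siloed(requester_id, member_id):
    """Hardened: full record only for its owner; others get name only."""
    record = MEMBERS[member_id]
    if requester_id == member_id:
        return dict(record)
    return {k: v for k, v in record.items() if k not in SENSITIVE}

def flag_enumeration(log_lines, max_distinct=2, window=timedelta(minutes=5)):
    """Return requester ids that read more than max_distinct distinct member
    records inside a sliding window. Constructed log line format:
    '<ISO timestamp> <requester_id> GET /member/<member_id>'."""
    seen = defaultdict(list)  # requester -> [(time, member_id), ...]
    flagged = set()
    for line in log_lines:
        ts, requester, _method, path = line.split()
        when = datetime.fromisoformat(ts)
        member_id = int(path.rsplit("/", 1)[1])
        hits = seen[requester] + [(when, member_id)]
        # Drop hits older than the window, then count distinct records left.
        seen[requester] = [h for h in hits if when - h[0] <= window]
        if len({m for _, m in seen[requester]}) > max_distinct:
            flagged.add(requester)
    return flagged

ACCESS_LOG = [  # constructed: one ordinary member, one scraping account
    "2022-12-13T10:00:00 201 GET /member/201",
    "2022-12-13T10:00:05 999 GET /member/101",
    "2022-12-13T10:00:06 999 GET /member/102",
    "2022-12-13T10:00:07 999 GET /member/103",
    "2022-12-13T10:00:08 201 GET /member/201",
]
```

The threshold and window are illustrative; a real portal would tune them to normal directory use and alert on the flagged account rather than silently log it.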
The USDoD acknowledged that their $50,000 asking price for the InfraGard database may be a little high, given that it’s a fairly basic list of people who are already very security conscious. Also, only about half of the user accounts contain an email address, and most of the other database fields – such as social security number and date of birth – are completely blank.
While the eventual sale of this data will put the USDoD in the black, selling the list may not be the endgame for this user data. The hacker is taking full advantage of the impersonated account to contact private sector participants, in hopes of securing additional data and/or credentials that can be used to reach bigger and better data.
The FBI has responded to these reports without comment.
“This is an ongoing situation and we are unable to provide additional information at this time,” the FBI said in a written statement.
It’s too bad the FBI didn’t realize this until they were contacted by people who don’t work for the FBI. If the agency wants the private sector to trust it with threat reports and data, it needs to be upfront about things like this, instead of just refusing to talk about incidents it should be more proactive about.
But spending tax dollars on “cyber security furniture” only buys so much expertise. While it’s important that private sector contributors can easily share information with each other, a breach like this will only encourage them to cut the FBI out of the loop. There are obviously safer channels for communication about these issues. Allowing a hacker to make off with critical data suggests that the FBI is not only failing to fully vet contributors to its cybersecurity marketplace of ideas, but failing to ensure that the private companies it hires to deliver solutions are capable of meeting the requirements of the job.
Filed under: cyberthreat reporting, fbi, hacker, infragard