DEA Investigating Breach of Law Enforcement Data Portal(krebsonsecurity.com)
krebsonsecurity.com
DEA Investigating Breach of Law Enforcement Data Portal
https://krebsonsecurity.com/2022/05/dea-investigating-breach-of-law-enforcement-data-portal/
10 comments
This is why law enforcement can't be trusted with arbitrary search (sorry, "scan" [eyeroll emoji]) powers
One would think that groups like cartels already have access to this system, since access seems to be available to quite literally millions of law enforcement employees nationwide.
I think Krebs misses the point a little with the discussion of MFA and PIV cards - sure, this system should absolutely have MFA, but what it really should do is not exist in the first place, and barring that, at least have scoped access control.
I think Krebs misses the point a little with the discussion of MFA and PIV cards - sure, this system should absolutely have MFA, but what it really should do is not exist in the first place, and barring that, at least have scoped access control.
The US Government pushes MFA hard. If you work in the DoD supply chain you must have MFA. I find it hypocritical that sensitive government data like this is not protected in the way the government prescribes for contractors. This is a 'what is good for the gander is good for the goose' (yes that is backward from typical) situation. Why not make use of ample resources from CISA?
https://www.cisa.gov/mfa
https://www.beyondidentity.com/blog/us-government-now-requir...
https://www.cisa.gov/mfa
https://www.beyondidentity.com/blog/us-government-now-requir...
It's backdoors all the way down.
That reporting also showed how the core members of LAPSUS$ were involved in selling a service offering fraudulent Emergency Data Requests (EDRs), wherein the hackers use compromised police and government email accounts to file warrantless data requests with social media firms, mobile telephony providers and other technology firms, attesting that the information being requested can’t wait for a warrant because it relates to an urgent matter of life and death.
That reporting also showed how the core members of LAPSUS$ were involved in selling a service offering fraudulent Emergency Data Requests (EDRs), wherein the hackers use compromised police and government email accounts to file warrantless data requests with social media firms, mobile telephony providers and other technology firms, attesting that the information being requested can’t wait for a warrant because it relates to an urgent matter of life and death.
This is a really important story. I think about all the requests government agencies make for backdoors to things ... then I read something like this ... Ick.
Krebs is funny, writing as if this is something new calling for review. https://en.wikipedia.org/wiki/Office_of_Personnel_Management...
If we assume for the moment that state-sponsored foreign hacking groups can gain access to sensitive government intelligence in the same way as teenage hacker groups like LAPSUS$, then it is long past time for the U.S. federal government to perform a top-to-bottom review of authentication requirements tied to any government portals that traffic in sensitive or privileged information.
If we assume for the moment that state-sponsored foreign hacking groups can gain access to sensitive government intelligence in the same way as teenage hacker groups like LAPSUS$, then it is long past time for the U.S. federal government to perform a top-to-bottom review of authentication requirements tied to any government portals that traffic in sensitive or privileged information.
Perhaps the ultimate LE portals to breach are the ones used for deconflicting active investigations / operations / targets / etc. across multiple departments / agencies. If someone got into one of those they could create safe zones where their activities are nearly guaranteed not to be interrupted by a random cop on patrol.
Sure, lets trust an agency with a history of abuse. Lets believe that politicians like Rudy Giuliani and George Bush had no foreknowledge of 9/11 in order to have Americans gladly give away their freedoms and go to war over false reports.
Fortunately the Good Guys are in charge now and we don't do that sort of thing anymore.
I wish there were “Good Guys” in government/politics/power/business. Unfortunately, if you find one, I can point out 10,000 that are not.