DoJ fiddles while FBI & DHS burn (after trivial hack of U.S. employee data)

Attorney General Loretta E. Lynch heads the DoJ, which denies there was a PII breach. But wait, who’s that hiding behind the curtain?

“The department is looking into the unauthorized access of a system operated by one of its components containing employee contact information. This unauthorized access is still under investigation; however, there is no indication at this time that there is any breach of sensitive personally identifiable information.”

Credit: United States Department of Justice

U.S. DHS and FBI staff see their directory info stolen by pro-Palestine hacktivists. The self-styled DotGovs group says it broke into DoJ networks to leech the data, via spear-phishing plus social engineering.

The hackers also say they still have a load more info that remains unpublished. At least, for now.

Is it worrying that none of the three three-letter agencies are perturbed? Their official statements seem soothing and full of calm. Yet the hack sounds really simple.

In IT Blogwatch, bloggers point and laugh at yet another gov-opsec fail. Not to mention: Polygon Shredder...

curated these bloggy bits for your entertainment.
[Developing story: Updated 6:56 am PT with more comment]


What’s the craic? Steve Ragan investigates—Hackers leak DHS staff directory, claim DOJ is next:

An account on Twitter posted a [DHS] staff directory with 9,355 names. [It then] went on to claim that...20,000 FBI employees was next.

The...staff directory is exactly what you think it is...name, title, email address, and phone number [of] engineers...security specialists, program analysts, InfoSec...IT, all the way up to director level.

The FBI staff directory...contains 22,175 names, email addresses, and titles.


We first heard about the claim before the leak happened. Joseph Cox has his source—Hacker Plans to Dump Alleged Details of 20,000 FBI, 9,000 DHS Employees:

The hacker also claims to have downloaded hundreds of gigabytes of data from a...DOJ computer, although that data has not been published.

The job titles...cover all sorts of different departments [including] contractors, biologists, special agents, task force officers, technicians, intelligence analysts, [and] language specialists.

The data was obtained, the hacker [said], by first compromising the email account of a DoJ employee. ... The hacker used the DoJ email account to contact [me]. “So I called up, told them I was new and I didn't understand how to get [in]. ... They asked if I had a token code, I said no, they said that's fine—just use our one.”

Back in October, hackers claiming a pro-Palestine political stance broke into the email account of...John Brennan. This was followed by a prank, in which calls to...James Clapper would be forwarded to the Free Palestine Movement.

The DHS emailed...the following comment from spokesperson S.Y. Lee: "We take these reports very seriously, however there is no indication...that there is any breach of sensitive or personally identifiable information."


An anti-Israel motive again? Greg Otto cycles in to add heat and pressure, with Feds investigating hacktivists' info dump:

The information was taken from a Justice Department computer...after pro-Palestinian hackers broke [in] using social engineering.

At the beginning of the first [dump] the hackers claim, “This is for Palestine, Ramallah, West Bank, Gaza. This is for the child that is searching for an answer.”


As it becomes clear how easy it was to break in, foreigners are laughing. Foreigners like tikabass:

That's tight security!

I'm sure Americans feel safer now, knowing the professionalism of the guys protecting their lives, property and borders.


But wait. Shaun Nichols sheepishly wonders if it’s as bad as all that—Did a hacker really pwn the FBI, US Homeland Security and the DoJ?:

As we've seen in recent incidents, not all hacked info is worthy of mass hysteria.

[It] just sounds like directory information. ... It seems these records, at least, are not something terribly sensitive and, in some cases, that contact info could already be available for people to look up online.

By itself, it's not a hugely damaging collection, though the hacker claims to have a lot more data. [But] it has not been released yet. We don't know what...clearance this account may have had to view sensitive information.

There's also the fact that the DoJ doesn't think anything is amiss. ... [But] should the hacker produce 200GB of internal documents, the DoJ will have a huge mess on its hands.


The claimed hacker group has plenty to say for themselves. Tweeting as @DotGovs, they say:

well folks, it looks like @TheJusticeDept has finally realized their computer has been breached after 1 week.

stay mad @TheJusticeDept @FBI @DHSgov 8)

how you like that huh @TheJusticeDept #FreePalestine

Be sure to tweet #FreePalestine to bring awareness to all the kids dying by Israeli bombs that the US government funds!

its boring in the deserts of dubai

top security by @TheJusticeDept here!!!

When will the US government realize we won't stop until they cut relations with Israel.

i think the government can hear #FreePalestine now hahhaha

that's all we came to do, so now its time to go, bye folks! #FreePalestine


Update: Another day, another report of spear-phishing plus social engineering. Paul Ducklin explains-Hacker says he’s breached DHS and FBI, leaks claimed staff data:

Phishing is where you send out links or attachments in believable-looking emails in the hope that someone will...end up sucked into giving away secret information such as usernames and passwords. Spear-phishing is...with the emails made yet more believable by targeting, or tailoring...for each recipient. [It] can be as simple as getting your name right.

If you’re a nuclear scientist, for instance, an email about...attending a conference...is likely to attract your attention. If the crook has sufficiently many other details right...he might get to you [to] open up the dodgy website or document.

This breach will be more embarrassing for the DHS and FBI than it would be for most businesses. ... Not looking after employee data seems to be something of a theme at present.

Personal information about your employees is a gold mine for just the sort of spear-phishing attack we [just] spoke about. ... An organisational chart and an internal phone directory stolen today could be the basis of a...serious attack tomorrow.

The more that crooks...learn about your organisation, the more believable their attempts to talk their way in will appear.

And Finally...

Amazing, mesmerizing “Polygon Shredder”
[Does Insane mode crash WebGL for you? Hat tip: Andy Baio]


You have been reading IT Blogwatch by , who curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or itbw@richi.uk.
Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.
