With just a password needed to access police databases, the FBI got basic security wrong
Someone in the FBI's own IT department is probably having a very bad week.
Hackers earlier this month were able to access a US law enforcement arrest database, and posted screenshots to Twitter -- including some high-profile arrestees, like hacker Jeremy Hammond, convicted for his part in the Stratfor leak. It wasn't just that arrest database. The hackers, according to Wired, also gained access to a police file transfer service, and an instant messaging service for police, and a real-time intelligence-sharing platform, among others.
The one-stop shop law enforcement gateway, known as LEEP (Law Enforcement Enterprise Portal), is accessible from the web and, indeed, from any computer or network.
So easy is it to access, in fact, that the government has its own domain name: LEO.gov.
The FBI says on its website that it's "located in one centralized location," and accessible by "a single sign-on process -- using one username and one password for many different resources and services."
It's not clear how many authorized users there are, but the number is likely to be in the many hundreds of thousands.
Exactly how the hackers got access to the database remains a mystery. When asked by Wired, the hackers did not respond.
According to NextGov, getting access to the system "does not require multifactor authentication, such as using a password and another form of ID like a smart card."
One theory is that they may have accessed the FBI-run law enforcement portal like any other user would have done: with a username and password.
The hackers first hit the public scene when they gained access to the personal AOL email account of CIA director John Brennan. A number of documents were later acquired by whistleblowing site WikiLeaks and posted online.
The hackers didn't stop there, either. CNN reports that the hackers were able to access the email account of FBI deputy director Mark Giuliano. Email accounts are often the final port of call for password reset messages, making it a prime target for anyone who wants to get access to other systems.
But even most email accounts and social networking sites have two-factor authentication, a system whereby the user gets a notification on a trusted device -- like a phone -- to add an extra layer of security on top of a username and password. And without that code, you can't log in.
What's more surprising is that the FBI trumpets two-factor authentication as one of the prime ways of keeping data safe.
"Cyber criminals...obtain passwords more often than you think. Which is why it's important to add another level of protection between the cyber criminal and you," says the FBI's own website.
What isn't surprising is that the FBI didn't follow its own advice, and it doesn't follow standard industry advice.
Apple, Amazon, Dropbox, eBay, Facebook, Google, LinkedIn, Microsoft, PayPal Skype, Snapchat, Twitter, Yahoo, YouTube are just some of the bigger names which offer two-factor authentication. In fact, most companies do. It's only a fraction of firms that don't.
An FBI spokesperson said they had no comment beyond the Friday statement, which was:
"We have no comment on specific claims of hacktivism, but those who engage in such activities are breaking the law. The FBI takes these matters very seriously. We will work with our public and private sector partners to identify and hold accountable those who engage in illegal activities in cyberspace."