Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Security Government United States IT

Hackers Leak DHS Staff Directory, Claim FBI Is Next (csoonline.com) 81

itwbennett writes: On Sunday, the name, title, email address, and phone number of more than 9,000 DHS employees, with titles ranging from engineers, to security specialists, program analysts, InfoSec and IT, all the way up to director level was posted on Twitter. 'The account went on to claim that an additional data dump focused on 20,000 FBI employees was next,' writes CSO's Steve Ragan. The hacker told Motherboard that the data was obtained by "compromising the email account of a DoJ employee, although he would not elaborate on how that account was accessed in the first place."
This discussion has been archived. No new comments can be posted.

Hackers Leak DHS Staff Directory, Claim FBI Is Next

Comments Filter:
  • Where is the link to the list?

  • by Anonymous Coward

    But remember your personal data is safe... (apart from history showing the complete opposite) We didn't just consolidate all the personal data into one easily stealable.. I mean navigable database using lowest bidder software, I am sure no-one could profit from peoples personal information we haven't so no-one else can.

    pfft, data security laws and regulations are just so unnecessary and backdoors into encryption and digital security can only be used by the "good guys" never fear! apart from when we want you

  • by daq man ( 170241 ) on Monday February 08, 2016 @11:11AM (#51462337)

    I don't know which is worse, that outfits like the DHS and FBI have such lousy cyber security that this can happen or that someone thinks that publishing this stuff is helping their cause.

    • by bws111 ( 1216812 )

      Is this stuff even supposed to be a secret? My company has a link to the employee directory (containing names, titles, email addresses, and phone numbers) right on the home page of their web site.

      • That doesn't seem like a good idea. Spam harvesters, spam phone calls from recruiters/sales/etc.
        • Not to mention fodder for spear phishing attacks.

          This already happened to us and we are a small company (around 100 employees). An attacker grabbed information from our web site (company directory of C levels), waited until the xmas holiday to initiate an e-mail harvest attack which netted them valid addresses from auto-replies (complete with authentic sigs).

          Then an e-mail was crafted which appeared to be a thread in progress by two of the higher-ups. The thread was all forged, of course, but the signature

      • by Z00L00K ( 682162 )

        What if it's a honeytrap?

      • Public employees typically have their salaries posted even. If the list doesn't include NoC/UoC or undercover people, this might not be that bad.

      • Indeed official staff names, titles, emails, and phone numbers are ALL things that are available to the public through staff directories or FOIA. Much about nothing, and if the "hackers" actually think they hacked something secret, they are most likely just script kiddies who found a public server of a honey pot.

      • by daq man ( 170241 )

        It is a secret where I work and I'm not doing anything as spooky as the FBI or DHS. There are a good many reasons that a company don't want an employee directory publishing:

        1) For people with unusual names someone can figure out where you live and target you at home where security is weaker.

        2) Phishing using info from the directory to seem legit. "Hi Joe, this is Tom from shipping. Fred from accounting asked me to call you..."

        3) Hacking attempts, people's usernames may well be the username part of the email

    • by U2xhc2hkb3QgU3Vja3M ( 4212163 ) on Monday February 08, 2016 @11:17AM (#51462367)

      I think they're doing this to shame the DHS and FBI and at the same time show the world that this kind of thing is possible even without government-approved backdoors.

    • by ATMAvatar ( 648864 ) on Monday February 08, 2016 @11:25AM (#51462431) Journal
      That largely depends on their cause. If the cause is to show how insecure the DHS is or to damage its reputation, then mission accomplished.
      • DHS has such a poor reputation, are you really sure it can be damaged further. They probably have a statement on their web site that you are required to go through a metal detector before trying to hack into their personnel records, unless you are over 70 years old. And they thought that would keep the data safe!
    • . . . now if they could do this to the NSA . . . that would be like winning the PowerBall.

      But alas, the NSA is the difficult one to get in the Beanie Baby set . . .

    • Depends on who the hackers are? If they are from Russia, China, North Korea, then it helps them a great deal. Otherwise, no.
  • by The-Ixian ( 168184 ) on Monday February 08, 2016 @11:17AM (#51462369)

    We will keep them super ultra extra mega secure... promise.

  • by Anonymous Coward on Monday February 08, 2016 @11:18AM (#51462371)

    For years since the Snowden disclosures we have repeatedly heard from the government If you don't want to be tracked, turn off your phone". [vice.com]. And you have no expectation of privacy when using tools designed to protect your privacy. [vice.com]

    So let's see here. "If you want privacy, don't work for civil-rights violating organizations". "You have no expectation of privacy if you work for the NSA, DHS, or are a congressman/woman who has voted to strip away our civil rights".

    I won't shed half a tear if the shoe shifts to the other foot once in a while.

    • Shesh AC, seriously if you don't want to be tracked, don't carry around a RF transmitter which is turned on in your pocket, don't connect to the internet and don't walk down a public street. Anybody can track you in public if they want.
  • by U2xhc2hkb3QgU3Vja3M ( 4212163 ) on Monday February 08, 2016 @11:19AM (#51462379)

    Great, I've been waiting forever for Mulder's email address. I want to ask him if he knows where his towel is.

    • by antdude ( 79039 )

      I prefer Scully's. ;)

  • This is so sad (Score:4, Insightful)

    by ITRambo ( 1467509 ) on Monday February 08, 2016 @11:51AM (#51462649)
    Homeland Security seems to be anything but secure itself. Don't they have a huge budget for things like...security?
    • by Anonymous Coward

      I work for ICE, an agency under DHS. All I can say to both when it comes to their security is "you can't fix stupid." It doesn't matter how much money you throw at a problem, if you don't have anyone qualified to do something about it.

      The only reason they don't get hacked, is likely the fact that the network is such a mess you can't navigate your way through it to find anything useful. An employee directory is nothing. That's available in Outlook's GAL.

      From the article, is sounds like nothing special...

    • by AHuxley ( 892839 )
      This shows a lack of encryption. Expect the same for backdoors, trapdoors mil grade support hardware used in a domestic setting.
      Every team is been watched and tested.
      Why would any gov just allow sensitive files to be created, exist in plain text and be left just facing the open internet?
      Every level of the US gov seems to have upgraded to computers at some time. Not much thought went into just connecting the same very secure, isolated systems to the internet and then getting a no bid cloud upgrade.

  • Anti-Israel hackers.

  • Easy Hack (Score:5, Interesting)

    by byteherder ( 722785 ) on Monday February 08, 2016 @12:01PM (#51462735)
    It is not like these lists are ultra top secret. When I worked for a government agency that shall remain nameless, I had access to everyone's email address, name, phone number and work location address. We treated that information with respect for privacy just as we did more sensitive information like SS #, home address, date of birth. Email addresses certainly was not top secret.
    • Re:Easy Hack (Score:4, Interesting)

      by TubeSteak ( 669689 ) on Monday February 08, 2016 @01:03PM (#51463283) Journal

      If you gather together enough unclassified information, you can frequently distill from it facts that are considered classified.

      Like tracking the tail numbers of international flights to uncover the CIA's rendition program.

      Not to mention that a staff directory is exactly what you want for spearfishing campaigns.

    • Running exchange and looking at the address book, right?
  • by Anonymous Coward

    Nothing to hide, nothing to fear, amirite?

  • Exchange? (Score:5, Informative)

    by McGruber ( 1417641 ) on Monday February 08, 2016 @02:01PM (#51463749)

    name, title, email address, and phone number of more than 9,000 DHS employees,

    All of which are available to any DHS employee with email access, since that data is in the Outlook directory.

  • Somehow I don't think that Twitter has raised their character limit that high yet.
  • I hope the FBI is hiding the entries for undercover agents.

The last thing one knows in constructing a work is what to put first. -- Blaise Pascal