Hackers Leak DHS Staff Directory, Claim FBI Is Next (csoonline.com)
itwbennett writes: On Sunday, the name, title, email address, and phone number of more than 9,000 DHS employees, with titles ranging from engineers, to security specialists, program analysts, InfoSec and IT, all the way up to director level were posted on Twitter. 'The account went on to claim that an additional data dump focused on 20,000 FBI employees was next,' writes CSO's Steve Ragan. The hacker told Motherboard that the data was obtained by "compromising the email account of a DoJ employee, although he would not elaborate on how that account was accessed in the first place."
Useless without link (Score:2)
Where is the link to the list?
Re: (Score:2, Funny)
https://www.ashleymadison.com/ [ashleymadison.com] ;)
Data security (Score:1)
But remember your personal data is safe... (apart from history showing the complete opposite) We didn't just consolidate all the personal data into one easily stealable.. I mean navigable database using lowest bidder software, I am sure no-one could profit from people's personal information we haven't so no-one else can.
pfft, data security laws and regulations are just so unnecessary and backdoors into encryption and digital security can only be used by the "good guys" never fear! apart from when we want you
Sad state of affairs (Score:3, Insightful)
I don't know which is worse, that outfits like the DHS and FBI have such lousy cyber security that this can happen or that someone thinks that publishing this stuff is helping their cause.
Re: (Score:3)
Is this stuff even supposed to be a secret? My company has a link to the employee directory (containing names, titles, email addresses, and phone numbers) right on the home page of their web site.
Re: (Score:3)
Not to mention fodder for spear phishing attacks.
This already happened to us and we are a small company (around 100 employees). An attacker grabbed information from our web site (company directory of C levels), waited until the xmas holiday to initiate an e-mail harvest attack which netted them valid addresses from auto-replies (complete with authentic sigs).
Then an e-mail was crafted which appeared to be a thread in progress by two of the higher-ups. The thread was all forged, of course, but the signature
Re: (Score:2)
What if it's a honeytrap?
Re: (Score:2)
A honeypot, like Winnie the Pooh getting his hand stuck in one?
Re: (Score:2)
... available if requested since these are government employees and the public has a duty of oversight.
Wrong. This is 21ST Century USA. The public has the right to stay at home and shut up. If they want to travel or assemble, they must do so under careful government oversight. The government can look after itself.
The government is required to know all about the people, but only a Terrorist-loving traitor would want information on the government. That information should be classified, along with bus schedules, weather reports, pictures of government buildings and monuments and other possible sources of infor
Re: (Score:2)
Public employees typically have their salaries posted even. If the list doesn't include NoC/UoC or undercover people, this might not be that bad.
Re: (Score:2)
Indeed official staff names, titles, emails, and phone numbers are ALL things that are available to the public through staff directories or FOIA. Much about nothing, and if the "hackers" actually think they hacked something secret, they are most likely just script kiddies who found a public server of a honey pot.
Re: (Score:1)
It is a secret where I work and I'm not doing anything as spooky as the FBI or DHS. There are a good many reasons that a company doesn't want an employee directory publishing:
1) For people with unusual names someone can figure out where you live and target you at home where security is weaker.
2) Phishing using info from the directory to seem legit. "Hi Joe, this is Tom from shipping. Fred from accounting asked me to call you..."
3) Hacking attempts, people's usernames may well be the username part of the email
Re:Sad state of affairs (Score:4, Insightful)
I think they're doing this to shame the DHS and FBI and at the same time show the world that this kind of thing is possible even without government-approved backdoors.
Re:Sad state of affairs (Score:4, Interesting)
Re: (Score:2)
. . . now if they could do this to the NSA . . . that would be like winning the PowerBall.
But alas, the NSA is the difficult one to get in the Beanie Baby set . . .
But trust us with the keys to your back doors (Score:5, Funny)
We will keep them super ultra extra mega secure... promise.
"if you don't want to be tracked..." (Score:4, Interesting)
For years since the Snowden disclosures we have repeatedly heard from the government "If you don't want to be tracked, turn off your phone" [vice.com]. And you have no expectation of privacy when using tools designed to protect your privacy [vice.com].
So let's see here. "If you want privacy, don't work for civil-rights violating organizations". "You have no expectation of privacy if you work for the NSA, DHS, or are a congressman/woman who has voted to strip away our civil rights".
I won't shed half a tear if the shoe shifts to the other foot once in a while.
Hackers leak DHS directory, claim FBI is next (Score:5, Funny)
Great, I've been waiting forever for Mulder's email address. I want to ask him if he knows where his towel is.
Re: (Score:1)
Funny how forum nerds never learn the effects of nostalgia and choose instead to bitch endlessly. Maybe it's just the conservative ones on slashdot.
Re: (Score:2)
OTOH, it beats the snot out of watching American Idol.
Re: (Score:2)
I agree with you about the first 2 episodes, but the 3rd one was brilliant! Loved it! That was a real return to the old days.
Re: (Score:1)
It's unfair that people don't seem to mind aging male actors much if they are established. But viewers are brutal to most aging female actors, even well-known ones. Men are simply less judged on appearance. Perhaps it's human nature and we are just hard-wired that way.
Perhaps we shouldn't be so cynical about the seeming non-idealistic sides of biology: we are merely talking animals with just enough extra smarts to trick ourselves into thinking we are not driven by "primit
Re: (Score:2)
So, it's not unfair after all?
Re: (Score:2)
I prefer Scully's. ;)
Re:Muslim hackers or just thoughtless idiots (Score:5, Insightful)
If American citizens can't have privacy, then neither can the government.
Re: (Score:1)
Good point! Also probably some Buddhists and Christians. This is bad news.
This is so sad (Score:4, Insightful)
Re: (Score:1)
I work for ICE, an agency under DHS. All I can say to both when it comes to their security is "you can't fix stupid." It doesn't matter how much money you throw at a problem, if you don't have anyone qualified to do something about it.
The only reason they don't get hacked, is likely the fact that the network is such a mess you can't navigate your way through it to find anything useful. An employee directory is nothing. That's available in Outlook's GAL.
From the article, it sounds like nothing special...
Re: (Score:2)
The author didn't claim that was their area of work. I know enough about "adjacent" IT groups in my work-place to often determine who's slacking or unskilled. But, that doesn't mean I'm in a position to do anything concrete about it. Merit is only part of the "office game". Office life is Dilbert.
Re: (Score:2)
Every team is being watched and tested.
Why would any gov just allow sensitive files to be created, exist in plain text and be left just facing the open internet?
Every level of the US gov seems to have upgraded to computers at some time. Not much thought went into just connecting the same very secure, isolated systems to the internet and then getting a no bid cloud upgrade.
The
Surprise Surprise (Score:2)
Anti-Israel hackers.
Easy Hack (Score:5, Interesting)
Re:Easy Hack (Score:4, Interesting)
If you gather together enough unclassified information, you can frequently distill from it facts that are considered classified.
Like tracking the tail numbers of international flights to uncover the CIA's rendition program.
Not to mention that a staff directory is exactly what you want for spear phishing campaigns.
Re: (Score:2)
It seems you are a staunch conservative or libertarian. You may not like the government (and perhaps civilization in general), but gov't employees are human beings and citizens, and thus deserve a degree of dignity an
Re:Hillary's server? (Score:5, Funny)
Re:Hillary's server? (Score:4, Insightful)
Lulz (Score:1)
Nothing to hide, nothing to fear, amirite?
Exchange? (Score:5, Informative)
name, title, email address, and phone number of more than 9,000 DHS employees,
All of which are available to any DHS employee with email access, since that data is in the Outlook directory.
Not posted on Twitter (Score:2)
What, they got a hold of the GAL? (Score:2)