
DEA Investigating Breach of Law Enforcement Data Portal (krebsonsecurity.com)

An anonymous reader quotes a report from KrebsOnSecurity: The U.S. Drug Enforcement Administration (DEA) says it is investigating reports that hackers gained unauthorized access to an agency portal that taps into 16 different federal law enforcement databases. KrebsOnSecurity has learned the alleged compromise is tied to a cybercrime and online harassment community that routinely impersonates police and government officials to harvest personal information on their targets. On May 8, KrebsOnSecurity received a tip that hackers obtained a username and password for an authorized user of esp.usdoj.gov, which is the Law Enforcement Inquiry and Alerts (LEIA) system managed by the DEA. According to this page at the Justice Department website, LEIA "provides federated search capabilities for both EPIC and external database repositories," including data classified as "law enforcement sensitive" and "mission sensitive" to the DEA.

A document published by the Obama administration in May 2016 (PDF) says the DEA's El Paso Intelligence Center (EPIC) systems in Texas are available for use by federal, state, local and tribal law enforcement, as well as the Department of Defense and intelligence community. EPIC and LEIA also have access to the DEA's National Seizure System (NSS), which the DEA uses to identify property thought to have been purchased with the proceeds of criminal activity (think fancy cars, boats and homes seized from drug kingpins). The screenshots shared with this author indicate the hackers could use EPIC to look up a variety of records, including those for motor vehicles, boats, firearms, aircraft, and even drones.

From the standpoint of individuals involved in filing these phony EDRs, access to databases and user accounts within the Department of Justice would be a major coup. But the data in EPIC would probably be far more valuable to organized crime rings or drug cartels, said Nicholas Weaver, a researcher for the International Computer Science Institute at University of California, Berkeley. Weaver said it's clear from the screenshots shared by the hackers that they could use their access not only to view sensitive information, but also submit false records to law enforcement and intelligence agency databases. "I don't think these [people] realize what they got, how much money the cartels would pay for access to this," Weaver said. "Especially because as a cartel you don't search for yourself you search for your enemies, so that even if it's discovered there is no loss to you of putting things ONTO the DEA's radar."

  • The security protocol for the government must be random. For the people I know, they have a US laptop and security token. To gain access for my trusted traveler account, I need user name, password, and faceid on my phone. That this level of data can be accessed with third factor authentication is criminal. If the hackers were using a stolen laptop or other credential, that would be different. But stolen credentials are to be reported and disabled immediately.
    • But stolen credentials are to be reported and disabled immediately.

      I'm excited to invest in your new company that sells an exciting new product that somehow knows the moment anyone's credentials have been stolen so users can report them for disablement immediately. I excitedly await version 2.0 that can automatically disable credentials the moment it detects they are stolen. Kindly send me your routing number so I can deposit funds immediately.

      • by fermion ( 181285 )
        I hope you don't have a security clearance. Those that do have a responsibility to keep track of their stuff and report if it is lost or stolen. At that point it is a simple matter to revoke the credential. Also my AirTag reports if it is left behind at an insecure location or removed.
        • by Anonymous Coward

          I hope you don't have a security clearance. Those that do have a responsibility to keep track of their stuff and report if it is lost or stolen. At that point it is a simple matter to revoke the credential. Also my AirTag reports if it is left behind at an insecure location or removed.

          I don't have a security clearance, but I work with people who do and I can do my job just fine with them sanitizing the classified information into an "example use case". I refuse to partake in any job where someone can claim I leaked information (right or wrong, see Hillary Clinton) and I suddenly have to defend myself against years, decades, or life in prison because of bullshit political posturing...or defend myself against the "court of public opinion".

          Let's hope you don't have a security clearance w

      • The task of reporting on and preventing a credential from being used from an IP address it has no business being used from is not a particularly new thing.

  • So username and password. That is one factor. How did they get the SECOND factor? They do have two factor authentication, right? I can't even check my gmail without two factor authentication...
    • It could be a number of things. Poor 2FA implementations (more common than you'd think), a compromised phone/stolen token, bruteforcing 2FA pages which don't handle bruteforcing correctly, or even just downright lack of 2FA altogether.
      • Oh -- and let's not forget advanced phishing proxies which handle 2FA.
      • After posting I went back and read TFA. As it turns out, the portal allowed access with the username and password only (no other factors required).
        • The DEA’s El Paso Intelligence Center (EPIC) systems in Texas are available for use by federal, state, local and tribal law enforcement. All federal users are required to use PIV cards to access gov't information systems, but what do you do about state, local, and tribal law enforcement users?

          - Send each user to the GSA to get approved PIV cards? ($30+ each) -- very secure but very expensive for each office.
          - Allow approved RSA tokens? Requires each office to purchase RSA tokens and the gov'
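The thread above lists second-factor weaknesses, among them verification pages that do not limit guesses. As an added illustration (not code from the article, the DEA portal, or any commenter), this constructed Python sketch puts a guess-unlimited verifier beside one that caps attempts per login session, expires and single-uses the code, and compares in constant time; all names and limits are hypothetical.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5          # hypothetical per-session cap on wrong guesses
CODE_TTL_SECONDS = 300    # hypothetical lifetime of an issued code


def issue_code():
    """Issue a 6-digit one-time code from a CSPRNG (constructed example)."""
    return f"{secrets.randbelow(10**6):06d}"


class WeakOtpVerifier:
    """The pattern the thread warns about: unlimited attempts, no expiry,
    and the same code stays valid after every wrong guess."""
    def __init__(self, code):
        self.code = code

    def verify(self, submitted):
        return submitted == self.code


class HardenedOtpVerifier:
    """Attempt counter lives server-side and is bound to the login session,
    not to the client IP, so spreading guesses across sources does not reset it."""
    def __init__(self, code, now=None):
        self.code = code
        self.issued_at = time.time() if now is None else now
        self.attempts = 0
        self.used = False

    def verify(self, submitted, now=None):
        now = time.time() if now is None else now
        if self.used or now - self.issued_at > CODE_TTL_SECONDS:
            return False                      # single use; stale codes are dead
        self.attempts += 1
        if self.attempts > MAX_ATTEMPTS:
            return False                      # locked: the user must re-authenticate
        ok = hmac.compare_digest(submitted.encode(), self.code.encode())
        if ok:
            self.used = True
        return ok


def exhaustive_guess_gets_through(verifier):
    """Defender-side property check: does trying every 6-digit value succeed?"""
    return any(verifier.verify(f"{n:06d}") for n in range(10**6))
```

Run against the same code, the weak verifier always falls to enumeration while the hardened one locks after MAX_ATTEMPTS wrong guesses, which is the difference the thread's "poor 2FA implementations" remark is about.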

  • by awwshit ( 6214476 ) on Thursday May 12, 2022 @05:05PM (#62527566)

    Hey US Government, you might want to have your right hand meet your left hand. It is CISA's MFA May after all. Time to do yourself what you force all contractors to do.

    https://www.cisa.gov/blog/2022... [cisa.gov]

    And tomorrow is FIDO Friday. Get with the times.

  • Do unto them, as they do unto us.

    I'm laughing all the way to weaponizing this leak to use against any other attempts to create such databases. After all if they can't keep this system secure then they don't have any business building any more.

    Fyck the DEA.

    • And fyck civil forfeiture/seizure in general if not preceded by a determination of guilt at trial. Suspicion shouldn't be enough to steal people's property.
  • I hope witness protection program data is better protected than that. Indeed, cartels would pay a lot for that data.
  • Backdoors

    by dstwins ( 167742 ) on Thursday May 12, 2022 @05:58PM (#62527730) Homepage
    And this, boys and girls, is why government "backdoors" are a BAD thing.. because you just shift the attack pattern/profile from a few script kiddies that knock on the door, to a concerted effort to breach the defenses.. And then when you add human stupidity/fallibility to the mix. Well, it's just not going to end well.
    • They're a GOOD thing if they inhibit their ability to steal people's property without trial. Seized assets = stolen assets.
  • Then maybe the Justices will realize a right to privacy is a good thing
