DEA Investigating Breach of Law Enforcement Data Portal

An anonymous reader quotes a report from KrebsOnSecurity: The U.S. Drug Enforcement Administration (DEA) says it is investigating reports that hackers gained unauthorized access to an agency portal that taps into 16 different federal law enforcement databases. KrebsOnSecurity has learned the alleged compromise is tied to a cybercrime and online harassment community that routinely impersonates police and government officials to harvest personal information on their targets. On May 8, KrebsOnSecurity received a tip that hackers obtained a username and password for an authorized user of esp.usdoj.gov, which is the Law Enforcement Inquiry and Alerts (LEIA) system managed by the DEA. According to this page at the Justice Department website, LEIA "provides federated search capabilities for both EPIC and external database repositories," including data classified as "law enforcement sensitive" and "mission sensitive" to the DEA.

A document published by the Obama administration in May 2016 (PDF) says the DEA's El Paso Intelligence Center (EPIC) systems in Texas are available for use by federal, state, local and tribal law enforcement, as well as the Department of Defense and intelligence community. EPIC and LEIA also have access to the DEA's National Seizure System (NSS), which the DEA uses to identify property thought to have been purchased with the proceeds of criminal activity (think fancy cars, boats and homes seized from drug kingpins). The screenshots shared with this author indicate the hackers could use EPIC to look up a variety of records, including those for motor vehicles, boats, firearms, aircraft, and even drones.

From the standpoint of individuals involved in filing these phony EDRs, access to databases and user accounts within the Department of Justice would be a major coup. But the data in EPIC would probably be far more valuable to organized crime rings or drug cartels, said Nicholas Weaver, a researcher for the International Computer Science Institute at University of California, Berkeley. Weaver said it's clear from the screenshots shared by the hackers that they could use their access not only to view sensitive information, but also submit false records to law enforcement and intelligence agency databases. "I don't think these [people] realize what they got, how much money the cartels would pay for access to this," Weaver said. "Especially because as a cartel you don't search for yourself you search for your enemies, so that even if it's discovered there is no loss to you of putting things ONTO the DEA's radar."

Just user and password?

[fermion]

The security protocol for the government must be random. For the people I know, they have a US laptop and security token. To gain access for my trusted traveler account, I need user name, password, and faceid on my phone. That this level of data can be accessed with third factor authentication is criminal. If the hackers were using a stolen laptop or other credential, that would be different. But stolen credentials are to be reported and disabled immediately.

Re:

[darkpixel2k]

But stolen credentials are to be reported and disabled immediately.

I'm excited to invest in your new company that sells an exciting new product that somehow knows the moment anyone's credentials have been stolen so users can report them for disablement immediately. I excitedly await version 2.0 that can automatically disable credentials the moment it detects they are stolen. Kindly send me your routing number so I can deposit funds immediately.

Re:

[fermion]

I hope you donâ(TM)t have a security clearance. Those that do have a responsibility to keep track of their stuff and report if it is lost or stolen. At that point it is a simple matter to revoke the credential. Also my AirTag reports if it is left behind at an insecure location of removed.

Re:

[Anonymous Coward]

I hope you donâ(TM)t have a security clearance. Those that do have a responsibility to keep track of their stuff and report if it is lost or stolen. At that point it is a simple matter to revoke the credential. Also my AirTag reports if it is left behind at an insecure location of removed.

I don't have a security clearance, but I work with people who do and I can do my job just fine with them sanitizing the classified information into an "example use case". I refuse to partake in any job where someone can claim I leaked information (right or wrong, see Hillary Clinton) and I suddenly have to defend myself against years, decades, or life in prison because of bullshit political posturing...or defend myself against the "court of public opinion".

Let's hope you don't have a security clearance w

Re:

[BoogieChile]

The task of reporting on and preventing a credential from being used from an IP address it has no business being used from is not particularly new thing.

How did they get the SECOND factor?

[mamba-mamba]

So username and password. That is one factor. How did they get the SECOND factor? They do have two factor authentication, right? I can't even check my gmail without two factor authentication...

Re:

[Sauce Tin]

It could be a number of things. Poor 2FA implementations (more common than you'd think), a compromised phone/stolen token, bruteforcing 2FA pages which don't handle bruteforcing correctly, or even just downright lack of 2FA altogether.

Re:

[Sauce Tin]

Oh -- and let's not forget advanced phishing proxies which handle 2FA.

Re:

[mamba-mamba]

After posting I went back and read TFA. As it turns out, the portal allowed access with the username and password only (no other factors required).

Re:

[CaptQuark]

The DEA’s El Paso Intelligence Center (EPIC) systems in Texas are available for use by federal, state, local and tribal law enforcement. All federal users are required to use PIV cards to access gov't information systems, but what do you do about state, local, and tribal law enforcement users?

- Send each user to the GSA to get approved PIV cards? ($30+ each) -- very secure but very expensive for each office.
- Allow approved RSA tokens? Requires each office to purchase RSA tokens and the gov'

Re:

[AutodidactLabrat]

False. Drug Use and Drug Sales are coequal effects and are nearly evenly distributed among the races with WHITES outdistancing blacks, latins and asians in per capita uses [nih.gov] based on self reporting for randomized populations of college students nationwide.

Re:

[PPH]

Agreed.

All drugs should be legal and freely available.

Nope. It's just that the DEA's responsibilities should be distributed between the FDA (for legal and controlled drugs) and the FBI (illegal stuff). The FBI is in a far better position to prioritize enforcement and determine when drug problems are linked to other sorts of illegal activities.

Re: DEA should not exist

[PPH]

Nobody lives in isolation. If you sneeze your disgusting Covid-laced plgem on me, you deserve to die. On the other hand, I have no business telling you what you should not put into your body only if you accept the premise that society has no duty to administer Narcan into your poor, convulsing body lying in the gutter.

Re:

[b0s0z0ku]

And property should only be taken from people or organizations with just compensation (eminent domain) or after a fair jury trial (as part of a civil or criminal penalty). Seizures and civil forfeitures make a mockery of the Constitution.

Re:

[AutodidactLabrat]

Well remember to thank Scalia, Thomas and the rest of the right. They alone signed off on "punishing the money"

Re:

[darkpixel2k]

All drugs should be legal and freely available. The DEA produces a prison culture that affects disproportionately people of color.

All drugs should be legal and freely available because it's not the government's job to police what someone does with their own body when they aren't harming anyone or damaging property. If someone is harming someone else, it's the government's job to come clean up the mess after someone else defends themself.

MFA May

[awwshit]

Hey US Government, you might want to have your right hand meet your left hand. It is CISA's MFA May after all. Time to do yourself what you force all contractors to do.

https://www.cisa.gov/blog/2022... [cisa.gov]

And tomorrow is FIDO Friday. Get with the times.

HaHa

[AcidFnTonic]

Do unto them, as they do unto us.

Im laughing all the way to weaponizing this leak to use against any other attempts to create such databases. After all if they can't keep this system secure then they don't have any business building any more.

Fyck the DEA.

Re:

[b0s0z0ku]

And fyck civil forfeiture/seizure in general if not preceded by a determination of guilt at trial. Suspicion shouldn't be enough to steal people's property.

Witness protection program

[manu0601]

I hope witness protection program data is better protected than that. Indeed, cartels would pay a lot for that data.

Backdoors

[dstwins]

And this Boys and Girls is why government "backdoors" are a BAD thing.. because you just shift the attack pattern/profile from a few script kiddies that knock on the door, to a concerted effort to breach the defenses.. And then when you add Human stupidity/fallibility to the mix. Well, its just not going to end well.

Re:

[b0s0z0ku]

They're a GOOD thing if they inhibit their ability to steal people's property without trial. Seized assets = stolen assets.

Can they hack the Supreme Court?

[ayesnymous]

Then maybe the Justices will realize a right to privacy is a good thing