Web intelligence company Recorded Future found the possible exposure of username/password login credentials for 47 government agencies across 89 unique domains on the open web, according to a new report.
The company analyzed 17 “paste sites” from November 2013-November 2014 using open source intelligence collection and analysis. It shared its discoveries with most of the affected agencies in late 2014 and early 2015.
A “paste site” is a “Web application that allows a user to store and share plain text. These sites are regularly used to share snippets of code,” the report said.
The largest one is Pastebin, but dozens of others exist. The paste was often removed after a short period of time, Recorded Future said.
“In many cases, our research identified the immediate removal of the credentials by sites such as pastebin.com. However, to Recorded Future’s knowledge, no efforts are made to contact government agencies whose credentials may be posted on a paste site.”
Although Pastebin attempts to monitor its content, similar sites do not and the information likely still circulates among the original attackers and in private circles, the company said.
“In practice, paste sites have become a dumping ground for stolen credentials, and Facebook has begun mining them to enhance user security.”
Many of these government domains do not use authentication tools to prevent unauthorized access.
A February Office of Management and Budget (OMB) report to Congress noted 12 agencies did not require most privileged users to log in with two-factor authentication. This includes the General Services Administration (GSA), USAID, and the departments of State, Veterans Affairs, Agriculture, Housing and Urban Development, Transportation, Treasury, Health and Human Services, Energy, Interior, and Homeland Security.
All 12 of these agencies had domains paired with passwords on the open Web in late 2013 and 2014, the report said.
“The presence of these credentials on the open Web leaves these agencies vulnerable to espionage, socially engineered attacks, and tailored spear-phishing attacks against their workforce. While some agencies use VPNs, two-factor authentication, and other tokens to provide a safety net, many agencies lag behind as cited by the OMB report to Congress,” Recorded Future said.
At the time of analysis, the Department of Energy had the widest exposure, “with email/password combinations for nine different domains identified on the open Web,” the report said. The Department of Commerce was the second worst, with seven domains exposed.
Most exposures came from vulnerabilities in third-party websites where employees had used a government email account to register for Web-based services.
In most of the exposed credentials, the passwords were weak, “making it trivial for cyber criminals to decode their hashes using lookup tables and easily obtainable password cracking tools,” Recorded Future said.
Recorded Future cited studies showing 50 percent of Americans use the same username/password combination to access multiple sites, including their employers’ networks. If a third-party website’s username/password database is hacked and the employee uses the same login credentials on that website as at work, the credentials could allow unauthorized access to the employer’s networks.
Analysts conducted the research by using the company’s index of over 660,000 open Web sources with lists of government domains identified on data.gov. The searches combined a mix of terms associated with credential exposure and technical tools to identify references to government credentials.
The search included domains associated with the Office of Personnel Management (OPM), and OPM, too, was paired with multiple clear-text or hashed passwords in the analysis.
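As an added illustration of the kind of open-source exposure monitoring the report describes (this is not Recorded Future's code; the paste text and the *.example.gov domains are constructed placeholders), the script below matches email/secret pairs in a paste against a list of an agency's own domains and records only whether each secret is a recognisable unsalted hash or cleartext, never the secret itself:

```python
import re
from collections import defaultdict

# Constructed sample paste (not from the report); domains are placeholders.
SAMPLE_PASTE = """\
-- dump from vuln forum --
jdoe@energy.example.gov:Summer2014
asmith@energy.example.gov:9b74c9897bac770ffc029102a200c5de
bjones@commerce.example.gov:Password1
cwhite@hobbyforum.example.com:letmein
dlee@opm.example.gov:3c6e0b8a9c15224a8228b9a98ca1531d1f4c5a7e
"""

# The agency's own domains, the analogue of the data.gov domain list.
MONITORED_DOMAINS = {"energy.example.gov", "commerce.example.gov", "opm.example.gov"}

# email<sep>secret on one line, the usual layout of credential dumps.
PAIR_RE = re.compile(r"^([\w.+-]+@([\w-]+(?:\.[\w-]+)+))[:;,\t ]+(\S+)[\t ]*$", re.M)

HEX_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

def classify_secret(secret):
    """Label a leaked secret as a recognisable unsalted hex digest or as cleartext.
    Length is only a heuristic: a 32-char hex string is assumed to be MD5, etc."""
    if re.fullmatch(r"[0-9a-fA-F]+", secret) and len(secret) in HEX_DIGEST_LENGTHS:
        return HEX_DIGEST_LENGTHS[len(secret)]
    return "cleartext"

def find_exposures(paste_text, monitored_domains):
    """Return {domain: [(email, secret_type), ...]} for monitored domains only.
    Secrets are classified but not kept, so the result can be shared with the agency."""
    exposures = defaultdict(list)
    for email, domain, secret in PAIR_RE.findall(paste_text):
        domain = domain.lower()
        if domain in monitored_domains:
            exposures[domain].append((email.lower(), classify_secret(secret)))
    return dict(exposures)

def exposure_summary(exposures):
    """Count affected domains, accounts and cleartext hits, the figures the report tracks."""
    hits = [kind for entries in exposures.values() for _, kind in entries]
    return {"domains": len(exposures), "accounts": len(hits),
            "cleartext": hits.count("cleartext")}

if __name__ == "__main__":
    found = find_exposures(SAMPLE_PASTE, MONITORED_DOMAINS)
    for domain, entries in sorted(found.items()):
        print(domain, entries)
    print(exposure_summary(found))
```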
These leaked credentials originated from a variety of attackers, according to the report. This ranges from “hacktivists” with political motivations to actors claiming affiliation with the hacker collectives LulzSec, SwaggSec, Wikileaks, and Anonymous.
However, many of the leaked credentials were the result of attackers exploiting targets of opportunity on vulnerable third-party sites, services, and individuals without specifically targeting government credentials. That included a natural history museum, a sports news site, and individual government employees.
“Often, these attacks leverage freely-traded exploits against unpatched sites and servers,” the report said.
The report recommended several actions to mitigate these risks:
- Enable multi-factor authentication and/or VPNs;
- Require government employees to use stronger passwords and change them with greater regularity;
- Gauge and define use of government email addresses on third-party sites;
- Maintain awareness of third-party breaches and regularly assess exposure; and
- Ensure the Robot Exclusion Standard (robots.txt) is set for government login pages to prevent listing of webmail/Web services in search engines.
The company noted that although some agencies are using protective measures, “many credentials with easily discoverable logins remain posted to social media, forums and paste sites.”