You Only Need One Password to Access the Allegedly Hacked Law Enforcement Databases
Users can access a number of homeland security and law enforcement databases from a single website with a single password.
The U.S. government recently lassoed together a bunch of intelligence streams inside an FBI website now implicated in an alleged hack of arrest records, personnel data and other confidential material.
The goal of the revamp was to accelerate information sharing among authorized national security personnel, but the new arrangement may have sped too much data to the wrong people.
Hacker activists claim to have broken into the Law Enforcement Enterprise Portal, or LEEP, a one-stop-shop for exchanging sensitive, unclassified information across all levels of government.
As reported last year, a network upgrade allows authorities nationwide to log into one website, LEO.gov, and, with one password, travel to other law enforcement and homeland security systems.
Hacktivists, acting in protest of violence against Palestinians, say they copied and leaked information from several of those systems.
One member of the hacker group, who calls himself Cracka, tweeted screenshots of a system for booking offenders and a redacted report from the Virtual Command Center -- a site for managing active shooter and other emergency situations, as well as a link to contact details for some 3,000 law enforcement and military members.
“It is now possible to use a single sign-on identity in LEEP and gain access to a number of other services that are sensitive but unclassified,” said Paul Wormeli, a Justice Department consultant. “So, if they indeed got into LEEP, then the rest of this is accurate.”
It is unclear what security hole allowed Cracka and the gang inside, but entrance does not require multifactor authentication, such as using a password and another form of ID like a smart card.
"Users can gain access to LEEP by logging in using a single sign-on process -- using one username and one password for many different resources and services within the LEEP," the Information Sharing Environment program, part of the Office of the Director of National Intelligence, previously announced.
The program's annual report, released in late September, added that agencies "worked to align the nation’s sensitive but unclassified networks. These networks -- the Homeland Security Information Network, Regional Information Sharing Systems, Law Enforcement Enterprise Portal, and Intelink -- are now interoperable, providing an array of services and information through a simplified sign-on using existing credentials by over 400,000 registered users."
According to CNN, law enforcement users of the portal received notices their personal data may have been compromised.
Despite the reported breach, Thomas J. O'Reilly, the retired head of the government's counterterrorism suspicious activity reporting system, said consolidating accounts makes sense when trying to quickly put together puzzle pieces.
"The single sign-on makes the world of intelligence, of fusion of the homeland security far more effective and efficient," he said. That said, when a single system can offer up tons of information, additional ID checks -- "certain firewalls, if you will" -- should be activated, "as you get deeper into the system.”
O'Reilly, now director of the Police Institute at Rutgers University, said there are other ways to contain leaks besides shutting off the flow of information.
For example, when accessing reports gathered by the "See Something, Say Something" public awareness campaign, authorities can log in and see a suspect's name, vehicle and location. However, there is a separate sign-on mechanism required to check the individual's criminal record, he said.
"The reality of it is the security issues are going to be there," O'Reilly said. "The question is -- are you unlocking a 1-gallon container or are you unlocking a 5-gallon container of information. I don't think you can have too much information sharing in a well thought-out business process."
He said he does not have inside knowledge about the alleged hack.
FBI officials on Monday had no comment on bureau website access controls or the alleged hack beyond a statement made Friday that "those who engage" in such hacktivism activities "are breaking the law" and that the FBI will work with other agencies and industries "to identify and hold accountable those who engage in illegal activities in cyberspace."
The same group of self-described teen hackers taking credit for the incident claimed responsibility in October for hacking into the CIA director's home AOL account. The hacktivists dumped CIA head John Brennan's background check application form and a cache of position papers online, none of which date to his term in office, the agency said.
(Image via Maksim Kabakou/Shutterstock.com)