A government watchdog has published a scathing rebuke of the Department of the Interior’s cybersecurity posture, finding that it was able to crack thousands of employee user accounts because the department’s security policies allow easy-to-guess passwords such as 'Password1234'.
The report by the Interior Department’s Office of Inspector General, which oversees the US executive agency that manages federal lands, national parks and a multibillion-dollar budget, said the department’s reliance on passwords as the only way to protect some of its most important systems and employee user accounts defies nearly two decades of the government’s own cybersecurity guidance requiring stronger two-factor authentication.
It concludes that poor password policies put the department at risk of a breach that could lead to a “high probability” of massive disruption to its operations.
The inspector general’s office said it launched its investigation after a previous test of the agency’s cybersecurity defenses found lax password policies and requirements at more than a dozen agencies and offices of the Department of the Interior. The goal this time was to determine whether the department’s security defenses were sufficient to block the use of stolen and recovered passwords.
The passwords themselves are not always stolen in readable form. Passwords you create on websites and online services are typically not stored as you typed them; they are run through a one-way function and stored as its output, a fixed-length string of seemingly random letters and numbers, so passwords obtained by malware or a data breach cannot be used directly. This is called password hashing. Because a hash cannot be reversed, an attacker has to guess candidate passwords, hash each one and compare the result with the stolen hash, so the complexity of the password (and the cost of the hash algorithm used) determines how long it takes a computer to crack it. In general, the longer or more complex the password, the longer it will take to recover.
But the watchdog’s staff said that relying on claims that passwords meeting the department’s minimum security requirements would take more than a hundred years to recover using commercial password-cracking software has created a “false sense of security” that those passwords are safe, in large part because of the computing power commercially available today.
To prove its point, the watchdog spent less than $15,000 building a password-cracking rig, a high-performance computer (or several chained together) with the computing power to perform bulk mathematical work such as recovering hashed passwords. In the first 90 minutes, the watchdog was able to recover almost 14,000 employee passwords, about 16% of all accounts in the department, including passwords like 'Polar_bear65' and 'Nationalparks2014!'.
The watchdog also recovered the passwords of hundreds of accounts belonging to senior government officials and of other accounts with elevated privileges to access sensitive data and systems. Another 4,200 hashed passwords were cracked during an additional eight weeks of testing.
Password-cracking rigs are not a new concept, but they require considerable computing power and electricity to run, and even a relatively simple hardware setup can easily cost several thousand dollars to build. (For comparison, White Oak Security spent about $7,000 on hardware for a reasonably powerful rig in 2019.)
Password-cracking rigs also rely on large lists of human-readable words and phrases to test against the hashed passwords. Using open source, freely available software like Hashcat, you can hash each entry in a list of candidate words and phrases and compare the results against the stolen hashes. For example, the MD5 hash of 'password' is '5f4dcc3b5aa765d61d8327deb882cf99'. Because this hash is already well known, it takes a computer less than a microsecond to confirm it.
According to the report, the Department of the Interior provided the watchdog with the password hash of every user account, and the watchdog then waited 90 days for those passwords to expire, per the department’s own password policy, before it was considered safe to try to crack them.
The watchdog said it built its own custom word list to crack the department’s passwords from multi-language dictionaries, US government terminology, pop culture references and publicly available lists of passwords collected from previous data breaches. (It’s not uncommon for tech companies to collect lists of passwords stolen in other data breaches and compare them against their own set of hashed customer passwords, as a way to stop customers from reusing a password from another website.) In doing so, the watchdog demonstrated that a well-resourced cybercriminal could have cracked the department’s passwords at a similar rate, according to the report.
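To make the hashing and wordlist passages above concrete, here is a toy dictionary-plus-rules attack in Python, the kind of job Hashcat runs at scale on a GPU rig. It is an added illustration, not code from the OIG report or from the article. It assumes unsalted MD5 purely because that is the hash in the article's 'password' example; the report does not say which hash format the department's accounts used. The usernames, the base wordlist and the target hashes are constructed here, with the hashes computed from the plaintexts the article quotes plus one long passphrase chosen to lie outside the toy wordlist's reach.

```python
"""Toy dictionary + mangling-rule attack against unsalted MD5 hashes.

Added example; not the OIG's tooling. MD5 is an assumption taken from the
article's own '5f4dcc3b...' example, not a statement about the department.
"""
import hashlib
import itertools
from typing import Dict, Iterable, List, Tuple


def md5_hex(password: str) -> str:
    """Unsalted MD5 of a password, hex-encoded (as in the article's example)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed target table (username -> hash). The first four plaintexts are
# the ones the article quotes; the fifth is an assumed long passphrase that
# the toy wordlist cannot reach, so the uncracked case is visible.
TARGETS: Dict[str, str] = {
    "user01": md5_hex("password"),
    "user02": md5_hex("Password1234"),
    "user03": md5_hex("Polar_bear65"),
    "user04": md5_hex("Nationalparks2014!"),
    "user05": md5_hex("glacier-otter-44-lantern-quartz"),
}

# Constructed base wordlist in the spirit of the report's custom list:
# dictionary words, agency terminology and perennial breach favourites.
BASE_WORDS: List[str] = [
    "password", "polar_bear", "nationalparks", "interior",
    "yellowstone", "welcome", "summer", "letmein",
]


def case_variants(word: str) -> Iterable[str]:
    """Hashcat-style case rules: as-is, capitalised, upper-cased."""
    yield word
    yield word.capitalize()
    yield word.upper()


def candidates(words: Iterable[str]) -> Iterable[str]:
    """Expand each base word by case rule x 0-4 digit suffix x symbol suffix.

    The digit/symbol appends are what turn 'nationalparks' into
    'Nationalparks2014!' and why such 'complex' passwords fall quickly.
    """
    digit_suffixes = [""] + [
        "".join(d) for n in range(1, 5)
        for d in itertools.product("0123456789", repeat=n)
    ]
    symbols = ["", "!", "@", "#"]
    for word in words:
        for variant in case_variants(word):
            for digits in digit_suffixes:
                for sym in symbols:
                    yield variant + digits + sym


def crack(targets: Dict[str, str],
          words: Iterable[str] = BASE_WORDS) -> Tuple[Dict[str, str], int]:
    """Return ({username: recovered_password}, number_of_candidates_hashed).

    Targets are indexed hash -> [users], so each candidate is hashed once and
    checked against every account at the same time. That is why unsalted
    hashes are so cheap to attack in bulk and why reused passwords fall together.
    """
    by_hash: Dict[str, List[str]] = {}
    for user, digest in targets.items():
        by_hash.setdefault(digest, []).append(user)

    cracked: Dict[str, str] = {}
    tried = 0
    for cand in candidates(words):
        tried += 1
        digest = md5_hex(cand)
        if digest in by_hash:
            for user in by_hash.pop(digest):
                cracked[user] = cand
            if not by_hash:  # everything recovered, stop early
                break
    return cracked, tried


if __name__ == "__main__":
    found, tried = crack(TARGETS)
    print(f"hashed {tried} candidates, cracked {len(found)}/{len(TARGETS)} accounts")
    for user, pw in sorted(found.items()):
        print(f"  {user}: {pw}")
    for user in sorted(set(TARGETS) - set(found)):
        print(f"  {user}: not in wordlist/rule space")
```

Run stand-alone it recovers the four article-style passwords and reports the passphrase as uncracked after roughly a million MD5 computations, which pure Python finishes in a couple of seconds; a GPU rig of the kind the report describes does the same work in a small fraction of a millisecond, which is the whole point of the "false sense of security" finding.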
The watchdog found that about 5% of all active user account passwords were based on some variation of the word “password,” and that the department failed to “timely” disable inactive or unused user accounts, leaving at least 6,000 vulnerable user accounts still active.
The report also criticized the Department of the Interior for “inconsistently” implementing or enforcing two-factor authentication, in which users must also enter a code from a device they physically possess, so that an attacker cannot log in with a stolen password alone. The report said that nearly nine out of 10 of the department’s high-value assets, systems whose compromise would severely disrupt its operations or expose sensitive data, were not protected by any form of second-factor security, and that as a result the department had disregarded 18 years of federal mandates, including its “own internal policies.” When the watchdog requested a detailed report on the department’s use of two-factor authentication, the department said the information did not exist.
“This failure to prioritize a critical security control led to the continued use of single-factor authentication,” the watchdog concluded.
In its response, the Department of the Interior said it agreed with most of the inspector general’s findings and that it was “committed” to implementing the Biden administration’s executive order directing federal agencies to strengthen their cybersecurity defenses.