A CIA-backed technology company has found logins and passwords for 47 government agencies strewn across the Web — available for hackers, spies and thieves.
Recorded Future, a social media data mining firm backed by the CIA’s venture capital arm, says in a report that login credentials for nearly every federal agency have been posted on open Internet sites for those who know where to look.
“The presence of these credentials on the open Web leaves these agencies vulnerable to espionage, socially engineered attacks, and tailored spear-phishing attacks against their workforce,” the company says.
The company says logins and passwords were found connected with the departments of Defense, Justice, Treasury and Energy, as well as the CIA and the Director of National Intelligence.
In a blog, the company reported:
“Recorded Future identified the possible exposures of login credentials for 47 United States government agencies across 89 unique domains.
“As of early 2015, 12 of these agencies, including the Departments of State and Energy, allowed some of their users access to computer networks with no form of two-factor authentication. The presence of these credentials on the open Web leaves these agencies vulnerable to espionage, socially engineered attacks, and tailored spear-phishing attacks against their workforce.
“The findings by Recorded Future were gained using the company’s Web Intelligence Engine which scans more than 680,000 Web sources in seven languages. Recorded Future arms information security teams with real-time threat intelligence so you can proactively defend your organization against cyber attacks.”
Recommendations
The company also recommended steps to address security concerns:
- Recommended Actions › Enable multi-factor authentication and/or VPNs [virtual private networks]
- Require Government employees to use stronger passwords and change with greater regularity.
- Gauge and define use of government email addresses on third-party sites.
- Maintain awareness of third-party breaches and regularly assess exposure.
- Ensure Robot Exclusion Standard (robots.txt) is set for government login pages to prevent listing of webmail/Web-services in search engines.
The full report can be downloaded at: https://www.recordedfuture.com/government-credentials-report/
