Account Compromises Impacting SLTT Governments
In 2015 the Multi-State Information Sharing and Analysis Center (MS-ISAC) identified approximately 25 online posts per month that contained email addresses and passwords belonging to U.S. state, local, tribal and territorial (SLTT) government employees. These posts generally contained plaintext email addresses and passwords, although they sometimes contained hashed passwords or other information. MS-ISAC identified the account information as belonging to SLTT government employees based on the domains in the email addresses. In almost all instances, the leaked credentials came from third-party websites where an SLTT government employee had used their official email address to log in to or receive emails from the third party, and it was the third party's data that had been posted online, not data from the SLTT government.
This continues the trend first reported on July 30, 2015, which documented a significant increase in the number of posts identified in 2015 that contained SLTT employee account information, as opposed to the number of posts identified in 2014. Based on this reporting, which may be influenced by an increase in MS-ISAC’s capabilities, it appears that third-party data breaches are becoming a significant threat to our SLTT partners.
Overall, during 2015 MS-ISAC identified 86,447 compromised SLTT accounts in 301 data dumps. As in the past, the majority of the posts were made anonymously, without a malicious cyber actor claiming credit. Somewhat more posts than before named the website that was compromised, although the majority still did not include this information. Perhaps not surprisingly, the number of credentials exposed by a particular post and the number of posts continue to show no correlation to one another.
During the past year, there were many notable data breaches that affected MS-ISAC members, including an instance in December when a free hosting provider was compromised and over 13 million accounts were posted online as a result. MS-ISAC identified 10,296 SLTT government accounts potentially compromised by the post and notified 121 SLTT partners of the threat.
Where is the data from?
Malicious actors sometimes find vulnerabilities in private websites and exploit them, which can result in the actors gaining access to the website’s account database. This allows the actors to access a variety of information, including login credentials. The malicious actors utilize certain websites to post the stolen data. MS-ISAC monitors some of these locations to identify lists of stolen credentials and subsequently provides victim notification.
Isn’t this data hashed?
MS-ISAC analysis of posts shows that a significant majority of identified posts disclosed user passwords in plaintext. Only a minority of the identified posts contained hashed passwords, which makes it significantly more difficult for attackers to recover the passwords. Hashed passwords are passwords that have been transformed by a one-way hashing algorithm, so the original password is not stored directly.
Hashed passwords can be cracked, but an attacker would need to know which hashing algorithm was used to hash the passwords. If the hashing algorithm is known or has been discovered, malicious actors could use rainbow tables that have been posted online by other malicious actors and researchers. A rainbow table is a large set of precomputed tables of hash values mapped to the possible plaintext passwords that produce them.
If a malicious actor knows the hashing algorithm and has large amounts of Random Access Memory (RAM) available, a hashed password could be cracked in less than five minutes. If the hashing algorithm is not known to the actor, only sophisticated actors would be able to recover a hashed password through brute-force techniques.
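The storage difference behind the paragraphs above, as an added example that is not part of the original advisory: an unsalted digest of a common password can be resolved from a precomputed table in one lookup, while a per-user salt plus an iterated hash (PBKDF2-HMAC-SHA256, the scheme assumed here) gives every user a different record that no shared table covers. The wordlist is a constructed four-entry stand-in.

```python
import hashlib
import secrets
from typing import Optional

# Constructed wordlist standing in for the candidate passwords a precomputed
# table covers; real rainbow tables hold billions of entries.
CANDIDATES = ["password", "letmein", "Summer2015", "qwerty123"]

def unsalted_md5(password: str) -> str:
    """Legacy storage: a bare MD5 digest, identical for every user with that password."""
    return hashlib.md5(password.encode()).hexdigest()

def build_precomputed_table(candidates):
    """Map digest -> plaintext for every candidate, computed once and reused against any dump."""
    return {unsalted_md5(p): p for p in candidates}

def lookup(table, leaked_digest: str):
    """A leaked unsalted digest is resolved with one dictionary lookup if the table covers it."""
    return table.get(leaked_digest.lower())

def salted_pbkdf2(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Recommended storage: per-user random salt plus a slow iterated hash (PBKDF2-HMAC-SHA256).
    The salt makes shared precomputation useless and the iteration count slows each guess."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return secrets.compare_digest(recomputed.hex(), digest_hex)

def demo():
    """Same password, two storage schemes: only the unsalted digest is resolvable from the table."""
    table = build_precomputed_table(CANDIDATES)
    recovered = lookup(table, unsalted_md5("Summer2015"))   # "Summer2015"
    record_a = salted_pbkdf2("Summer2015")
    record_b = salted_pbkdf2("Summer2015")                   # different salt, different record
    return recovered, record_a != record_b, verify_salted("Summer2015", record_a)

if __name__ == "__main__":
    print(demo())
```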
Why is SLTT data on private websites and why can this be harmful?
Many SLTT government employees use their work email addresses as their account information on private websites. This does not mean that the website is affiliated with an SLTT government or that an SLTT government is compromised if this information is available online. The harm occurs if the SLTT government employee uses the same password to log in to their SLTT government account(s). This is called Password Reuse.
Password reuse is a vulnerability because malicious cyber threat actors can take advantage of a reused password when other associated information, such as an email address, identifies the person. The actors can then search for other accounts the person uses and try to log in with the same password. In some cases they might look for personal accounts such as Facebook, Twitter, or banking websites. In other instances they may try to determine where the person is employed and attempt to gain remote access, for example through remote email or timecard systems. This is a particular vulnerability when a work email address is posted with the password, because the email address tells the attacker where the person works.
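The triage and reuse check described above, as an added example that is not MS-ISAC's own tooling: it parses a constructed credential dump, groups affected accounts by email domain (domain list is constructed) so each partner can be notified, and, on the employer side, flags accounts whose leaked plaintext password also matches the stored work credential. The work store uses salted PBKDF2-HMAC-SHA256 as an assumed storage scheme.

```python
import hashlib
import re
import secrets
from collections import defaultdict

# Constructed sample of a credential dump as scraped from a paste site: mostly
# email:plaintext, occasionally email:hash, plus lines that are not credentials.
DUMP = """\
jdoe@example-county.gov:Winter2015!
asmith@state.xx.us:5f4dcc3b5aa765d61d8327deb882cf99
bob@personalmail.example:hunter2
# dumped from somefreehost (constructed header line)
kwong@cityhall.example.gov:Winter2015!
"""
# Constructed domain list; real triage uses a maintained list of member domains.
SLTT_DOMAINS = {"example-county.gov", "state.xx.us", "cityhall.example.gov"}
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")

def parse_dump(text):
    """Yield (email, secret, kind) for credential lines; kind is 'plaintext' or 'hash'."""
    for line in text.splitlines():
        email, _, secret = line.strip().partition(":")
        if email.startswith("#") or "@" not in email or not secret:
            continue
        kind = "hash" if HEX_DIGEST.match(secret.lower()) else "plaintext"
        yield email.lower(), secret, kind

def triage(text, sltt_domains):
    """Group affected accounts by email domain so each SLTT partner is notified once."""
    hits = defaultdict(list)
    for email, secret, kind in parse_dump(text):
        domain = email.rsplit("@", 1)[1]
        if domain in sltt_domains:
            hits[domain].append((email, kind))
    return dict(hits)

def store_work_password(password, salt=None):
    """Assumed employer-side storage: (salt, PBKDF2-HMAC-SHA256 digest), never the plaintext."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def reused_accounts(text, work_store):
    """Emails whose leaked plaintext password also matches their stored work credential."""
    reused = []
    for email, secret, kind in parse_dump(text):
        if kind != "plaintext" or email not in work_store:
            continue
        salt, digest = work_store[email]
        guess = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
        if secrets.compare_digest(guess, digest):
            reused.append(email)
    return reused
```

Accounts returned by `reused_accounts` are the ones where notification alone is not enough and a forced reset of the work password is warranted.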
- Passwords should have at least ten characters and include uppercase and lowercase letters, numbers, and symbols. CIS recommends the use of 14 characters. Use different passwords for each account you access. In the event that one account is compromised, the use of different passwords will help ensure that the individual's other accounts are not at risk.
- Do not use words and proper names in passwords, regardless of language, or personal information, such as your name, a family member's or pet's name, etc.
- Change passwords regularly — at least every 60 days; if you believe your account has been compromised change passwords immediately. Do not reuse old passwords.
- Do not allow a browser’s password manager to store your passwords; some browsers store and display passwords in clear text and do not implement password protection by default.
- Do not allow websites to automatically log in to an account; many services store this information locally and it can be exploited by attackers to gain access to accounts without a password.
- Do not share your password with anyone and do not respond to emails or phone calls asking for your login credentials. Legitimate businesses will never ask for your login credentials via these methods.
- Use multi-factor authentication consisting of something you know (password) and something you have (mobile phone, physical key, etc.), if it is offered.
- Avoid logging onto any sites on public Wi-Fi; malicious actors will sometimes "sniff" the traffic on public Wi-Fi and may be able to steal account information while a user is logging onto a site.
- At work, follow your organization's password policy and use different passwords for work and personal use. Do not use your work email when signing up for and accessing personal websites.
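The first two password rules above, as an added example that is not part of the original advisory: a checker that enforces the ten-character minimum with a warning below the 14 characters CIS recommends, requires all four character classes, and rejects dictionary words in any language (accent-folded; the wordlist is a constructed stand-in) and caller-supplied personal information.

```python
import re
import unicodedata

# Constructed stand-in for a multi-language wordlist; real checks use full dictionaries.
DICTIONARY_WORDS = {"password", "welcome", "summer", "contraseña", "passwort", "admin"}

def _fold(text: str) -> str:
    """Case-fold and strip accents so 'Contraseña' and 'contrasena' compare equal."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold()

def check_password(candidate, personal_info=(), minimum=10, recommended=14, words=DICTIONARY_WORDS):
    """Apply the guidance above; returns (ok, errors, warnings). Warnings do not fail the check."""
    errors, warnings = [], []
    if len(candidate) < minimum:
        errors.append(f"shorter than {minimum} characters")
    elif len(candidate) < recommended:
        warnings.append(f"meets {minimum} but CIS recommends {recommended}")
    classes = {
        "uppercase": r"[A-Z]", "lowercase": r"[a-z]",
        "number": r"[0-9]", "symbol": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, candidate):
            errors.append(f"missing {name}")
    folded = _fold(candidate)
    for word in sorted(words):           # sorted for deterministic output
        if len(word) >= 4 and _fold(word) in folded:
            errors.append(f"contains dictionary word '{word}'")
    for item in personal_info:           # e.g. user's name, family or pet names
        if len(item) >= 3 and _fold(item) in folded:
            errors.append(f"contains personal information '{item}'")
    return (not errors, errors, warnings)
```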