
A government watchdog spent $15,000 to crack a federal agency’s passwords in minutes

A government watchdog has released a scathing rebuke of the Interior Department’s cybersecurity posture, saying it was able to breach thousands of employee user accounts because the department’s security policies allow easily guessable passwords like “Password1234.”

The report from the Office of the Inspector General for the Department of the Interior, which oversees the U.S. executive agency that manages the country’s public lands, national parks and a budget in the billions of dollars, says the department’s reliance on passwords as the sole protection for some of its most important systems and employee user accounts has defied the government’s own cybersecurity policy, which has mandated stronger two-factor authentication for nearly two decades.

It concludes that poor password policies put the department at risk of a breach with a “high probability” of massive disruption to its operations.

The inspector general’s office said it launched its investigation after an earlier test of the agency’s cybersecurity defenses found lax password policies and requirements across the more than a dozen agencies and bureaus of the Interior Department. This time, the goal was to determine whether the department’s security measures were sufficient to block the use of stolen and recovered passwords.

Passwords themselves are not always stolen in readable form. The passwords you create on websites and online services are usually not stored as plaintext but as a hash: a one-way transformation that turns the password into a fixed-length string of seemingly random letters and digits, so that hashes stolen by malware or in a data breach cannot simply be used to log in. Because a hash cannot be reversed, an attacker has to guess candidate passwords, hash each one and compare the result with the stolen hash. The complexity of the password (and the strength of the hashing algorithm) determines how long that takes. In general, the longer or more complex the password, the longer it takes to recover.

But the watchdog said that relying on the claim that passwords meeting the department’s minimum security requirements would take more than a hundred years to recover with off-the-shelf password-cracking software created a “false sense of security” that its passwords were safe, in large part because of the computing power that is commercially available today.

To get its point across, the watchdog spent less than $15,000 building a password-cracking rig (a setup of one or more high-performance computers chained together) with the processing power needed for computationally heavy tasks like the recovery of hashed passwords. Within the first 90 minutes, the watchdog recovered nearly 14,000 employee passwords, or about 16% of all department accounts, including passwords like “Polar_bear65” and “National Parks2014!”.

The watchdog also recovered the passwords of hundreds of accounts belonging to high-level government employees, and of other accounts with elevated privileges to access sensitive data and systems. Another 4,200 hashed passwords were cracked over a further eight weeks of testing.

Password-cracking rigs are not a new concept, but they require significant processing power and energy consumption to function, and it can easily cost several thousand dollars just to create a relatively simple hardware configuration. For comparison, White Oak Security spent about $7,000 on hardware for a reasonably powerful rig in 2019.

When we asked for details of the rig in question, a spokesman for the Office of the Inspector General told TechCrunch:

The setup we used consists of two rigs, each with 8 GPUs (16 total) and a management console. The rigs themselves run several open source containers where we can invoke 2, 4 or 8 GPUs and assign them tasks from the open source work distribution console. Using 2nd and 3rd generation GPUs behind currently available products, we achieved pre-fieldwork combined NTLM benchmarks of 240 GH/s testing NTLM over 12 character masks and 25.6 GH/s over a 10 GB dictionary and a 3 MB rules file. Actual speeds varied across multiple test configurations during the engagement.

Password-cracking rigs also rely on vast amounts of human-readable data to compare against hashed passwords. Open-source, freely available software such as Hashcat hashes lists of human-readable words and phrases and compares the results with the stolen hashes. For example, the MD5 hash of “password” is “5f4dcc3b5aa765d61d8327deb882cf99”. Because that hash is already known, a computer needs less than a microsecond to confirm the match. Fast, unsalted hash functions such as MD5 and NTLM are exactly what makes this kind of attack cheap: every candidate is hashed once and checked against every stolen hash at the same time.

According to the report, the Interior Department submitted the password hashes for each user account to the watchdog, which then waited 90 days for the passwords to expire, in line with the department’s own password policy, before it was safe to attempt to crack them.

The watchdog said it curated its own custom word list for cracking the department’s passwords from dictionaries in multiple languages, as well as US government terminology, pop culture references and other publicly available lists of hashed passwords from previous data breaches. (It’s not uncommon for tech companies to also collect lists of stolen passwords in other data breaches to compare with their own customers’ hashed passwords to prevent customers from reusing the same password from other websites.) The watchdog demonstrated that a well-equipped cybercriminal could have cracked the department’s passwords at a similar rate, the report said.
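The mechanics described above, hashing candidates from a curated wordlist plus mangling rules and comparing them with stolen hashes, and the gap between the “hundred years” estimate and what a rig at the quoted rates actually achieves, are easier to see in code. The following is an added example written for this page, not code from the OIG report or from Hashcat. It uses unsalted MD5 (the hash the article quotes) rather than NTLM so that it runs with the Python standard library alone; the account names, passwords and wordlist are constructed, and the hashcat-style mask charset sizes are the standard ones (?l 26, ?u 26, ?d 10, ?s 33, ?a 95).

```python
"""Toy offline password-cracking demonstration (constructed example, not OIG code)."""
import hashlib
from typing import Dict, Iterator, List

# Constructed sample accounts. The hashes are unsalted MD5 digests computed
# here from these example strings; they are not taken from the OIG report.
SAMPLE_PASSWORDS: Dict[str, str] = {
    "jdoe": "password",               # the MD5 example the article quotes
    "asmith": "Password1234",         # satisfies a length/complexity policy, still trivial
    "bjones": "Polar_bear65",         # dictionary word + two digits
    "ckim": "National Parks2014!",    # agency term + year + symbol
    "dlee": "xq7#Lm2$vR9!pT4wZ",      # long random string: should survive a wordlist attack
}
SAMPLE_HASHES: Dict[str, str] = {
    user: hashlib.md5(pw.encode("utf-8")).hexdigest()
    for user, pw in SAMPLE_PASSWORDS.items()
}

# A tiny constructed wordlist: dictionary words plus agency terminology, standing in
# for the multi-language, government-terminology list the report describes.
WORDLIST: List[str] = ["password", "polar_bear", "national parks", "interior", "yosemite", "ranger"]


def mangle(word: str) -> Iterator[str]:
    """Expand one base word with simple hashcat-style rules.

    Rules applied: case variants, appended two-digit numbers, appended years,
    a couple of common numeric suffixes, and an optional trailing '!'.
    """
    bases = {word, word.capitalize(), word.title(), word.upper()}
    suffixes = [""] + [str(n) for n in range(100)] + [str(y) for y in range(1990, 2030)] + ["123", "1234"]
    for base in bases:
        for suffix in suffixes:
            yield base + suffix
            yield base + suffix + "!"


def crack(hashes: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary-plus-rules attack against unsalted MD5 hashes.

    Because the hashes are unsalted, each candidate is hashed once and looked up
    against every account at the same time. Returns {username: recovered_password}
    for the accounts that cracked; uncracked accounts are absent.
    """
    by_hash: Dict[str, List[str]] = {}
    for user, digest in hashes.items():
        by_hash.setdefault(digest, []).append(user)
    recovered: Dict[str, str] = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = hashlib.md5(candidate.encode("utf-8")).hexdigest()
            for user in by_hash.get(digest, []):
                recovered.setdefault(user, candidate)
    return recovered


# hashcat mask charset sizes: ?l lower, ?u upper, ?d digit, ?s special, ?a all printable ASCII
MASK_CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def mask_keyspace(mask: str) -> int:
    """Number of candidates a hashcat-style mask generates (literal characters count as 1)."""
    size, i = 1, 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] in MASK_CHARSETS:
            size *= MASK_CHARSETS[mask[i + 1]]
            i += 2
        else:
            i += 1
    return size


def seconds_to_exhaust(mask: str, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate of a mask at a given cracking rate."""
    return mask_keyspace(mask) / hashes_per_second


if __name__ == "__main__":
    found = crack(SAMPLE_HASHES, WORDLIST)
    for user in SAMPLE_PASSWORDS:
        print(f"{user:8} {found.get(user, '<not recovered>')}")
    # 240e9 is the NTLM mask benchmark the OIG spokesperson quoted; MD5 and NTLM
    # speeds differ, so treat the figures as an order-of-magnitude illustration.
    rate = 240e9
    for mask in ("?u?l?l?l?l?l?d?d", "?u?l?l?l?l?l?l?l?d?d?d?d", "?a?a?a?a?a?a?a?a?a?a?a?a"):
        print(f"{mask:28} {mask_keyspace(mask):.3e} candidates, {seconds_to_exhaust(mask, rate):.3e} s")
```

Running it recovers four of the five sample accounts with a six-word list and a handful of rules, while the random 17-character password is untouched. The mask figures show where the “hundred years” claim goes wrong: a full 12-character printable-ASCII keyspace would indeed take tens of thousands of years at 240 GH/s, but a policy-compliant “Capital word plus digits” pattern of the same length is a structured keyspace many orders of magnitude smaller, and that is what real users choose.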

The watchdog found that nearly 5% of all active user account passwords were based on a variation of the word “password” and that the department did not “timely” retire inactive or unused user accounts, leaving at least 6,000 user accounts vulnerable to compromise.

The report also criticized the Interior Department for “inconsistent” implementation or enforcement of two-factor authentication, which requires users to enter a code from a device they physically possess so that attackers cannot log in with a stolen password alone. The report states that nearly nine out of ten of the department’s high-value assets, such as systems whose disruption would seriously impair operations or whose compromise would expose sensitive data, were not protected by any form of two-factor security, with the result that the department flouted 18 years of federal mandates, including its “own internal policies.” When the watchdog asked for a detailed report on the department’s use of two-factor authentication, the department said the information did not exist.

“This failure to prioritize a basic security control led to the continued use of one-factor authentication,” the watchdog concluded.

In response, the Interior Department said it agreed with most of the inspector general’s findings and said it was “committed” to implementing the Biden administration’s executive order directing federal agencies to improve their cybersecurity defenses.
