Security Government Privacy

'Dozens of Email Accounts' Were Hacked At US Treasury (reuters.com) 24

An anonymous reader quotes a report from Reuters: Dozens of email accounts at the U.S. Treasury Department were compromised by the powerful hackers responsible for a wide-ranging espionage campaign against U.S. government agencies, the office of U.S. Senator Ron Wyden said on Monday. In a written statement, Wyden's office said that Senate Finance Committee staff were briefed that the hack of the Treasury Department appears to have been a significant one, "the full depth of which isn't known."

Wyden, the most senior Democrat on the committee, said that Microsoft notified the agency that dozens of email accounts had been compromised and that the hackers also penetrated the systems at Treasury's Departmental Offices division, which is home to its top officials. "Treasury still does not know all of the actions taken by hackers, or precisely what information was stolen," the statement said, although it added that the Internal Revenue Service said there was no evidence the tax agency was compromised or that taxpayer data was affected. A Wyden aide said the hackers were able to access the Treasury officials' Microsoft-hosted inboxes after taking control of the cryptographic key used by Treasury's "single sign on" infrastructure -- a service used in many organizations so that employees can access a variety of services with a single username and password. The aide quoted Treasury officials as saying Mnuchin's inbox was not among those affected.
Wyden's statement contrasts Treasury Secretary Steven Mnuchin, who told CNBC earlier in the day that "the good news is there has been no damage, nor have we seen any large amounts of information displaced." He added: "I can assure you, we are completely on top of this."
  • A bunch of certificates of indebtedness and promissory notes?

    A list of 'the best people'?

  • Who cares? (Score:4, Insightful)

    by Murdoch5 ( 1563847 ) on Tuesday December 22, 2020 @06:19PM (#60858124) Homepage
    How many times does the point of encryption have to be driven home?
    How many times does the point of running secure systems have to be driven home?
    How many times does the point of not running software because it's popular have to be driven home?

    This hack demonstrated that people still don't care about security, and frankly there's no excuse because if the emails were encrypted, they'd be fine. Maybe this will be a wake-up call, unlikely, as to why systems need to be secure from the ground up, not the top down. Maybe this hack will finally demonstrate why SSO is not some magical solution from remembering passwords, or using password managers. Maybe this hack will finally demonstrate why email is one of the biggest security issues at any organization!
    • This hack demonstrated that people still don't read a god damned thing before posting.

      +1, very true indeed, I wish more people like you would read the fucking article, but it is what it is.

    • by gtall ( 79522 )

      It more likely reflects the fact that Congress and the alleged president have not mandated security for Federal Agencies by putting money behind security upgrades and holding agencies accountable for how they spent the security money.

      • Yep, but the sad truth is that any government is going to be seriously lacking in the security department. In Ontario, Canada we still have rules on record that state it's more secure to fax a medical document instead of email, because email is insecure.
  • Why does government purchase and deploy products that they cannot prove work to guard what they keep telling us is secret information?

    There is no way to "trust, but verify" because you clearly cannot trust the upstream component providers. And those providers REQUIRE you sign away your rights to hold them responsible.

    • Why does government purchase and deploy products that they cannot prove work

      Software can be made more reliable and more secure, but talking about "proof" is ignorant.

      • Why does government purchase and deploy products that they cannot prove work

        Software can be made more reliable and more secure, but talking about "proof" is ignorant.

        Then never use software to guard "secret information" on non-air-gapped networks where software is used to manage every device at an administrator or root level.

    • I hear ya here. I admin a few Red Hat servers for the gov't and we are required to install McAfee Antivirus scanning software which consumes the bulk of CPU and disk resources scanning nonstop 24/7. At one time the voluminous log output of a stig'd server created enough raw source material for it to scan that it would bring down servers being caught in a vicious circle. And I have thought that this closed-source software that runs as a privileged user is the most likely attack vector someday.

    • Because the handlers of the congressional members do not want security. They want the government to buy products from the vendors they are paid to funnel contracts to.
    • by gtall ( 79522 )

      Why do we not elect Congress Critters that know the basics of information security when their jobs are mainly information processors? Failing that, they can all go through a month of information security boot camp with a final exam. If they fail, they get to do another month with another exam, and so on, until they pass. No committee assignments until they successfully pass. And they get to do it every two years because technology changes.

  • Most people are not technical, lazy and stupid. Intelligence is rare and competence extremely rare. Much of government is infested with old, non-technical people and those of the pre-internet generations are often utter Luddites.

    • Don't compare all government workers to what you see in Congress members. The average age of a Federal Employee is 47.5, the average employment length is 13.5 years, and over 50% of them have a Bachelor's Degree or higher. Profile of Federal Civilian Non-Postal Employees [opm.gov]

      Many of them are scientists working for NASA, NOAA and the EPA, CPAs working for Treasury, doctors working for the CDC, and lawyers working for DoJ. Plus, every agency has dedicated IT professionals. Not exactly the old, ignorant, pre-inter
  • Treasury Secretary Steven Mnuchin added: "I can assure you, we are completely on top of this."

    LOL sure man, we're assured. Steven Mnuchin is a politician and as such, cannot be believed. But besides that, let's see what people think about Steven:

    “Two things have become abundantly clear: (1) obtaining a clear and transparent explanation of all of his roles, positions and dealings, is close to impossible and (2) he is a massive dick.” — Peter McCormack

    • by gtall ( 79522 )

      To paraphrase Douglas Adams, Mnuchin is on top of it like a brick is above the Sargasso Sea.

  • Does that mean they were using personal email accounts, or does Microsoft host the official government accounts?