
A Government Watchdog Spent $15,000 To Crack a Federal Agency's Passwords In Minutes (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: A government watchdog has published a scathing rebuke of the Department of the Interior's cybersecurity posture, finding it was able to crack thousands of employee user accounts because the department's security policies allow easily guessable passwords like 'Password1234'. The report by the Office of the Inspector General for the Department of the Interior, tasked with oversight of the U.S. executive agency that manages the country's federal land, national parks and a budget of billions of dollars, said that the department's reliance on passwords as the sole way of protecting some of its most important systems and employees' user accounts has bucked nearly two decades of the government's own cybersecurity guidance of mandating stronger two-factor authentication. It concludes that poor password policies put the department at risk of a breach that could lead to a "high probability" of massive disruption to its operations.

The inspector general's office said it launched its investigation after a previous test of the agency's cybersecurity defenses found lax password policies and requirements across the Department of the Interior's dozen-plus agencies and bureaus. The aim this time around was to determine if the department's security defenses were enough to block the use of stolen and recovered passwords. [...] To make their point, the watchdog spent less than $15,000 on building a password-cracking rig -- a setup of a high-performance computer or several chained together -- with the computing power designed to take on complex mathematical tasks, like recovering hashed passwords. Within the first 90 minutes, the watchdog was able to recover nearly 14,000 employee passwords, or about 16% of all department accounts, including passwords like 'Polar_bear65' and 'Nationalparks2014!'. The watchdog also recovered hundreds of accounts belonging to senior government employees and other accounts with elevated security privileges for accessing sensitive data and systems. Another 4,200 hashed passwords were cracked over an additional eight weeks of testing. [...]

The watchdog said it curated its own custom wordlist for cracking the department's passwords from dictionaries in multiple languages, as well as U.S. government terminology, pop culture references, and other publicly available lists of hashed passwords collected from past data breaches. By doing so, the watchdog demonstrated that a well-resourced cybercriminal could have cracked the department's passwords at a similar rate, the report said. The watchdog found that close to 5% of all active user account passwords were based on some variation of the word "password" and that the department did not "timely" wind down inactive or unused user accounts, leaving at least 6,000 user accounts vulnerable to compromise. The report also criticized the Department of the Interior for "not consistently" implementing or enforcing two-factor authentication, where users are required to enter a code from a device that they physically own to prevent attackers from logging in using just a stolen password.

  • So the same Government agency that mandated and forced 3rd party civilian suppliers to implement strong password measures and MFA, has neither?

    Why again? What, the civilian systems are somehow less important?

    • *government systems
    • Civilian or government, these agencies are still just made up of people, sometimes fallible and sometimes dumb people, and they still inherit years of tech debt and bad practices that are hard to break ("it's always worked before, I'm not gonna be the guy who breaks everything"), but again, just people showing up and trying to do their job.

      Now those aren't excuses but just some explanations. Issues like this are the reason every major department has an inspector general. If you are saying we should give the

      • Civilian or government, these agencies are still just made up of people, sometimes fallible and sometimes dumb people, and they still inherit years of tech debt and bad practices that are hard to break.

        Hard to break? You mean hard to swallow that excuse.

        Government IT audits have been producing D-grade report cards since the fucking 90s.

        And it's far from a "fallible" excuse when that same Government demands and mandates strong password validation and MFA to secure civilian systems. Let's stop pretending the Government has no money to spend to simply Do What They Mandate. A couple hundred million taxpayers would probably disagree.

        They shouldn't be given any more resources right now beyond what it takes to

        • Government demands and mandates strong password validation and MFA to secure civilian systems.

          Should they not? Is that not a good thing?

          Let's stop pretending the Government has no money

          Departments get the money they are assigned and almost always it's assigned to specific purposes. I would have lots of money for projects if I just stopped paying my mortgage, eh?

          We get it, "government bad". That's the solution to all our problems after all...

          • Government demands and mandates strong password validation and MFA to secure civilian systems.

            Should they not? Is that not a good thing?

            Never said that. I'm criticizing the hypocrite in this case, not the logical process mandated. That whole "Rules for Thee" reference I made before wasn't clear?

            Let's stop pretending the Government has no money

            Departments get the money they are assigned and almost always it's assigned to specific purposes. I would have lots of money for projects if I just stopped paying my mortgage, eh?

            We get it, "government bad". That's the solution to all our problems after all...

            D-grade report cards are issued. And then ignored, except for all those screaming "Holy shit! We're insecure! Give us money!"

            Lather, rinse, and repeat for Greed's overly predictable actions over the last decade or two. If Government spending were that reliable, 100 million citizens wouldn't be screaming daily for audits of the Fed.

            Government isn'

            • Never said that. I'm criticizing the hypocrite in this case, not the logical process mandated. That whole "Rules for Thee" reference I made before wasn't clear?

              Great, but to what end? What does pointing out the hypocrisy accomplish and do you really think the people at Interior are twirling their moustaches and thinking "Oh those poor peasants have to follow the rules while we get our poor passwords and continue working on early 2000's software. Muahahahaha"

              100 million citizens wouldn't be screaming daily for audits of the Fed.

              All that means is 230 million don't care or know the other 100m are just garnering for political points and 90m of those 100m probably don't know what the Fed actually does or why it's there (case in point why

    • Yeah. NIST 800-171. I thought government security standards are even more stringent than for contractors. 800-171 is a real pain with all the MFA and log checking daily, weekly, monthly, etc. Don't they have auditors for themselves? Wouldn't the "Government watchdog" report on the auditors as well as the individual agency departments? I'd like to know what admin is in charge of enforcing the password policies and how much are they paid?
      • Yeah. NIST 800-171. I thought government security standards are even more stringent than for contractors. 800-171 is a real pain with all the MFA and log checking daily, weekly, monthly, etc. Don't they have auditors for themselves? Wouldn't the "Government watchdog" report on the auditors as well as the individual agency departments? I'd like to know what admin is in charge of enforcing the password policies and how much are they paid?

        I see you've been living in the same trenches I have for years now. And with all the same outstanding, obvious, and rather annoying questions. Really does make you wonder sometimes about the futility of it all.

        Doubt CMMC will change a damn thing. It's been neutered quite a bit since conception.

      • I give credit to the DOI's IG office for sponsoring this audit into their own systems. At least the IG is taking previous failures seriously and looking at ways to prove to the suits in the DOI that their systems are STILL vulnerable.

        According to the report, the Department of the Interior provided the password hashes of every user account to the watchdog, which then waited 90 days for the passwords to expire — per the department’s own password policy — before it was safe to attempt to crack them.

        So this was not a white hat pen attempt. This was a specific proof-of-vulnerability to management that, even though they had complex password requirements and only stored hashed values, their single factor authentication was NOT secure.

        So, kudos to the IG team for continu

        • Yeah, I agree, and even then that 15k amount is very conservative. They possibly just bought over-the-counter equipment to show what even a terrorist organization could have access to. With all the excess mining rigs out there, or just using serious government money, someone could easily break into all these systems.
    • by gweihir ( 88907 )

      This is people with big egos and small skills because they think they _personally_ are important due to their positions. Hence, of course, _they_ do not need to follow the rules, they are too good for that. Kind of like the company where the C-Levels did not need to use 2FA when travelling but anybody else did. Squashed that with a "red" finding they did not like very much, but audit is really hard to touch.

  • by Joe_Dragon ( 2206452 ) on Wednesday January 11, 2023 @07:11PM (#63201136)

    how much crypto can that system mine?

  • by Darth Technoid ( 83199 ) on Wednesday January 11, 2023 @07:19PM (#63201170)

    how about fire all executives who don't enforce good security?

    I mean, what's wrong with requiring basic security measures? with severe penalties for lax operations and enforcement.

    ya know, expect decent levels of management. ... i know .. it's too much to ask for :(

  • by FeelGood314 ( 2516288 ) on Wednesday January 11, 2023 @08:23PM (#63201376)
    I am actually surprised that the success rate of this study is so low.
    I got in a fight with the IT department at a security company I was working at over their password and login policies. They required:
    One capital letter and one small
    One number and one symbol
    To change the password every 2 months
    Most people will create a good work password once, but when you ask them to change the password they eventually resort to a common English word, first letter capitalized, followed by a symbol and then a number that they increment. I've surveyed employees and found 60% of people follow this pattern and another 20% follow it with a close variant.

    Presented with this evidence IT did not change their policies. Why? Because this is the standard way of doing things. If they changed and were hacked then IT would be to blame, but if they follow the same policies as pretty much everyone else then their asses are covered.


    Side note: I did get in some trouble for using the term CYA and explaining it to them.
    • by gweihir ( 88907 )

      To change the password every 2 months

      There are now numerous recommendations to _not_ do that, including from the well-known security standards like BSI and NIST because it _decreases_ security. (Why? Just try to come up with an attack where this actually helps. Then consider that people will invest less effort in a temporary password compared to a long-term one.)

      Too many people are sticking with the meaningless and damaging ritual though. In one case I had to advise an audit-customer (I do internal audit as a service, among other things) to ge

      • by syntap ( 242090 )

        >> To change the password every 2 months
        > There are now numerous recommendations to _not_ do that, including from the well-known
        > security standards like BSI and NIST because it _decreases_ security. (Why? Just try to
        > come up with an attack where this actually helps.

        I give the scenario of the audit given in the article in the OP. They waited 90 days from their hash dump to ensure none of the passwords they found will be the passwords in current use against the login/email IDs. If the Departm

        • by gweihir ( 88907 )

          Completely irrelevant artificial scenario. Stolen password hashes get used within hours of theft for attacks on other sites. Nobody spends 90 (or 30) days to crack password hashes, it is just not worth the effort. I also encourage you to find out what the reasoning behind the original "90 day" and then "30 day" recommendations were. Here is a hint: These reasons do not exist anymore. Anybody that still insists on forced, time-based password changes today is simply incompetent and no excuses.

    • Many many moons ago, I was accessing a system that enforced changing your password every 35 days. Could not reuse passwords for 13 months. Had to have a capital, lower case, symbol, and a numeric. My passwords were May_86, Jun_86, Jul_86,... (not sure 86 was the right year, but you get the idea). Typical example of a self destructive policy.
  • by hazem ( 472289 ) on Wednesday January 11, 2023 @08:52PM (#63201450) Journal

    Did they give the researchers the passwd files (or other equivalent)? That alone makes the process a lot easier. And they already have all the usernames?

    More than 20 years ago there was some password cracker called something John that could quickly do a dictionary attack against the shadow file. But you had to have access to that file in the first place.

    • by syntap ( 242090 )

      From TFA: "the Department of the Interior provided the password hashes of every user account to the watchdog, which then waited 90 days for the passwords to expire — per the department’s own password policy — before it was safe to attempt to crack them.".

      So the study as-conducted assumes that the bad actor had already obtained access to some internal data, enough to get at all the hashes. I'm curious why the article doesn't say whether the Department also supplied all the salts or not. Whic

    • >"Did they give the researchers the passwd files (or other equivalent)? That alone makes the process a lot easier. And they already have all the usernames?"

      Apparently yes.

      If you can gain access to a hashed password file, then OF COURSE you are going to be able to crack passwords if there are enough user accounts in them. Even if the passwords are relatively strong.

      In the real world, great security is and must be kept around the hash file. And you can't just get around that with brute force guessing of

  • Password policies cannot qualify users to select good passwords. That is just not possible. It is a password quality testing failure. Things like "Password123" will be in both the "Have I Been Pwned" hash-list and the plaintext bad-password list from Kali. Not even checking a new password against one of these is an abject failure on the part of the software designers. Also remember that passwords selected by non-experts will very often not be very secure. In any application where you need more security, yo

  • Polar_bear65 has at least one occurrence of upper-case, lower-case, numbers, and special characters (Microsoft's definition of a strong password = at least one occurrence from only three of those categories). This password is also 12 characters long, which is longer than the default of 8 characters for a "strong" password. You can argue that the password should be 14 or 16 or 20 characters long, but now you are asking for stickies on monitors or in desk drawers. My point is that I don't know why they picked on "Polar_be
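The two comments above make a point that is easy to lose in the thread: composition rules (upper, lower, digit, symbol, 8+ characters) say nothing about guessability, while a check against a banned-word or breach list does. The following is an added example, not code from the report, TechCrunch, or any commenter. It implements a composition check of the kind quoted above beside a NIST SP 800-63B-style check that normalises a candidate (case, leet substitutions, trailing digits and symbols, separators) and compares the remaining base word against a banned list. The banned list is a small constructed stand-in for a breach corpus plus agency-themed terms; the sample passwords are the ones named in the article plus two constructed ones.

```python
import re
import string

# Constructed stand-in for a breach corpus (e.g. Have I Been Pwned) plus
# organisation-specific terms. A real deployment loads millions of entries.
BANNED_WORDS = {
    "password", "welcome", "letmein", "qwerty", "admin",
    "nationalparks", "polarbear", "interior", "yellowstone",
}

# Common single-character substitutions undone during normalisation.
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                       "!": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def meets_composition_rule(pw: str, min_len: int = 8) -> bool:
    """The kind of rule quoted above: length plus all four character classes."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def base_word(pw: str) -> str:
    """Strip the decoration people add to satisfy composition rules and return
    the dictionary word underneath: 'Polar_bear65' -> 'polarbear',
    'P@ssw0rd!' -> 'password', 'Nationalparks2014!' -> 'nationalparks'."""
    s = pw.lower()
    s = s.strip(string.digits + string.punctuation + " ")  # leading/trailing 65, 2014!, ...
    s = s.translate(_LEET)                                  # p@ssw0rd -> password
    s = re.sub(r"[\s_\-.]", "", s)                          # polar_bear -> polarbear
    return s


def check_password(pw: str, banned: set, min_len: int = 8) -> tuple:
    """Return (accepted, reason). Accepts anything long enough whose base word
    is not in the banned list; no composition requirement at all."""
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    base = base_word(pw)
    if len(base) < 4:
        return False, "consists almost entirely of digits and symbols"
    for word in banned:
        # Substring match so 'mypassword99' is caught; short words are skipped
        # to avoid rejecting every string containing e.g. 'a'.
        if len(word) >= 5 and word in base:
            return False, f"built from banned word {word!r}"
    return True, "ok"


def audit(samples, banned=BANNED_WORDS) -> dict:
    """For each sample: (passes composition rule, passes banned-word check)."""
    return {pw: (meets_composition_rule(pw), check_password(pw, banned)[0])
            for pw in samples}


if __name__ == "__main__":
    # First three appear in the article; the last two are constructed.
    samples = ["Password1234", "Polar_bear65", "Nationalparks2014!",
               "P@ssw0rd!", "correct-horse-battery-staple"]
    for pw, (comp, banned_ok) in audit(samples).items():
        print(f"{pw:30} composition={comp!s:5} banned-word check={banned_ok}")
```

The point the output makes: 'Polar_bear65' and 'Nationalparks2014!' satisfy the composition rule and still fail the banned-word check once the decoration is stripped, while a long passphrase with no digits or symbols fails the composition rule and passes the check that actually measures guessability. The normalisation here only undoes a handful of substitutions; the watchdog's rule-based cracking (discussed further down the thread) undoes far more.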
  • You could crack those passwords in 10 minutes on a laptop with a publicly available dictionary, not sure why they spent $15k on a dedicated cracking box.

    • Going to say, a laptop may struggle trying to hash and crack 12+ character passwords with special characters on 875K accounts. Also guessing, but likely they spent most of the money on a mobo that can support several graphics cards and tons of fast storage and built a beast server/workstation to be able to hash quickly and compare the password hashes. (With today's hardware prices, $15K doesn't go too far for these sorts of setups.) The great thing is, they now own a tool for future audits! Impressed they
      • by Bert64 ( 520050 )

        Depends on the hashing algorithm in use...
        If it's NTLM or any other unsalted algo, then you just need to compute the hash once and then compare it against the 850k stored hashes.

        You don't brute force all possible combinations of 12 chars, you take one of the existing dictionaries and then you apply rules which generate variations (e.g. if your dictionary contains "password" it will try "Password", "Password123!", "Password2023" etc. and other common derivations).
        You also seed your dictionary with words/terms re

    • I think it was more that the report was written to the government agencies rather than to us. I can get plenty of used hardware off eBay, not to mention used hashing rigs, to do this work, and just trolling through GitHub to get the software. However, saying "I can crack the government with junk and $100" is an easy-to-ignore report. I mean hell, for more than 10 years people HAVE been doing this stuff publicly and it hasn't done any kind of serious password policy change.

      So this report goes step by step on the kin

  • Cracking about 16% of passwords once you are handed the NTLM hashes is pretty normal for any organization. The point of this exercise isn't that the passwords were particularly weak (though some were) but debunking claims that the password only setup was entirely sufficient. Of course, if your attacker is dumping the password hashes from AD in a real attack you have a boatload of larger problems to deal with.
  • One-way hashes have never been a valid means of storing credentials. Passwords have insufficient entropy to survive brute force offline campaigns and there is very little an organization can do about it without pushing users to drawers full of post-it notes.

    For better outcomes what is needed is a better architecture where authenticators are simple, physically secured, isolated, formally verifiable, single-purpose systems.

    Even more importantly secure authentication methods using zero knowledge proofs or similar
