A government watchdog has issued a scathing rebuke of the Department of the Interior’s cybersecurity posture, finding that it was able to crack the user accounts of thousands of employees because the department’s security policy allows easily guessed passwords.
A report by the Interior Department’s Office of Inspector General, which oversees the U.S. executive agency that manages the nation’s federal lands, national parks and a multibillion-dollar budget, says the department’s reliance on passwords as the only way of protecting its most important systems and employee user accounts runs counter to nearly two decades of government cybersecurity guidance requiring two-factor authentication.
It concludes that a weak password policy puts the department at risk of a compromise that could, with a “high probability”, lead to a massive breach of its operations.
The inspector general’s office said the Interior Department launched the probe after a previous test of the agency’s cybersecurity found lax password policies and requirements at dozens of other agencies and bureaus. This time, the goal was to determine whether the department’s security defenses were sufficient to prevent the use of stolen and recovered passwords.
Passwords themselves are not always stolen in legible form. Passwords you create on websites and online services are usually not stored as you typed them but as a hash, a seemingly random string of letters and numbers that is unreadable to humans, so passwords stolen through malware or a data breach cannot easily be used in further attacks. This is called password hashing, and the complexity of the password (and the strength of the hashing algorithm used) determines how long it takes a computer to recover it. In general, the longer or more complex the password, the longer it takes to recover.
But the watchdog said the department had a “false sense of security” that its passwords were safe, based on a claim that it would take more than a hundred years to recover passwords meeting the minimum security requirements using off-the-shelf password cracking software, a claim that no longer holds, in large part because of the computing power commercially available today.
To make its case, the watchdog spent less than $15,000 building a password-cracking rig: a high-performance computer, or several chained together, with the computing power needed to perform complex mathematical tasks such as recovering hashed passwords. Within the first 90 minutes, the watchdog was able to recover about 14,000 employee passwords, or about 16% of all department accounts.
The watchdog also recovered the passwords of hundreds of accounts belonging to senior government employees and others with elevated privileges to access sensitive information and systems. During an additional eight weeks of testing, another 4,200 hashed passwords were cracked.
Password-cracking rigs are not a new concept, but they demand considerable computing power and electricity to operate, and even a relatively simple hardware configuration can easily cost several thousand dollars to build. For comparison, White Oak Security spent about $7,000 on hardware in 2019 for a fairly powerful rig.
When asked about the details of the device in question, a spokesperson for the inspector general’s office told TechCrunch:
The setup we used consists of two units with 8 GPUs each (16 total) and a management console. The rigs themselves run multiple open source containers where we can bring up 2, 4 or 8 GPUs and assign them tasks from the open source job distribution console. Using GPUs 2 and 3 generations behind currently available products, we achieved 240GH testing NTLM through a 12 character mask and 25.6GH testing through a 10GB dictionary and 3MB rules file before NTLM combined benchmarks. Actual speeds varied between multiple test configurations during engagement.
Password-cracking rigs also rely on large amounts of human-readable data to compare against the hashed passwords. Using open source and freely available software such as Hashcat, you can hash a list of readable words and phrases and compare the results with the stolen hashes. For example, the MD5 hash of the word ‘password’ is '5f4dcc3b5aa765d61d8327deb882cf99'. Since this password hash is already known, a computer takes less than a microsecond to validate it.
According to the report, the Interior Department provided the watchdog with the password hashes of every user account, then waited 90 days, as required by the department’s own password policy, until the passwords could be cracked safely.
The watchdog said it compiled its own custom wordlist to crack the department’s passwords from dictionaries in several languages, as well as from US government terminology, pop culture references and other public password lists gleaned from past data breaches. (To prevent customers from reusing the same password from other websites, it’s not uncommon for technology companies to compile a list of passwords stolen in other data breaches to compare with their customers’ passwords.) By doing so, the report says, the watchdog demonstrated that it could crack the department’s passwords as quickly as a well-resourced cybercriminal.
The watchdog found that nearly 5% of all active user account passwords were based on some variation of the word “password” and that the department did not “timely” terminate inactive or unused user accounts, putting at least 6,000 user accounts at risk of compromise.
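As an added example that is not code from the report or the article, the Python below sketches the three points made above from a defender's side: the MD5 example hash, a password-screening check that rejects variants of “password” by comparing against a breach-style wordlist, and why a salted, iterated hash makes the same comparison expensive. The wordlist is constructed, and the leet-substitution table and the 600,000 PBKDF2 iterations are assumptions of this example.

```python
import hashlib
import hmac
import os
import re

# Constructed, tiny stand-in for the breach-derived wordlists the report
# describes; real lists run to gigabytes.
WORDLIST = ["password", "letmein", "nationalparks", "qwerty"]

# Assumed leetspeak substitutions, undone so that variants such as
# "P@ssw0rd2014!" reduce to the base word "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "3": "e",
                      "$": "s", "5": "s", "7": "t"})

def normalise(candidate):
    """Lower-case, strip trailing digits/symbols, undo leet, strip again."""
    base = re.sub(r"[^a-z]+$", "", candidate.lower())
    base = base.translate(LEET)
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", base)

def is_variation_of_wordlist(candidate):
    """Screening check at password-set time: 'Password1234!' is rejected."""
    return normalise(candidate) in WORDLIST

def md5_hex(password):
    """Unsalted fast hash, as in the article's example."""
    return hashlib.md5(password.encode()).hexdigest()

def audit_unsalted(stored_hashes):
    """Auditor's view of unsalted storage: one precomputed table matches
    every account at once, because equal passwords give equal hashes."""
    table = {md5_hex(w): w for w in WORDLIST}
    return {h: table[h] for h in stored_hashes if h in table}

def pbkdf2_store(password, iterations=600_000):
    """Defensive storage: a random per-user salt plus a slow, iterated hash,
    so a shared table is useless and each guess costs hundreds of
    thousands of hash computations instead of one."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def pbkdf2_verify(password, salt, stored, iterations=600_000):
    """Constant-time comparison against the stored PBKDF2 digest."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(digest, stored)
```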
The report also criticized the Department of the Interior for not “consistently” implementing or enforcing two-factor authentication, in which users must enter a code from a device they physically own, so that an attacker cannot log in with a stolen password alone. About nine in 10 of the department’s high-value assets, such as systems whose compromise would seriously impact its operations or lead to the loss of sensitive data, are not protected by a second factor, the report said, and the department has ultimately ignored 18 years of federal mandates, including “its own internal policies.” When the watchdog asked for a detailed report on the department’s use of two-factor authentication, the department said it did not have the information.
“The lack of prioritization of fundamental security controls has led to the continued use of single-factor authentication,” the watchdog concluded.
In its response, the Interior Department said it agreed with most of the inspector general’s findings and that the Biden administration was “committed” to implementing an executive order directing federal agencies to improve cybersecurity protections.