U.S. DHS and FBI staff see their directory info stolen by pro-Palestine hacktivists. The self-styled DotGovs group says it broke into DoJ networks to leech the data, via spear-phishing plus social engineering.

The hackers also say they still have a load more info that remains unpublished. At least, for now.

Is it worrying that none of the three three-letter agencies are perturbed? Their official statements seem soothing and full of calm. Yet the hack sounds really simple.

In IT Blogwatch, bloggers point and laugh at yet another gov-opsec fail. Not to mention: Polygon Shredder...

Your humble blogwatcher curated these bloggy bits for your entertainment.

[Developing story: Updated 6:56 am PT with more comment]



What’s the craic? Steve Ragan investigates—Hackers leak DHS staff directory, claim DOJ is next:

The staff directory is exactly what you think it is

An account on Twitter posted a [DHS] staff directory with 9,355 names. [It then] went on to claim that...20,000 FBI employees was next.

…

The...staff directory is exactly what you think it is...name, title, email address, and phone number [of] engineers...security specialists, program analysts, InfoSec...IT, all the way up to director level.

…

The FBI staff directory...contains 22,175 names, email addresses, and titles.



We first heard about the claim before the leak happened. Joseph Cox has his source—Hacker Plans to Dump Alleged Details of 20,000 FBI, 9,000 DHS Employees:

Hackers claiming a pro-Palestine political stance

The hacker also claims to have downloaded hundreds of gigabytes of data from a...DOJ computer, although that data has not been published.

…

The job titles...cover all sorts of different departments [including] contractors, biologists, special agents, task force officers, technicians, intelligence analysts, [and] language specialists.

…

The data was obtained, the hacker [said], by first compromising the email account of a DoJ employee. ... The hacker used the DoJ email account to contact [me]. “So I called up, told them I was new and I didn't understand how to get [in]. ... They asked if I had a token code, I said no, they said that's fine—just use our one.”

…

Back in October, hackers claiming a pro-Palestine political stance broke into the email account of...John Brennan. This was followed by a prank, in which calls to...James Clapper would be forwarded to the Free Palestine Movement.

…

The DHS emailed...the following comment from spokesperson S.Y. Lee: "We take these reports very seriously, however there is no indication...that there is any breach of sensitive or personally identifiable information."



An anti-Israel motive again? Greg Otto cycles in to add heat and pressure, with Feds investigating hacktivists' info dump:

This is for Palestine, Ramallah, West Bank, Gaza

The information was taken from a Justice Department computer...after pro-Palestinian hackers broke [in] using social engineering.

…

At the beginning of the first [dump] the hackers claim, “This is for Palestine, Ramallah, West Bank, Gaza. This is for the child that is searching for an answer.”



As it becomes clear how easy it was to break in, foreigners are laughing. Foreigners like tikabass:

I’m sure Americans feel safer now

That's tight security!



I'm sure Americans feel safer now, knowing the professionalism of the guys protecting their lives, property and borders.



But wait. Shaun Nichols sheepishly wonders if it’s as bad as all that—Did a hacker really pwn the FBI, US Homeland Security and the DoJ?:

By itself, it's not a hugely damaging collection

As we've seen in recent incidents, not all hacked info is worthy of mass hysteria.

…

[It] just sounds like directory information. ... It seems these records, at least, are not something terribly sensitive and, in some cases, that contact info could already be available for people to look up online.

…

By itself, it's not a hugely damaging collection, though the hacker claims to have a lot more data. [But] it has not been released yet. We don't know what...clearance this account may have had to view sensitive information.

…

There's also the fact that the DoJ doesn't think anything is amiss. ... [But] should the hacker produce 200GB of internal documents, the DoJ will have a huge mess on its hands.



The claimed hacker group has plenty to say for themselves. Tweeting as @DotGovs, they say:

We won't stop until they cut relations with Israel

well folks, it looks like @TheJusticeDept has finally realized their computer has been breached after 1 week.

…

stay mad @TheJusticeDept @FBI @DHSgov 8)

…

how you like that huh @TheJusticeDept #FreePalestine

…

Be sure to tweet #FreePalestine to bring awareness to all the kids dying by Israeli bombs that the US government funds!

…

its boring in the deserts of dubai

…

top security by @TheJusticeDept here!!!

…

When will the US government realize we won't stop until they cut relations with Israel.

…

i think the government can hear #FreePalestine now hahhaha

…

that's all we came to do, so now its time to go, bye folks! #FreePalestine



Update: Another day, another report of spear-phishing plus social engineering. Paul Ducklin explains—Hacker says he’s breached DHS and FBI, leaks claimed staff data:

Personal information about your employees is a gold mine

Phishing is where you send out links or attachments in believable-looking emails in the hope that someone will...end up sucked into giving away secret information such as usernames and passwords. Spear-phishing is...with the emails made yet more believable by targeting, or tailoring...for each recipient. [It] can be as simple as getting your name right.

…

If you’re a nuclear scientist, for instance, an email about...attending a conference...is likely to attract your attention. If the crook has sufficiently many other details right...he might get to you [to] open up the dodgy website or document.

…

This breach will be more embarrassing for the DHS and FBI than it would be for most businesses. ... Not looking after employee data seems to be something of a theme at present.

…

Personal information about your employees is a gold mine for just the sort of spear-phishing attack we [just] spoke about. ... An organisational chart and an internal phone directory stolen today could be the basis of a...serious attack tomorrow.

…

The more that crooks...learn about your organisation, the more believable their attempts to talk their way in will appear.

And Finally...

Amazing, mesmerizing “Polygon Shredder”

[Does Insane mode crash WebGL for you? Hat tip: Andy Baio]