The U.S. Drug Enforcement Agency (DEA) is investigating a potential law enforcement system data breach associated with an online harassment community that impersonates police officers.
KrebsOnSecurity journalist Brian Krebs received a tip that hackers gained unauthorized access to the esp.usdoj.gov data portal, the Law Enforcement Inquiry and Alerts (LEIA) system.
Krebs obtained the information from the administrator of the Doxbin cyberbullying community, identified as “KT,” who has links to the LAPSUS$ hacking group.
Doxbin members post personal information online and participate in “swatting,” while LAPSUS$ was responsible for high-profile data breaches on Microsoft, NVIDIA, Okta, Samsung, and others.
LAPSUS$ also sells a service for making Emergency Data Requests to tech companies, social media platforms, and mobile service providers. The imposters trick organizations by claiming that the data requests could not wait for warrants because of their emergency nature.
Krebs reported the alleged intrusion to the DEA, the Department of Justice (DOJ), and the Federal Bureau of Investigation (FBI).
Without clarifying the situation, the anti-drug agency responded that it takes any alleged intrusion into DEA computer systems seriously and would investigate the incident.
DEA law enforcement system data breach could allow criminals to submit false records
LEIA provides federated search capabilities and has access to 16 different federal law enforcement databases, including DEA’s El Paso Intelligence Center (EPIC) law enforcement system.
Additionally, EPIC and LEIA have access to DEA’s National Seizure System (NSS), which tracks property acquired through proceeds of crime.
Consequently, the attackers could access sensitive data, including “law enforcement sensitive” and “mission sensitive” information.
Additionally, the attackers could leverage the law enforcement system to submit false records, according to Nicholas Weaver, an International Computer Science Institute researcher at the University of California, Berkeley.
The researcher noted that criminals could use the breached law enforcement system to search motor vehicles, boats, firearms, aircraft, and drone records.
The attackers could also profit from selling access to cartels for searching and exposing their rivals to the DEA.
“I don’t think these [people] realize what they got, how much money the cartels would pay for access to this,” Weaver said.
Krebs also suggested that the data breach likely exposed more databases because the compromised law enforcement system was among 3,330 data inventories hosted by the DOJ. However, only a few were login portals, with many being information resources.
DEA system does not require two-factor authentication
The informant told Krebs that the law enforcement system did not require two-factor authentication, although the portal allows users to log in using safer methods such as Personal Identity Verification (PIV) cards.
Krebs suggested that nation-state hackers could access sensitive information just like LAPSUS$ hackers. He indicated that the data breach was an eye-opener to the appalling security practices of the federal government.
“The United States government is in urgent need of leadership on cybersecurity at the executive branch level — preferably someone who has the authority and political will to eventually disconnect any federal government agency data portals that fail to enforce strong, multi-factor authentication,” Krebs said.
However, he acknowledged the challenges of implementing a robust security program. The investigative reporter attributed the implementation challenge to many users accessing the law enforcement system across various units and technologies.
Thus, implementing stricter computer security requirements could inadvertently lock many users out of the law enforcement system.
“It’s not going to be as simple as just turning on multi-factor authentication for every user, thanks in part to a broad diversity of technologies being used across the law enforcement landscape,” Krebs said.
Dave Cundiff, CISO at Cyvatar, noted that security is “a balance between being able to maintain the privacy or productivity of the data, while securing it against attack.”
Cundiff added that the data breach highlighted the critical nature of the entire cyber security ecosystem.
“Any database of this type will provide a treasure trove of data and be highly sought after by attackers,” he said. “You could have the strongest door and lock on the front door, in this case the use of a Personal Identity Verification card, but if you leave the back door with a simple pin and tumbler lock the attacker has a simple ingress. Providing reduced security anywhere in the chain defeats having any stricter security elsewhere.”
Baber Amin, COO at Veridium, said the data breach occurred because of the failure to enforce multi-factor authentication. “This is akin to putting the best ANSI grade 1 lock on your door but leaving the window next to the door wide open,” Amin said.
Noting that the PIV card could have prevented the data breach, Amin recommended “facial biometrics, smart phone, and a user-defined pin in some combination.”