A government watchdog hacked a US federal agency to stress-test its cloud security



A U.S. government watchdog stole more than one gigabyte of seemingly sensitive personal data from the cloud systems of the U.S. Department of the Interior. The good news: The data was fake and part of a series of tests to check whether the Department’s cloud infrastructure was secure.

The experiment is detailed in a new report by the Department of the Interior’s Office of the Inspector General (OIG), published last week.

The goal of the report was to test the security of the Department of the Interior’s cloud infrastructure, as well as its “data loss prevention solution,” software that is supposed to protect the department’s most sensitive data from malicious hackers. The tests were conducted between March 2022 and June 2023, the OIG wrote in the report.

The Department of the Interior manages the country’s federal land, national parks and a budget of billions of dollars, and hosts a significant amount of data in the cloud.

According to the report, in order to test whether the Department of the Interior’s cloud infrastructure was secure, the OIG used an online tool called Mockaroo to create fake personal data that “would appear valid to the Department’s security tools.”

The OIG team then used a virtual machine inside the Department’s cloud environment to imitate “a sophisticated threat actor” inside of its network, and subsequently used “well-known and widely documented techniques to exfiltrate data.”

“We used the virtual machine as-is and did not install any tools, software, or malware that would make it easier to exfiltrate data from the subject system,” the report read.

The OIG said it conducted more than 100 tests in a week while monitoring the department’s “computer logs and incident tracking systems in real time,” and not one of those tests was detected or prevented by the department’s cybersecurity defenses.
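To illustrate why the test data had to “appear valid to the Department’s security tools,” here is an added example (not code from the OIG report or from the Department’s tooling) of the kind of pattern-based DLP check a defender can run against a synthetic dataset before using it to test exfiltration monitoring. It discards SSNs that are structurally impossible under Social Security Administration issuance rules, so random digits are ignored and only plausible records count toward a block decision. The records are constructed sample data, not Mockaroo output.

```python
import re

# Constructed sample records; the last four carry SSNs that are never issued.
SAMPLE_RECORDS = [
    "Jane Doe,512-34-6789,jane.doe@example.gov",
    "John Roe,123-45-6789,john.roe@example.gov",
    "Bad One,000-12-3456,a@example.gov",    # area 000 is never issued
    "Bad Two,666-12-3456,b@example.gov",    # area 666 is never issued
    "Bad Three,900-12-3456,c@example.gov",  # areas 900-999 are never issued
    "Bad Four,123-00-3456,d@example.gov",   # group 00 is never issued
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def ssn_looks_issued(area: str, group: str, serial: str) -> bool:
    """Structural plausibility check modelled on SSA issuance rules:
    area not 000, 666 or 900-999; group not 00; serial not 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def count_valid_ssns(text: str) -> int:
    """Number of SSN-shaped tokens in `text` that pass the plausibility check."""
    return sum(1 for m in SSN_RE.finditer(text) if ssn_looks_issued(*m.groups()))


def dlp_verdict(text: str, threshold: int = 2) -> str:
    """Toy DLP rule: block an outbound payload carrying at least `threshold`
    plausible SSNs; a single hit is treated as probable noise and allowed."""
    return "block" if count_valid_ssns(text) >= threshold else "allow"


def dataset_would_trigger(records: list, threshold: int = 2) -> bool:
    """Sanity check for a synthetic test set: would exfiltrating it as one
    payload trip the rule above? If not, the test proves nothing."""
    return dlp_verdict("\n".join(records), threshold) == "block"


if __name__ == "__main__":
    print(count_valid_ssns("\n".join(SAMPLE_RECORDS)))   # plausible SSNs found
    print(dataset_would_trigger(SAMPLE_RECORDS))         # True: rule would fire
```

A dataset that fails `dataset_would_trigger` tells you the fake data is not realistic enough to exercise the control, not that the control works.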

“Our tests succeeded because the Department failed to implement security measures capable of either preventing or detecting well-known and widely used techniques employed by malicious actors to steal sensitive data,” said the OIG’s report. “In the years that the system has been hosted in a cloud, the Department has never conducted regular required tests of the system’s controls for protecting sensitive data from unauthorized access.”

That’s the bad news: The weaknesses in the Department’s systems and practices “put sensitive [personal information] for tens of thousands of Federal employees at risk of unauthorized access,” read the report. The OIG also admitted that it may be impossible to stop “a well-resourced adversary” from breaking in, but with some improvements, it may be possible to stop that adversary from exfiltrating the sensitive data.

This test “data breach” was done in a controlled environment by the OIG, and not by a sophisticated government hacking group from China or Russia. This gives the Department of the Interior a chance to improve its systems and defenses, following a series of recommendations listed in the report.

Last year, the Department of the Interior’s OIG built a custom password cracking rig worth $15,000 as part of an effort to stress-test the passwords of thousands of the department’s employees.


Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.
