The FBI’s InfraGard program, which facilitates the sharing of information about cyberthreats and some physical threats between relevant, vetted parties throughout the public and private sector, has suffered a serious hacker breach.
According to a report published by Krebs on Security, the criminals behind the attack not only gained access to the FBI’s InfraGard system in a manner that let them impersonate the CEO of a major company in internal messages to other InfraGard members, but are now also offering the InfraGard user database, covering nearly 90,000 users, for sale on the dark web – exposing to whoever obtains it the names and private contact information of tens of thousands of people involved in protecting critical infrastructure in the US.
This breach is more than just embarrassing – it is dangerous. According to its own fact sheet, InfraGard “connects critical infrastructure owners, operators, and stakeholders with the FBI to provide education, networking, and information-sharing on security threats and risk,” and its membership is supposed to be tightly controlled; only parties who are vetted and approved by the FBI are supposed to be allowed to join the program and access relevant data. In fact, the FBI informs all applicants to the program that it will conduct periodic security risk assessments of members including checks of local, state, and federal criminal history, and other security-related database checks.
Somehow, however, criminals not only got into the system, but also managed to download a treasure trove of sensitive information. According to Krebs, the seller of the stolen information claims to have gained access by impersonating the CEO of a major American financial corporation and applying for InfraGard membership using the true name, Social Security Number, birthdate, and mobile phone number of the party being impersonated; the impersonated party themselves states that they were never contacted by the FBI during the vetting process.
The criminal claims to have submitted the application to the FBI in November and to have been approved for access in December – despite the FBI stating that it can take up to 3 months for applications to be vetted.
After gaining access, the criminal allegedly used a Python script against an Application Programming Interface (API) exposed by the site, and by doing so was able to automate the download of all available information.
This incident highlights several important points:
1. Even the best security folks sometimes mess up. The proximate cause of the breach appears to be that the FBI failed to properly vet an applicant; how long would it have taken, for example, for someone at the FBI to have placed a phone call to the user at his or her known office number? Early in my career, Yitzhak Shamir, the late former Prime Minister of Israel, warned me that “The smartest people often make the stupidest mistakes.” – in the realm of cybersecurity, I have seen his words ring true countless times.
2. If the criminal applied for membership with an email address that did not belong to the domain of the impersonated party’s employer, then the FBI should not have approved the application on that basis either (InfraGard requires SMS and/or email for multi-factor authentication; because the phone number on record was controlled by the impersonated individual rather than the criminal, the legitimacy of the email address should have been critically important). If, on the other hand, the criminal did use an email address bearing the official domain, then someone or something at the CEO’s organization, or possibly a DNS record, has also been breached.
3. Perhaps most importantly, this incident reminds us that cybersecurity folks can do things right 87,000 times and make a mistake only once, but that once can lead to an embarrassing and dangerous situation that undermines the trust built during the 87,000 prior successes. The odds are always against us cyber-defenders – remember, we have to win every battle, hackers who are attacking have to win only once.
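The automated bulk download described above is the kind of activity a member portal can catch on its own, whatever went wrong in vetting. The following is an added example, not code from the original post or from InfraGard: a sliding-window detector that flags any account retrieving more distinct member records through a directory API than a vetted user plausibly would, run over constructed sample log lines (the log format, the endpoint path and the thresholds are assumptions).

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"  # assumed log timestamp format


def parse_line(line):
    """Parse an assumed access-log line: '<timestamp> <account> <method> <path>'."""
    ts, account, _method, path = line.split()
    return datetime.strptime(ts, FMT), account, path


def find_bulk_readers(lines, window=timedelta(minutes=10), max_records=50):
    """Return {account: peak number of distinct member records read within any
    `window`} for every account whose peak exceeds `max_records`.
    Re-reading the same record (a page refresh) does not raise the count."""
    events = defaultdict(list)
    for line in lines:
        ts, account, path = parse_line(line)
        if path.startswith("/api/members/"):  # assumed directory endpoint
            events[account].append((ts, path))
    flagged = {}
    for account, evs in events.items():
        evs.sort()
        in_window, start, peak = Counter(), 0, 0
        for ts, path in evs:
            in_window[path] += 1
            while ts - evs[start][0] > window:  # slide the window forward
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > max_records:
            flagged[account] = peak
    return flagged


def build_sample_log():
    """Constructed sample: one member browsing normally, one enumerating the directory."""
    base = datetime(2022, 12, 10, 9, 0, 0)
    lines = []
    for i, minute in enumerate([0, 7, 15, 31, 58]):  # a few profiles over an hour
        stamp = (base + timedelta(minutes=minute)).strftime(FMT)
        lines.append(f"{stamp} analyst GET /api/members/{100 + i}")
    for i in range(300):  # one new record per second, sequential ids
        stamp = (base + timedelta(seconds=i)).strftime(FMT)
        lines.append(f"{stamp} newjoiner GET /api/members/{5000 + i}")
    stamp = (base + timedelta(seconds=3)).strftime(FMT)
    lines.append(f"{stamp} analyst GET /api/members/100")  # refresh of the same record
    return lines
```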