9 February 2016
I was really shocked when I read the LIFARS post ‘Hacker Allegedly Dumps Data of 9,000 DHS Employees’ at 5:30 this morning.
It is very remarkable how easy it was for the attacker to get access to the DHS network:
“So I called up, told them I was new and I didn’t understand how to get past [the portal],” the hacker told the outlet. “They asked if I had a token code, I said no, they said that’s fine—just use our one.”
From this it’s apparent that the help desk hasn’t got enough training in the procedure for verification of a caller’s identity. In addition the passing-on of the token code is a massive violation of the security procedures.
Take care! And train the help desk staff…