In early August, “Flash Gordon” (@s7nsins on Twitter) contacted me to say that he discovered a leak involving the House of Representatives.
In light of all the talk about Russia trying to hack our elections, I decided that we probably should notify the House right away in case there was any kind of sensitive files exposed. At the very least, Flash had informed me that there were email addresses and passwords in the exposed intranet files, although the passwords were not in plain text, he reported. Ironically, perhaps, the exposed material contained more than 17,000 references to “security,” including cybersecurity attacks.
Notifying the House of their leak was one of those misadventures in notification that I should probably write a book about one day. Calling the House switchboard and asking to speak to whomever was responsible for their cybersecurity resulted in me being bounced from extension to extension for the next hour or so. No one seemed to know what office I should be connected to. And in the middle of this frustrating weirdness, an intern, who shall go nameless, even said to me that the cybersecurity team already knew that the intranet was leaking and they were probably working on it. What??
Eventually I found someone who was willing to take a message. Within a few hours, I received a call back from someone who was actually involved in cybersecurity. He told me that I should have asked for the “Chief Administrative Officer of the House.” I told him that they needed to review with the switchboard how to direct or escalate calls, as I doubt most callers would know to ask for that chief administrative officer, and when people get bounced all over the effing place, they may give up and not notify the House of a leak.
The person I spoke with agreed and said the feedback was helpful and that he had never heard that before.
Well sure. He probably never heard it before because everyone else gave up before they ever got through to him.
In any event, they locked down the leak and I decided not to report publicly on everything at the time.
But then last week, yet another researcher (Lee Johnstone, @Cyber_War_News on Twitter) got in touch with me and told me that the House was leaking. This leak appeared to involve a different IP address and a backup directory.
The files reportedly contained a number of usernames and passwords, although once again, the passwords were not plain text. And unlike the first leak, this had sql databases for several members of Congress: Rep Dave Joyce of Ohio, Rep. Billy Long of Missouri, and Rep. Richard Neal of Massachusetts.
According to Johnstone:
The three subdomains leaked by congress are joyce.house.gov, long.house.gov, neal.house.gov, then there is also configuration files for carter.house.gov.
Configuration files within all subdomains file systems show that they are connecting to a shared database as the root user with a common password [actual password redacted by DataBreaches.net] and that this appears repeated for each installation of drupal being used.
Somewhat curious as to what would happen when I called the House and asked for the Chief Administrative Officer of the House, I called the House switchboard. My request for the Chief Administrative Officer of the House was transferred to a recording identifying the extension as “First Call.” I duly left a detailed message my name/number, their IP address and port, and said that I would be reporting on it because this was the second time in a few months that researchers were finding and contacting me about leaks from the House – and the files contained usernames and passwords.
I asked them to get back to me.
I fully anticipate that if and when they do call me, there will be an attempt to minimize the importance of these leaks, so let me state clearly that yes, I realize that the material leaked may not be the most sensitive, although since I haven’t gone through it all, I can’t be sure of that.
And it’s not like people might ever re-use their passwords, right? Oh wait…
It’s now noon on Monday, and I received no call back yesterday or today. And as of my last check, the door is still wide open. So I’ve decided to report on this now and tweet it to members of Congress. Maybe their staff can get through to the right person to secure their data.
Update 1:38 pm. One of my followers on Twitter has a contact in the Chief Administrative Office, it seems, and he alerted the contact, who said he’ll check into it. That would be nice.
Update 5:14 pm. More than 24 hours after I called them, the data now appear to have been secured, although I’m not sure whether it would have been secured if not for a follower’s contact.
Great work, again.