Slashdot Mirror


US Office of Personnel Management Hacked Again

tranquilidad writes: According to a story in the Washington Post, China hacked into the computer system of the United States' Office of Personnel Management last December. This was the second major intrusion in less than a year. Personally identifiable information of approximately 4 million individuals may have been compromised. The compromised information was related to security clearances and employee records. "The FBI is working with our interagency partners to investigate this matter. We take all potential threats to public and private sector systems seriously, and will continue to investigate and hold accountable those who pose a threat in cyberspace," an FBI spokesman said.

73 comments

  1. Governments of the World Agree: Encryption Must Di by Anon-Admin · · Score: 2, Insightful

    Government: Crap, we got hacked again. How are we supposed to protect our lists of security clearances and employee records? It's so confusing.

    IT people of the world collectively reply: ID10T Errors, you have to solve them first! Then you can protect your data.

  2. And nothing of value was lost... by countSudoku() · · Score: 0, Troll

    "We take all potential threats to public and private sector systems seriously, and will continue to investigate (hang out and drink coffee) and hold accountable those who pose a threat in cyberspace, except when those posing the threat are the victims who lack any basic Internet security measures and just put any fucking thing online and expect someone else to rescue them when they get breached so hard it's news" -- Fucking Blithering Idiots

    --
    This is the NSA, we're gonna geet U h@x0r5! Also, what is a h@x0r5?
  3. Official FBI Position by Anonymous Coward · · Score: 1

    The FBI spokesman then added "Fuck them. Fuck them up their stupid asses."

  4. The government can't get it right by Bruce66423 · · Score: 2, Insightful

    HELP HELP WHO CAN I TRUST...

    We're from the government and we're here to help you...

    'The most terrifying words you can hear' Ronald Reagan

    1. Re:The government can't get it right by fustakrakich · · Score: 1

      We're from the government and we're here to help you...

      'The most terrifying words you can hear' Ronald Reagan

      Self fulfilling prophecy!

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:The government can't get it right by RabidReindeer · · Score: 3, Insightful

      'The most terrifying words you can hear' Ronald Reagan

      The president whose government brought in guilty-until-proven-innocent drug testing and citizenship checks to the workplace.

    3. Re:The government can't get it right by bobbied · · Score: 3, Interesting

      Half of that wasn't bad at all....

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    4. Re:The government can't get it right by Anonymous Coward · · Score: 0

      If you work for the Gov then this information should be public anyway. We pay your salary, we should know what it's going towards. We don't need any more secrecy, all that leads to, aside from war in Middle East countries, is racist white cops shooting innocent black teens.

    5. Re:The government can't get it right by Anonymous Coward · · Score: 0

      All of your comment is out of touch....

    6. Re:The government can't get it right by Etherwalk · · Score: 1

      If you work for the Gov then this information should be public anyway. We pay your salary, we should know what it's going towards. We don't need any more secrecy, all that leads to, aside from war in Middle East countries, is racist white cops shooting innocent black teens.

      You also pay the salary of Apple employees if you buy a computer, and own the company if you own stock. You may be able to see their quarterly reports, but do you really think you should be able to know *everything* they're working on? Won't that take away their competitive advantage and ability to protect themselves against threats to the company?

      Most big companies are working on some non-public things because public exposure would make those efforts either much harder or futile. As much as I agree with the "we pay their salary" idea and the need for good civilian oversight recognizing the government monopoly on the use of force, some things *need* to be done in secret.

      What we really need is responsible oversight and procedural protections ensuring the surveillance intel isn't misused, and that people (1) who need to report violations within the system or (2) from outside the system who find themselves blackmailed by it are able to get an immediate and massive response from government that severely penalizes the responsible parties within the intelligence community who misused their power.

      Right now, we have no reason to believe such a process exists.

    7. Re:The government can't get it right by Anonymous Coward · · Score: 0

      If you work for the Gov then this information should be public anyway.

      You think that because somebody works for the government you're entitled to know their SS#? That you're entitled to see detailed banking info and medical history and all the myriad other personal info that go into the application to get a security clearance? Get real.

    8. Re: The government can't get it right by Anonymous Coward · · Score: 1

      I'm not forced - by physical force - to buy Apple.

    9. Re: The government can't get it right by Anonymous Coward · · Score: 0

      I guess if your example was Tesla motors who get a $7500 handout from the government - my taxes, I might agree with your argument more.

    10. Re:The government can't get it right by joe_frisch · · Score: 1

      Since you pay the salaries of govt employees, you probably don't want them to demand more money when they discover that OTHER govt workers are earning more than they are....

    11. Re:The government can't get it right by Anonymous Coward · · Score: 0

      If you work for the Gov then this information should be public anyway.

      The information this article is referring to is what the people gave to the government for the purpose of getting a security clearance. It includes things like:
      - Your Social Security Number
      - Birthdate and where you were born
      - All the places you have lived
      - All of your employment history
      - All the places you have gone to school, when, and what degrees if any you got
      - Names, addresses, ages, citizenship, and place of birth of all your close relatives
      - Any foreign contacts, investments, bank accounts, or property ownership
      - Any foreign travel you have done, including where and when
      - A small list of some friends - for the purpose of references and verification of residence
      - Your passport information including number, and date of issue and expiry
      - Your military record if you were in the military
      - Medical information if it includes specific psychological or emotional health issues

      Do you really think it should be a requirement that anyone who "work for the Gov", let alone gets a US security clearance, should have all this information about them made public record in one nice, neat pile? It is an identity thief's dream.

    12. Re: The government can't get it right by skovnymfe · · Score: 1

      Tesla got a loan from the Government. And they paid it back.

    13. Re:The government can't get it right by flink · · Score: 2

      If you work for the Gov then this information should be public anyway. We pay your salary, we should know whats its going towards.

      You have no idea what goes into an SF86 form, do you? It's your whole life for at least the past 7 years, including SSN, bank account numbers, past addresses, KAs, relatives. It'd be one-stop shopping for stealing every cleared person's identity if it were public. Also, not all cleared personnel are employed by the government.

      We don't need any more secrecy, all that leads to, aside from war in Middle East countries, is racist white cops shooting innocent black teens.

      Those are local cops, for the most part. If the local and state PDs were as thorough as the feds, we might have fewer issues as they might catch more potential problems through psych screening.

    14. Re:The government can't get it right by Coren22 · · Score: 1

      Government salaries are public knowledge.

      https://www.opm.gov/policy-dat...

      If someone else is making more than you with the same GS level, then you have good reason to complain.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    15. Re:The government can't get it right by Kythe · · Score: 1

      Ah, OK. So if I'm a customer of Wal-Mart, I deserve to have all the private info of Wal-Mart employees provided to me?

      You might want to think this through a little more.

      --

      Kythe
    16. Re: The government can't get it right by Kythe · · Score: 1

      You're not forced to buy any products (police & fire protection, etc.) from the U.S. government, either. Just don't expect to squat on U.S. land, though (start walking north or south).

      --

      Kythe
    17. Re:The government can't get it right by TheCabal · · Score: 1

      Asshole, the money is going to pay my salary. You don't get to know how I spend it.

  5. "China Hacked" ? by Anonymous Coward · · Score: 1

    You mean United States citizens using hacked Chinese botnets to proxy their true identities?

    Remember that all major news media outlets push a CIA agenda http://en.wikipedia.org/wiki/Operation_Mockingbird

    Now that you realize the agenda, you know the truth that it was not Chinese nationals.

    1. Re:"China Hacked" ? by chill · · Score: 1

      These are government sites. The CIA wouldn't use proxies to hack them. They'd set up a VPN, send over an ISA/MOU and just download everything.

      --
      Learning HOW to think is more important than learning WHAT to think.
    2. Re: "China Hacked" ? by Anonymous Coward · · Score: 0

      Whoosh

    3. Re:"China Hacked" ? by Dr.+Tom · · Score: 1

      Remember Hanlon's Razor.

      http://en.wikipedia.org/wiki/H...

      They don't have an agenda, they're just idiots.

  6. The usual verbiage...but they missed something... by bogaboga · · Score: 2, Insightful

    "...and will continue to investigate and hold accountable those who pose a threat in cyberspace,"

    I am sure they will investigate. What I am not sure about is whether, "hold accountable those who pose a threat in cyberspace" means anything if history is to be believed.

    I beg to be enlightened: What has the [mighty] USA done in the past, that should make me think holding accountable in the case of China means anything really?

    Now, remember we as a country, do the same stuff to other countries regularly.

  7. Not Impressed by Anonymous Coward · · Score: 2, Interesting

    Having helped the JD secure some applications in the past... I am no longer impressed by hackers who get into these systems. Many government applications use templated login IDs and even templated passwords. Account sharing is common as many of these systems can't handle simultaneous access of records. It is truly harder to not hack a government system than it is to hack one. The whole government's security audit is a FAIL in my opinion.

    1. Re:Not Impressed by Anonymous Coward · · Score: 0

      And clear text account tables should be a federal crime... The whole of slashdot would projectile vomit if they knew how common clear text passwords are in government systems.

  8. It's axiomatic by rmdingler · · Score: 1

    Encrypting and protecting sensitive information flies in the face of government's innate need to collect and parse all the information it can get its greedy little hands on.

    Not that the two are mutually exclusive, but for your governing overlords, it boils down to implementing effective strategies to protect information or having access to it.

    It's not very difficult to see which side your elected leaders currently line up on.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  9. Trivial by Charliemopps · · Score: 5, Insightful

    So, I think that the word we need to get out to the uninformed public is that hackers do not have magic powers that are impossible to defend against. Governments and Corporations responsible for these breaches keep trying to portray the hackers as if they were mad-men flying planes into buildings. How can you stop a fully loaded 747 flying at 800mph right?!?!

    But that's not the case. Every single one of these breaches has been the result of mistakes made by the organization that was attacked, as trivial as leaving keys in the lock of your safe with a big sign that says "Money inside!" These agencies and companies could easily, and with little monetary investment, make breaches like this nearly impossible.

    In most cases the mistakes aren't even technological, they're institutional. Usually those attacked had well qualified security folks on staff who were doing their best to prevent the attack. But when the "VP of operations" (or whatever) comes in and says "The project is late, everyone's telling me it's because your department is insisting on two factor authentication. I'm going to sign off on that and we're going to move forward" there's not much they can do.

    Look at the Sony attack. You had executives of the company sitting there with the entire company's financial records down to the penny sitting on their Windows desktop... WHILE their security department was telling them the entire network had an active virus infection running rampant. Basically nothing happened to any of the people responsible.

    1. Re:Trivial by Anonymous Coward · · Score: 0

      Not true, if only we ensured everyone's security system had a backdoor and was weaker we would be able to stop these terrorists.

    2. Re: Trivial by ZeroWaiteState · · Score: 1

      Actually that's not quite true. The entire future existence of Sony Pictures is in question.

    3. Re:Trivial by Anonymous Coward · · Score: 0

      ...and these failure points exist due to institutional culture. If you've got a culture where people are empowered to do the right thing, then they can spot and fix these sorts of problems. In every government department, and even big bank I've ever worked at "the security team" or "the desktop team" or someone else is responsible for security and you're just there to do what you're told (although of course in the mandatory quarterly 'training' you're told security is everyone's problem). Sure, you can polish your little world as much as you feel you want to - after all, you're "empowered" (so they tell you), but try changing something outside your little world and you'll know what futility means.

    4. Re:Trivial by Anonymous Coward · · Score: 0

      Yeah, you know they disable your email if you skip your yearly Security Training. Too bad the training is a set of web pages you can click through in about 60 seconds without reading. Requirement satisfied. Oh, what's this shiny link?

      I'm one of the staff working to secure this place. Whose ID was stolen, and my bank account *already* raped. Now I know why.

  10. Re:The usual verbiage...but they missed something. by bobbied · · Score: 2

    Hold Accountable != punish

    It just means that once they find out WHO did it, (or who they intend to say did it) they will blame them for doing it. It doesn't mean they will bomb them back to the stone age or put them on trial it says they will hold them accountable. Whatcha gona do? Send them a bill you cannot force them to pay?

    Saying "Don't look at me, that guy over there, see him? HE DID IT!" = promise kept.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  11. Re:The usual verbiage...but they missed something. by Anonymous Coward · · Score: 0

    So, when are they going to go after those who pose the greatest threat to cyberspace that there has ever been?

    Specifically, that is the various government organizations (not just U.S. but they top the list) that have worked tirelessly to ensure that there is no secure software on the net. Mandating bad encryption, finding and hoarding security faults to better spy on the populace, etc.

  12. 4 million, you say ... by CaptainDork · · Score: 0

    ... take a look at the bottom of this page.

    Total Federal personnel (thousands) = 4,185

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:4 million, you say ... by Anonymous Coward · · Score: 0

      There's a footnote, that says "number in thousands." You fucking idiot.

    2. Re:4 million, you say ... by Anonymous Coward · · Score: 0

      Didn't even look at the footnote, huh -- "# in thousands."

    3. Re:4 million, you say ... by Anonymous Coward · · Score: 1

      There's a footnote, that says "number in thousands." You fucking idiot.

      I think the point he was making is that it implies that more or less ALL federal employees are affected by this. Do try to keep up, you fucking idiot.

    4. Re:4 million, you say ... by Anonymous Coward · · Score: 0

      ... take a look at the bottom of this page.

      Total Federal personnel (thousands) = 4,185

      this includes contractors (like I was).

    5. Re:4 million, you say ... by Anonymous Coward · · Score: 0

      Most of them are sharks with lasers on their heads.

  13. More people than employees are in that DB by Anonymous Coward · · Score: 1

    OPM manages a lot of stuff for government contractors too.

    For instance, OPM is a "central point" for things like background checks for security clearances.

  14. 4 million government employees! by mi · · Score: 2, Insightful

    Trying to think, what the guys like Benjamin Franklin or Thomas Jefferson would've said, had anybody told them, that a mere 200 years later the Republic they founded will have millions of Federal-government employees and that the collective spending of governments will dance around 50% of the nation's GDP...

    Oh, some of those aren't employees, but are contractors. Sure, that changes everything...

    --
    In Soviet Washington the swamp drains you.
    1. Re: 4 million government employees! by ZeroWaiteState · · Score: 1

      Hamilton would have been delighted, sadly.

  15. They should consider encryption by ZeroWaiteState · · Score: 2

    I mean, I know only pedophiles and terrorists use encryption in those Dark Places of the internet, but they might consider at least giving it a try, if only on a temporary basis.

  16. give and take by bugs2squash · · Score: 1

    sigh ! one more story about fecklessness with people's personal details. I understand they may have stolen a bunch of clearance records, but how many new clearances did they upload ?

    --
    Nullius in verba
    1. Re:give and take by Anonymous Coward · · Score: 0

      it's also who has security clearances and visited China, as well as the immigration information of countries that China has access to, and who with clearances can be impersonated. It's also the closest thing to finding out who works for the government without getting access to the paper personnel records that are kept underground and guarded.

  17. Should we be so concerned with what they took? by tlambert · · Score: 3, Insightful

    Should we be so concerned with what they took?

    How about we be a little more concerned with what they inserted?

    I wonder how many Ministry of State Security agents are now vetted for U.S. high security clearances?

    1. Re:Should we be so concerned with what they took? by Anonymous Coward · · Score: 0

      Very good point. If I had a mod-point, it would be yours now.

    2. Re:Should we be so concerned with what they took? by Gilgaron · · Score: 1

      It isn't like you get a badge that says "show me your secret stuff!" that you can wave around to random people. You'd need to insert records into innumerable other locations to create a sufficient e-paper trail to pass the background check, in addition to actually getting a job where you'd have a need to know whatever it was you were after. This alone isn't even enough to get a passport.

    3. Re:Should we be so concerned with what they took? by Anonymous Coward · · Score: 0

      "Should we be concerned?"

      Have you ever had to do an OPM request? Those things have every single tiny bit of information there is about you and your family. Every address you've ever lived at, everywhere you've ever worked, your SSN, your parents' SSNs, your wife's and kids' SSNs, your entire credit history, your criminal history, I mean absolutely everything there is to know about you is in OPM. And this isn't even accounting for the espionage, kidnapping, and identity implications at stake here by individuals targeting cleared workers. This is a very, very big deal.

  18. Don't worry you will pay for credit monitoring. by trout007 · · Score: 3, Informative

    This happened before when one of NASA's HR people left their laptop with every employee's information in an unencrypted file in their car and it was stolen. We got 2 whole years of credit monitoring.

    --
    I love Jesus, except for his foreign policy.
  19. the solution by Anonymous Coward · · Score: 0

    mainframe surrounded by servers in an underground building, EMP protected, with no windows, personal fingerprint and retinal log-in and ident.
    and most important of all NOT NETWORKED, data sneakernet with armed couriers if need be. Maybe that would do the trick.

  20. No proof it was China by Anonymous Coward · · Score: 1

    The US Government claims it was China, but has offered no evidence. We should not just assume the US Government is telling the truth, because it seldom does.

    If I had to venture a guess, I would suspect Israel long before I suspected China. Israel is no friend to the US, and is keenly interested in developing enemy lists. This would fit very well with those initiatives.

  21. I blame affirmative action by mix_left_and_right · · Score: 0, Troll

    as a federal govt worker, I can assure you that affirmative action is to blame for this. If you only knew how bad it is in the fed govt. If you only knew. The blacks don't really have to work much. And management makes white workers do the blacks' work. And the software, OMG, the software. They give minorities the jobs writing the specs. And god it is an unholy mess.

    1. Re:I blame affirmative action by Anonymous Coward · · Score: 0

      as a federal govt worker, I can assure you that affirmative action is to blame for this. If you only knew how bad it is in the fed govt. If you only knew. The blacks don't really have to work much. And management makes white workers do the blacks' work.

      And the software, OMG, the software. They give [people with poor english skills] the jobs writing the specs. And god it is an unholy mess.

      (small correction)

      I see the parent comment is modded troll. Technically it's flamebait, since this is an actual opinion of some federal employees.

  22. Are the Chinese working for Islamic State? by Anonymous Coward · · Score: 0

    Remember the revelation of the name of US military personnel by a self proclaimed Islamic State Hacking Division ?

    http://www.military.com/daily-...

    Are the Chinese working for Islamic State terror group?

  23. NSA? by Anonymous Coward · · Score: 0

    Doesn't the USA have some sort of national agency, to protect the information security of the country, against foreign attacks ? Too busy intercepting dick pics and spying on ex's I suppose ...

  24. Re:Governments of the World Agree: Encryption Must by Anonymous Coward · · Score: 3, Informative

    Federal personnel records: Some of the personnel records (the change forms, personnel actions) are stored in an online system which can be accessed online, via a username and password for each employee. A security requirement is that the password has to be changed every 90 days. And for YEARS, whenever the password was changed, the system would send a plain text email that included the new password, "for verification". Complaints about this obvious and basic security breach fell on deaf ears for about four years, until it was finally fixed. This is what we deal with.

  25. It's like a bad joke on a broken record! by Anonymous Coward · · Score: 0

    So, I think that the word we need to get out to the uninformed public is that hackers do not have magic powers that are impossible to defend against. Governments and Corporations responsible for these breaches keep trying to portray the hackers as if they were mad-men flying planes into buildings. How can you stop a fully loaded 747 flying at 800mph right?!?!

    But that's not the case. Every single one of these breaches has been the result of mistakes made by the organization that was attacked, as trivial as leaving keys in the lock of your safe with a big sign that says "Money inside!" These agencies and companies could easily, and with little monetary investment, make breaches like this nearly impossible.

    In most cases the mistakes aren't even technological, they're institutional. Usually those attacked had well qualified security folks on staff who were doing their best to prevent the attack. But when the "VP of operations" (or whatever) comes in and says "The project is late, everyone's telling me it's because your department is insisting on two factor authentication. I'm going to sign off on that and we're going to move forward" there's not much they can do.

    Look at the Sony attack. You had executives of the company sitting there with the entire company's financial records down to the penny sitting on their Windows desktop... WHILE their security department was telling them the entire network had an active virus infection running rampant. Basically nothing happened to any of the people responsible.

    Heads must roll. Lots of them. This kind of cra... no, fuck it. (CAPS LOCK and salty language modes ***ENABLED***) This kind of SHIT is FUCKING unacceptable. WHY THE FUCK was this information STORED on computers connected to the internet? We need a shakeup of all the stupid, worthless fuckups who made it possible to steal this information in the first place.

    At the very least, the information should not have been stored in a way that could be viewed, it should be hashed like passwords with a very strong algorithm, that way when you're talking to the person in question, and he tells you his SSN is 123-45-6789 and he was born 1/1/80, you aren't looking at a copy of that information on a screen. You ENTER that information, and the computer tells you either YES or NO that that matches the database. Storing them in plain text or even encrypted, (where if you have the key, you have the plain text,) is stupid. No copy of it should be stored where another computer can connect to it. EVER. What a bunch of fucking ass-clown amateurs. Really.

    If this shit were LOCKED UP, instead of floating around in the cloud, (or on internet-connected computers, which is basically the same thing, from the hackers' point of view,) this COULD not have happened, at least not this way, not with impunity, not with anonymity. This level of incompetence CANNOT go unredressed.

    We should do several things, starting IMMEDIATELY: 1. We need a LAW passed to stop all identity theft. It starts with this: If you are a bank, credit union, or other financial organization, and you OPEN, START, INITIATE, or in any other way COMMENCE doing business with ANYONE whose identity you haven't verified with MULTIPLE official documents, IN PERSON, you are committing a 1st DEGREE FELONY, and the person opening, (etc.) the account, that person's supervisor, all the way up to the CEO will go to fucking PRISON. Or if that's too draconian, then just say if you cannot PROVE you verified, you cannot contact, harass, sue, pursue in any way shape or form, nor report adverse information on said person to any reporting agency of any kind, when the individual concerned DOES NOT pay you back.

    So if you go online, apply for a credit card, and you get it, and go buy $50,000 worth of stuff, and they can't prove that they met you IN PERSON, IN THE FLESH, and that they verified you are whom you say you are, they're out $50,000 and the fact that that happened, any such losses, must be r
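The "hash it like a password, then answer only yes or no" idea in the comment above, worked through as an added example in Go. This is an editor's illustration, not code from the original post or from any OPM system, and everything in it is an assumption of the example: the sample SSN and birth date are constructed, the pepper stands in for a secret that would live in an HSM or KMS, and the function names are hypothetical. It shows the caveat a practitioner would raise before adopting the scheme: a Social Security number has only 10^9 possible values, so an unkeyed hash of it, however strong the algorithm, is recovered by enumerating candidates against the stolen table. What makes a verify-only store hold up is a secret key kept apart from the database (HMAC-SHA256 here) that the yes/no check then uses in constant time.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is all a verify-only service keeps per person: no SSN, no date of
// birth, just a per-record salt and a keyed tag over those attributes.
type Record struct {
	ID   string
	Salt []byte
	Tag  []byte
}

// canonical normalises the attributes so enrolment and verification hash
// the same bytes ("123-45-6789" and "123456789" must agree).
func canonical(ssn, dob string) string {
	digits := strings.NewReplacer("-", "", " ", "").Replace(ssn)
	return digits + "|" + strings.TrimSpace(dob)
}

// UnkeyedHash is "hash it like a password" taken literally: SHA-256 with no
// secret. It is here only to be broken.
func UnkeyedHash(ssn, dob string) string {
	sum := sha256.Sum256([]byte(canonical(ssn, dob)))
	return hex.EncodeToString(sum[:])
}

// BruteForceUnkeyed recovers the SSN behind an unkeyed hash by enumerating
// the 10^9 candidates in order; the birth date is assumed known (it sits in
// the same stolen record). maxTries bounds the search for the demo. It
// returns the SSN found and the number of hashes computed.
func BruteForceUnkeyed(target, dob string, maxTries int) (string, int) {
	for n := 0; n < maxTries; n++ {
		cand := fmt.Sprintf("%03d-%02d-%04d", n/1000000, (n/10000)%100, n%10000)
		if UnkeyedHash(cand, dob) == target {
			return cand, n + 1
		}
	}
	return "", maxTries
}

// keyedTag is HMAC-SHA256(pepper, salt || attributes). Without the pepper an
// attacker holding the table has nothing to compare candidates against.
func keyedTag(pepper, salt []byte, ssn, dob string) []byte {
	m := hmac.New(sha256.New, pepper)
	m.Write(salt)
	m.Write([]byte(canonical(ssn, dob)))
	return m.Sum(nil)
}

// Enroll creates the stored record. pepper is the secret held outside the
// database (HSM/KMS); it must never be stored next to the records.
func Enroll(pepper []byte, id, ssn, dob string) (Record, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Record{}, err
	}
	return Record{ID: id, Salt: salt, Tag: keyedTag(pepper, salt, ssn, dob)}, nil
}

// Verify answers yes or no in constant time; nothing stored is ever shown.
func Verify(pepper []byte, r Record, ssn, dob string) bool {
	return subtle.ConstantTimeCompare(r.Tag, keyedTag(pepper, r.Salt, ssn, dob)) == 1
}

func main() {
	pepper := []byte("constructed demo pepper; a real one lives in an HSM")
	ssn, dob := "000-00-4321", "1980-01-01" // constructed sample; low SSN so the demo finishes fast

	rec, err := Enroll(pepper, "emp-0001", ssn, dob)
	if err != nil {
		panic(err)
	}
	fmt.Println("correct attributes verify:", Verify(pepper, rec, ssn, dob))
	fmt.Println("wrong SSN verifies:       ", Verify(pepper, rec, "000-00-4322", dob))
	fmt.Println("stolen table, no pepper:  ", Verify([]byte("guess"), rec, ssn, dob))

	found, tries := BruteForceUnkeyed(UnkeyedHash(ssn, dob), dob, 1_000_000)
	fmt.Printf("unkeyed SHA-256 of the same SSN cracked: %s after %d hashes\n", found, tries)
}
```

The brute force is bounded and the sample SSN is deliberately low, so the demo finishes in milliseconds; over the full space one core gets through the 10^9 SHA-256 candidates in tens of minutes and a GPU in far less, which is why a slow password hash such as bcrypt only buys a constant factor here and a secret key is what actually changes the picture. This layout also only fits a system that never needs the SSN back; payroll and tax reporting do, so those copies need key-managed encryption and access controls rather than a hash.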

  26. deres ebil haxx0rz in de HR department by Anonymous Coward · · Score: 0

    nobody sees the difference with the usual folks found in HR

  27. Letter To Bruce Schneier by Anonymous Coward · · Score: 0

    I just sent an Email to Bruce Schneier on this issue and I guess it makes sense to add it to this discussion:

    Hello Bruce,

    I see you recently took part in the crypto and cyber war discussion.

    I think it is important to look at history: Military Intelligence/General Staffs have been covertly reading letters probably since letters were sent by courier. Something like 1550 A.D. or probably earlier. The U.S. general staff were reading telegrams since the 1920s. The Austrian Empire had a "black chamber" for covertly opening and re-sealing letters 200 years ago. So did the British and the Russians. Maria Stuart was sentenced to death on the basis of an opened letter sent to an agent provocateur. The U.S. gained a superior negotiating position by reading ciphered Japanese telegrams in the 1920s in the fleet size limitation talks.

    Now, I am quite positive we COULD design+build un-hackable operating systems, CPUs, USB-like interfaces, ethernet interfaces, RAMs and so on. See the L4 operating system, which attempts to prove correct the entire operating system kernel. INRIA has attempted to mathematically prove correct a C compiler.

    Also, we need to get rid of using the C language ASAP. In practical use it is a hellhole of insecurity. Both Apple and Mozilla are doing excellent work with the Swift and Rust languages. These languages are "memory safe", which eliminates about 50% of exploits in the CVE database.

    BUT - if there were a truly secure computer/OS/compiler on the free market, this would enable everybody to build encrypted communications endpoints a.k.a. "cipher machines". The U.S. general staff would be mightily offended by millions of Arabs having a "strong" cipher machine in their homes. So they currently facilitate the subversion of the Windows, Linux, OSX, iOS, Solaris kernels by covert means (double-paid software engineers in these projects).

    We all know this is a dangerous thing and the "cyber war domain" is essentially un-controllable.

    Still, we need to address the "strong cipher machine" issue, or they (governments/general staffs) will continue to subvert commercial IT systems.

    So maybe "key escrow" would not be too bad a thing after all. Because that would enable the respective(!) national intelligence/police agencies to look into communications without having to resort to making operating systems and hardware insecure.

    For example, if you make an HTTPS connection from America to Egypt, both NSA and Egypt intelligence would get a copy of your HTTPS session key. It would be encrypted once with the public key of NSA and once with the public key of egypt's intelligence service. Both key-cryptograms would be sent along with the HTTPS session.

    If you sent a message inside Germany, only the BND or BKA (something like the FBI) would receive your HTTPS session key.

    As long as the IT thinkers are dogmatic about this issue, the government will simply run over our interests.

    Kind regards

    XXXXXXXXXXXX
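The escrow exchange the letter proposes (session key wrapped once per jurisdiction and sent along with the session), written out as an added example in Go. This is an editor's illustration, not the letter writer's code and not any deployed escrow scheme; the agency names are just map keys, RSA-OAEP for wrapping, AES-256-GCM for the session and the OAEP label are assumptions of the example, and the keys and message are constructed. Beyond the happy path it shows the classic objection to this design: a passive escrow holder cannot tell from the blob whether it really contains the session key, so a client that wraps a random key instead keeps talking to its peer normally while the agency's unwrap yields a key that fails the GCM tag check. It also makes visible that each agency private key decrypts every session ever escrowed to it, which is the single point of compromise an HSM-backed deployment would have to defend.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Session is one escrowed session as the letter sketches it: AEAD ciphertext
// plus one copy of the (claimed) session key wrapped for each jurisdiction.
type Session struct {
	Nonce      []byte
	Ciphertext []byte
	Wrapped    map[string][]byte // agency name -> RSA-OAEP(escrowed key)
}

// oaepLabel is a hypothetical domain-separation label, an assumption of this example.
var oaepLabel = []byte("session-key-escrow")

// NewSessionKey returns a fresh 256-bit AES key.
func NewSessionKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Send encrypts plaintext under sessionKey and attaches escrowKey wrapped for
// every agency. An honest client passes the same key twice; a different
// escrowKey models a client lying to the escrow, which nothing in the blob reveals.
func Send(plaintext []byte, agencies map[string]*rsa.PublicKey, sessionKey, escrowKey []byte) (Session, error) {
	aead, err := newGCM(sessionKey)
	if err != nil {
		return Session{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Session{}, err
	}
	s := Session{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil), Wrapped: map[string][]byte{}}
	for name, pub := range agencies {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, escrowKey, oaepLabel)
		if err != nil {
			return Session{}, err
		}
		s.Wrapped[name] = w
	}
	return s, nil
}

// Receive is the peer: it already holds sessionKey from the handshake and
// never looks at the escrow blobs.
func Receive(sessionKey []byte, s Session) ([]byte, error) {
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, s.Nonce, s.Ciphertext, nil)
}

// AgencyRead is what an escrow holder does with a captured session: unwrap its
// copy of the key and decrypt. The GCM tag check is what exposes a lying client.
func AgencyRead(name string, priv *rsa.PrivateKey, s Session) ([]byte, error) {
	w, ok := s.Wrapped[name]
	if !ok {
		return nil, errors.New("no escrow copy for " + name)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, oaepLabel)
	if err != nil {
		return nil, err
	}
	return Receive(key, s)
}

func main() {
	// Constructed demo keys for the two jurisdictions in the letter's example.
	nsa, _ := rsa.GenerateKey(rand.Reader, 2048)
	egypt, _ := rsa.GenerateKey(rand.Reader, 2048)
	agencies := map[string]*rsa.PublicKey{"NSA": &nsa.PublicKey, "Egypt": &egypt.PublicKey}
	key, _ := NewSessionKey()
	msg := []byte("constructed sample message from America to Egypt")

	honest, _ := Send(msg, agencies, key, key)
	got, err := AgencyRead("NSA", nsa, honest)
	fmt.Printf("honest client, NSA reads:   %q err=%v\n", got, err)

	fake, _ := NewSessionKey()
	cheat, _ := Send(msg, agencies, key, fake)
	got, err = Receive(key, cheat)
	fmt.Printf("lying client, peer reads:   %q err=%v\n", got, err)
	_, err = AgencyRead("Egypt", egypt, cheat)
	fmt.Printf("lying client, Egypt reads:  err=%v\n", err)
}
```

Closing the bypass needs the receiving endpoint to refuse sessions whose escrow blobs it cannot validate, which means every client, server and middlebox in the world enforcing the escrow format; that enforcement, not the cryptography, is where such proposals have historically failed.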

    1. Re:Letter To Bruce Schneier by Anonymous Coward · · Score: 0

      Also, we need to get rid of using the C language ASAP. In practical use it is a hellhole of insecurity. Both Apple and Mozilla are doing excellent work with the Swift and Rust languages. These languages are "memory safe", which eliminates about 50% of exploits in the CVE database.

      HAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA!

  28. identity is for the rest of your life by ImWithBrilliant · · Score: 1

    Only 18 months of monitoring from this, and 24 from Anthem. Keep your 2017 schedule open.

    --

    Is it a rule, that there's an exception to every rule?

  29. From a personal point of view: by iceworks · · Score: 1

    I worked for DHS so here is my personal viewpoint. This breach has huge implications. The first of which being that your 10 year background check covers EVERY aspect of your life, opening the way for those 4 million that were hacked to face identity theft. The info that is stored about you covers every single security question you might be asked to prove your identity. Mother's maiden name, check. Elementary school you attended, check. Every address you've lived at over the last 10 years, check - etc. The possibility of mass identity theft on a scale never seen before is very high. Second, the data was so thoroughly researched and confirmed to be accurate that it could be used in such a way to create a National Security nightmare. (There should be some sort of scale for type of data stolen - this would be considered rich data.) Since no rock was left unturned during your employment validation - i.e. foreign contacts, the cause of your divorce, and status of your relationship with said people - it would be extremely easy to create a false identity based on this information that could have up to Top Secret Clearance. Also, since the government is employing so many contractors at this time, one could use this false identity to work in some of the most covert programs in the US. (Look at the access Edward Snowden had.) Third, those whose data was hacked will now probably face increased scrutiny in other countries when (not if) this data goes public. For instance, if you have some sort of elevated clearance why wouldn't someone like (fill in the blank with a Nation that wants to cause issues with the US, Russia or China perhaps) question your reasons for being in their country? Your list of foreign contacts you give during your interview process might also be a risk in the near future if your status with the US government goes public.

    1. Re:From a personal point of view: by Kythe · · Score: 1

      It really depends. Initial news stories are that it *doesn't* include BI/clearance investigation material. I really sort of hope that's true.

      Not that I think breach of *that* material will never happen (when, not if).

      Hate to say it, but regardless, this is a pretty serious breach of trust on OPM's part. It's difficult to secure systems. It's not impossible.

      --

      Kythe

  30. And yet the NSA knows nothing... by tekrat · · Score: 1

    With their billions of petabytes of data, they still didn't see this coming or actually know who did it. The FBI treats identity theft as a LOW PRIORITY crime; they usually advise you to get credit monitoring and then they do zero to catch the criminals.

    Mark my words: Nothing will be done. BAU. Our government's policy is "you are on your own", unless you were attacked by a Muslim terrorist, in which case, they will spend trillions on security theater.

    --
    If telephones are outlawed, then only outlaws will have telephones.

    1. Re:And yet the NSA knows nothing... by ScentCone · · Score: 1

      ... or actually know who did it.

      Other than the fact they've said who did it. Other than that part.

      --
      Don't disappoint your bird dog. Go to the range.

  31. Corporations take note by Anonymous Coward · · Score: 0

    Since we're talking about the USG, we can probably blame it completely on incompetence.

    Remember, however, while utilizing H1B workers will allow you to cut your labor costs in the short term, it does come with a bit more risk than locally sourced (read that: full wage) employees.

    That risk being: The inside threat.

    Your network security might be good, but if you have employees actively working against you from the inside, you're going to get hacked again and again. Folks who have a nice paying job will think twice before doing something to jeopardize their career. That's a lot of potential future earnings to put at risk. Folks who are paid a fraction of what they should be paid don't quite have the same morals or ethics.

    There's a reason your financial situation is taken into consideration when you hold a security clearance. Experience has shown that those who have financial troubles tend to be a bit less trustworthy, especially when someone flashes a lot of cash at them.

    Captcha: Hazards

  32. Great by Anonymous Coward · · Score: 0

    ...arguments you have. Do we call it "epileptic seizure"?

  33. BREAKING NEWS !!! by Anonymous Coward · · Score: 0

    http://www.shortnorthgallery.com/_Misc_Media/Einstein.jpg

  34. what about Acxiom by Anonymous Coward · · Score: 0

    Most of this information is available from credit reporting agencies and/or data aggregators like Acxiom. Relatives are all "public records". Employment, etc., that's all in your extended credit report.