SF86 Data Captured In OPM Hack
Etherwalk writes: The security clearance process in the United States includes filling out the 127-page SF86 form, which includes things like the citizenships of all your relatives and housemates, foreign contacts and financial interests, foreign travel, psychological and emotional health, illegal drug use, and many other matters. The recent breach by the Chinese Government apparently included that information for all executive employees up to cabinet level. It's pretty much a gold mine for intelligence work and social engineering of any kind.
This happened to the USofA... guess what happened to your favorite country?
SF86? Is that some 8086 variant?
The top 1% and the NSA now have competition, maybe that will be a good thing.
So, what exactly do they mean by "breach". Someone got into some systems? Once there, did they take copies of data? That's a lot of data. Why didn't anyone see the mass exodus of gigabytes? The weasel worded breathless media reports are just dripping with a lack of specificity and reek of "omg phear the evil hackerz!" - they feel more designed to generate fear than inform. I view the whole thing with a jaundiced, skeptical eye.
Sacred cows make the best burgers.
it's Out There. All of it.
The SF86 data is essentially designed to track and identify every aspect of federal employees lives and backgrounds which would make them a target of extortion or blackmail by foreign intelligence.
Instead of keeping those records in distributed and isolated/compartmentalized silos (where the scope of any individual security failure would be non-catastrophic), where the cost-to-benefit ratio of data exfiltration was much less attractive, they consolidated all of this data in one place where a single chink in the armor would allow an adversary to acquire the sum total knowledge in existence of their entire classified documents workforce...
TLDR: Morons put the 2nd largest and most expensive collection of blackmail material in the history of mankind (The Vatican "Archives" being the obvious #1) in a single place behind a padlock ("hacker proof security" seems about as elusive to find in the wild as Bigfoot) and then act shocked when they essentially gift wrapped a knife to cut through the fog of war for APT.
The ironic implication of this now is that the best defense against security threats is to disqualify anyone who had a security clearance previously from owning one and either:
A) Clean slate. Go back to the old way of doing things (until this happens again) and get a fresh batch of leverage, err... I mean "federal employees".
or
B) Abolish the idiotic system entirely. The spying incidents which the system was designed in reaction to were conspicuously absent of any spies who would have failed the background check process.
Get rid of ITAR/USML while you're at it!
Hell, why not just say "fuck it"?
Take the MAD approach and open source everything. When Predator drones are being 3d printed in people's basement the tree of liberty should get watered way more often.
Maybe without the illusion of secrecy, the nonsense secret squirrel playground games which caused WWII and WWIII will finally stop. While China is embroiled in a domestic insurgency/civil war America can laugh all the way to the bank.
So.... China now has copies of all the self-volunteered information of every employee who ever got a security clearance. Maybe if our country didn't use security clearances SO MUCH this wouldn't be a huge deal, but we are talking about 40 million Americans. When the government snoops on you, it has consequences -- like China having your information.
Meanwhile, the whole security clearance game is really just a front for discriminating against people who have the wrong opinions and lifestyles anyway. I mean really - they denied a transwoman a clearance because "nobody had a history of knowing her", only "him". Really? But they didn't actually deny it, because then you'd have due process rights. They just let it sit forever. Fuck those assholes. They deserve to have their data stolen.
Sincerely,
Developer kicked off JPAS replacement project
Nothing, honey. Because he simply can't do anything about it, just like any republican candidates if they were in his position. Over the last decade the Chinese have widely proven that they have better cyberwarfare capabilities than the US. In general, you should start realizing the fact that you don't live in the "most powerful nation on earth" anymore. It's China now.
If it was that valuable, maybe they shouldn't have had it accessible to the fucking internet?
Just sayin'. You walk through the bad part of town flashing mad bank don't act surprised when you get jacked.
Hey I thought OPM stood for Other People's Money.
Most words, anyway.
Holy... Deleted... Expletives...
"U.S. officials privately said China was behind it."
Which officials, and why won't they speak on-record? Because they know that, stupidly, they've said that cyber-attacks could be seen as an act of war. And none of them are stupid enough to directly declare war on China on the basis of fuck-all evidence beyond "we got hacked, looked like the last hop had a whois somewhere in China".
This isn't enough to put in the papers, this isn't enough to act upon, but fuck if the US won't let *that* stand in their way.
You have NO WAY of knowing whether China are doing this, officially or not. When you do, you can make news stories and bring it up in international committees. Until then, it's some Chinese kid who's found a good source of credit card data to buy some Steam games for all the fuck you know.
Dickheads like these "officials" are either a) trying to put so much implication into people's heads that people just assume you ARE at war with China or b) have fuck-all to go on and speak carelessly and dangerously.
I'm not American, nor Chinese. But, fuck, this is a slippery slope if every time some hacker in Beijing touches your systems you're going to cry wolf and accuse China of officially stealing sensitive data.
What's the matter? Been too long since you had a decent enemy who could shoot back?
Really, no reason whatsoever to believe the government of China did it. Lots of others with more motive, for instance.
So if someone uses an ip "located" in the US is the US government responsible? Obviously not. Even if it were a known government ip, the likelihood is just as great (actually greater) that it was just a hacked machine being used by someone else.
Don't give the lay public the idea that WE HAVE ANY FUCKING IDEA "WHO" did this, we don't.
With security like this, who needs Snowden?
Depends. Maybe that information was hosted on a Clinton public server...
The NSA has been hacking pretty much everybody in the world and their little sister, so nobody should be shocked when the same thing happens to us.
The real kicker is the perennial lecture from clueless politicians about how we should put back doors into all our private sector encryption so law enforcement can take a peek whenever it likes. Because our information will be safe with the government. *snort*
Doubtful. The OPM has been negligent in this area for decades. And they are not the only agency.
A bottom-to-top review and security renovation is critically needed, and should cost closer to $100Bn than not if it's done right. Everything, from .mil and DOD to mainline agencies and even .gov customer service sites, everything.
And not a review. A complete reimagining and reinstallation.
Not going to happen in this Administration, as they fear any analysis.
The fiasco of our former Secretary of State running a private server at their own residence for official email is an example of the utter and total lack of actual information security in our government, a situation that is (or should be) intolerable.
But, politics.
deleting the extra space after periods so i can stay relevant, yeah.
The folk at OPM should have been well aware that someone, somewhere would really like to get their hands on that information. The lack of protection mentioned in the news around OPM records is simply hilarious.
You'd think that the sort of data that OPM stores would be kept on air-gapped machines in a prepper's-fantasy facility without cell phones, under a mountain, etc... but no, that would be too logical. Instead, they may as well have stored the stuff on a public library computer.
Whoever hacked OPM is not only laughing themselves silly at all the stuff that is in those files, they also have job security for the next 20 years to sift through 14 million records. Well done, OPM!
Unfortunately, the next likely step by the government will be to augment OPM's budget 500%, just as with all the other agencies that failed the US population repeatedly. We only have ourselves to blame, we voted them into those positions in the first place.
... you're placing this at the feet of Republicans and Democrats when you don't know bullshit from wild honey.
OPM is not a fucking Super PAC.
It's the government. It's federal employees, managers, administrators, people who, by and large, are not subjected to turnover.
You're not going to solve this with the goddam vote.
Go home.
It little behooves the best of us to comment on the rest of us.
No, it's sulfur hexaoctacontafluoride.
For those with data stored by the OPM: you are entitled to a free copy. They have a special FOIA form to fill out to request your records. You may find that additional agencies have records too that can be gathered with separate FOIA filings.
"The recent breach by the Chinese Government apparently included that information for all executive employees up to cabinet level."
No, OPM is only one of many investigative service providers in the US. At the risk of overgeneralizing, they do investigations for the competitive service and the military. The civilian intelligence community and Federal law enforcement agencies typically do their own investigations. The FBI investigates any appointee to be confirmed by the Senate. These agencies only report minimal information to OPM, and some of them don't report at all. It's possible for an LEO, IC employee, or cabinet member to go through their whole career without an OPM investigation.
If the NSA spent their time making the cyber defenses of this country stronger instead of making it weaker with compromised encryption, rampant back doors, etc., there's a good chance this data breach would not have happened.
He's probably referring to the amount of bandwidth used to move the data. Honestly someone should have been watching for mass uploads or downloads.
The breach occurred in December, was detected IIRC in April. Plenty of time to move data slowly and prioritize what you take, making you less likely to show a bandwidth spike.
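The point about slow exfiltration evading a bandwidth spike check can be shown with a detection comparison. This is an added example, not code from the thread or from OPM; the host name, addresses, byte counts and the 120-day window are constructed sample data, and both thresholds are assumptions.

```python
"""Compare a per-hour bandwidth spike check with a rolling cumulative
per-destination egress check on constructed flow records."""
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1_000_000
GB = 1_000 * MB


def build_sample_flows():
    """Constructed flow records: (timestamp, src_host, dst_ip, bytes_out).
    Host, addresses and volumes are made up for the example."""
    flows = []
    start = datetime(2014, 12, 1)  # four months, like the Dec-to-Apr window in the thread
    for day in range(120):
        # Legitimate: three 50 MB report pushes per day to a known partner.
        for hour in (9, 13, 17):
            flows.append((start + timedelta(days=day, hours=hour),
                          "hr-db-01", "198.51.100.10", 50 * MB))
        # Low-and-slow copy: 20 MB every hour, around the clock, to one
        # unfamiliar external host. No single hour looks unusual.
        for hour in range(24):
            flows.append((start + timedelta(days=day, hours=hour),
                          "hr-db-01", "203.0.113.7", 20 * MB))
    return flows


def hourly_egress(flows):
    """Sum bytes per (src, dst, hour bucket)."""
    buckets = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        buckets[(src, dst, hour)] += nbytes
    return buckets


def spike_alerts(flows, per_hour_limit):
    """Naive detector: flag any (src, dst) with one hour above the limit."""
    return {(src, dst) for (src, dst, _), total in hourly_egress(flows).items()
            if total > per_hour_limit}


def rolling_egress_alerts(flows, window_days, window_limit):
    """Flag (src, dst) pairs whose egress within any window_days-long window
    exceeds window_limit, no matter how evenly it was spread out.
    Returns {(src, dst): peak_window_bytes}."""
    daily = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, nbytes in flows:
        daily[(src, dst)][ts.date()] += nbytes
    alerts = {}
    for key, per_day in daily.items():
        days = sorted(per_day)
        running, left, peak = 0, 0, 0
        for day in days:
            running += per_day[day]
            # Slide the window start forward until it spans < window_days.
            while (day - days[left]).days >= window_days:
                running -= per_day[days[left]]
                left += 1
            peak = max(peak, running)
        if peak > window_limit:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    flows = build_sample_flows()
    print("spike alerts (>100 MB/hour):", spike_alerts(flows, 100 * MB))
    for (src, dst), peak in rolling_egress_alerts(flows, 30, 10 * GB).items():
        print(f"rolling alert: {src} -> {dst}: {peak / GB:.1f} GB in 30 days")
```

The hourly check stays silent for both destinations, while the 30-day cumulative check flags only the unfamiliar host at 14.4 GB.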
Some SF86 data has been copied? By definition this data is no longer secret. In the world of intelligence twisted legal logic does not work, such as announcing that the data is still secret and, thus, should remain classified. Beans have been spilled, make a first step and admit it.
The second and last step, in order to prevent blackmail, is to make the data available to the public. Once it is public, nobody can be blackmailed.
"U.S. officials privately said China was behind it."
Which officials, and why won't they speak on-record?
An on-the-record statement is a much bigger diplomatic statement. We don't usually speak on-the-record about the hostile or criminal acts of a foreign power unless we have a very good diplomatic reason to. We know that Putin backs Kadyrov, a thuggish head of state who personally tortures people on exercise equipment and disappears reporters critical of his regime, but it would be unusual to have the White House announce that Putin was doing that. It would also require us to be prepared for the inevitable PR backlash based on US torture at Guantanamo Bay, for example. If we make a public announcement, China is more likely to engage in more severe public criticism of us.
International relations turn out to be more complex than "let's call the other guys on their shit."
Not even slightly practical.
A complete reimaging and installation would require well over 30 petabytes of data to be regenerated (could easily be several hundred - I'm only familiar with one site, and they had over 500 TB 10 years ago, and were growing more than 1TB per week... and that was only for ONE user to do weather modeling).
DISA has been fairly good at identifying attacks. What they aren't good at is keeping insecure systems out of use.
Think they can somehow protect me.... LOL
The word I used was 'reimagining'.
As in 're imagining'.
Please read my posts. Skimming them yields unpredictable results.
Instead, they may as well have stored the stuff on a public library computer.
Thanks, asshole. That is where I keep my financial data. I will have to change that now. Now I will have to store it at Google's "free" data storage "in the cloud." At least it will be secure there.
"So long and thanks for all the fish."
I worked for the government for 40 years and had a top secret clearance. IMHO security clearances were pretty much worthless. I had people working for me that should not have been cleared; however, I had no direct evidence to keep them from obtaining a clearance. They were pretty much a rubber stamp. I expect you could google and find out most of the stuff contained in the clearance (which I never saw).
The recent breach by the Chinese Government
This has been proven conclusively?
"If any question why we died, Tell them because our fathers lied."
So... The US government isn't cool about having its info compromised. I say tough shit for them -- it's nice to see them stewing for a change.
More fallout from the traitor.
SF86 data is extraordinarily sensitive. What they mean is that the attackers made off with a database of the financial problems, drug habits, family problems, hidden crimes, and sex fetishes of anybody that's working on anything sensitive.
Shouldn't that kind of stuff be only on paper, locked inside some kind of... you know... financial problems drug habits family problems hidden crimes and sex fetishes room?
Tabloid fascination with personal problems or consensual crimes, 'sin' for short --- this whole ability to ruin someone by leaking factual information --- is a known vulnerability of the human condition. One no one wants to fix (it involves losing the moral high ground) or even admit that it is a problem. This means past indiscretions can, through blackmail, be used by murderers to conceal their crimes, or even drive a blackmailed sociopath on by degrees, to commit murder. In the best of cases it hands the rudder to the most oafish bullies, for the dumbest of reasons. And some brilliant and capable, even trustworthy people find themselves in shit.
Looks like the USG has handed over it all. Beware, my friend, shit winds are a-comin'
I recommend Peter McWilliams' book AIN'T NOBODY'S BUSINESS IF YOU DO: The Absurdity of Consensual Crimes in a Free Country, placed on the web with the deceased author's permission, to help sort out (culturally) what should be an actionable --- or blackmail-worthy --- crime. Also check out this (failed) submission on the DEA and my suggestion to implement duress codes (like a blackmail canary) into society.
<blink>down the rabbit hole</blink>
Come on guys/gals, it's obvious that this was a honey pot. They didn't catch a bear but I'm sure there are dragon prints all over the place and major laughter from team USA.
Funny how the most respected contributors to Slashdot are being modded down while the Anonymous Coward comment "What hurr durr Obama coward doing!" is just fine. You get the forum you vote for. Enjoy it.
You'd think people would treat data like that as sensitive, but security people are remarkably bad at that. NASA lost a similar data set (at least the PII, and possibly the submitted data for SF85 and SF 85P) when a laptop containing it was stolen from a car in Washington: stolen nasa laptop. They let my personal data get out in that one, now apparently they've done it again at OPM.
Somewhat amusingly, the NASA CIO office had predicted such an incident just a few months before the laptop theft in their newsletter; see page 6 of this pdf: NASA OCIO newsletter
I suspect that for the vast majority of people, the SF86 info is boring and less comprehensive than you would get from a credit report from the big three.
http://www.opm.gov/Forms/pdf_fill/sf86.pdf
Most of it is fairly mundane stuff that is like what you fill out on a job or loan application: where you've lived for the last 7 years, where you've worked (and whether you were fired for cause, or evicted, etc.).
Yeah some is a bit more edgy: who your relatives are (of course, for the most part that is public record, as in birth certificates).
And, of course the oh-so-scary "are you now or have you ever in the last seven years advocated the violent overthrow of the government of the united states" kind of question. I guess if you're in your bunker preparing for Jade Helm 15 that might get you wound up.
And the "have you used illegal drugs in the last 7 years" or "do you have a problem with alcohol" or "have you received mental health treatment (except for PTSD, sexual abuse or assault, or etc.)"
Your credit report and a quick inquiry to the Medical Information Bureau (the private master repository of health care information) would probably answer most of this, except for the generic kinds of "have you done something illegal and not been caught" (i.e. smoking weed) questions.
Well then, if all these employees have done nothing wrong, then they have nothing to hide, do they?
If they have indeed done something wrong, then they should be prosecuted to the full extent of the law.
Problem solved, you're welcome.
Prove anything by multiplying Huge Number times Tiny Number
Obviously air-gapping would help a lot here. However, I hear a lot of talk of encryption, and I don't really see how that would help.
Encryption really only protects data at rest. Encrypting your backup tapes before mailing them to a repository prevents their loss in transit, which is a significant risk.
On the other hand, if I encrypt my hard drive that isn't going to do me any good at all if somebody hacks into the system while that drive is mounted. Personnel records seem at least reasonably likely to be accessed regularly.
To control the USA Federal and the Governments of the States this dataset is ... needful.
We will use it wisely and only blackmail and embezzle those oligarchs for whom their children are at risk of death.
Ha ha
I absolutely read that as reimaging. You said "reimagining and reinstallation", but look at it contextually. You would re-image a drive and re-install. If you were re-imagining you would expect the next word to be at that same "level"- for instance, "reimagining and reimplementing" or something.
It's spelled correctly and works fine, but it's definitely not the best way to communicate it because it segues into that easy misunderstanding- something that wouldn't have occurred to me if I was writing it, either.
And you missed my point.
The entire security process of our federal government needs to be changed, replaced, re-imagined, bottom to top, all agencies, entirely.
Are you still thinking this most recent example is just a problem? Or is it a symptom?
Big picture. Big problem. Solve it all or don't bother.
China flexes their hacking skills while security researchers in the USofA worry they'll be jailed as terrorists by their own government?
Yup, I see no problem here.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
Sheeple are so afraid now to ask which OSen?
NSA trolls infused insecurity weaknesses into microshaft OSen did this.
Sheeple in Amerikkka are so afraid to state the obvious past hundreds of posts to even come close to discussing it.
If the Government can't keep its 'Private Cloud' safe then what the firetruck is all this 'save money put it in the cloud' or an offshore data centre.
The public should wake up that any uber mygov system is like Facebook; expect to be outed (and lucky) if you are told.
I am sure some numbskull brainwashed by power McKinsey and Gartner presentations, said save money centralize, digitalise, cut staff, tick boxes.
Well, the damage is irretrievably done, and the 'Risk' diagram was always hogwash. My bet is the UK will steam ahead to 'publish' their citizens' data just like the UK. What is really galling is compartmentalization has been canned.
What we want to know is who is personally accountable - who actually lost their job out of this - or who was kept on anyway. Nepotism with (now implied blackmail) is just nasty.
Hm? Surely enough to quell the fear. Hm?
You don't care - it don't care - we all don't care. It comes crashing down. SNAFU.
Tanx
Let's have a third Central Intelligence Agency to connect it all together. We can call it Uber Homeland Security to avoid confusion with the second one. Sadly that's more likely than your idea of a complete change because of all the entrenched political appointees from both sides.
We had a chance in 2001/2002 when the CIA was shown to have dropped the ball, but it was led by a guy who was good friends with a cheerleader turned President who didn't have the guts to cut out the dead wood.
They probably already had it. Some bright spark probably got a promotion for outsourcing all the data entry to somewhere overseas as has been done with medical records on occasion.
Yes, it does! What needs to happen is the clueless logic that Compliance (i.e. NIST 800-53, ICD-503, SOX, PCI-DSS, etc) IS Security needs to change.
Compliance != Security
Apparently the OPM was "accredited" under FISMA so that at one point they were "compliant" so that, in government/regulatory speak, means you are secure...
I fail to see any reason to change anything as long as we keep throwing more and more useless and idiotic regulations and compliance mechanisms at the problem, eventually it will be so impossible to do anything, maybe we'll be secure in that we can't even build anything to function...
The problem:
Close enough for govt work apparently isn't.
What was tried.
Hire contractors to secure the systems.
Making it illegal to hack computers.
Go after folks who hack in.
Sweeping the problem under the rug and hope nobody notices.
New plan that might actually work.
Encourage friendly hackers to capture the flag.
Make hacking not only legal, but provide a bounty.
Needs a few ground rules. The hacker can not
1) intentionally damage the system or gather much more info than is necessary to prove that he was there
2) disclose or use the actual information gathered
3) disclose that the system was hacked until after a 30-day private notification that he did
After 30 days, the hacker can disclose what he did and what he got.
This means he could say he got all the SF86's and how, but never the details of the SF86 contents.
The hacker is responsible for securing the information he has gathered and is holding.
I wonder if 30 days is too long. It certainly is not too short if you are interested in fixing the problem
From a national security standpoint, this is a two edged sword.
It would definitely make our information more secure.
It would definitely cause some embarrassment.
Outside the beltway, embarrassment seems a good trade for this security.
These rules may seem draconian, but I suspect they are the only thing that will actually work.
Think of it as crowdsourcing the securing of our national computing infrastructure.
Or an example of something that is better done by the people than the govt.
Of course, to make this happen would require Congress to decide it is the best path among a set of unpleasant options.
Folks, you are missing a major point: if the hack was originated from China, then the brunt of consequences will be on cleared Chinese Americans. You see, most of them still have family members back home, thus they're incredibly exposed to manipulation. And the U.S. is well aware of that. So the government might start dropping those clearances - people's jobs will be in jeopardy.
Do they actually ask people about this stuff or is it the result of background checks?
I would think the right answer for someone working on anything sensitive would be "Sure, I like to smoke pot, I like porn and kinky sex, and I don't give a shit who knows." The person who isn't hiding anything can't be blackmailed.
But I suppose many of these may be family problems -- my wife is a drunk and when she's on a bender I've caught her tag-teaming the Mexican lawn crew, or my son goes down to the park and sniffs bike seats. Or pathological behavior, like the married father of 4 who likes to hit cruising spots to blow other men.
with the deceased author's permission
How does one obtain permission from a deceased author?
Does this data include contractors with security clearance?
Because reasons.
I have worked in the US Uncivil service system. If you wonder how an unqualified person got selected over a qualified one, the evidence is in the SF 86. Now the only data that can be used with certainty is that the SSN is true. Yes, there are many Chinese working in R & D for the .govs; maybe mother China was just looking for her prodigal children.
Exactly. A transformational approach.
Between the questions they ask on SF86 and the medical records that someone grabbed recently . . .
I don't see how anyone could fill out that form without missing something that could be exposed in medical records or a little PI work. Then they are threatened with exposing their error and 5 years in jail.
End MGM. Get prospective parents of boys to Google: Men do complain
I know it's the thing to do these days, to say that President Obama should resign or be impeached, but yeah. This degree of failure indicates a need to replace pretty much the entire federal bureaucracy, from the President right on down the line to the Secretary of Education, and every single person responsible for this nightmare, specifically. Understand this: NIXON resigned over less than this.
For those of you who don't know what all is on an SF 86, as someone who has filled out SEVERAL over a career, let me tell you. They now know pretty much EVERYTHING.
It's not much of a stretch to say that whoever stole this information, now knows as much about everyone who matters in terms of governance, security, the MILITARY, etc., etc., etc., as the NSA does, as the FBI does, as the CIA might, etc. etc. etc.
Just because there are no ships burning in a port does not make this any less than an ELECTRONIC PEARL-HARBOR, or if you prefer, an e-9/11.
Whoever parked ALL THE DATA in the same place should be HANGED, (at least metaphorically,) along with everyone who signed off on that. This is a CAPITAL-F FUCK UP.
What this means, as a minimum, is everyone who's still alive, who has ever tried to get a job with the government, now needs to maintain credit file monitoring for life, as EVERY SINGLE PIECE OF SENSITIVE DATA ON ALL OF US IS NOW THOROUGHLY COMPROMISED, as well as go through and (if they haven't already done so,) change every piece of identification with anyone with which he/she does business.
Will anything be done? Nope. Because this isn't really a democracy, and the government isn't REALLY accountable to us.
Have a great day.