Slashdot Mirror
SF86 Data Captured In OPM Hack
Etherwalk writes: The security clearance process in the United States includes filling out the 127-page SF86 form, which includes things like the citizenships of all your relatives and housemates, foreign contacts and financial interests, foreign travel, psychological and emotional health, illegal drug use, and many other matters. The recent breach by the Chinese Government apparently included that information for all executive employees up to cabinet level. It's pretty much a gold mine for intelligence work and social engineering of any kind.
SF86? Is that some 8086 variant?
So, what exactly do they mean by "breach". Someone got into some systems? Once there, did they take copies of data? That's a lot of data. Why didn't anyone see the mass exodus of gigabytes? The weasel worded breathless media reports are just dripping with a lack of specificity and reek of "omg phear the evil hackerz!" - they feel more designed to generate fear than inform. I view the whole thing with a jaundiced, skeptical eye.
Sacred cows make the best burgers.
it's Out There. All of it.
The SF86 data is essentially designed to track and identify every aspect of federal employees lives and backgrounds which would make them a target of extortion or blackmail by foreign intelligence.
Instead of keeping those records in distributed and isolated/compartmentalized silos(where the scope of any individual security failure would be non-catastrophic) where the cost-to-benefit ratio of data ex-filtration was much less attractive: they consolidated all of this data in one place where a single chink in the armor would allow an adversary to acquire the sum total knowledge in existence of their entire classified documents workforce...
TLDR: Morons put the 2nd largest and most expensive collection of blackmail material in the history of mankind(The Vatican "Archives" being the obvious #1) in a single place behind a padlock("hacker proof security" seems about as elusive to find in the wild as big foot) and then act shocked when they essentially gift wrapped a knife to cut through the fog of war for APT.
The ironic implication of this now is that the best defense against security threats is to disqualify anyone who had a security clearance previously from owning one an either:
A) Clean slate. Go back to the old way of doing things(until this happens again) and get a fresh batch of leverage,err... I mean "federal employees".
or
B) Abolish the idiotic system entirely. The spying incidents which the system was designed in reaction too were conspicuous absent of any spies who would have failed the background check process.
Get rid of ITAR/USML while you're at it!
Hell, why not just say "fuck it"?
Take the MAD approach and open source everything. When Predator drones are being 3d printed in people's basement the tree of liberty should get watered way more often.
Maybe without the illusion of secrecy, the nonsense secret squirrel playground games which caused WWII and WWIII will finally stop. While China is embroiled in a domestic insurgency/civil war America can laugh all the way to the bank.
Hey I thought OPM stood for Other People's Money.
"U.S. officials privately said China was behind it."
Which officials, and why won't they speak on-record? Because they know that, stupidly, they've said that cyber-attacks could be seen as an act of war. And none of them are stupid enough to directly declare war on China on the basis of fuck-all evidence beyond "we got hacked, looked like the last hop had a whois somewhere in China".
This isn't enough to put in the papers, this isn't enough to act upon, but fuck if the US won't let *that* stand in their way.
You have NO WAY of knowing whether China are doing this, officially or not. When you do, you can make news stories and bring it up in international committees. Until then, it's some Chinese kid who's found a good source of credit card data to buy some Steam games for all the fuck you know.
Dickheads like these "officials" are either a) trying to put so much implication into people's heads that people just assume you ARE at war with China or b) have fuck-all to go on and speak carelessly and dangerously.
I'm not American, nor Chinese. But, fuck, this is a slippery slope if every time some hacker in Beijing touches your systems you're going to cry wolf and accuse China of officially stealing sensitive data.
What's the matter? Been too long since you had a decent enemy who could shoot back?
really, no reason whatsoever to believe the government of china did it. Lot's of others with more motive for instance.
So if someone uses an ip "located" in the US is the US government responsible? Obviously not. Even if it were a known government ip, the likelihood is just as great (actually greater) that it was just a hacked machine being used by someone else.
Don't give the lay public the idea that WE HAVE ANY FUCKING IDEA "WHO" did this, we don't.
With security like this, who needs Snowden?
The NSA has been hacking pretty much everybody in the world and their little sister, so nobody should be shocked when the same thing happens to us.
The real kicker is the perennial lecture from clueless politicians about how we should put back doors into all our private sector encryption so law enforcement can take a peek whenever it likes. Because our information will be safe with the government. *snort*
Doubtful. The OPM has been negligent in this area for decades. And they are not the only agency.
A bottom - to - top review and security renovation is critically needed, and should cost closer to $100Bn than not if it's done right. Everything, from .mil and DOD to mainline agencies and even .gov customer service sites, everything.
And not a review. A complete reimagining and reinstallation.
Not going to happen in this Administration, as they fear any analysis.
The fiasco of our former Secretary of State running a private server at their own residence for official email is a example of the utter and total lack of actual information security in our government, a situation that (or should be) intolerable.
But, politics.
deleting the extra space after periods so i can stay relevant, yeah.
You're assuming that the USA has the best cyberwarfare and cyberdefense capabilities. And you're wrong. China, for one, has already widely proven to be better. I wouldn't be surprised if Russia was too, and maybe even some smaller nations, after all North Korea ridiculed a giant american corporation just 6 months ago.
The only times we've ever heard of the US actually doing anything were with Stux and its variants, and that was always after they had done their damage. There really wasn't much of anything else, so there's no real way to know who's better because of the clandestine nature of these operations anyway.
At the very least, we know the Chinese are prolific, but we have no idea if the Chinese are better, the Russians, the United States, the Israelis... heck, maybe the Brits upstaged everyone. It's impossible to know.
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
Most background information is not self-volunteered, it is gathered by FBI agents, etc., at their own discretion.
Worse, this is all gathered to identify risks, especially those such as potential blackmail and extortion opportunities.
Some of these forms will be for employees (or prospective employees) that were denied clearances, because they were at risk. Now the risk is significantly increased, clearance or not.
ps - there are two good reasons to deny clearance to a transgendered individual:
0. Any ambiguity about their identity is a question to completely answer. For what I hope are obvious reasons. Background investigations should show continuity of identity at a minimum .
1. A transgendered individual may indeed have two lives, 'before' and 'after'. Which will they assume after a clearance is granted? An ambiguity that might disqualify someone from at least the highest clearances...
The agencies and branches most demanding of security clearances need no excuses such as bigotry or discrimination to deny clearances to anyone. They can be sufficiently paranoid for a host of other reasons. It may comfort some to accuse them of improper behavior, but it need not be the real reason.. And it's not uncommon to let requests simply lay on the table, unresolved. In some cases, denials might even compromise an agency.
deleting the extra space after periods so i can stay relevant, yeah.
The folk at OPM should have been well aware that someone, somewhere would really like to get their hands on that information. The lack of protection mentioned in the news around OPM records is simply hilarious.
You'd think that the sort of data that OPM stores would be kept on air-gapped machines in a prepper's-fantasy facility without cell phones, under a mountain, etc... but no, that would be too logical. Instead, they may as well have stored the stuff on a public library computer.
Whoever hacked OPM is not only laughing themselves silly at all the stuff that is in those files, they also have job security for next 20 years to sift through 14 million records. Well done, OPM!
Unfortunately, the next likely step by the government will be to augment OPM's budget 500%, just as with all the other agencies that failed the US population repeatedly. We only have ourselves to blame, we voted them into those positions in the first place.
... you're placing this at the feet of Republicans and Democrats when you don't know bullshit from wild honey.
OPM is not a fucking Super PAC.
It's the government. It's federal employees, managers, administrators, people who, by and large, are not subjected to turnover.
You're not going to solve this with the goddam vote.
Go home.
It little behooves the best of us to comment on the rest of us.
Actually we DO know that China was able to hack the US government networks multiple times and retrieve top secret information, including the F-35 blueprints ( www.rt.com/news/223947-snowden-pentagon-china-hack ). We have no proof that the opposite happened.
No, it's sulfur hexaoctacontafluoride.
If the NSA spent their time making the cyber defenses of this country stronger instead of making it weaker with compromised encryption, rampant back doors, etc., there's a good chance this data breach would not have happened.
The % of the background check that is the self-volunteered information isn't important, but the fact it exists and can be very compelling in the wrong hands.
Help Brendan pay off his student loans
He's probably referring to the amount of bandwidth used to move the data. Honestly someone should have been watching for mass uploads or downloads.
The breach occurred in December, was detected IIRC in April. Plenty of time to move data slowly and prioritize what you take, making you less likely to show a bandwidth spike.
Some SF86 data has been copied? By definition this data is no longer secret. In the world of intelligence twisted legal logic does not work, such as announcing that the data is still secret and, thus, should remain classified. Beans have been spilled, make a first step and admit it.
The second and last step, In order to prevent blackmail is to make the data available for public. Once it is public, nobody can blackmailed.
Does the place you work have two or more completely separate networks with no access between the inside & outside ones, requiring you two have two PCs on your desk, one for searching Google for how an API works or posting to /., and another you do your sensitive work work on? Probably not.
After 9/11 there was talk about setting up federal systems this way... clearly that still hasn't happened as once you breach a single PC inside of the corporate network, even if that PC doesn't have access to your target data, it and it's users permissions can be used to climb the ladder to find someone who does have data and use them.
Help Brendan pay off his student loans
"U.S. officials privately said China was behind it."
Which officials, and why won't they speak on-record?
An on-the-record statement is a much bigger diplomatic statement. We don't usually speak on-the-record about the hostile or criminal acts of a foreign power unless we have a very good diplomatic reason to. We know that Putin backs Kaderov, a thuggish head of state who personally tortures people on exercise equipment and disappears reporters critical of his regime, but it would be unusual to have the White House announce that Putin was doing that. It would also require us to be prepared for the inevitable PR backlash based on US torture at Guantanamo Bay, for example. If we make a public announcement, China is more likely to engage in more severe public criticism of us.
International relations turn out to be more complex than "let's call the other guys on their shit."
The word I used was 'reimagining'.
As in 're imagining'.
Please read my posts. Skimming them yields unpredictable results.
deleting the extra space after periods so i can stay relevant, yeah.
I had a minimal security clearance when I was in the military. As a civilian I had to do some work on a government facility and had to fill these papers out again. I am not sure why I had to fill them out as I did not encounter anything that should be secret. Anyhow, I filled out the paperwork (as did several other people) and I did so completely honestly. What I find odd is that I was approved though I did need to go to a couple of interviews. I was completely open about my drug history, my affairs, etc...
"So long and thanks for all the fish."
Instead, they may as well have stored the stuff on a public library computer.
Thanks, asshole. That is where I keep my financial data. I will have to change that now. Now I will have to store it at Google's "free" data storage "in the cloud." At least it will be secure there.
"So long and thanks for all the fish."
I worked for the government for 40 years and had a top secret clearance. IMHO security clearances were pretty much worthless. I had people working for me that should have not been cleared however, I had no direct evidence to keep them from obtaining a clearance. They were pretty much a rubber stamp. I expect you could google and find out most of the stuff contained in the clearance (which I never saw).
The recent breach by the Chinese Government
This has been proven conclusively?
"If any question why we died, Tell them because our fathers lied."
So... The US government isn't cool about having its info compromised. I say tough shit for them -- it's nice to see them stewing for a change.
That's the whole point of self reporting. If they know about it you can't be blackmailed because, well you already reported it. The real value is now you can plan how to approach and try to compromise someone. What will be important is ensuring people report attempts to use the data against them, i. e. traditional counter-intel.
I'm a consultant - I convert gibberish into cash-flow.
SF86 data is extraordinarily sensitive. What they mean is that the attackers made off with a database of the financial problems, drug habits, family problems, hidden crimes, and sex fetishes of anybody that's working on anything sensitive.
Shouldn't that kind of stuff be only on paper, locked inside some kind of... you know... financial problems drug habits family problems hidden crimes and sex fetishes room?
Tabloid fascination with personal problems or consensual crimes, 'sin' for short --- this whole ability to ruin someone by leaking factual information --- is a known vulnerability of the human condition. One no one wants to fix (it involves losing the moral high ground) or even admit that it is a problem. This means past indiscretions can through blackmail, be used by murders to conceal their crimes, or even drive a blackmailed sociopath on by degrees, to commit murder. In the best of cases it hands the rudder to the most oafish bullies, for the dumbest of reasons. And some brilliant and capable, even trustworthy people find themselves in shit.
Looks like the USG has handed over it all. Beware, my friend, shit winds are a-comin'
I recommend Peter McWilliams' book AIN'T NOBODY'S BUSINESS IF YOU DO: The Absurdity of Consensual Crimes in a Free Country, placed on the web with the deceased author's permission, to help sort out (culturally) what should be an actionable --- or blackmail-worthy --- crime. Also check out this (failed) submission on the DEA and my suggestion to implement duress codes (like a blackmail canary) into society.
<blink>down the rabbit hole</blink>
Come on guys/gals, it's obvious that this was a honey pot. They didn't catch a bear but I'm sure there are dragon prints all over the place and major laughter from team USA.
Actually we DO know that China was able to hack the US government networks multiple times and retrieve top secret information, including the F-35 blueprints ( www.rt.com/news/223947-snowden-pentagon-china-hack ). We have no proof that the opposite happened.
You'd have said the same thing about the US/UK cracking Enigma during WW2.
The Chinese might very well be better at this stuff than the US. However, we really have no way of knowing. These sorts of things tend to be covert in nature, and sometimes it is in your interests to brag, and at other times it is in your interests to play your cards close to your chest.
Most background information is not self-volunteered, it is gathered by FBI agents, etc., at their own discretion.
Simply looking at trends around this would be very useful in sneaking moles into government jobs, since it tells you what the FBI typically investigates.
Well then, if all these employees have done nothing wrong, then they have nothing to hide, do they?
If they have indeed done something wrong, then they should be prosecuted to the full extent of the law.
Problem solved, you're welcome.
Prove anything by multiplying Huge Number times Tiny Number
Obviously air-gapping would help a lot here. However, I hear a lot of talk of encryption, and I don't really see how that would help.
Encryption really only protects data at rest. Encrypting your backup tapes before mailing them to a repository prevents their loss in transit, which is a significant risk.
On the other hand, if I encrypt my hard drive that isn't going to do me any good at all if somebody hacks into the system while that drive is mounted. Personnel records seem at least reasonably likely to be accessed regularly.
I absolutely read that as reimaging. You said "reimagining and reinstallation", but look at it contextually. You would re-image a drive and re-install. If you were re-imagining you would expect the next word to be at that same "level"- for instance, "reimagining and reimplementing" or something.
It's spelled correctly and works fine, but it's definitely not the best way to communicate it because it segues into that easy misunderstanding- something that wouldn't have occurred to me if I was writing it, either.
It's not "snooping", you opt into it.
"Most background information is not self-volunteered, it is gathered by FBI agents, etc., at their own discretion."
First, I'm not sure if this is correct. I'd be surprised if the FBI actually gathers info as part of clearance investigations, for instance.
But more importantly, the leak was SF86 data, right? That would be the forms, not every little detail of every mundane investigation.
Ding ding! Obviously this information wasn't valuable at all since these jackalopes did fuck all to secure it right? Say, I wonder if any of those people who have these clearances have family overseas in areas where they might be vulnerable? Think they reported it? Money issues that might be revealed by salary vs debt? The list is ENDLESS but since they placed it on an internet accessible machine it's obvious that the data was worthless to these idiots. I REALLY REALLY think we need to see a head on the chopping block speaking into a large microphone to a large panel of lawyers and congress critters explaining to the 14million some off people why they were so fucking stupid! Even if you don't have a clearance you can easily be impacted by this just by having a friend or a family member that does and mentioned you to someone while they were being investigated. Truly the size of this blunder is beyond measure and I'm dying to see some SOB stand up and give us ANY sort of reason why this data was available on a system that wasn't air gapped. Who designed this steaming pile of shit and who approved it? Pretty please tell us as I bet there about 14million pitchforks and torches warming up somewhere to kick their ass. I want to see NAMES not this airy fairy shit of telling us they're investigating it and OBTW it happened 6 fucking months ago! Incompetent needs to be retired for this one and an entirely new word created just for these tools. Oh but wait they say they will give some sort of credit protection, that's a real comfort to some poor fuck who's elderly parents perhaps live in China or South Korea or any number of places where they might be vulnerable. Maybe it's time for some criminal charges? Gah this makes my head explode!
Build it, Drive it, Improve it! Hybridz.org
And youmissed my point.
The entire security process of our federal government needs to be changed, replaced, re-imagined, bottom to top, alkyl agencies, entirely.
Are you still thinking this most recent example is just a problem? Or is it a symptom?
Big picture. Big problem. Solve it all or don't bother.
deleting the extra space after periods so i can stay relevant, yeah.
China flexes their hacking skills while security researchers in the USofA worry they'll be jailed as terrorists by their own government?
Yup, I see no problem here.
I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
I have no shame. I can not be blackmailed. I am running for a state office and am ramping up to do this. My entire platform (varied) is based on a single piece of paper. One side is everything I have done wrong (major things only). The other side is what I have learned from these experiences.
"So long and thanks for all the fish."
That might just be because the American hacker-spooks are good enough to not get caught. Or it might be because the Chinese retain tighter control of information, so any breaches on their side are not made known to the public - they choose to keep such things secret rather than endure public humiliation of their government.
There was that hack on a Russian oil pipeline control system many years ago that caused a bit of damage. They learned from us what was possible.
Let's have a third Central Intelligence Agency to connect it all together. We can call it Uber Homeland Security to avoid confusion with the second one. Sadly that's more likely than your idea of a complete change because of all the entrenched political appointees from both sides.
We had a chance in 2001/2002 when the CIA was shown to have dropped the ball, but it was led by a guy who was good friends with a cheerleader turned President who didn't have the guts to cut out the dead wood.
They probably already had it. Some bright spark probably got a promotion for outsourcing all the data entry to somewhere overseas as has been done with medical records on occasion.
If somewhere around half the population didn't change their name at some time of their lives you'd have a point.
As for point one, merely moving cities or changing jobs gives a lot of people a 'before' and 'after'.
I seriously doubt that most countries, including mine, have all that data in a digital format. For better or worse, most of the world still runs either on paper forms or no paper trail at all.
An SF-86 is what you fill out if you're getting a security clearance. If it is SECRET level, they pull a credit report, criminal check, and send postcards to your relatives and references asking questions about you.
If it is TOP SECRET they send investigators out to talk to former neighbors, friends and relatives instead of sending a post card. They do a real investigation.
The big question is whether or not the results of those investigations are kept in the system with the forms. You know, sort of one big file on an individual. My best guess would be "yes".
Learning HOW to think is more important than learning WHAT to think.
Yes, it does! What needs to happen is the clueless logic that Compliance (i.e. NIST 800-53, ICD-503, SOX, PCI-DSS, etc) IS Security needs to change.
Compliance != Security
Apparently the OPM was "accredited" under FISMA so that at one point they were "compliant" so that, in government/regulatory speak, means you are secure...
I fail to see any reason to change anything as long as we keep throwing more and more useless and idiotic regulations and compliance mechanisms at the problem, eventually it will be so impossible to do anything, maybe we'll be secure in that we can't even build anything to function...
Folks, you are missing a major point: if the hack was originated from China, then the grunt of consequences will be on cleared Chinese Americans. You see, most of them still have family members back home thus they're incredibly exposed to manipulation. And U.S. is well aware of that. So government might start dropping those clearances - people's jobs will be in jeopardy.
Do they actually ask people about this stuff or is the result of background checks?
I would think the right answer for someone working on anything sensitive would be "Sure, I like to smoke pot, I like porn and kinky sex, and I don't give a shit who knows." The person who isn't hiding anything can't be blackmailed.
But I suppose many of these may be family problems -- my wife is a drunk and when she's on a bender I've caught her tag-teaming the Mexican lawn crew, or my son goes down to the park and sniffs bike seats. Or pathological behavior, like the married father of 4 who likes to hit cruising spots to blow other men.
The standard SF-86 is 127 pages long. You may add continuation pages as needed for additional information.
The form may also be completed online in the eQip system. Instructions here are a bit of fun, especially section 2.
Since the information collected becomes more voluminous and more personal the higher the clearance being requested, the risk and potential damage from disclosure also increases.
deleting the extra space after periods so i can stay relevant, yeah.
Exactly. A transformational approach.
deleting the extra space after periods so i can stay relevant, yeah.
"Most background information is not self-volunteered, it is gathered by FBI agents, etc., at their own discretion."
First, I'm not sure if this is correct. I'd be surprised if the FBI actually gathers info as part of clearance investigations, for instance.
But more importantly, the leak was SF86 data, right? That would be the forms, not every little detail of every mundane investigation.
The FBI doesn't do most of the investigations-- there are various investigating agencies and contractors depending on who you're going to do the cleared work for, but they do indeed do detailed investigations. I've been interviewed a few times for people's investigations, and mostly they ask benign things that you'd be willing to tell anyone (do you know about spouses/partners/dating habits, ever seen the person drink, ever seen them drunk, are they quiet vs. outgoing, do they overshare), but there are probably cases where they get into a lot of personal details if you give them something that might lead down a juicy path.
I don't think the US had anything to do with the Enigma project, despite Mathew McConaghty's movie. If anyone deserves the credit it would be the Polish, French and Great Britain.
Between the questions they ask on SF86 and the medical records that someone grabbed recently . . .
I don't see how anyone could fill out that form without missing something that could be exposed in medical records or a little PI work. Then they are threatened with exposing their error and 5 years in jail.http://yro.slashdot.org/story/15/06/12/2210230/sf86-data-captured-in-opm-hack#
End MGM. Get prospective parents of boys to Google: Men do complain
I don't know the details. I do think that Ultra was more of a UK thing, and Magic was more of a US thing. However, I'm sure there was a fair bit of knowledge sharing going on.