Slashdot Mirror


US Lawmakers Demand Federal Encryption Requirements After OPM Hack

Patrick O'Neill writes: After suffering one of the biggest hacks in federal history at the Office of Personnel Management, the U.S. government is sprinting to require a wide range of cybersecurity improvements across agencies in order to better secure troves of sensitive government data against constant cyberattacks. The top priorities are basic but key: Encryption of sensitive data and two-factor authentication required for privileged users. Despite eight years of internal warnings, these measures were not implemented at OPM when hackers breached their systems beginning last year.

The calls for added security measures come as high-level government officials, particularly FBI director James Comey and NSA director Adm. Mike Rogers, are pushing to require backdoors on encryption software that many experts, like UPenn professor Matt Blaze, say would fundamentally "weaken our infrastructure" because the backdoors would be open to hackers as well.

91 comments

  1. Back Doors Are Like Anal Sex by MightyMartian · · Score: 4, Insightful

    Back doors are like anal sex. Once you've lubed up, anyone can enter.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
    1. Re:Back Doors Are Like Anal Sex by Anonymous Coward · · Score: 1

      You just gave half of congress erections.

    2. Re:Back Doors Are Like Anal Sex by MobSwatter · · Score: 4, Insightful

      While true, many governments are coming together to say outlaw encryption. In the case that has already been proven that we can't use it responsibly (ie: back doors) I agree, then there really isn't a really expensive black budget allocation care of the NSA. Of course credit card fraud would go up, but then again, has the government itself been responsible with credit? Being that they are printing money every six months to keep the doors open and still attacking the people for money I'd say no and with the example provided by government to the people, then the people shouldn't have credit either so no credit card fraud. In the case the government tries to use encryption but denies it to the people, then I'd say they should probably do away with the other parts of the constitution they haven't yet wiped their ass with yet, that being taxation. The constitution is in whole a contract of citizenship to a government, it has to be taken as a whole or not at all, they can't pick and choose which rights they want to stomp on and keep the parts they like.

    3. Re:Back Doors Are Like Anal Sex by MightyMartian · · Score: 2

      I'm not really clear on how you ban encryption. Do you lock up all the mathematicians?

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    4. Re:Back Doors Are Like Anal Sex by ihtoit · · Score: 2

      So much this:

      While true, many governments are coming together to say outlaw encryption.

      It's a familiar line. When guns are outlawed, only criminals will have guns and the State will have monopoly on violent coercion.

      Or:

      When encryption is outlawed, only criminals will have encryption and the State will have the monopoly on secrets. ...Which brings the whole secrecy vs transparency thing to the foreground as well, but that's as equally a vast debate as this one and the twain should never meet.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    5. Re:Back Doors Are Like Anal Sex by tsotha · · Score: 3, Interesting

      They could probably ban encryption for the little people the same way they ban child porn (which is ultimately, after all, just data). Make possessing encryption tools a crime subject to harsh penalties, as well as dissemination of techniques and practices. Actively infiltrate and destroy groups seeking to break the law. Monitor external web sites and arrest anyone who seems to be actively searching for ways to encrypt his data. They could never completely stamp it out, but they could certainly make encryption tools difficult and risky to get ahold of.

      Of course the infrastructure to support the prohibition would be huge and a foot in the door to banning all sorts of other things, but to FBI-types that's a feature, not a bug.

    6. Re:Back Doors Are Like Anal Sex by MobSwatter · · Score: 1

      Be easy to do, simply create a policy on the ISP level that if encryption is detected then deny service to the mac. End of story for encryption, and a lot of things. I say go right ahead if they have the balls to do it, pull the trigger, pink slip the NSA.

    7. Re:Back Doors Are Like Anal Sex by Kozar_The_Malignant · · Score: 5, Interesting

      I'm not really clear on how you ban encryption. Do you lock up all the mathematicians?

      Ask Phil Zimmermann about that. The US didn't lock him up, but it wasn't for lack of trying.

      --
      Some mornings it's hardly worth chewing through the restraints to get out of bed.
    8. Re:Back Doors Are Like Anal Sex by Anonymous Coward · · Score: 0

      FTFY

      While true, many governments are cuming together

    9. Re:Back Doors Are Like Anal Sex by They'reComingToTakeM · · Score: 1

      So asking for a https link gets your access blocked? Banking systems & webstores are going to LOVE that!

    10. Re:Back Doors Are Like Anal Sex by tsotha · · Score: 1

      How could you possibly know a packet contains encrypted data?

    11. Re:Back Doors Are Like Anal Sex by mlts · · Score: 1

      This is easy to enforce:

      Make all devices that connect to the Internet have to pass a NAC healthcheck, with software similar to AV signature scanning, except it has signatures of encryption programs (except programs used for managing DRM), and uses heuristics to find what it considers encrypted files, then notifies the upstream to block the machine from the Net for good. Similar to how modded consoles get tossed off PSN or XBox Live, or how some printers will phone home if someone tries to print PDF files of currency.

      Then mandate software as part of MTAs, messaging servers, and boards to also look for signatures of encryption (even if it is just a non compressible blob of data), and autoban the user that did it.

      Of course, it won't make it impossible... but the barrier will be so high that the risk/rewards won't be worth it... and let's be honest... most people outside of the IT crowd really don't give a rat's ass about encryption or even privacy.

      Of course, there is the blowback: Can't have it both ways. Either you have solid encryption and keep both the good guys and bad guys out, or ban encryption [1] and allow the bad guys free rein in the business, non-classified government, and other sectors as a cost of doing business. Can't have both.

      [1]: We went through this with Clipper and Skipjack, so alt.security, sci.crypt, and Cypherpunks archives from the early 1990s go into this in much detail.

    12. Re:Back Doors Are Like Anal Sex by mlts · · Score: 2

      Easy fix: Have the ISP have a root cert one must put in their keystore, and the ISP uses a device like a BlueCoat appliance for real time MITM-scanning of all traffic.

      Add an in-transit ad injector, and it will be a money maker for the ISP as well.

    13. Re:Back Doors Are Like Anal Sex by davester666 · · Score: 1

      No, they only want to outlaw encryption for individuals. Corporations and the gov't all must use the most powerful, unbackdoored encryption possible. And, of course, all devices used by politicians must not have backdoors either.

      Politicians hate being backdoored.

      But they don't mind it if everyone else gets backdoored. If they can at least watch, if not actually participate.

      --
      Sleep your way to a whiter smile...date a dentist!
    14. Re:Back Doors Are Like Anal Sex by MobSwatter · · Score: 1

      To be honest, I've seen the government do a lot of stupid things and I wouldn't put this past them.

    15. Re:Back Doors Are Like Anal Sex by michelcolman · · Score: 1

      They will get backdoored as well, since most politicians keep using normal civilian tools (hotmail, iPhones, USB sticks, etc.) no matter what ultra-secure tools you offer them.

    16. Re:Back Doors Are Like Anal Sex by Anonymous Coward · · Score: 0

      Any packet that does not contain something that can be "understood" contains encrypted data by default. Go to jail.

      So don't send random data either. Or go to jail.

    17. Re:Back Doors Are Like Anal Sex by suutar · · Score: 1

      yeah, but then folks will just send cat pictures with steganographically embedded data.

    18. Re:Back Doors Are Like Anal Sex by suutar · · Score: 1

      there goes jpegs in email, I guess (they don't compress well, and can have data embedded using steganography). That ought to go over well. Also video files.
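An added example, not part of any comment in this thread: it applies the "non compressible blob" heuristic discussed above to three constructed samples and shows that ordinary compressed data trips it exactly as cipher output does. The thresholds, the sample text and the SHA-256 counter-mode stand-in for ciphertext are assumptions made for the illustration.

```python
import hashlib
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte (8.0 means uniformly distributed)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def compress_ratio(data: bytes) -> float:
    """Size after zlib divided by size before; about 1.0 means incompressible."""
    return len(zlib.compress(data, 9)) / len(data)


def looks_encrypted(data: bytes, min_entropy: float = 7.5,
                    min_ratio: float = 0.95) -> bool:
    """Hypothetical filter rule: high byte entropy AND no compression gain."""
    return (shannon_entropy(data) >= min_entropy
            and compress_ratio(data) >= min_ratio)


def sample_text(n_words: int = 12000, seed: int = 1) -> bytes:
    """Constructed plain text: seeded random words from a small vocabulary."""
    vocab = ("the applicant listed three prior addresses and two character "
             "references for review by regional office staff during "
             "background investigation").split()
    rng = random.Random(seed)
    return " ".join(rng.choice(vocab) for _ in range(n_words)).encode()


def stand_in_ciphertext(n_bytes: int, key: bytes = b"constructed-key") -> bytes:
    """SHA-256 in counter mode, used only to get cipher-like bytes offline.
    It stands in for real cipher output and is not a cipher to deploy."""
    out = bytearray()
    counter = 0
    while len(out) < n_bytes:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n_bytes])


def classify_samples() -> dict:
    """Run the rule over plain, compressed and cipher-like samples."""
    text = sample_text()
    compressed = zlib.compress(text, 9)
    samples = {
        "plain text": text,
        "zlib-compressed text": compressed,
        "cipher-like bytes": stand_in_ciphertext(len(compressed)),
    }
    return {name: looks_encrypted(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, flagged in classify_samples().items():
        print(f"{name:22s} flagged={flagged}")
```

The rule cannot separate the second and third samples, which is the false-positive problem with any filter keyed on incompressibility: ZIP archives, JPEGs and video all land on the "encrypted" side.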

    19. Re:Back Doors Are Like Anal Sex by barbariccow · · Score: 1

      If I rename a .jpg to .exe is that considered encryption?

    20. Re:Back Doors Are Like Anal Sex by Agripa · · Score: 1

      I'm not really clear on how you ban encryption. Do you lock up all the mathematicians?

      License it (with taxes and fees of course) with conditions which require key escrow or other backdoor. When data streams are discovered which are not using a government approved method, prosecute those who are responsible.

      Treat any constitutional right to use encryption the same way as speech and firearms which are often licensed. A $200 tax for certain firearms in 1934 is the equivalent of $3500 now and that was never struck down by the court.

    21. Re:Back Doors Are Like Anal Sex by Anonymous Coward · · Score: 0

      So now these folks want to have their cake and eat it too?! So they want to have encryption to protect the government, but they do not want anyone else to be able to use encryption to protect what little privacy they have left these days? Sorry, you don't get to have it both ways ASSHATS!!

    22. Re:Back Doors Are Like Anal Sex by tsotha · · Score: 1

      As a practical matter I don't see how this could be done without essentially shutting down the internet. There's no way you could know whether the software you're using is sending "understood" data.

  2. Oh please, not another law for them to ignore by Bruce66423 · · Score: 3, Interesting

    As the revelations about the failure of the IRS to fulfil the requirements of email archiving law showed, the executive branch doesn't do things just because it's told to. Let's hope this one's got teeth; a breach of a system that has not been secured according to the regulations will result in the loss of pension of all those in the chain of command above the person responsible? Sadly, hanging, drawing and quartering isn't allowed any more...

    1. Re: Oh please, not another law for them to ignore by Anonymous Coward · · Score: 0

      What does it matter when they undermined the encryption in the first place, or engineered things like "BadUSB" (AKA herpes for digital devices)?

    2. Re:Oh please, not another law for them to ignore by Anonymous Coward · · Score: 4, Interesting

      The problem with security is that under normal circumstances it delivers zero value to an organization and basically just shores up against bad publicity. The best security in the world isn't enough and you can spend $ridiculous on it and still only be 99% secure. You're basically trying to outspend your competition in the hopes that they won't hire the guy that knows where the bad sprintf() is.

      To any corporation, or any department, this is just a pure money-sink with no returns on investment. It's cheaper to cover up the breaches.

    3. Re:Oh please, not another law for them to ignore by The+Grim+Reefer · · Score: 3, Informative

      Let's hope this one's got teeth; a breach of a system that has not been secured according to the regulations will result in the loss of pension of all those in the chain of command above the person responsible?

      That's a good one. Probably the worst that will happen is that someone higher up will be forced to retire earlier than planned, at full pension of course.

      It's not as good as the multi-million dollar golden parachute that a CEO gets for running a company into the ground, but they'll be comfortable.

    4. Re:Oh please, not another law for them to ignore by Saanvik · · Score: 3, Informative

      You're right in a way, but not the way you intended.

      The IRS requested funding to support the archiving requirement. Congress, instead, cut their budget. Even after the archiving issue became known, Congress refused to up the funding.

      If Congress again passes a requirement for departments to do something but refuses to fund it then the executive branch can't do anything.

      Breaches like this aren't a question of "what if" they are a question of "when" until Congress ends the chronic underfunding of government IT departments.

    5. Re:Oh please, not another law for them to ignore by MTEK · · Score: 1

      Are you kidding me?! Who's in charge over there, a 12yr old? "If you don't give me more money, I'm going to continue to collect all this PII and not store it in a secure manner".

    6. Re:Oh please, not another law for them to ignore by Anonymous Coward · · Score: 0

      The article refers to "suggestions" of security enhancements, but the fact is that these were mandates not suggestions. OPM did what many agencies do, they took the new requirement that had zero funding attached and put it on the list with every other un-funded requirement, to be done when time/opportunity/funding permits (maybe when implementing a new system in this case).

      Unlike the DOD/DHS that rely on DISA, who owns the infrastructure and can force you to comply to gain access, OPM gets to roll their own, which means no one can force the issue of security with them.

    7. Re:Oh please, not another law for them to ignore by Anonymous Coward · · Score: 0

      Well when you can't be fired that is exactly what you do.

      I guess you don't pay attention to how Government Dollars are spent?

      About 20 years ago in my home state there was a huge taxpayer revolt because we were paying the highest property taxes in the nation and the State Government was busy funding vanity projects for politicians. So a measure was voted on to reduce property taxes and cap the increases that could be raised each year.

      What did the State do? If you guessed slash funding for Schools and Public Safety, you win a cookie.

  3. funny... by ganjadude · · Score: 5, Insightful

    Since they have been telling us how encryption makes the government weaker (in the hands of americans) yet NOW they want to keep it all to themselves????

    yeah.... too bad

    --
    have you seen my sig? there are many others like it but none that are the same
  4. That, after "we should be able to tap everything"? by Anonymous Coward · · Score: 0

    That, after statements like "The government shouldn't be hampered by encrypted communications"?

    Everyone, get the popcorn ready. The government will end up contradicting itself in so many ways. This will be amazing.

  5. let them do it by Anonymous Coward · · Score: 0

    and then every weekend get a group of people together to break and leak all the encryption. field day for tinfoil hat people and maybe the government will learn their lesson after getting hacked all day everyday.

  6. Will their encryption be designed with backdoors? by overshoot · · Score: 2

    I mean, if it's good for us plebes and all ...

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
  7. hey slashdorks by Anonymous Coward · · Score: 0

    Please stop making me load every page twice on mobile... I don't see your freaking ads anyway.

  8. Re:Will their encryption be designed with backdoor by Culture20 · · Score: 1

    Back doors, side doors, front doors, and they'll leave the Windows open!

  9. An alternative... by Anonymous Coward · · Score: 2, Insightful

    You know, they could just collect and hoard less data...

    (Or as the Russians apparently have done, revert more sensitive systems back to paper and typewriters.)

    1. Re:An alternative... by Gryle · · Score: 1

      In this instance OPMI is one institution you actually want collecting data, since they handle the background investigations for anyone applying for a security clearance.

      --
      Only two things are infinite, the universe and human stupidity, and I'm not entirely sure about the universe - Einstein
  10. Encryption No Panacea by Anonymous Coward · · Score: 0

    Encryption can certainly help, preventing storage of data in plaintext, but it's not a silver bullet. The information must, at some point, be decrypted either to perform a computation, display to users or more generally to be processed automatically by electronic data systems. However, the really thorny problem with large encryption roll outs is key management. Centrally managing large numbers of secret keys and distributing them to the right people securely without breaches is a much harder problem than it might seem at first glance. In fact, most cases of "broken" encryption known to the public are the result of pilfering the keys, not breaking the crypto algorithms. With many strong ciphers now freely available, attacks against key management, not the encryption algorithms themselves, are probably of greatest interest to intelligence agencies, including our own NSA. Encryption helps, but we have to prevent attackers from getting in and exfiltrating data in the first place, encrypted or not.

  11. bunch of assholes by Anonymous Coward · · Score: 0

    who have no idea how technology works

  12. Re:Just use OpenBSD, for crying out loud! by ihtoit · · Score: 4, Insightful

    no, the first step is to airgap sensitive information. NEVER let it onto any sort of network. EVER. Then start worrying about what operating system you're using. *BSD has had security problems in the past and more will be discovered in the future. If you do not believe this to be the case, then you're living in a fantasy world.
    Even with the default settings on a vanilla install (which basically don't let you do ANYTHING productive) there are vulnerabilities ranging from minor annoyances on the window manager to showstoppers in the TCP stack. Let's not even go into the simple fact that the second you start services, or install and run software from the ports repository, you are introducing vulnerabilities to your setup, hence *BSD is NOWHERE NEAR as secure as you're apparently making out. It becomes every bit as vulnerable to hackers/worms/whatever as OSX, Linux, any other UNIX, or Microsoft Windows.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  13. Another submission mislead by Anonymous Coward · · Score: 0

    The whole second paragraph about "calls for added security measures" is unnecessary FUD. The link goes to an article written at the end of April and could be interpreted as countering the good idea for enhanced security in the first paragraph -- a "backdoor" to the government's own data would be the two-factor authentication called for.

    Pat, we all agree that forcing gov't backdoors in *all* encryption is a bad, bad thing. Not every submission needs to mention it and you sometimes just weaken your argument by poor writing.

  14. Patrick O'Neill - a bit of thought by Anonymous Coward · · Score: 0

    Mr O'Neill wants to point out the apparent hypocrisy of the need for government encryption against the world and backdoors to encryption for its citizens.
    He implies that you can't have one if you don't have it for the other.
    Someone in Congress should point out that the intelligence agencies have a duty of care to its citizens to protect them and that means profiling them with backdoors legally obtained under current provisions of the constitution. The protection of the government agencies against intrusion by foreign powers should be hardened as much as possible.
    So this is an opinion piece. The question here is do the citizens trust their own policing?
    If they do, then the backdoor policy should go ahead because you have nothing to hide, do you?
    If they don't, then push for the same level of privacy that the government demands for itself, allowing for terrorists to operate freely.

  15. Too late now for OPM - better be looking elsewhere by Anonymous Coward · · Score: 0

    Cows are already out the barn door at OPM. Priority ought to be securing other .gov sites right away. What a fucked up mess!

  16. Secrets by Anonymous Coward · · Score: 0

    Before this is over, you'll be lucky to keep secret what's in your head.
    (Programmers don't have much of a lobby like the NRA)
    It is no secret that the governments of the world are incompetent, run by C grade leaders and functionaries.
    Folks who get a thrill weaponizing local police. And telling nerds not if, but when they will outlaw encryption algorithms.
    Because THEY are the only ones that can be trusted (when they're not checking the license plate scanners to see where their girlfriend was last night).

    The only thing they know how to do is print money. And blame others:
    'Look over there that OTHER person/country/organization/theory/weapon/ is the problem.'
    'It is not the D's or the R's who are the cause of your descending standard of living.'
    'We are not responsible for next generation being unable to think critically.'

    Programmers are their natural enemy because we can intercept their secrets.
    Unmask their affairs.
    Question their asinine assumptions statistically.
    Create trustworthy non-inflatable money supply that is borderless and the worst sin: taxless.
    We can't be trusted with even 8MB of real memory on a CNC (talk with Fanuc if you're interested)
    and in the near future we must be licensed and accounted for at all times. Maybe jailed pre-emptively.
    They'll do their best to mess up programming profession (One of U.S.'s fairly successful industries) in the name of defense despite an appalling record of missing most world events. You saw them mess with healthcare and same will happen to programming if you are complacent!

  17. Re:Just use OpenBSD, for crying out loud! by Gryle · · Score: 1

    DISCLAIMER: I am not a network security expert and I'm talking from a layman's position concerning network security.

    There are two issues with air-gapping the OPMI database. The first is just data-entry. An SF-86, which is the form to apply for a security clearance, is 122 pages, not including the instructions and the authorization for the government to access your medical records and to run a credit check on you. If you air-gap that system you have to hire someone to either run OCR scans or enter all that data by hand into the database.

    The second is data transmission. Investigators have to verify all of the data on that SF86 and conduct in-person character interviews with whomever the applicant lists as character interviews. That's particularly a problem with military personnel as they tend to move from location to location a lot more often than other individuals. Let's say your character witness is Joe Schmuckatelly who lives in California and you live in Nebraska. It's easier and less expensive for the regional office in Nebraska to put the file on the network and request the regional office in California to interview Joe, than it is for the Nebraska office to mail it through USPS to the California office.

    --
    Only two things are infinite, the universe and human stupidity, and I'm not entirely sure about the universe - Einstein
  18. Re:Just use OpenBSD, for crying out loud! by Gryle · · Score: 1

    Dammit, I hit submit instead of "continue edit."

    The other point with data-entry is that each renewal for a security clearance, either due to the clearance expiring or to a periodic random review, requires a new and updated SF-86.

    Concerning data transmission, the network is also much cheaper than flying a single investigator all around the country to interview folks in a timely manner. As it is, getting a security clearance takes anywhere from 3-6 months, longer if the investigator finds an irregularity. I'd estimate an air-gap would add at least another month or two to the process accounting for snail-mail transmission times.

    As someone whose information was compromised, I absolutely agree the information should have been better protected. I'm just not sure an air-gap is the appropriate measure to take in this case.

    Again, I'm not a network security expert.

    --
    Only two things are infinite, the universe and human stupidity, and I'm not entirely sure about the universe - Einstein
  19. except when it is, because you don't by raymorris · · Score: 1

    You make an excellent point. A corollary is a bit of a counter-point. Sometimes you DON'T need to decrypt it, and in those cases you shouldn't be able to.

    The most obvious example is passwords. You store those as salted hashes which can't be decrypted. You don't need to know what their password is, you only need to know if it's the same as what they entered or not. We can apply the same principle to data we use for fraud prevention. We want to know if this transaction attempt is coming from the same device / os / ip / location that the legitimate user normally uses. We don't have to store their previous data, only a hash so we can see if the new attempt matches or not.

    The OPM didn't need to store details of the applicants' past indiscretions. They could have simply encoded it as a risk score, 1-5. That's like a hash of the narrative, in a way, irreversible but still useful. Then people couldn't be blackmailed or outed with the information.
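An added example, not part of the comment above: a store-only-what-you-need-to-compare sketch covering both cases it mentions, a salted password hash and a device fingerprint. The field names, the 600,000-iteration PBKDF2 setting and the server-side HMAC key are assumptions; the key is there because device/OS/IP values are guessable, so an unkeyed hash of them could be brute-forced from a stolen database.

```python
import hashlib
import hmac
import json
import os
from typing import Iterable, Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def hash_password(password: str,
                  salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only these two values are stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                    PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def fingerprint(device: dict, key: bytes) -> bytes:
    """Keyed hash of the device attributes.

    The attributes are serialized canonically (sorted keys, fixed
    separators) so the same device always yields the same bytes, and
    HMAC'd with a key held outside the database.
    """
    canonical = json.dumps(device, sort_keys=True,
                           separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).digest()


def matches_known_device(device: dict, key: bytes,
                         stored: Iterable[bytes]) -> bool:
    """True if this attempt's fingerprint equals any stored one."""
    candidate = fingerprint(device, key)
    return any(hmac.compare_digest(candidate, s) for s in stored)


def demo() -> dict:
    """Constructed sample data: one account, one usual device."""
    key = os.urandom(32)  # in practice loaded from a secrets store
    salt, stored_pw = hash_password("correct horse battery staple")
    usual = {"device": "laptop-a", "os": "linux", "ip": "192.0.2.10",
             "location": "NE"}
    stored_fp = [fingerprint(usual, key)]

    same_reordered = {"location": "NE", "ip": "192.0.2.10",
                      "os": "linux", "device": "laptop-a"}
    new_ip = dict(usual, ip="198.51.100.7")
    return {
        "password_ok": verify_password("correct horse battery staple",
                                       salt, stored_pw),
        "password_bad": verify_password("hunter2", salt, stored_pw),
        "usual_device": matches_known_device(same_reordered, key, stored_fp),
        "new_ip": matches_known_device(new_ip, key, stored_fp),
    }


if __name__ == "__main__":
    print(demo())
```

The database holds only salts, digests and HMAC outputs, so a copy of it answers "does this match?" without revealing the password or the device history.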

    1. Re:except when it is, because you don't by gumbi+west · · Score: 1

      When you go fill out the SF-86 they populate it with the information from the last time you filled it out. It makes the process faster.

  20. Re:Just use OpenBSD, for crying out loud! by ihtoit · · Score: 3, Interesting

    oh, I do agree that there are circumstances (such as specific use cases as you mention) where rapid access to data would be required, but in that case, what about a compromise? Keep the airgap, just extract the data as needed and send it on a closed feed such as eDX (which has end to end encryption using a key the enquirer supplies). The enquirer doesn't even need to access the database. This can be done by an operator with local access. The legal profession uses something a bit less fanciful, DX in this case involves a courier (as in one single person who's basically surgically attached to the pouch to which he has no internal access) travelling nonstop from source to sink. A DX courier could make across the States from LA to NYC in a day.

    As for data entry: this has to be done anyway, and depending on the sensitivity, varying clearances have to be met anyway so keeping that in-house shouldn't be a problem if the data is that important.

    Sources: been there, done that, never had a breach. Disclosure: I (still) handle thousands of pages worth of legal documentation having previously represented in courts across England. I've come across solicitors firms who send documents via email(!) and even Facebook(!!). I've also dealt with some of the worst offenders one of whom sent me an entire case file on the WRONG CLIENT, by REGULAR MAIL.

    Still shaking my head over that one.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  21. Re:Just use OpenBSD, for crying out loud! by gumbi+west · · Score: 1

    The SF-86 is an online form. How are you going to airgap that?

  22. Great more tax dollars will be wasted on all this by Anonymous Coward · · Score: 0

    what more is there to say? They will still fuck it up.

  23. Re:Just use OpenBSD, for crying out loud! by ihtoit · · Score: 1

    what, me personally? By not using it.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  24. Re:Just use OpenBSD, for crying out loud! by Anonymous Coward · · Score: 0

    So you have nothing to add but catty comments with no value. It was all posturing with no practical thought just to pump yourself up. This is why women avoid IT like the plague.

  25. The IRS can reorganize its internal spending by perpenso · · Score: 5, Insightful

    If Congress again passes a requirement for departments to do something but refuses to fund it then the executive branch can't do anything.

    Not true. The agency can cut spending elsewhere to implement the requirement. Which is what Congress wants the IRS to do, while the IRS wants to use the excuse of no new funding to maintain things as they are. It's all just theatre.

  26. Air gaps allow for data input and output ... by perpenso · · Score: 1

    If you air-gap that system you have to hire someone to either run OCR scans or enter all that data by hand into the database.

    Or someone does a malware scan of electronic media and if all clear they walk the media past the air gap.

    Let's say your character witness is Joe Schmuckatelly who lives in California and you live in Nebraska. It's easier and less expensive for the regional office in Nebraska to put the file on the network and request the regional office in California to interview Joe.

    Why is the entire file necessary for the interview? A relevant excerpt, only what the applicant claims with respect to Joe, can be walked back across that air gap and sent to the regional office. The interview results then get walked past the air gap and merged/appended to the file. Naturally what really gets walked across is a large number of excerpts and data to merge/append.

    In short air gaps allow for electronic data input and output, just in a very controlled and monitored manner.

    1. Re:Air gaps allow for data input and output ... by Gryle · · Score: 1

      Why is the entire file necessary for the interview? A relevant excerpt, only what the applicant claims with respect to Joe, can be walked back across that air gap and sent to the regional office. The interview results then get walked past the air gap and merged/appended to the file. Naturally what really gets walked across is a large number of excerpts and data to merge/append.

      Whether it's all of the file or part of the file is irrelevant, since the transmission time via USPS or UPS or FedEx is the same (per company obviously) whether you're sending a single page or a whole stack of pages. Your point about malware is well-taken though.

      --
      Only two things are infinite, the universe and human stupidity, and I'm not entirely sure about the universe - Einstein
    2. Re:Air gaps allow for data input and output ... by perpenso · · Score: 1

      Why is the entire file necessary for the interview? A relevant excerpt, only what the applicant claims with respect to Joe, can be walked back across that air gap and sent to the regional office. The interview results then get walked past the air gap and merged/appended to the file. Naturally what really gets walked across is a large number of excerpts and data to merge/append.

      Whether it's all of the file or part of the file is irrelevant, since the transmission time via USPS or UPS or FedEx is the same (per company obviously) whether you're sending a single page or a whole stack of pages. Your point about malware is well-taken though.

      Apologies for not being clear but the fragment of a single file would be sent electronically via a network. The point is that the entire database does not need to be exposed and vulnerable to a single breach.

  27. Re:Just use OpenBSD, for crying out loud! by perpenso · · Score: 1

    The SF-86 is an online form. How are you going to airgap that?

    Entry occurs on the public side of the gap. An applicant's data gets transferred to electronic media and walked across the gap. The applicant's data then get merged into the air gapped database that holds *everyone's* data.

    Remember, before cat-5 cables we had station wagons loaded with tapes and it worked quite well. :-)

  28. The horse named Elvis has left the building! by Hartree · · Score: 2

    And the horse seems to be happily running free somewhere thousands of miles beyond the barn door.

    If this works like many IT security efforts, we'll spend millions replacing the barn door with a bank vault door. And then leave the window next to it open.

  29. Re:Just use OpenBSD, for crying out loud! by bitingduck · · Score: 1

    As perpenso already noted-- you can move some of the data temporarily across the gap. Even whole files for people whose investigations are currently in progress. But given that reinvestigations are only every 5+ years, data that isn't immediately required can be isolated from the internet. In that case, if you suffer a data breach you still let out a bunch of confidential information on people, but you don't let *all* of it out on *everybody*. And some inputs to the database (e.g. investigation results that aren't needed for other investigators) can be swept to the isolated side on a regular basis.

  30. Republicans: Hypocrit Much? by Required+Snark · · Score: 3, Insightful
    So now the Republican Congress is screaming about government cyber security, and demanding that the ebil imcompotent burocrats DO SOMETHING RIGHT NOW!!!

    The trouble is, those same Republicans have derailed national cyber security regulations since Obama has been in office. It's all been channeled through the US Chamber of Commerce.

    Comprehensive cybersecurity regulatory reform failed for the second time this year in the U.S. Senate, increasing the prospects that the White House will implement some of the bill’s provisions through an executive order.

    The Cybersecurity Act of 2012 failed to get the 60 votes needed under Senate rules to bring the bill up for passage Nov. 14, 2012, most likely dashing any chance that cybersecurity policy would be addressed in the lame-duck session.

    “Whatever we do for this bill is not enough for the Chamber of Commerce,” Senate Majority Leader Harry Reid, D-Nev., said on the floor immediately after the failed cloture vote. “Cybersecurity is dead for this Congress,” he added. Republicans blocked the same measure in August 2012, saying it would lead to more government regulation of business.

    So that was pretty much the end of it. The Obama administration declared some executive orders, but that clearly did not have much impact. Up until this latest incident the Party of Ignorance (R) got what they wanted: keep your hands off my bidness.

    So no one should be very surprised that this happened. There is no bright line between big government and big business when it comes to matters like cybersecurity. Particularly with the amount of outsourcing going on. Don't forget that the OPM breach was not simply in a government network, but at security contractor USIS.

    A background investigation firm with OPM, DHS, and other federal agency contracts notified the government that it identified an unlawful breach of its network. In a statement posted on the website today, USIS noted that it was working with the government to determine the ‘nature and extent’ of the attack. They acknowledged that it appeared to be a state-sponsored attack.

    The firm is already under fire for allegations of contractor misconduct. The Justice Department sued the company earlier this year for poor oversight of security clearance investigations, and a White House panel investigated bonuses received by USIS executives.

    The DHS/OPM/whatever are doing everything they can to cover up what really happened, so the trail to the contractors has been rather effectively hidden. They primarily want to keep evidence of their vast incompetency out of the public eye. That is taking precedence over remedial action to address the breach. This is why they are leaving the roughly 4 million government employees at risk just hanging in the breeze. If they were to do the responsible thing and help the victims it would reveal how extensively they failed.

    Remember, horribly incompetent government security contractors are the new normal: Blackwater in Iraq, the TSA meatheads who infest airports, and now this. No one should be surprised. And they should be even less surprised when no one is held accountable and nothing changes.

    --
    Why is Snark Required?
    1. Re:Republicans: Hypocrit Much? by Anonymous Coward · · Score: 0

      According to the summary of the proposed Cybersecurity Act of 2012, the law would have put DHS and OPM in charge of overseeing federal "cybersecurity" operations and personnel (respectively). Physician, heal thyself...

    2. Re:Republicans: Hypocrit Much? by Required+Snark · · Score: 1
      You're right. The DHS/OPM are not trustworthy. As these events show, they are self serving bureaucracies that put their institutional welfare ahead of their institutional responsibilities.

      But having no meaningful regulatory framework makes it all worse. Who's in charge? There's been a monumental screw up, but with no rules or formal chain of command how can responsibility be determined?

      Without some kind of accountability the response will certainly be inadequate. If you want another horrible example of that, just look at all the financial sector. Irresponsible behavior led to the 2008 crash, no individual or institution was held accountable, and now we are seeing another go round of grotesquely illegal activity.

      My original point was that a combination of greed and irresponsible ideology has had a profound impact on US cybersecurity as a whole. Now we are paying for these mistakes, but given recent history (think the war in Iraq) it seems certain that nothing will fundamentally change. Those with critical responsibility fail miserably and they are not held personally accountable in any way. As long as that is "normal" we will continue to get screwed.

      --
      Why is Snark Required?
    3. Re:Republicans: Hypocrit Much? by Anonymous Coward · · Score: 0

      Really? The Republicans did it? OPM did it. They didn't need a law to encrypt their database. They should have just done it. Whoever is in charge should be fired. Period. The bureaucrats should stop their political whining and do their freakin jobs. OPM screwed up in a large way. Who is in charge of OPM? I mean really in charge? The president. Do something besides blaming someone else for what is obviously your fault.

  31. Re:Just use OpenBSD, for crying out loud! by ihtoit · · Score: 1

    step out from behind your AC sock and say that, bitch.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  32. This must be a chapter for a novel by k6mfw · · Score: 1

    I mean this can't happen in real life.

    --
    mfwright@batnet.com
  33. Re:Just use OpenBSD, for crying out loud! by mlts · · Score: 1

    This gets me wondering:

    Is it possible to separate the fields of the SF-86 form so after they get OCR-ed, the physical documents (if any) go to a secure site [1], and if electronic, it gets printed out. Hard copies are useful for long term archiving.

    Then, the online data gets split up into different databases, each not connected to the other. This is done with banking, and has helped with limiting the scope of an intrusion.

    By separating the data out (preferably into physically separate data centers), and then having a query be done from different DBs, this would make the job of grabbing everything a lot tougher.

    Of course, it might be wise to have the data only accessible on NIPRNet or some other WAN that is not connected to the Internet, and the forms never available via the external web. Again, not a 100% measure, but it forces an attacker to have to resort to physical compromise.

    [1]: Historically, governments are top notch at physical security, so reducing computer security issues to things that require a physical presence goes a long way.
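
The split-database idea in the comment above, as an added example (not part of the thread and not any real OPM or eQIP design): each field group lives in its own store under a per-store pseudonym derived with HMAC, so a dump of one or two stores cannot be joined without the broker's linking key. The field groups, class names and sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical field groups; the real SF-86 layout is not reproduced here.
FIELD_GROUPS = {
    "identity": ("name", "ssn"),
    "residences": ("addresses",),
    "foreign": ("foreign_contacts", "foreign_travel"),
}


class Store:
    """Stands in for one physically separate database."""
    def __init__(self, name):
        self.name = name
        self.rows = {}  # pseudonym -> partial record


class Broker:
    """Holds the linking key; the only component able to join the stores."""
    def __init__(self, linking_key=None):
        self._key = linking_key or secrets.token_bytes(32)
        self.stores = {group: Store(group) for group in FIELD_GROUPS}

    def _pseudonym(self, group, applicant_id):
        # A different row key per store, so row keys never match across dumps.
        msg = f"{group}\x00{applicant_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def put(self, applicant_id, record):
        known = {f for fields in FIELD_GROUPS.values() for f in fields}
        unknown = set(record) - known
        if unknown:
            raise ValueError(f"unmapped fields: {sorted(unknown)}")
        for group, fields in FIELD_GROUPS.items():
            part = {f: record[f] for f in fields if f in record}
            self.stores[group].rows[self._pseudonym(group, applicant_id)] = part

    def get(self, applicant_id, groups):
        """Return only the requested field groups (the 'relevant excerpt')."""
        out = {}
        for group in groups:
            row = self.stores[group].rows.get(self._pseudonym(group, applicant_id))
            if row is None:
                raise KeyError(applicant_id)
            out.update(row)
        return out


def linkable_keys(store_a, store_b):
    """What an intruder holding two dumps can join on: shared row keys."""
    return set(store_a.rows) & set(store_b.rows)


if __name__ == "__main__":
    broker = Broker()
    # Constructed sample record.
    broker.put("A-1", {"name": "Constructed Person", "ssn": "000-00-0000",
                       "addresses": ["1 Example St"], "foreign_contacts": ["none"]})
    print(broker.get("A-1", ["residences"]))
    print(linkable_keys(broker.stores["identity"], broker.stores["foreign"]))
```

The identity store still holds names and SSNs on its own, so this limits the scope of a single intrusion rather than preventing one, and the linking key becomes the asset to protect.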

  34. Re:Just use OpenBSD, for crying out loud! by mlts · · Score: 1

    The ironic thing is that if more companies used an OpenPGP variant (Symantec's PGP, GnuPG, NetPGP, and so on), it really wouldn't matter what channel stuff was sent on. They could create a FB group and stash the files as attachments, but the contents would be secure, assuming keys of a proper length and the private keys properly used/secured, for example, having a key generated and stored in a Yubikey or other cryptographic token. Even just doing document processing in a secured environment like an iOS or Android device would reduce the level of compromise of files in transit quite a bit. Nowhere near as secure as an airgap, but for a lot of items, it brings down risk to acceptable levels.

    Of course, if I had access to couriers, one possibility would be to use them to exchange DVDs or other media full of cryptographically secure random numbers, and both sides just use one time pads [1]. That way, a document can be sent via a number of routes, and still be reasonably secure (although it doesn't hurt to send the sensitive stuff via offline courier anyway.)

    [1]: I'd not just exchange OTP files, but a few dedicated TrueCrypt keyfiles and OpenPGP public keys. That way, there are a number of security tools available for data that doesn't need the maximum security of an OTP.

  35. Re:Just use OpenBSD, for crying out loud! by ihtoit · · Score: 1

    Historically, governments are top notch at physical security...

    You just made me spit coffee through my new keyboard.

    https://en.wikipedia.org/wiki/...

    (incomplete list, LOTS of avoidable breaches, including hard drives, even LAPTOPS left on trains, paper documents left on park benches, the worst reported breach being revealed in 2008 of a 2007 loss of 25 MILLION records of benefit claimants' families (practically the entire UK population) were dispatched in the regular post on unencrypted CDs and subsequently "lost").

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  36. Re:Just use OpenBSD, for crying out loud! by Anonymous Coward · · Score: 0

    Even with the default settings on a vanilla install (which basically don't let you do ANYTHING productive) [...]

    A complete Unix-like system and you cannot do ANYTHING productive?

  37. Backdoor by Anonymous Coward · · Score: 0

    But let's make sure to include an uncrackable backdoor that only the government can use!

  38. Re:Just use OpenBSD, for crying out loud! by chill · · Score: 1

    Nobody I know does their SF-86 form on paper. It is an online form completed through a system called "e-qip".

    --
    Learning HOW to think is more important than learning WHAT to think.
  39. Re:Just use OpenBSD, for crying out loud! by Anonymous Coward · · Score: 0

    It's a good thing that you're using your full legal name here, and not some sort of a pseudonym, "ihtoit". Otherwise we'd have to believe that you're posting anonymously, like some sort of a coward.

  40. Just another requirement by stove · · Score: 1

    Right, because another requirement/standard will solve this problem. It will get tossed on the pile of requirements for every new contract. It will be implemented to the letter, just like current security requirements. And it will help a bit but things still won't be "secure."

    Security is fundamentally picking the level of risk you're willing to accept. The answer is uniformly "none," but strangely enough you still have that network hooked up, so you end up with a 4,000 page requirements that effectively amounts to "Well, you need to make sure that _everything_ is 100% locked down and goes through 6 month review and and..."

    Security works well when there's no hacks, no rushes and above all no one in the organization who says "I'm important, so these rules represent a threat to my status/are stupid/but this is _important_..." You don't think there's anyone like that in the government, do you?

    --
    Ack!
  41. It should be clear by now by Sqreater · · Score: 1

    It should be clear by now that systems cannot be made perfectly hack proof. The people who make security can break security. And some people have to be trusted. People cannot be trusted.

    --
    E Proelio Veritas.
  42. This Was Likely Intentional by Anonymous Coward · · Score: 0

    This would not be the first time events were put into motion damaging one's own side to gain political advantage. I believe this was done intentionally to allow for tighter crypto controls. Remember who you are dealing with. Sacrificing a few identity theft cases or even peoples' lives is nothing to those orchestrating stuff like this. It's all about control. The world is nutty.

    Not to go down the systemd road for no reason, but I've often wondered since one large Linux company basically controls the direction of Linux development outside the kernel, and even some kernel stuff, systemd is an attempt to weaken Linux. I respect people like Theo de Raadt because he doesn't give a toss about pleasing anyone. He's a hardliner and for good reason. Not allowing binary blobs in the kernel is smart. We're doomed unless we stand up or start developing alternatives much like LibreSSL/OpenBSD.

  43. Most of the 127 pages of SF86 are left blank by Anonymous Coward · · Score: 0

    Except for your SSN in the lower right corner (which is a crude "yes I filled out the form and didn't forget this page" token, much like initialing each page of a contract)

    Really. They have half a dozen pages for foreign travel. If you've not traveled out of the US in the last 7 years, then those pages will be blank. Ditto for jobs and residences. I suspect a LOT of people filling out the SF86 have lived in the same place and worked in the same place (or maybe 2 instances).

    The 127 page thing is an acrobat fillable document and is clearly a "physical instance" of some sort of online form (e.g. the eQIP form).

    For all I know the backend database has "room" for X pages of form data and if you go past that, you "see attached sheets".

  44. Better Secure WTF by Anonymous Coward · · Score: 0

    To Better Secure.
    Translation: ICT Director and CIO and CFO have signed off on INSECURE, sloppy practices for 8 years. Fire them all. They have compromised a lot. Let's see if they attached disclaimers to the final report. Repeat and rinse for other depts.

  45. Re:Just use OpenBSD, for crying out loud! by Anonymous Coward · · Score: 0

    Agreed. Once someone has the clearance, that should be the bit that remains online, and secured. Only if there is an actual investigation into said person should responsible people have access to the air gapped information. Leaving it all online 24/7 is insanely stupid and inept. It's just making the target that much more attractive to thieves. It would be a bit like advertising you had an empty house piled high with boxes of pseudofed with the only security being a thirty year old lock.

  46. Re:Just use OpenBSD, for crying out loud! by bitingduck · · Score: 1

    Is it possible to separate the fields of the SF-86 form so after they get OCR-ed, the physical documents (if any) go to a secure site [1], and if electronic, it gets printed out. Hard copies are useful for long term archiving.

    If you're going through OPM you fill out the SF86 online on a system called eQIP-- you get a pdf at the end that you can print and keep, but they collect all the data electronically. No OCR involved.

    eQIP has its own problems-- the default passwords for entry are based on data that anybody can look up about you. You're supposed to change them so that when you submit your stuff for reinvestigation you use passwords that you made up, but given that they have specific password requirements (3 passwords) and reinvestigation is every 5+ years, you might as well just bang on the keyboard and then ask for a password reset when it's time to do it again.

  47. Backdoor disaster by Anonymous Coward · · Score: 0

    So if the U.S. government had a backdoor into your computer, and if they left it online where it was found by hackers, then everyone's computer would be hackable and could no longer be used on the internet. Would the U.S. government be liable for replacing all of the computers and paying for all of the lost productivity while waiting for a new computer?

  48. Re:Just use OpenBSD, for crying out loud! by ihtoit · · Score: 1

    that is my full legal name, fool.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  49. U.S gov't by MT.LinuxUsr · · Score: 0
    Once again, America's "leaders" demonstrate just how little they know about technology. The next election, EVERY incumbent needs to be thrown out. They obviously don't know how to hire anyone with tech knowledge, and they don't have it, so, out they go!

    The same people that are trying to make everyone code... do any of them know what coding is, let alone what encryption is? I think not!

  50. Re:Just use OpenBSD, for crying out loud! by gumbi+west · · Score: 1

    There are several other problems.

    1) When you come back to enter more data and expect the fields to be populated (the form takes a day or two to fill out the first time).
    2) When you need access to something and the manager of that element has to look at your file to approve it.
    3) When you get a new security manager and they have to approve it.

    You're basically taking us back to the paper office days. In that time it was really easy to not put two and two together because cross referencing information was really hard.

  51. Re:Just use OpenBSD, for crying out loud! by gumbi+west · · Score: 1

    It certainly is your option to not have a federal job. I've had three employers over the last decade and all three have lost my PII, not sure how different it is.

  52. Re:Just use OpenBSD, for crying out loud! by perpenso · · Score: 1

    There are several other problems. 1) When you come back to enter more data and expect the fields to be populated (the form takes a day or two to fill out the first time).

    Again, fill out the form on the public side. Completely filled out. It doesn't need to go into the database until then.

    2) When you need access to something and the manager of that element has to look at your file to approve it.

    (a) The people who need to access it can be on the air gapped side, analysts and such.
    (b) One person's data can be extracted from the database, walked across the gap, and sent to someone who needs it. The point of the gap is to isolate the database with everyone's records, and to monitor/supervise data coming from and being sent to public networks. Individual records being worked on at a given moment can be outside. Exposure of data being minimized.

    3) When you get a new security manager and they have to approve it.

    Such people can work on the air gapped side.

    You're basically taking us back to the paper office days. In that time it was really easy to not put two and two together because cross referencing information was really hard.

    Again, I think the people doing the cross referencing, analysis, etc can be on the air gapped side. They can be a team with members from all relevant departments and agencies.