US Lawmakers Demand Federal Encryption Requirements After OPM Hack
Patrick O'Neill writes: After suffering one of the biggest hacks in federal history at the Office of Personnel Management, the U.S. government is sprinting to require a wide range of cybersecurity improvements across agencies in order to better secure troves of sensitive government data against constant cyberattacks. The top priorities are basic but key: Encryption of sensitive data and two-factor authentication required for privileged users. Despite eight years of internal warnings, these measures were not implemented at OPM when hackers breached their systems beginning last year.
The calls for added security measures come as high-level government officials, particularly FBI director James Comey and NSA director Adm. Mike Rogers, are pushing to require backdoors on encryption software that many experts, like UPenn professor Matt Blaze, say would fundamentally "weaken our infrastructure" because the backdoors would be open to hackers as well.
Back doors are like anal sex. Once you've lubed up, anyone can enter.
The world's burning. Moped Jesus spotted on I50. Details at 11.
As the revelations about the failure of the IRS to fulfil the requirements of email archiving law showed, the executive branch doesn't do things just because it's told to. Let's hope this one's got teeth; a breach of a system that has not been secured according to the regulations will result in the loss of pension of all those in the chain of command above the person responsible? Sadly, hanging, drawing and quartering isn't allowed any more...
Since they have been telling us how encryption makes the government weaker (in the hands of americans) yet NOW they want to keep it all to themselves????
yeah.... too bad
have you seen my sig? there are many others like it but none that are the same
I mean, if it's good for us plebes and all ...
Lacking <sarcasm> tags,
Back doors, side doors, front doors, and they'll leave the Windows open!
You know, they could just collect and hoard less data...
(Or as the Russians apparently have done, revert more sensitive systems back to paper and typewriters.)
no, the first step is to airgap sensitive information. NEVER let it onto any sort of network. EVER. Then start worrying about what operating system you're using. *BSD has had security problems in the past and more will be discovered in the future. If you do not believe this to be the case, then you're living in a fantasy world.
Even with the default settings on a vanilla install (which basically don't let you do ANYTHING productive) there are vulnerabilities ranging from minor annoyances on the window manager to showstoppers in the TCP stack. Let's not even go into the simple fact that the second you start services, or install and run software from the ports repository, you are introducing vulnerabilities to your setup, hence *BSD is NOWHERE NEAR as secure as you're apparently making out. It becomes every bit as vulnerable to hackers/worms/whatever as OSX, Linux, any other UNIX, or Microsoft Windows.
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
DISCLAIMER: I am not a network security expert and I'm talking from a layman's position concerning network security.
There are two issues with air-gapping the OPMI database. The first is just data-entry. An SF-86, which is the form to apply for a security clearance, is 122 pages, not including the instructions and the authorization for the government to access your medical records and to run a credit check on you. If you air-gap that system you have to hire someone to either run OCR scans or enter all that data by hand into the database.
The second is data transmission. Investigators have to verify all of the data on that SF86 and conduct in-person character interviews with whomever the applicant lists as character interviews. That's particularly a problem with military personnel as they tend to move from location to location a lot more often than other individuals. Let's say your character witness is Joe Schmuckatelly who lives in California and you live in Nebraska. It's easier and less expensive for the regional office in Nebraska to put the file on the network and request the regional office in California to interview Joe, than it is for the Nebraska office to mail it through USPS to the California office.
Only two things are infinite, the universe and human stupidity, and I'm not entirely sure about the universe - Einstein
Dammit, I hit submit instead of "continue edit."
The other point with data-entry is that each renewal for a security clearance, either due to the clearance expiring or to a periodic random review, requires a new and updated SF-86.
Concerning data transmission, the network is also much cheaper than flying a single investigator all around the country to interview folks in a timely manner. As it is, getting a security clearance takes anywhere from 3-6 months, longer if the investigator finds an irregularity. I'd estimate an air-gap would add at least another month or two to the process accounting for snail-mail transmission times.
As someone whose information was compromised, I absolutely agree the information should have been better protected. I'm just not sure an air-gap is the appropriate measure to take in this case.
Again, I'm not a network security expert.
Only two things are infinite, the universe and human stupidity, and I'm not entirely sure about the universe - Einstein
You make an excellent point. A corollary is a bit of a counter-point. Sometimes you DON'T need to decrypt it, and in those cases you shouldn't be able to.
The most obvious example is passwords. You store those as salted hashes which can't be decrypted. You don't need to know what their password is, you only need to know if it's the same as what they entered or not. We can apply the same principle to data we use for fraud prevention. We want to know if this transaction attempt is coming from the same device / os / ip / location that the legitimate user normally uses. We don't have to store their previous data, only a hash so we can see if the new attempt matches or not.
The OPM didn't need to store details of the applicants' past indiscretions. They could have simply encoded it as a risk score, 1-5. That's like a hash of the narrative, in a way, irreversible but still useful. Then people couldn't be blackmailed or outed with the information.
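The two "store only a hash" cases from the post above, as an added example that is not part of the original thread. Assumptions: PBKDF2-HMAC-SHA256 with a per-user random salt for the password (the post only says "salted hash"), and a keyed HMAC rather than a bare hash for the device/OS/IP fingerprint, with the key held outside the database (an HSM or KMS, say). The key matters: a browser/OS/network tuple has so little entropy that a plain salted hash of it can be enumerated from a leaked table in minutes, which would hand an attacker exactly the "where does this user normally log in from" profile the scheme is meant to hide. Names, the `/24` IP prefix and the sample values are all illustrative.

```python
"""Salted password hashing and keyed device-fingerprint matching.

Added example, not from the original thread. Assumptions: PBKDF2-HMAC-SHA256
for passwords (the post just says "salted hash"), and an HMAC keyed with a
secret held outside the database for the device fingerprint, because a
device/OS/IP tuple has far too little entropy to survive as a plain salted
hash if the table leaks.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

PBKDF2_ITERATIONS = 600_000  # tune so one verification costs ~100 ms on the server


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Dict[str, str]:
    """Return a storable record: per-user random salt + PBKDF2 digest.

    The password itself is never stored; verification only needs to recompute
    the digest with the stored salt and compare.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": str(iterations)}


def verify_password(password: str, record: Dict[str, str]) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 int(record["iterations"]))
    return hmac.compare_digest(digest.hex(), record["hash"])


def fingerprint_tag(key: bytes, device: str, os_name: str, ip_prefix: str) -> str:
    """Keyed tag over the attributes we want to recognise later.

    HMAC rather than a bare hash: an attacker who dumps the table but not the
    key cannot enumerate the small space of browser/OS/network combinations
    to learn where a user normally logs in from. ip_prefix (e.g. "203.0.113",
    a /24) is an assumption of this example: it tolerates DHCP churn.
    """
    msg = "\x1f".join([device, os_name, ip_prefix]).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def is_known_device(key: bytes, stored_tags: Iterable[str],
                    device: str, os_name: str, ip_prefix: str) -> bool:
    """True if the current attempt matches any tag stored for this user."""
    tag = fingerprint_tag(key, device, os_name, ip_prefix)
    return any(hmac.compare_digest(tag, t) for t in stored_tags)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print("login ok:", verify_password("correct horse battery staple", rec))
    print("wrong pw:", verify_password("password123", rec))
    # Constructed sample data. The key would live in an HSM/KMS, never beside the tags.
    k = os.urandom(32)
    known = [fingerprint_tag(k, "Firefox/38", "Windows 7", "203.0.113")]
    print("usual device:", is_known_device(k, known, "Firefox/38", "Windows 7", "203.0.113"))
    print("new device:", is_known_device(k, known, "curl/7.43", "Linux", "198.51.100"))
```

The stored records reveal nothing useful on their own: the password digest costs a full PBKDF2 run per guess, and the fingerprint tags cannot be inverted or enumerated without the HMAC key. The risk-score idea in the post is the same pattern applied by hand; the caveat is that a 1-5 score still leaks something about the applicant, just far less than the narrative does.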
oh, I do agree that there are circumstances (such as specific use cases as you mention) where rapid access to data would be required, but in that case, what about a compromise? Keep the airgap, just extract the data as needed and send it on a closed feed such as eDX (which has end to end encryption using a key the enquirer supplies). The enquirer doesn't even need to access the database. This can be done by an operator with local access. The legal profession uses something a bit less fanciful, DX in this case involves a courier (as in one single person who's basically surgically attached to the pouch to which he has no internal access) travelling nonstop from source to sink. A DX courier could make it across the States from LA to NYC in a day.
As for data entry: this has to be done anyway, and depending on the sensitivity, varying clearances have to be met anyway so keeping that in-house shouldn't be a problem if the data is that important.
Sources: been there, done that, never had a breach. Disclosure: I (still) handle thousands of pages worth of legal documentation having previously represented in courts across England. I've come across solicitors firms who send documents via email(!) and even Facebook(!!). I've also dealt with some of the worst offenders one of whom sent me an entire case file on the WRONG CLIENT, by REGULAR MAIL.
Still shaking my head over that one.
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
The SF-86 is an online form. How are you going to airgap that?
what, me personally? By not using it.
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
If Congress again passes a requirement for departments to do something but refuses to fund it then the executive branch can't do anything.
Not true. The agency can cut spending elsewhere to implement the requirement. Which is what Congress wants the IRS to do, while the IRS want to use the excuse of no new funding to maintain things as they are. It's all just theatre.
If you air-gap that system you have to hire someone to either run OCR scans or enter all that data by hand into the database.
Or someone does a malware scan of electronic media and if all clear they walk the media past the air gap.
Let's say your character witness is Joe Schmuckatelly who lives in California and you live in Nebraska. It's easier and less expensive for the regional office in Nebraska to put the file on the network and request the regional office in California to interview Joe.
Why is the entire file necessary for the interview? A relevant excerpt, only what the applicant claims with respect to Joe, can be walked back across that air gap and sent to the regional office. The interview results then get walked past the air gap and merged/appended to the file. Naturally what really gets walked across is a large number of excerpts and data to merge/append.
In short air gaps allow for electronic data input and output, just in a very controlled and monitored manner.
The SF-86 is an online form. How are you going to airgap that?
Entry occurs on the public side of the gap. An applicant's data gets transferred to electronic media and walked across the gap. The applicant's data then gets merged into the air gapped database that holds *everyone's* data.
:-)
Remember, before cat-5 cables we had station wagons loaded with tapes and it worked quite well.
And the horse seems to be happily running free somewhere thousands of miles beyond the barn door.
If this works like many IT security efforts, we'll spend millions replacing the barn door with a bank vault door. And then leave the window next to it open
As perpenso already noted-- you can move some of the data temporarily across the gap. Even whole files for people whose investigations are currently in progress. But given that reinvestigations are only every 5+ years, data that isn't immediately required can be isolated from the internet. In that case, if you suffer a data breach you still let out a bunch of confidential information on people, but you don't let *all* of it out on *everybody*. And some inputs to the database (e.g. investigation results that aren't needed for other investigators) can be swept to the isolated side on a regular basis.
The trouble is, those same Republicans have derailed national cyber security regulations since Obama has been in office. It's all been channeled through the US Chamber of Commerce.
So that was pretty much the end of it. The Obama administration declared some executive orders, but that clearly did not have much impact. Up until this latest incident the Party of Ignorance (R) got what they wanted: keep you hands off my bidness.
So no one should be very surprised that this happened. There is no bright line between big government and big business when it comes to matters like cybersecurity. Particularly with the amount of outsourcing going on. Don't forget that the OPM breach was not simply in a government network, but at security contractor USIS.
The DHS/OPM/whatever are doing everything they can to cover up what really happened, so the trail to the contractors has been rather effectively hidden. They primarily want to keep evidence of their vast incompetency out of the public eye. That is taking precedence over remedial action to address the breach. This is why they are leaving the roughly 4 million government employees at risk just hanging in the breeze. If they were to do the responsible thing and help the victims it would reveal how extensively they failed.
Remember, horribly incompetent government security contractors are the new normal: Blackwater in Iraq, the TSA meatheads who infest airports, and now this. No one should be surprised. And they should be even less surprised when no one is held accountable and nothing changes.
Why is Snark Required?
step out from behind your AC sock and say that, bitch.
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
I mean this can't happen in real life.
mfwright@batnet.com
This gets me wondering:
Is it possible to separate the fields of the SF-86 form so after they get OCR-ed, the physical documents (if any) go to a secure site [1], and if electronic, it gets printed out. Hard copies are useful for long term archiving.
Then, the online data gets split up into different databases, each not connected to the other. This is done with banking, and has helped with limiting the scope of an intrusion.
By separating the data out (preferably into physically separate data centers), and then having a query be done from different DBs, this would make the job of grabbing everything a lot tougher.
Of course, it might be wise to have the data only accessible on NIPRNet or some other WAN that is not connected to the Internet, and the forms never available via the external web. Again, not a 100% measure, but it forces an attacker to have to resort to physical compromise.
[1]: Historically, governments are top notch at physical security, so reducing computer security issues to things that require a physical presence go a long way.
The ironic thing is that if more companies used an OpenPGP variant (Symantec's PGP, GnuPG, NetPGP, and so on), it really wouldn't matter what channel stuff was sent on. They could create a FB group and stash the files as attachments, but the contents would be secure, assuming keys of a proper length and the private keys properly used/secured, for example, having a key generated and stored in a Yubikey or other cryptographic token. Even just doing document processing in a secured environment like an iOS or Android device would reduce the level of compromise of files in transit quite a bit. Nowhere near as secure as an airgap, but for a lot of items, it brings down risk to acceptable levels.
Of course, if I had access to couriers, one possibility would be to use them to exchange DVDs or other media full of cryptographically secure random numbers, and both sides just use one time pads [1]. That way, a document can be sent via a number of routes, and still be reasonably secure (although it doesn't hurt to send the sensitive stuff via offline courier anyway.)
[1]: I'd not just exchange OTP files, but a few dedicated TrueCrypt keyfiles and OpenPGP public keys. That way, there are a number of security tools available for data that doesn't need the maximum security of a OTP.
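The one-time-pad idea in the post above, as an added example that is not part of the original post. It assumes both parties hold identical copies of the couriered random media (modelled here as a `bytearray`) and that frames are applied in the order they were produced; each frame carries the pad offset it used so the receiver can refuse a replayed frame or any attempt to reuse pad bytes, which is the one mistake that turns an unbreakable cipher into a trivially breakable one. `make_pad`, the frame header layout and the sample text are all assumptions of this example.

```python
"""One-time pad over courier-exchanged random media, with pad consumption tracking.

Added example, not from the original post. Assumes both parties hold identical
copies of a pad (here a bytearray) and that frames are applied in the order
they were produced; the frame header carries the pad offset so the receiver
can detect reuse and exhaustion.
"""
import secrets
import struct
from dataclasses import dataclass

HEADER = struct.Struct(">QI")  # pad offset (u64), payload length (u32)


class PadExhausted(Exception):
    """No unused pad bytes remain; nothing may be sent until new media arrive."""


class PadReuse(Exception):
    """Frame references pad bytes already consumed: a replay or a two-time pad."""


def make_pad(n_bytes: int) -> bytearray:
    """Generate pad material from the OS CSPRNG; burn to media and courier it."""
    return bytearray(secrets.token_bytes(n_bytes))


@dataclass
class OneTimePad:
    pad: bytearray
    used: int = 0  # high-water mark of consumed pad bytes

    def _take(self, start: int, n: int) -> bytes:
        """Hand out pad[start:start+n] exactly once, then wipe it."""
        if start < self.used:
            raise PadReuse(f"offset {start} < consumed {self.used}")
        if start + n > len(self.pad):
            raise PadExhausted(f"need {start + n} bytes, pad has {len(self.pad)}")
        key = bytes(self.pad[start:start + n])
        self.pad[start:start + n] = bytes(n)  # zero it so the bytes cannot be reused later
        self.used = start + n
        return key

    def encrypt(self, plaintext: bytes) -> bytes:
        """XOR with the next unused pad segment; prefix the offset so the peer can align."""
        start = self.used
        key = self._take(start, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, key))
        return HEADER.pack(start, len(plaintext)) + ct

    def decrypt(self, frame: bytes) -> bytes:
        """Consume the same segment on the receiving copy; reject replays and overruns."""
        start, n = HEADER.unpack_from(frame)
        body = frame[HEADER.size:]
        if len(body) != n:
            raise ValueError("frame length does not match header")
        key = self._take(start, n)
        return bytes(c ^ k for c, k in zip(body, key))


if __name__ == "__main__":
    media = make_pad(4096)
    alice = OneTimePad(bytearray(media))  # each side keeps its own copy of the media
    bob = OneTimePad(bytearray(media))
    f = alice.encrypt(b"constructed sample: SF-86 excerpt for the California interview")
    print(bob.decrypt(f))
    try:
        bob.decrypt(f)  # the same frame delivered twice
    except PadReuse as e:
        print("rejected:", e)
```

Two caveats a practitioner would add. First, the pad gives confidentiality only: XOR is malleable, so a relay that cannot read the frame can still flip chosen bits in it, and a one-time MAC (or an authenticated side channel) is still needed for integrity. Second, the secrecy rests entirely on the media never being copied between generation and destruction, which is exactly the physical-handling problem the next reply is sceptical about.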
Historically, governments are top notch at physical security...
You just made me spit coffee through my new keyboard.
https://en.wikipedia.org/wiki/...
(incomplete list, LOTS of avoidable breaches, including hard drives, even LAPTOPS left on trains, paper documents left on park benches; the worst reported breach, revealed in 2008, was the 2007 loss of 25 MILLION records of benefit claimants' families (practically the entire UK population), which were dispatched in the regular post on unencrypted CDs and subsequently "lost".)
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
Nobody I know does their SF-86 form on paper. It is an online form completed through a system called "e-qip".
Learning HOW to think is more important than learning WHAT to think.
Right, because another requirement/standard will solve this problem. It will get tossed on the pile of requirements for every new contract. It will be implemented to the letter, just like current security requirements. And it will help a bit but things still won't be "secure."
Security is fundamentally picking the level of risk you're willing to accept. The answer is uniformly "none," but strangely enough you still want that network hooked up, so you end up with 4,000 pages of requirements that effectively amount to "Well, you need to make sure that _everything_ is 100% locked down and goes through 6 month review and and..."
Security works well when there's no hacks, no rushes and above all no one in the organization who says "I'm important, so these rules represent a threat to my status/are stupid/but this is _important_..." You don't think there's anyone like that in the government, do you?
Ack!
It should be clear by now that systems cannot be made perfectly hack proof. The people who make security can break security. And some people have to be trusted. People cannot be trusted.
E Proelio Veritas.
Is it possible to separate the fields of the SF-86 form so after they get OCR-ed, the physical documents (if any) go to a secure site [1], and if electronic, it gets printed out. Hard copies are useful for long term archiving.
If you're going through OPM you fill out the SF86 online on a system called eQIP-- you get a pdf at the end that you can print and keep, but they collect all the data electronically. No OCR involved.
eQIP has its own problems-- the default passwords for entry are based on data that anybody can look up about you. You're supposed to change them so that when you submit your stuff for reinvestigation you use passwords that you made up, but given that they have specific password requirements (3 passwords) and reinvestigation is every 5+ years, you might as well just bang on the keyboard and then ask for a password reset when it's time to do it again.
that is my full legal name, fool.
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
There are several other problems.
1) When you come back to enter more data and expect the fields to be populated (the form takes a day or two to fill out the first time).
2) When you need access to something and the manager of that element has to look at your file to approve it.
3) When you get a new security manager and they have to approve it.
You're basically taking us back to the paper office days. In that time it was really easy to not put two and two together because cross referencing information was really hard.
It certainly is your option to not have a federal job. I've had three employers over the last decade and all three have lost my PII, not sure how different it is.
There are several other problems. 1) When you come back to enter more data and expect the fields to be populated (the form takes a day or two to fill out the first time).
Again, fill out the form on the public side. Completely filled out. It doesn't need to go into the database until then.
2) When you need access to something and the manager of that element has to look at your file to approve it.
(a) The people who need to access it can be on the air gapped side, analysts and such.
(b) One person's data can be extracted from the database, walked across the gap, and sent to someone who needs it. The point of the gap is to isolate the database with everyone's records, and to monitor/supervise data coming from and being sent to public networks. Individual records being worked on at a given moment can be outside. Exposure of data is minimized.
3) When you get a new security manager and they have to approve it.
Such people can work on the air gapped side.
You're basically taking us back to the paper office days. In that time it was really easy to not put two and two together because cross referencing information was really hard.
Again, I think the people doing the cross referencing, analysis, etc can be on the air gapped side. They can be a team with members from all relevant departments and agencies.