Slashdot Mirror
Encryption Would Not Have Protected Secret Federal Data, Says DHS
HughPickens.com writes: Sean Gallagher reports at Ars Technica that Dr. Andy Ozment, Assistant Secretary for Cybersecurity in the Department of Homeland Security, told members of the House Oversight and Government Reform Committee that in the case of the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, encryption would "not have helped" because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. Ozment added that because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network. "If the adversary has the credentials of a user on the network, they can access data even if it's encrypted just as the users on the network have to access data," said Ozment. "That did occur in this case. Encryption in this instance would not have protected this data."
The fact that Social Security numbers of millions of current and former federal employees were not encrypted was one of few new details emerged about the data breach and House Oversight member Stephen Lynch (D-Mass.) was the one who pulled the SSN encryption answer from the teeth of the panel where others failed. "This is one of those hearings where I think that I will know less coming out of the hearing than I did when I walked in because of the obfuscation and the dancing around we are all doing here. As a matter of fact, I wish that you were as strenuous and hardworking at keeping information out of the hands of hackers as you are in keeping information out of the hands of Congress and federal employees. It's ironic. You are doing a great job stonewalling us, but hackers, not so much."
The fact that Social Security numbers of millions of current and former federal employees were not encrypted was one of few new details emerged about the data breach and House Oversight member Stephen Lynch (D-Mass.) was the one who pulled the SSN encryption answer from the teeth of the panel where others failed. "This is one of those hearings where I think that I will know less coming out of the hearing than I did when I walked in because of the obfuscation and the dancing around we are all doing here. As a matter of fact, I wish that you were as strenuous and hardworking at keeping information out of the hands of hackers as you are in keeping information out of the hands of Congress and federal employees. It's ironic. You are doing a great job stonewalling us, but hackers, not so much."
Is the word for the day.
cuz dey kin do errything.
Convenient, no?
These days so many people think that encryption is the answer to security. When I read the story the other day and everyone was up in arms over the lack of encryption, my first question was "what impact would encryption have had? Likely very little."
Encryption for data at rest usually protects against physical theft - like backup tapes or a whole computer. Remote exfiltraction is much easier on a running system where the data is intended to be accessed. In those cases, encryption does little to protect data.
Dear Government. Stop being idiots and use REAL freaking security on your systems.
the lowest bidder is not how you get real security. here at work, even if I give away my password (77Grumpy-Cat88) not even the best hackers in the world can get into the server here because they do not have my second factor authentication.
Instead we get retarded IT security and policies at the government that lets anyone from outside reset a users password if they get that users information and SSN.
All it takes is faking that you are an HR person and suddenly you have all you need to convince the lowest paid drones at the help desk to reset a password and you have the keys to get inside.
The head of OPM also claimed in recent House hearings that their failure to close these systems down was justified since the hackers were already in the system when the recommendation was made.
In other words, we didn’t do anything to make the system secure, and when hackers broke in it was further justification for not doing anything.
Yeah, let’s put our healthcare under their control also!
Well. The most charitable possible explanation I can give is that this DHS 'cybersecurity' guy realizes that congress as been getting non-stop "zOMG 'encryption' will cause all the pedophiles and every terrorist to 'go dark' and become impossible to catch; and only by mandating magical Clipper 2.0 backdoors can we possibly save America from this impenetrable code wall!" bullshit from the DHS, FBI, and various other spook flacks for weeks on end at this point(they've pretty much been flipping out about it since Apple first considered making it a default, if not earlier).
Because of that, the primitive herd mind now presumably believes that 'encryption' is a magic data-protection sauce that can be added to any IT system just by swiping at a touchscreen for a minute or two without too much drooling. This will...not...aid their comprehension of what went wrong, or the coherence(if any) of their demands that Something Be Done. So he has the unenviable task of trying to explain that no, actually, 'encryption' is pretty tricky to get right; and needs to be part of an overall system that isn't completely fucked if it's supposed to work, and so on.
... you are much more totally, hopelessly, and bafflingly stupid than the hackers that gained access to our systems.
The Feds always look for the most expensive option. They'll end up with pricey battery powered hardware tokens when they could look at cheap Yubikeys.
Trolling is a art,
Total and complete incompetence from the Obama administration where the only qualification that matters is political loyalty.
From the article:
"A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project "was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports."
The alternative to limited government is unlimited government.
Correct me if I am wrong but stealing thousands or millions of records through an accessible UI doesn't seem feasible to me. If the data itself had been encrypted, even if the thiefs had access to the storage directly, they would have been stealing encrypted files. Maybe encryption isn't the holy grail but I would sure feel better knowing my data wasn't readable after downloading. I mean make them work for it anyway.
The article's author makes it sound like logging into the system would have automatically unlocked the encrypted files, or at least have allowed a logged-in user to get at the keys without authenticating further.
I suppose an encryption scheme could be implemented that way, and as just as the article suggests, that would have been useless. But an encryption doesn't need to be implemented that way, shouldn't be implemented that way, and is in fact harder to implement that way. It would provide protection against stolen hard drives, but that's not the main model of threat for things like this, and a proper policy would protect against that equally well while handling additional threats.
It's a simple policy: some things do not go in your freaking keychain. Important data like this, if it must be encrypted with a password, should require that password to be entered manually, every time. Yes, it is less convenient, but some things are too important to afford shortcuts.
Bad title - It's not "Secret Federal Data". It's Employee Information (PII/SSN/etc.) but not classified gov. secrets.
AC b/c posting at work.
... to outlaw social engineering.
Lacking <sarcasm> tags,
Ignorance of the law is not an excuse to break it, ignorance of IT should not be an excuse to ignore it in this day and age.
It doesn't matter how many factors of authentication are used to obtain those credentials...
One past known attack was to obtain the users credential file. Works against AD just as well as against Kerberos (they are the same).
The one protection that kerberos had was that to use such credentials you had to be on the machine that they were given to. But since so many sites are now using NAT (which makes this useless), the stolen credentials can be used from anywhere for as long as the credentials have lifetime.
One thing the DoD did was mandate that the kerberos credentials granted received different lifetimes based on the network the request came from. As short as 15 minutes (least trusted) up to 7 days (with renewal every 10 hours) when the machine making the request was in a trusted network.
Worked fairly well at flushing out violations of policy.
So encryption would not have helped because the Attackers had a valid set of credentials with which to ex-filtrate ,millions of records.
The bigger issue here is why were alarms not ringing in the appropriate places while millions of records were being ex-filtrated? Why was there not effective monitoring of access use and network anomalies?
Funny thing is, if that sort of software was being used properly where another notable security cleared contractor was working (who's data was also leaked by this breach) he would have had a much harder time copying out so many documents without leaving a trace of his activities.
I have to think on the most recent Lastpass breach. In that case the lastpass people detected the anomalous network traffic, quickly tracked it down and discovered the exact nature of the possible breach. Because though their systems only stored data encrypted by keys that the systems themselves did not hold then the only leak was of the master-password hashes which because they were individually salted and hashed would only be useful in a targeted attack on individuals should they have weak passwords.
Maybe I'm wrong, but why is this kind of data on publicly accessible Internet? Is it not possible to put the encrypted data on totally secure servers requiring the best kind of login services that are not attached in any way to the public Internet but accessible through a separate wide area network? Folks who have access to this kind of data might need a separate terminal to access the data perhaps in a physically different location from their Internet connected computer. Users would need to be prevented from switching cables between the two kinds of terminals or otherwise allowing the servers to connect to the public Internet.
In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
So they can't one arm of the government saying encryption would have helped and another saying it should be illegal.
The thing is, how bad do you suck at security if social engineering was behind this "attack"
"If any question why we died, Tell them because our fathers lied."
The fact that Social Security numbers of millions of current and former federal employees were not encrypted was one of few new details emerged about the data breach and House Oversight member Stephen Lynch (D-Mass.) was the one who pulled the SSN encryption answer from the teeth of the panel where others failed.
A foreign country got ahold of our SF86 data and somebody is asking why social security numbers weren't protected? /. is missing the significance of this but if this is the oversight committee's concern they need to be replaced with people who understand the national security implications of this. Hopefully I'm just misreading something.
I'm not surprised that
From TFS:
"As a matter of fact, I wish that you were as strenuous and hardworking at keeping information out of the hands of hackers as you are in keeping information out of the hands of Congress and federal employees. It's ironic. You are doing a great job stonewalling us, but hackers, not so much."
Never blame on bureaucratic conspiracy that which can be adequately explained by Congressional incompetence.
I presume they know who's credentials were used.
Have they been fired? Because giving anyone your credentials is like crossing the streams...it's never done.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
Can anybody think of any reason any user would ever need full SSN data?
No sir I dont like it.
Problem is, other people have similar sorts of systems and similar weaknesses. I used to work at a company that did IT for several hospitals (a relationship defining "its complicated" since they founded us) and well, simple auditing of usage after the fact is so..... 1990s.
By the time I left there was already some real time auditing and control in place, even to the extent of flagging attempts to access inappropriate records. In fact, if you were to access the medical record of your next door neighbor, or a relative, it would be flagged as suspicious access. The only records I knew of that you could look up frivolously were Santa Claus' and the Easter Bunny (Santa had much more hilarious prescriptions).
I am pretty sure you couldn't easily use that system to download large swaths of records before you got noticed. And that system had additional issues like, you basically need to let most people access most records because you don't want to deny access in an emergency so you HAVE to err on the side of letting the authorized user see everything and audit their usage.
Why would any other system have such a restraint? A nurse might need to emergency look up a patient she found in the hallway.... federal employee information... who has those needs on an emerhency basis? Seems they could have rate limits and cross checks against work loads.
"I opened my eyes, and everything went dark again"
Yes, it is less convenient, but some things are too important to afford shortcuts.
And the data on these systems is not one of those important things. This was SF-86 data, SF-85P data and data from follow-up investigations of that data -- it isn't Top Secret, it isn't Secret, it isn't Classified, it isn't Controlled Unclassified Information (née Sensitive But Unclassified), it isn't even Law Enforcement Sensitive. There is no legal requirement for the US Government to protect this information, so they didn't waste budget on safeguarding it.
If you've ever filled out one of those forms you should have noticed the glaringly obvious omission of any promise to protect the information you provided. But don't tell the interviewer you noticed that or they'll decide you are not trustworthy.
Since everyone had access to it... Seriously, this is why least access principles are so important. Encryption isn't a silver bullet, there is no silver bullet, it's a process, with many layers and technology. You need to do it all, or determined attackers will pick the weakest link.
So Dr. Andy Ozment and the DHS crowd are just incompetent? The political jockeying and posturing is pretty annoying though.
It still sounds like a "you shouldn't encrypt because we said so" argument with the "because this lame example" gambit tacked on the end.
Morons.
There is so much wrong with this article its not even funny. I don't blame the writer, he's just trying to tie a nice neat bow on a badly wrapped pig.
I had to laugh though when he twice gives the example of proximity unlock on cars as IOT security. These are the same devices that only guarantee proximity security by using signal strength and thus are easily defeated by a $17 signal booster available on eBay, which has been in the news as the cause of many thefts of the contents of vehicles.
By seriously the core issue here is authentication and concentration of secrets, and no matter how many extra factors you have this will not change because each new factor requires the service to store another secret to be stolen or live phished from you.
As I see it the only long term solution is a better single factor and one that puts the handling of secrets as close to the user as possible and contained in something that is hardened or prevented from running malware. Then have that device use a site specific asymmetric key pair to offer a zero knowledge proof of authentication to the service. In that way the services hold no authentication secrets and what they do hold cannot even be used by an attacker to infer linkage between services.
Unfortunately right now, there is nothing in production and widely available that can do this, not even the much vaunted FIDO an U2F will accomplish this as their choices have rendered those protocols only usable as a second factor. There is one Single factor protocol that is presently 18 months into its research and development that I think will satisfy all the requirements of what the article writer needs, that being SQRL from The Gibson Research Corporation. Which also has additional features that even allow complete recovery from a loss of control over its core secret.
My family is visiting D.C. this summer, and in order to take a tour of a government facility (Capitol Hill, Congress, Dept. of Engraving, etc.) you need to apply through your congressional representative's office.
The "official and only" way to apply for a tour is to fill in and return, by email, unencrypted, a non-protected Excel spreadsheet with full names, SSNs, and other personally-identifiable information for your entire tour group (family) in one page of the spreadsheet.
Basically, if you want a tour, you must be willing first to roll over and put your goods out for anyone to sniff. No exceptions.
I was sick to my stomach over the idiocy of it all.
Um, to apply for social security? To use a store-my-SSN-so-i-don't-have-to-keep-typing-it service? To give governments and corporations a unique ID to use to track them? To satisfy poorly designed registration requirements? To register for the draft? To get a driver's license? To pay taxes? To obtain the sense of security that comes from knowing any service that requires it must be highly regulated because surely that's how things really work, and somehow that surely means you'll get good service? How much credit do you give to the intelligence of "regular users"?
Encryption is only one piece of the security puzzle, they also need to consider access control, multi-factor authentication, among other things. Being a security professional and one of the people affected by this it appears the OPM was negligent in protecting our information. We should be pushing for a class action lawsuit.
Congress does not really hold much high ground in this.
Expecting technically competent govt workers without outside feedback is not a plausible solution.
Unfortunately, for the system Congress setup, the primary outside feedback path seems to be from the bad guys.
The obvious way to actually fix it is to figure out a way to employ/embrace some friendly hackers to find the bugs and close them.
Instead, Congress discourages this with anti-hacking laws and so the less friendly hackers have their way with us.
Sure, one *could* do a lot of things. But they didn't. And they probably didn't because there's a limited amount of time and money to do what needs to get done, and someone, somewhere along the line decided that it wasn't worth it.
Not out of incompetence or ignorance even.
They probably get requests every other day for "can you tell us the age distribution of all government workers in department X and Y and Z with paygrade GS-12 who have made claims against their health insurance in any of 2008, 2009, 2011, or 2012" Sure, one could set up some sort of funky database, with randomized, hashed keys to decouple the SSN and name from the entity data. But why? that would cost a lot of money and time, and how would you do it in a generalized way so that tomorrow, when the next request comes in for "tell me how many GS14s have last names beginning with Q", you aren't going "doh, now I have to dereference the entire database, build a new index, build new hashes, etc."
Nah, you just have the big database, with decent user access controls (which they had), and trust in the professionalism of the users to respect the data. Of course, there is a hole: if user access is compomised, they get the data.
This isn't some laboratory study where from the beginningyou know what data is PII and what isn't, and you can set up a simple "subject 12345" has data XYZ, and the relationship between subject 12345 and Joe Smith is kept in a locked filing cabinet on paper.
The whole purpose of OPM is to maintain "HR Permanent Records". their whole function *is* to maintain the connection between Joe Smith and 123 River Drive and 987-65-4321.
Mine doesn't ask for this. It is most certainly not needed for a Capitol tour, in general. I walked into my member's office and they handed me a house gallery pass. Yeah, I had to go through the metal detector at the door to the office building, and I might have had to show id (don't remember).
In fact, you can walk up and get a tour, and I'm sure they don't ask for your SSN
"However, same-day tour passes may be available at the “Public Walk-up” line near an Information Desk located on the lower level of the Visitor Center. During peak visitation periods such as spring and summer, fewer same-day tour passes are available, and there are often longer waits for these passes"
Now, your member of congress may be collecting SSNs and PII on unencrypted spreadsheets out of ignorance or malice. Maybe they're building a database.
They should not be allowed to slink off via resigning from their jobs. This was a truly incompetent job and shows obvious negligence regarding PII type data. Indict and prosecute them and let's see if that improves data protection practices with the Federal government.
Surely the government shouldn't have a problem with the public using encryption, then?
"Encryption" is not magic Security-Pixie-Dust.
Imagine this: You have a document server protected by https. Attacker connects using https, gets a proper and secured crypto session. Then uses a buffer overflow in the web server to pwn the entire web server. From then on, reads the main memory of the entire web server process. Has access to EVERYTHING (SQL connections, backend servers, files, pipes to other processes....) which is transmitted via / connected to this server. Bummer. Encryption was useless to stop this.
Equally, "encrypted personell records" do not help, when the application decrypting the records runs on a pwned PC. A single C-style bug/exploit is sufficient to have an entire NT or Linux kernel pwned.
OPM was probably a victim of the poisonous concept seeded by Bell Labs. Concept is called "C based Kernel".
Rust and Swift are paving the way out of the Cyber War Space. Let's hope we get out of this deadly jungle before people start to use typewriters and microfiches again. Actually OPM would not have been affected so badly if they had run operations on Microfiche !
An OS kernel in a memory safe language would still have bugs. But most of them would result in immediate, deterministic and debuggable crashes. You would REALIZE a security intrusion, instead of having an attacker existing in your computer for months, learning all your habits, your connections, you passwords and your security precautions.
Likewise, drivers written in Swift would not be able to compromise then entire kernel. Instead the subsystem in question (e.g. the network interface driver) would be compromised. That's bad enough but the attacker would not learn passwords and contents of the file system as it is the case with C based kernels/drivers.
Burroughs and ELBRUS (of Russia) had a similar concept decades ago. Unisys still sells these machines, but has failed to modernize the concept with OO languages like Swift or Rust. Microsoft had a C# based OS kernel in their Research labs.
Dim-witted CEOs won't make this happen. We certainly need a Steve-Jobs style figure to dump C based kernels. Mr Thorvalds has repeatedly stated he is to dim-witted to make this drastic change.
But this is the way forward. The IT industry either adapts or it will perish at the hand of the Microfiche business. Deal with it.
We need to connect everything to everything. We use some super-expensive firewalls "to secure it". Which is of course BOLLOCKS. A firewall will not protect you against first-rate threats like a virus that comes in by spearfishing and exfiltrates by "comouflaging" itself similar to legit traffic. In many if not most corporations, exfiltration could be done by traffic to facebook, twitter, instagramm and the like. Your funny IDS will most probably not detect it because the malware will first monitor existing traffic and then "fit into existing patterns" for exfiltration.
So - radical measures like truly, physically disconnected systems are required. Or use microfiche+paper files and even the dumbest ass will be able to grasp the security processes. Certainly it will be realized when a 32ton truck will arrive to "exfiltrate" just 5% of your records.
Encryption would have helped, but the way most encryption is implemented it would not. Let me explain, from most systems I have seen encryption is not part of the original design, it is a layer that is added later; usually at the database or disk level. So yes, if you have a valid account to the system you can access the database and query the unencrypted data with no problems.
Now good encryption does not rely on a wrapper, but is done to the data before it reaches the database. So in a multi-tiered application, the application server does the encryption and decryption, the database server only stores and retrieves the encrypted data. If someone breaks into the database server, or opens a connection to it, the data is encrypted. Yes if someone breaks into the application server they could craft calls to the database that would decrypt, but this would take longer and would be pretty easy to cut off and limit.
The general idea is that the data storage should not be able to encrypt or decrypt the data; the application system that does encrypt and decrypt shouldn't have direct control of the data.
So yes encryption implemented properly would have helped.
Other than the obvious (Outing and tracking potential government agents etc) The attackers now potentially have the ability to impersonate these individuals whos data was compromised. Perhaps Obtain legitimate ID's in there names with a trivial amount of social engineering (Do you happen to have a utility bill with you sir?)
This could lead to a chain of breeches as we have already seen here that critical government infrastructure does not necessarily subscribe to multi-factor authentication.
This is such a mess...the data ex filtration was probably only the first step in a carefully planned state actor operation.
Question is how deep does this Rabbit hole go?
by Anonymous Coward on Thursday June 18, 2015 @01:46PM
"PRC passports".
How fucking insane is that ? Total corruption at the highest level. Learning this kind of shit explains why they could not simply lock up the boss of Lehman Brothers before he decided to reboot the economy.
The government has been pwned by the banksters. Simple explanation why this kind of crap happens. Banksters are cynics so they give a damn about a PRC guy being an OPM admin with Total Access. All they care is about "cut the cost so that I can use the money to build my Bankster castle in the countryside".
The Lehman boss was a Navy Pilot before. He hit his commanding officer into the face. Then he became Lehman Boss. Then he hit the world economy in the face. Still not in jail.
Instead a bankster marries Chelsea Clinton. See how it works ?
Not ironic, really. The Chinese just had need-to-know; you don't ...
...head of statistics walks along and commands you to hand over "entire table CLEARANCES" to Jeffrey of the statistics department. Jeff will then proceed to run a bunch of shitty VBA scripts on the table before browsing filthypornAndVirus.com.
You dont argue with Wally because he knows all the shitty tricks of the mid-level manager while you are only an obedient little CS guy. So, forget all your theories.
I see you are mostly clueless. Two years out of CS studies or even less reasoning capabilties, eh ?
First, "encrypt each record differently" works straight against most of the ideas of an RDBMS. If data is wholly encrypted, you cannot do much indexing, much querying. A file server with individually crypted files is as good as the RBDMS you enivision. The OPM people probably want to answer "who has a clearance for 'Spartan-Snoop-A', so that we can quickly fill this position". If the record is encrypted, it cannot be done.
Secondly, how exactly do you handle key material ? I bet a dumbass like you would build a second server system filled with the keys. And then you would proceed to give some officer's machine access to the crypted database and to all keys on the second server. And you would be too dumb to realize that pwning the officer's PC will make a full, automated decryption of the entire crypted database possible.
So, get yourself a "101 of proper reasoning" book.
Here is my analysis: Short of microfiche this kind of data collection cannot be secured. Because we have to expect the entirety of PCs in organizations to be pwned for years until somebody notices it. They can collect records for years. Including the decrypts of your previously nicely encrypted records.
They should not be allowed to slink off via resigning from their jobs. This was a truly incompetent job and shows obvious negligence regarding PII type data. Indict and prosecute them and let's see if that improves data protection practices with the Federal government.
I suspect the real problem with this is that Congress is most likely just as culpable as anyone in this fiasco. OPM budget is set by Congress. Right now, there are many in Congress and the Administration pushing to put back doors into encryption systems, etc. The list is long. No, this will be good for a few members of Congress to get valuable face time on the evening news in which they can fulminate with righteous indignation, but I'm sure that they will be less than eager to really start asking hard questions about how this actually happened. That will probably hit a little too close to home for many of them. And this will be quickly forgotten the next time Justin Beiber (or whoever) does something outrageous in public, so it's really no skin off their nose.
'encryption would "not have helped" because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering'
An encrypted database that could only be queried through a secure and fully audited channel. Any attempt to download the entire database would trip an alarm.
She's lying about her "it wouldn't have mattered".
Part of the "valid user credentials" is the system from which the login request is originating.
If only certain authorized machines, or machines within a certain building, or on a certain network, are permitted to log in using the credentials that were obtained, they would still not have been able to log in remotely.
Additional restrictions, such as time windows during which certain credentials may be used could also have further constrained the attackers.
She's obviously relying on the technical ignorance of the House Oversight and Government Reform Committee membership to try and "pull a fast one".
It's too bad these guys do not have competent technical advisors in the room with them to tell them the questions they need to ask to elicit the truth.
I was watching the inquiries on CSPAN. My thoughts exactly were, "do we even know encryption would have solved the issue?". You have this legislator (didn't catch his name) up in front everyone lambasting OPM Director Katherine Archuleta and demanding to know why the data was not encrypted. As if the guy has a clue about what is involved and what problems it would solve directly. Exactly as mentioned in the article since the system has to be able to decrypt it's own data in order to function all you have to do is compromise the system and you get the data. I'm not defending outdated, piss poor public sector security practices, but it's just pretty lame to grandstand and pretend all the solutions are so obvious and that encrypting all your data for the last 30 years is as simple as deciding it should be done. It's particularly obnoxious when the criticism comes from a clueless legislator, who doesn't know anything about network security and is just engaging in a self serving attempt to seem tough on the issue.
http://www.businessinsider.com/the-us-agency-plundered-by-chinese-hackers-made-one-of-the-dumbest-security-moves-possible-2015-6