Slashdot Mirror
Encryption Would Not Have Protected Secret Federal Data, Says DHS
HughPickens.com writes: Sean Gallagher reports at Ars Technica that Dr. Andy Ozment, Assistant Secretary for Cybersecurity in the Department of Homeland Security, told members of the House Oversight and Government Reform Committee that in the case of the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, encryption would "not have helped" because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. Ozment added that because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network. "If the adversary has the credentials of a user on the network, they can access data even if it's encrypted just as the users on the network have to access data," said Ozment. "That did occur in this case. Encryption in this instance would not have protected this data."
The fact that Social Security numbers of millions of current and former federal employees were not encrypted was one of few new details emerged about the data breach and House Oversight member Stephen Lynch (D-Mass.) was the one who pulled the SSN encryption answer from the teeth of the panel where others failed. "This is one of those hearings where I think that I will know less coming out of the hearing than I did when I walked in because of the obfuscation and the dancing around we are all doing here. As a matter of fact, I wish that you were as strenuous and hardworking at keeping information out of the hands of hackers as you are in keeping information out of the hands of Congress and federal employees. It's ironic. You are doing a great job stonewalling us, but hackers, not so much."
The fact that Social Security numbers of millions of current and former federal employees were not encrypted was one of few new details emerged about the data breach and House Oversight member Stephen Lynch (D-Mass.) was the one who pulled the SSN encryption answer from the teeth of the panel where others failed. "This is one of those hearings where I think that I will know less coming out of the hearing than I did when I walked in because of the obfuscation and the dancing around we are all doing here. As a matter of fact, I wish that you were as strenuous and hardworking at keeping information out of the hands of hackers as you are in keeping information out of the hands of Congress and federal employees. It's ironic. You are doing a great job stonewalling us, but hackers, not so much."
Dear Government. Stop being idiots and use REAL freaking security on your systems.
the lowest bidder is not how you get real security. here at work, even if I give away my password (77Grumpy-Cat88) not even the best hackers in the world can get into the server here because they do not have my second factor authentication.
Instead we get retarded IT security and policies at the government that lets anyone from outside reset a users password if they get that users information and SSN.
All it takes is faking that you are an HR person and suddenly you have all you need to convince the lowest paid drones at the help desk to reset a password and you have the keys to get inside.
True, encryption is not the only factor but it is a pretty big one. In this case encryption coupled with a system to limit mass database access without multiple authorizations would have prevented the theft. Encryption would have prevented the attackers from simply copying the entire database off of the physical drive and user limits through the DBMS would have prevented the attackers from copying the records one by one, at least as long as their access was eventually discovered. These BASIC safeguards should be a part of any system which contains financial/tax information.
The article's author makes it sound like logging into the system would have automatically unlocked the encrypted files, or at least have allowed a logged-in user to get at the keys without authenticating further.
I suppose an encryption scheme could be implemented that way, and as just as the article suggests, that would have been useless. But an encryption doesn't need to be implemented that way, shouldn't be implemented that way, and is in fact harder to implement that way. It would provide protection against stolen hard drives, but that's not the main model of threat for things like this, and a proper policy would protect against that equally well while handling additional threats.
It's a simple policy: some things do not go in your freaking keychain. Important data like this, if it must be encrypted with a password, should require that password to be entered manually, every time. Yes, it is less convenient, but some things are too important to afford shortcuts.
Last I checked, the current administration is the Obama administration. So why shouldn't they take the heat for this? Saying that "Bush did it too!" is pointless; they're long gone and incapable of effecting policy decisions on stuff that happens today.
The real problem here is that SSN's and Birthdates shouldn't be treated as secret passwords that let you steal someone's identity. especially since it is near impossible to change them.
Really? Because everything resets and starts with the new administration and nothing should have been done in the past? Today's policy decisions are affected by decisions made in the past.