Slashdot Mirror


Encryption Would Not Have Protected Secret Federal Data, Says DHS

HughPickens.com writes: Sean Gallagher reports at Ars Technica that Dr. Andy Ozment, Assistant Secretary for Cybersecurity in the Department of Homeland Security, told members of the House Oversight and Government Reform Committee that in the case of the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, encryption would "not have helped" because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. Ozment added that because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network. "If the adversary has the credentials of a user on the network, they can access data even if it's encrypted just as the users on the network have to access data," said Ozment. "That did occur in this case. Encryption in this instance would not have protected this data."

The fact that Social Security numbers of millions of current and former federal employees were not encrypted was one of the few new details to emerge about the data breach, and House Oversight member Stephen Lynch (D-Mass.) was the one who pulled the SSN encryption answer from the teeth of the panel where others failed. "This is one of those hearings where I think that I will know less coming out of the hearing than I did when I walked in because of the obfuscation and the dancing around we are all doing here. As a matter of fact, I wish that you were as strenuous and hardworking at keeping information out of the hands of hackers as you are in keeping information out of the hands of Congress and federal employees. It's ironic. You are doing a great job stonewalling us, but hackers, not so much."

24 of 142 comments

  1. 2 factor authentication would have. by Anonymous Coward · · Score: 3, Insightful

    Dear Government. Stop being idiots and use REAL freaking security on your systems.

    The lowest bidder is not how you get real security. Here at work, even if I give away my password (77Grumpy-Cat88) not even the best hackers in the world can get into the server here because they do not have my second-factor authentication.

    Instead we get retarded IT security and policies at the government that let anyone from outside reset a user's password if they get that user's information and SSN.

    All it takes is faking that you are an HR person and suddenly you have all you need to convince the lowest paid drones at the help desk to reset a password and you have the keys to get inside.

  2. Result of no consequences for decision makers by schwit1 · · Score: 4, Informative
    An inspector general report last year had advised OPM to shut down many of its computer systems because they were running without sufficient security. The agency ignored that recommendation.

    In the audit report published November 12, 2014, OIG found that 11 out of 47 computer systems operated by OPM did not have current security authorizations. Furthermore, the affected systems were “amongst the most critical and sensitive applications owned by the agency.” Two of the unauthorized systems are described in the report as “general support systems” which contained over 65 percent of all OPM computer applications. Two other unauthorized systems were owned by Federal Investigative Services, the organization which handles background investigations in connection with government security clearances. OIG warned bluntly, “any weaknesses in the information systems supporting this program office could potentially have national security implications.”

    Because of the volume and sensitivity of the information involved, OIG recommended OPM “consider shutting down systems that do not have a current and valid Authorization.” But OPM declined, saying, “We agree that it is important to maintain up-to-date and valid ATOs for all systems but do not believe that this condition rises to the level of a Material Weakness.”

    The head of OPM also claimed in recent House hearings that their failure to close these systems down was justified since the hackers were already in the system when the recommendation was made.

    In other words, we didn’t do anything to make the system secure, and when hackers broke in it was further justification for not doing anything.

    Yeah, let’s put our healthcare under their control also!

  3. Head-Desk. by fuzzyfuzzyfungus · · Score: 2

    Well. The most charitable possible explanation I can give is that this DHS 'cybersecurity' guy realizes that congress has been getting non-stop "zOMG 'encryption' will cause all the pedophiles and every terrorist to 'go dark' and become impossible to catch; and only by mandating magical Clipper 2.0 backdoors can we possibly save America from this impenetrable code wall!" bullshit from the DHS, FBI, and various other spook flacks for weeks on end at this point (they've pretty much been flipping out about it since Apple first considered making it a default, if not earlier).

    Because of that, the primitive herd mind now presumably believes that 'encryption' is a magic data-protection sauce that can be added to any IT system just by swiping at a touchscreen for a minute or two without too much drooling. This will...not...aid their comprehension of what went wrong, or the coherence (if any) of their demands that Something Be Done. So he has the unenviable task of trying to explain that no, actually, 'encryption' is pretty tricky to get right; and needs to be part of an overall system that isn't completely fucked if it's supposed to work, and so on.

  4. Project administrators held PRC passports! by C+R+Johnson · · Score: 5, Informative

    Total and complete incompetence from the Obama administration where the only qualification that matters is political loyalty.

    From the article:

    "A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project "was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports."

    --
    The alternative to limited government is unlimited government.

    1. Re:Project administrators held PRC passports! by bev_tech_rob · · Score: 3, Interesting

      Total and complete incompetence from the Obama administration where the only qualification that matters is political loyalty.

      Shut up you freakin' troll! This shit has probably been going on like this for years before Obama (yes even during the Bushy era).

      --
      You're messin' with my Zen Thing, man.....
    2. Re:Project administrators held PRC passports! by Anonymous Coward · · Score: 5, Insightful

      Last I checked, the current administration is the Obama administration. So why shouldn't they take the heat for this? Saying that "Bush did it too!" is pointless; they're long gone and incapable of effecting policy decisions on stuff that happens today.

    3. Re:Project administrators held PRC passports! by oh_my_080980980 · · Score: 4, Insightful

      Really? Because everything resets and starts with the new administration and nothing should have been done in the past? Today's policy decisions are affected by decisions made in the past.

    4. Re:Project administrators held PRC passports! by budgenator · · Score: 2

      It's because consulting firms are unable to find high skilled computer experts in the US, so they must expand the H1-B program to bring in more foreigners to compensate for the lack of competent Americans!

      That should be

      It's because consulting firms are unwilling to pay competitive wages for highly skilled computer experts in the US, so they must expand the H1-B program to bring in more foreigners to compensate for the lack of competent Americans willing to work for peon wages!

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds

  5. Back end by unixcorn · · Score: 2

    Correct me if I am wrong but stealing thousands or millions of records through an accessible UI doesn't seem feasible to me. If the data itself had been encrypted, even if the thieves had access to the storage directly, they would have been stealing encrypted files. Maybe encryption isn't the holy grail but I would sure feel better knowing my data wasn't readable after downloading. I mean make them work for it anyway.

    1. Re:Back end by Anonymous Coward · · Score: 3, Insightful

      The real problem here is that SSNs and birthdates shouldn't be treated as secret passwords that let you steal someone's identity, especially since it is near impossible to change them.

    2. Re:Back end by budgenator · · Score: 2

      Nope.

      For analysis the entire data set has to be decrypted.

      Well, let's see:

      Transparent Data Encryption:

      "Oracle Advanced Security Transparent Data Encryption (TDE) stops would-be attackers from bypassing the database and reading sensitive information from storage by enforcing data-at-rest encryption in the database layer. Applications and users authenticated to the database continue to have access to application data transparently (no application code or configuration changes are required), while attacks from OS users attempting to read sensitive data from tablespace files and attacks from thieves attempting to read information from acquired disks or backups are denied access to the clear text data." (Transparent Data Encryption)

      "Summary: With the introduction of transparent data encryption (TDE) in SQL Server 2008, users now have the choice between cell-level encryption as in SQL Server 2005, full database-level encryption by using TDE, or the file-level encryption options provided by Windows. TDE is the optimal choice for bulk encryption to meet regulatory compliance or corporate data security standards. TDE works at the file level, which is similar to two Windows® features: the Encrypting File System (EFS) and BitLocker Drive Encryption, the new volume-level encryption introduced in Windows Vista®, both of which also encrypt data on the hard drive. TDE does not replace cell-level encryption, EFS, or BitLocker." (Database Encryption in SQL Server 2008 Enterprise Edition)

      The major players seem to do it out of the box.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds

  6. Re:This by Anonymous Coward · · Score: 3, Insightful

    True, encryption is not the only factor but it is a pretty big one. In this case encryption coupled with a system to limit mass database access without multiple authorizations would have prevented the theft. Encryption would have prevented the attackers from simply copying the entire database off of the physical drive and user limits through the DBMS would have prevented the attackers from copying the records one by one, at least as long as their access was eventually discovered. These BASIC safeguards should be a part of any system which contains financial/tax information.

  7. Keychain abuse by Millennium · · Score: 3, Insightful

    The article's author makes it sound like logging into the system would have automatically unlocked the encrypted files, or at least have allowed a logged-in user to get at the keys without authenticating further.

    I suppose an encryption scheme could be implemented that way, and, just as the article suggests, that would have been useless. But encryption doesn't need to be implemented that way, shouldn't be implemented that way, and is in fact harder to implement that way. It would provide protection against stolen hard drives, but that's not the main model of threat for things like this, and a proper policy would protect against that equally well while handling additional threats.

    It's a simple policy: some things do not go in your freaking keychain. Important data like this, if it must be encrypted with a password, should require that password to be entered manually, every time. Yes, it is less convenient, but some things are too important to afford shortcuts.

  8. Sounds like it's about time by overshoot · · Score: 5, Funny

    ... to outlaw social engineering.

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."

  9. If the credentials were stolen... by Anonymous Coward · · Score: 2, Informative

    It doesn't matter how many factors of authentication are used to obtain those credentials...

    One past known attack was to obtain the user's credential file. Works against AD just as well as against Kerberos (they are the same).

    The one protection that Kerberos had was that to use such credentials you had to be on the machine that they were given to. But since so many sites are now using NAT (which makes this useless), the stolen credentials can be used from anywhere for as long as the credentials have lifetime.

    One thing the DoD did was mandate that the Kerberos credentials granted received different lifetimes based on the network the request came from. As short as 15 minutes (least trusted) up to 7 days (with renewal every 10 hours) when the machine making the request was in a trusted network.

    Worked fairly well at flushing out violations of policy.
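The per-network ticket lifetime policy described in the comment above, modelled as an added example (not code from the commenter or from any real KDC): the trusted address range, the principals and the renewal helper are constructed assumptions, and the numbers are the 15-minute, 10-hour and 7-day figures the comment gives.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed trust zone: requests from outside it are "least trusted".
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LEAST_TRUSTED_LIFETIME = 15 * 60        # 15 minutes, not renewable
TRUSTED_LIFETIME = 10 * 3600            # renew every 10 hours ...
TRUSTED_RENEW_UNTIL = 7 * 24 * 3600     # ... for at most 7 days

@dataclass
class Ticket:
    principal: str
    issued: int        # epoch seconds
    expires: int
    renew_until: int   # equals `expires` when the ticket is not renewable

def lifetime_policy(client_ip: str) -> Tuple[int, int]:
    """Return (lifetime, renewable-until) offsets for a request from client_ip."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return TRUSTED_LIFETIME, TRUSTED_RENEW_UNTIL
    return LEAST_TRUSTED_LIFETIME, LEAST_TRUSTED_LIFETIME

def issue_ticket(principal: str, client_ip: str, now: int) -> Ticket:
    life, renew_for = lifetime_policy(client_ip)
    return Ticket(principal, now, now + life, now + renew_for)

def is_valid(t: Ticket, now: int) -> bool:
    return t.issued <= now < t.expires

def renew(t: Ticket, now: int) -> Optional[Ticket]:
    """Kerberos-style renewal: only an unexpired ticket can be renewed, the
    new end time is capped at renew_until, and a ticket already at that cap
    (or never renewable) is refused."""
    if not is_valid(t, now) or t.expires >= t.renew_until:
        return None
    new_end = min(now + TRUSTED_LIFETIME, t.renew_until)
    return Ticket(t.principal, t.issued, new_end, t.renew_until)

def exposure_window(t: Ticket) -> int:
    """Longest time a copy of this ticket could be replayed: from issue
    until the last possible renewal expires."""
    return t.renew_until - t.issued
```

The point for defenders is `exposure_window`: a ticket handed to an untrusted network is replayable for 15 minutes, one handed to a trusted network for up to a week, so the short lifetime is what bounds the damage from a copied credential file.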

  10. Re: Apathy by overshoot · · Score: 4, Funny

    I admit I'm getting old, but is "mamware" a new name for tittypics?

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."

  11. Good answer but... by TheCarp · · Score: 2

    Problem is, other people have similar sorts of systems and similar weaknesses. I used to work at a company that did IT for several hospitals (a relationship defining "it's complicated" since they founded us) and well, simple auditing of usage after the fact is so..... 1990s.

    By the time I left there was already some real time auditing and control in place, even to the extent of flagging attempts to access inappropriate records. In fact, if you were to access the medical record of your next door neighbor, or a relative, it would be flagged as suspicious access. The only records I knew of that you could look up frivolously were Santa Claus' and the Easter Bunny (Santa had much more hilarious prescriptions).

    I am pretty sure you couldn't easily use that system to download large swaths of records before you got noticed. And that system had additional issues like, you basically need to let most people access most records because you don't want to deny access in an emergency so you HAVE to err on the side of letting the authorized user see everything and audit their usage.

    Why would any other system have such a restraint? A nurse might need to look up a patient she found in the hallway in an emergency.... federal employee information... who has those needs on an emergency basis? Seems they could have rate limits and cross checks against work loads.

    --
    "I opened my eyes, and everything went dark again"

  12. Re:Two-factor auth. Buy some cheap Yubikeys by nabsltd · · Score: 3, Informative

    The Feds always look for the most expensive option. They'll end up with pricey battery powered hardware tokens when they could look at cheap Yubikeys.

    Every employee of the US government already has two-factor authentication in the form of a smart card. The problem is that there are many programs that don't have the hooks for two-factor authentication built in.

    For example, a web app that queries Active Directory almost always asks for username and password, when Windows Authentication can use either username/password or smart card/PIN. This is because smart card/PIN requires trusted code to run on the client computer, and we all know that isn't really possible.

  13. Re:Why would a regular user ever need full SSN???? by turbidostato · · Score: 2

    "Can anybody think of any reason any user would ever need full SSN data?"

    Can anybody think of any valid reason why the USA insists on an ID, as the SSN is, being taken for a password?

    There shouldn't have to be any more problem knowing your SSN than knowing you are silas_moeckel.

  14. Government doesn't get data security, generally by whyde · · Score: 5, Informative

    My family is visiting D.C. this summer, and in order to take a tour of a government facility (Capitol Hill, Congress, Dept. of Engraving, etc.) you need to apply through your congressional representative's office.

    The "official and only" way to apply for a tour is to fill in and return, by email, unencrypted, a non-protected Excel spreadsheet with full names, SSNs, and other personally-identifiable information for your entire tour group (family) in one page of the spreadsheet.

    Basically, if you want a tour, you must be willing first to roll over and put your goods out for anyone to sniff. No exceptions.

    I was sick to my stomach over the idiocy of it all.

  15. Re:This by bitingduck · · Score: 4, Informative

    Two-factor authentication only means that in order to access the system you need two components, for example a Debit card and PIN, it doesn't necessarily limit access if you have those two components.

    Other parts of the government already use more appropriate forms of two-factor authentication, generally smartcard badge+password, pin+rolling RSA key, or in some cases pin+password+rolling RSA key (not really more secure, and easier to forget pin+password). The badges and RSA keys have to be issued by the agency (and sometimes department) and synchronized; I have a bag full of them from various agencies and aerospace companies and they're hard to keep track of. The badges are issued as a result of the whole background check process that was compromised and contain a hash of your fingerprints as well (some, though very few, computers have fingerprint readers). If they had implemented any of those, it's likely that the breach wouldn't have occurred. If, as you suggest, they had included access limits or almost any kind of access log checking, they could likely have detected and stopped a breach that was traceable to a forged/stolen credential as well.
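An added example (not the commenters' code) of the access-log check that comment 11 ("rate limits and cross checks against work loads") and comment 15 ("access limits or almost any kind of access log checking") argue for: each account's distinct record reads per time window are compared against a per-user workload baseline. The log line format, the baseline numbers and the sample log are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed log line format; real audit logs differ, adjust the regex.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"record=(?P<rec>\S+) action=(?P<act>\S+)$")

# Constructed workload baseline: typical distinct records per 10-minute window.
BASELINE = {"jdoe": 3}
DEFAULT_BASELINE = 2

def build_sample_log() -> List[str]:
    """Constructed log: a clerk's normal workday (first five lines), then the
    same account, from an unfamiliar address, walking the table at 02:00."""
    lines = []
    for hour, rec in [(9, 1042), (10, 1187), (11, 1042), (14, 2077), (16, 1190)]:
        lines.append(f"2015-06-16T{hour:02d}:05:00 user=jdoe src=10.1.2.3 "
                     f"record=EMP{rec:05d} action=read")
    for i in range(60):
        ts = datetime(2015, 6, 16, 2, 0, 0) + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()} user=jdoe src=198.51.100.7 "
                     f"record=EMP{i + 1:05d} action=read")
    return lines

def parse(lines: List[str]) -> List[Tuple[datetime, str, str, str]]:
    """Parse matching lines into (time, user, src, record), oldest first."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["act"] == "read":        # only reads count toward bulk access
            events.append((datetime.fromisoformat(m["ts"]),
                           m["user"], m["src"], m["rec"]))
    return sorted(events)

def flag_bulk_access(events, window=timedelta(minutes=10), factor=5):
    """Alert (user, src, window_start, distinct_records) the first time a
    user reads more distinct records in any window than factor x baseline."""
    by_user: Dict[str, list] = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        limit = factor * BASELINE.get(user, DEFAULT_BASELINE)
        for i, (ts, _, src, _) in enumerate(evs):
            seen = set()
            j = i
            while j < len(evs) and evs[j][0] < ts + window:
                seen.add(evs[j][3])
                j += 1
            if len(seen) > limit:
                alerts.append((user, src, ts, len(seen)))
                break                       # one alert per user opens the case
    return alerts
```

Run on the constructed log, the clerk's five daytime reads never exceed the limit of 15 per window, while the 60 sequential reads at 02:00 from the unfamiliar address raise one alert that names the source, which is the signal a valid-but-stolen credential leaves.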

  16. Re: Fired? by DigiShaman · · Score: 2

    Done all the time. Yes, it shouldn't, but it does. Here are examples I've run into that make me cringe to this day.

    1. Password written on a sticky note placed under the keyboard.

    2. Password on a strip of paper taped over on the palm-rest of a laptop.

    3. Everyone has the same password of "Password01" per the insistence of the owner.

    4. Employees casually sharing passwords.

    5. An entire spreadsheet of everyone's password stored on the public file share and replicated in various places on local computers (desktop, my documents, etc) as PASSWORDS.XLSX.

    Done!!! Put a fork in it!

    --
    Life is not for the lazy.

  17. Re:This data is simply not important by Coren22 · · Score: 2

    it isn't Controlled Unclassified Information (née Sensitive But Unclassified)

    Yes it is. It is considered Confidential/Sensitive. It is also considered to contain PII, which means it has to be protected according to various government regulations.

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?

  18. Re: Fired? by arglebargle_xiv · · Score: 3, Funny

    1. Password written on a sticky note placed under the keyboard.

    2. Password on a strip of paper taped over on the palm-rest of a laptop.

    Perfectly good way to manage your passwords when you're in Burnt Scrotum, New Mexico and your opponent is in Pudong, China.