Slashdot Mirror

← Back to Stories (view on slashdot.org)

Encryption Would Not Have Protected Secret Federal Data, Says DHS

Posted by samzenpus on from the might-as-well-give-up dept.

HughPickens.com writes: Sean Gallagher reports at Ars Technica that Dr. Andy Ozment, Assistant Secretary for Cybersecurity in the Department of Homeland Security, told members of the House Oversight and Government Reform Committee that in the case of the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, encryption would "not have helped" because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. Ozment added that because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network. "If the adversary has the credentials of a user on the network, they can access data even if it's encrypted just as the users on the network have to access data," said Ozment. "That did occur in this case. Encryption in this instance would not have protected this data."

The fact that Social Security numbers of millions of current and former federal employees were not encrypted was one of few new details emerged about the data breach and House Oversight member Stephen Lynch (D-Mass.) was the one who pulled the SSN encryption answer from the teeth of the panel where others failed. "This is one of those hearings where I think that I will know less coming out of the hearing than I did when I walked in because of the obfuscation and the dancing around we are all doing here. As a matter of fact, I wish that you were as strenuous and hardworking at keeping information out of the hands of hackers as you are in keeping information out of the hands of Congress and federal employees. It's ironic. You are doing a great job stonewalling us, but hackers, not so much."

8 of 142 comments (clear)

  1. Result of no consequences for decision makers by schwit1 · · Score: 4, Informative
    An inspector general report last year had advised OPM to shut down many of its computer systems because they were running without sufficient security. The agency ignored that recommendation.

    In the audit report published November 12, 2014, OIG found that 11 out of 47 computer systems operated by OPM did not have current security authorizations. Furthermore, the affected systems were “amongst the most critical and sensitive applications owned by the agency.” Two of the unauthorized systems are described in the report as “general support systems” which contained over 65 percent of all OPM computer applications. Two other unauthorized systems were owned by Federal Investigative Services, the organization which handles background investigations in connection with government security clearances. OIG warned bluntly, “any weaknesses in the information systems supporting this program office could potentially have national security implications.”

    Because of the volume and sensitivity of the information involved, OIG recommended OPM “consider shutting down systems that do not have a current and valid Authorization.” But OPM declined, saying, “We agree that it is important to maintain up-to-date and valid ATOs for all systems but do not believe that this condition rises to the level of a Material Weakness.”

    The head of OPM also claimed in recent House hearings that their failure to close these systems down was justified since the hackers were already in the system when the recommendation was made.

    In other words, we didn’t do anything to make the system secure, and when hackers broke in it was further justification for not doing anything.

    Yeah, let’s put our healthcare under their control also!

  2. Project administrators held PRC passports! by C+R+Johnson · · Score: 5, Informative

    Total and complete incompetence from the Obama administration where the only qualification that matters is political loyalty.

    From the article:

    "A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project "was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports."

    --
    The alternative to limited government is unlimited government.
    1. Re:Project administrators held PRC passports! by Anonymous Coward · · Score: 5, Insightful

      Last I checked, the current administration is the Obama administration. So why shouldn't they take the heat for this? Saying that "Bush did it too!" is pointless; they're long gone and incapable of effecting policy decisions on stuff that happens today.

    2. Re:Project administrators held PRC passports! by oh_my_080980980 · · Score: 4, Insightful

      Really? Because everything resets and starts with the new administration and nothing should have been done in the past? Today's policy decisions are affected by decisions made in the past.

  3. Sounds like it's about time by overshoot · · Score: 5, Funny

    ... to outlaw social engineering.

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
  4. Re: Apathy by overshoot · · Score: 4, Funny

    I admit I'm getting old, but is "mamware" a new name for tittypics?

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
  5. Government doesn't get data security, generally by whyde · · Score: 5, Informative

    My family is visiting D.C. this summer, and in order to take a tour of a government facility (Capitol Hill, Congress, Dept. of Engraving, etc.) you need to apply through your congressional representative's office.

    The "official and only" way to apply for a tour is to fill in and return, by email, unencrypted, a non-protected Excel spreadsheet with full names, SSNs, and other personally-identifiable information for your entire tour group (family) in one page of the spreadsheet.

    Basically, if you want a tour, you must be willing first to roll over and put your goods out for anyone to sniff. No exceptions.

    I was sick to my stomach over the idiocy of it all.

  6. Re:This by bitingduck · · Score: 4, Informative

    Two-factor authentication only means that in order to access the system you need two components, for example a Debit card and PIN, it doesn't necessarily limit access if you have those two components.

    Other parts of the government already use more appropriate forms of two-factor authentication, generally smartcard badge+password, pin+rolling RSA key, or in some cases pin+password+rolling RSA key (not really more secure, and easier to forget pin+password). The badges and RSA keys have to be issued by the agency (and sometimes department) and synchronized-- I have a bag full of them from various agencies and aerospace companies and they're hard to keep track of. The badges are issued as a result of the whole background check process that was compromised and contain a hash of your fingerprints as well (some, though very few, computers have fingerprint readers). If they had implemented any of those, it's likely that the breach wouldn't have occurred. If, as you suggest, they had included access limits or almost any kind of access log checking, they could likely have detected and stopped a breach that was traceable to a forged/stolen credential as well.