Slashdot Mirror
What Federal Employees Really Need To Worry About After the Chinese Hack
HughPickens.com writes: Lisa Rein writes in the Washington Post that a new government review of what the Chinese hack of sensitive security clearance files of 21 million people means for national security is in — and some of the implications are quite grave. According to the Congressional Research Service, covert intelligence officers and their operations could be exposed and high-resolution fingerprints could be copied by criminals. Some suspect that the Chinese government may build a database of U.S. government employees that could help identify U.S. officials and their roles or that could help target individuals to gain access to additional systems or information. National security concerns include whether hackers could have obtained information that could help them identify clandestine and covert officers and operations (PDF).
CRS says that if the fingerprints in the background investigation files are of high enough quality, "depending on whose hands the fingerprints come into, they could be used for criminal or counterintelligence purposes." Fingerprints also could be trafficked on the black market for profit — or used to blow the covers of spies and other covert and clandestine officers, the research service found. And if they're compromised, fingerprints can't be reissued like a new credit card, the report says, making "recovery from the breach more challenging for some." vivaoporto Also points out that these same hackers are believed to be responsible for hacking United Airlines.
CRS says that if the fingerprints in the background investigation files are of high enough quality, "depending on whose hands the fingerprints come into, they could be used for criminal or counterintelligence purposes." Fingerprints also could be trafficked on the black market for profit — or used to blow the covers of spies and other covert and clandestine officers, the research service found. And if they're compromised, fingerprints can't be reissued like a new credit card, the report says, making "recovery from the breach more challenging for some." vivaoporto Also points out that these same hackers are believed to be responsible for hacking United Airlines.
And then expected it would never be hacked?
Bravo.
in a bid to buy /.
Just issue everyone a new set of fingerprints.
If I have been able to see further than others, it is because I bought a pair of binoculars.
build a database of U.S. government employees
So waitaminnit... let me get this straight.
Is this the same US government that has built a database of virtually every internet-using person in the world, including all their private communication, all their personal associations, the contents of their phone calls, where they are at any given moment in time, and every shred of information that can possibly be obtained?
Would it be that same US government that has the unmitigated gall to complain about a tiny, tiny fraction of that being done to them in return?
I just want to make sure it's the same one. Because it doesn't seem like a government that spies on everyone in the world to a scale never before seen in history has ANY FUCKING right to complain. Good for the goose, good for the gander, after all.
Fingerprints can't be reissued
No shit sherlock.
At least this makes it obvious that fingerprint databases are ripe for abuse. I guess we can only hope this will lower the popularity of collecting it in the first place.
Fingerprints can so be reissued. You just need a hand transplant.
This is a great way to ensure a budget increase and change the subject from illegal mass surveillance. So, there's nothing to worry about!
Shanghai and Shenzen were both in massive sell-off mode the morning that NYSE went down, but that was "unrelated" - or was it actually?
>> giant database...never be hacked
"Data warehouses" and "big data" have all these problems. I remember a big data security talk where the conclusion was basically "well there's a handful of half-baked solutions for the biggest platforms, but no one actually uses them."
In my corporate experience, data warehouse and big data projects happen when an executive gets annoyed with the slow progress of IT and basically dumps out the contents of a few databases into an almost-impossible-to-secure bowl of soup. As a resident security guru I frequently developed a blind spot for these executive disasters: reporting or trying to audit them usually led to career pain.
What this breach really does is give Chinese agents leverage over U.S. citizens in sensitive positions. It completely destroys the ability of the U.S. Government to keep secrets... any secrets... away from a determined probe, because a Chinese agent WILL have information that gives sufficient leverage to conduct black mail against a person close to the secret.
Secrets are harder to keep. Personally I see it as a bit of an equalizer, and makes warfare a bit more symmetrical, thus less effective in gaining supremacy.
“He’s not deformed, he’s just drunk!”
As a former regional acting Security Officer, this whole thing brings three conclusions, which we all knew in the 80s when we set up security priniciples:
1. Full data should never be fully available on any external or easily linked database. It is far better to have a query/response system that does not have full details.
2. You don't need the full security clearance information unless you're looking for potential spies. Only the CIA internal agency and FBI internal agency data should have been internally available. Ever.
3. Linking position to clearance data (other than NEEDED level of clearance) is never a good idea. We used to keep that on locked laptops (yes, a decade before you civvies got them) in removable locked hard drives for that exact reason. In a safe that was fire proof. And EMP safe.
-- Tigger warning: This post may contain tiggers! --
"Intelligence" yields a pathetically low return on investment. If past history is any indicator (Philby, for example), the world is NOT going to collapse, things are NOT that grave, and except for the damage to the intelligence community, things are going to go on pretty much the same as always.
Does everyone else who's been hacked by the US government ALSO have these grave and severe problems to look out for? Or is the concern only if "the wrong people" do it? Or only not a problem if "the right people" do it? If so, who decides?
TIA, 98% Of The World
Snowden hands over evidence that the NSA has been illegally spying on U.S. citizens and Allies (not to mention perjuring itself before Congress) to an American journalist resulting in a careful release of some data to prove the allegation and the feds call for his head on a platter, even risking an international incident or two to try to disappear him.
The OPM fumbles and hands over 4.2 million very detailed dossiers on federal employees and 21 million others with security clearance to China and the feds say "no worries, we'll give you a year of credit monitoring.....eventually.".
You remember those "Backdoors" you want for government to be able to access everyones data..... Well China thought that was a great idea and created one for themselves.
Just think of this as being the same as what the US has done to the rest of the world, including their Allies.
What goes about, comes about.
Would it be that same US government that has the unmitigated gall to complain about a tiny, tiny fraction of that being done to them in return?
I understand your point and I see where you're coming from, but consider: with the breach that took place, people can die. This isn't some sort of political theory or a matter of taking a stand. Real people may die because of this.
Yes, by gosh. You've hit the nail squarely on the head. It IS the very same US government!
Is a chinese hack.
This is a non-issue for several reasons, among them:
1) Covert officers travel under diplomatic cover, and most diplomats have security clearances. This will not stand out.
2) It's already trivial for a nation-state to identify spies under diplomatic cover. We know who theirs are, and they know who ours are. Diplomatic cover is not about cover; it's about *diplomatic immunity*, so if they get pissed at our spies, all they can do is kick them out, and vice versa.
3) Non-official cover employees are harder to detect, but they generally only hide their present employment, not their past employment, and usually have cover stories, not cover identities/jobs. See: Valerie Plame. At best, you can use fingerprints to confirm that they are who they say they are, which they're not lying about anyway, so...
The real danger is blackmail. The employer already knows what infractions are listed on the SF86, of course, but the general public may not. Affairs, drug usage, and to a lesser degree, expunged criminal history, arrest record, financial issues, etc. Just download an SF86 and look it over. Depending on the individual, it could be a scandal that they'd rather avoid, and/or that the employer would rather avoid. e.g., "Why would you hire someone who smoked crack?"
https://www.eff.org/https-everywhere
And I'm here to help!
"I say we take off, nuke the site from orbit. It's the only way to be sure."
Still don't get why China would launch hacking attacks from their own country's ip range, which is why I'm a little leery of the press reporting on this story. Even the government is giving mixed signals as to China's involvement:
Officials are still investigating the actors behind the breaches and what the motivations might
have been. Theft of personally identifiable information (PII) may be used for identity theft and
financially motivated cybercrime, such as credit card fraud. Many have speculated that the OPM
data were taken for espionage rather than for criminal purposes, however, and some have cited
China as the source of the breaches.
and
Speaking at an intelligence conference on June 24, 2015, Admiral Michael Rogers, director of the
National Security Agency and head of U.S. Cyber Command, declined to discuss who might be
responsible for the attacks, stating “I’m not [going to] get into the specifics of attribution.... That’s
a process that we’re working through on the policy side. There’s a wide range of people, groups
and nation states out there aggressively attempting to gain access to that data.” Speaking at the
same conference a day later, however, Director of National Intelligence James Clapper identified
China as the “leading suspect” in the attacks. Mr. Clapper expressed grudging admiration for the
alleged hackers, noting “[y]ou have to kind of salute the Chinese for what they did.... You know,
if we had an opportunity to do that, I don’t think we’d hesitate for a moment.”
So, there still is an investigation going on over the breaches, though some intelligence officials like Clapper are already fingering China as the culprit. I think it would be more sensible to follow Admiral Roger's caution as to assigning blame for the breach given the fact that there is are a "wide range" of groups and nations aggressively trying to get access to the data and US systems. Its certainly possible that whoever did it simply used China IP space to launch the attacks in order to cast suspicion on China. So why then is the press and certain government officials beating the drum to cast blame for the attacks on the Chinese?
If the United States chooses to respond in other ways to intrusions from China, experts have
suggested that China has multiple vulnerabilities that the United States could exploit. “China’s
uneven industrial development, fragmented cyber defenses, uneven cyber operator tradecraft, and
the market dominance of Western information technology firms provide an environment
conducive to Western CNE [computer network exploitation] against China,” notes one scholar of
Chinese cyber issues.
Ah, now I get it.
I have to ask why was such sensitive information able to be accessed from the internet? Doesn't the government have leased lines or some other really secure backbone?
And retribution towards China. I think a one trillion dollar fine would be in order. Freeze some of their cash, make some of their US Government Treasury bonds worthless ....
Snowden leaks a bunch of sensitive information and government officials beat their chests over the jeopardy of his actions, never allowing him to be forgiven. Meanwhile, Katherine Archuleta and her OPM staff walks freely on the streets even though the security was Bridge of Death Easy and not Mission Impossible Hard
Clearly, the government's priorities are screwed up.
Mod me down, I shall become more off-topic than you could possibly imagine.
Because even in the face of this, no politician has the guts to propose a bill that would transfer OPM's work to more competent agencies, fire all of its staffers with a 90 day severance package and have GSA sell the agency's assets at public auction. The worst assault on US national security since the Rosenbergs' treason (yes, much much worse than any of the recent leaks) and no one high level is even losing a job, let alone facing indictment. And the best part, no one in Congress seems to think it sufficiently grave to raise that issue.
This is why when people say Donald Trump is a joke and we need serious candidates, I say bullshit. If you're talking foreign policy as a candidate and you don't have a comprehensive answer to this, you aren't serious because this is more serious than Iran getting a nuke or two. This compromises so much of our ability to do black ops.
If the number of affected users, via SF86 forms, is as large as reported the implications are enormous. These clearance request forms contain detailed information about the applicant, extended family, references, etc. Fingerprints just ice the cake.
Lets call these people A B and C.
A works for the nsa.
B is A's Girlfriend who is cheating on A with C.
C is the other guy.
A uses the nsa's database to keep track of B during the day.
I imagine that when A discovers B's calls to C's number there might be a murder.
"NSA analysts spied on spouses, girlfriend"
http://www.nydailynews.com/new...
But they are just imaginary people so I suppose its ok.
Minimum threshold fixed. Thanks!
They hate government employees and consider us leeches. Well, except when they're a government employee themselves. They're such hypocrites.
They hate government employees and consider us leeches
Say it with me: SECRETARY OF STATE SARAH PALIN
Better start getting that cv into shape, leechy.
Just to put recent events in perspective:
1) The Chinese grab a database of our personnel, which lets them impersonate anyone (in the database), find spies and ongoing projects, blackmail federal workers for more information... and no one is charged with incompetence, fired, or even blamed.
2) David Petraeus, former director of the CIA, gave classified information to his biographer/mistress to make him seem more powerful... he pleads guilty, gets a $40,000 fine and 2 years probation.
3) Edward Snowden releases summary information about widespread illegal activity by the U.S. spy services. No specifics about operations or personnel were leaked, resulting in no deaths and no aborted operations(*) ...he's banished from the U.S.
4) Chelsea [nee Bradley] Manning releases video evidence of war crimes committed by the U.S. military, literally gunning down members of the international press and other civilians with no provocation... was subjected to months of cruel and unusual punishment (tortured, per U.N. definition of torture), sentenced to 35 years in prison, and given dishonourable discharge.
(*) Quoth the office of the president: "Mr. Snowden's dangerous decision to steal and disclose classified information had severe consequences for the security of our country..."
The pot called the kettle black. Guess what, the kettle's black, regardless of what color the pot is.
I didn't think it was necessary to spell it out but when clandestine agents and their collaborators are uncovered they can be in mortal danger.
Where's the Class Action law suit against the US Government for violating the Privacy Act of 1974 (as amended) for violating its duty to protect this information?
AALDEF is going to have a real hard time getting juries that are not alcohol dehydrogenase impaired to see things their way. The last time I checked snivel rights jurisprudence, this sort of national security issue was a compelling government interest wherein discrimination that would otherwise be unlawful would be lawful. People who seek to preserve careers and social standing will have to face the dour fact that the best and brightest are also security risks.
KM:EY
A perfectly reasonable assumption, if it was in a locked room secured by armed guards. Which is really where it should have been.
Your ad here. Ask me how!
Yes you are correct.
I was just trying to point out that even if the spying is done on regular civilians it can still put them in harms way not as commonly as if you were spying on the military but harm still the same.
Minimum threshold fixed. Thanks!
A class action law suit against the government is called an election.
So Edward Snowden can't be pardoned because of "all the damage" he did to our security (which is nonsense for the record).
But on the other hand these clowns can allow something orders of magnitude worse to happen that has real, actual consequences for security, and not a damn thing will happen to them.
A class action law suit against the government is called an election.
A class action law suit against a politician is called an election.
A class action law suit against a government is call a revolution.
The problem that we need to solve is two-fold.
is that their superiors and government is going to continue to scream wolf and lie to them. The Chinese aren't breaking into computers left and right. What has been definitely proven, however, is that the U.S itself does this.
... There is a certain level of incompetence that is so unacceptable that you can't do anything besides line up some people against a wall and blow them away... and then move forward with everyone on the same page that "X was fucking unacceptable."
I don't know what else it is going to take to get these government fuckwits to take security seriously besides a literal firing squad.
I don't want to do it... I just don't know how to get through to these people. They're so fucking stupid.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
This is an NSA example, so please rephrase your example with the proper cryptological terminology - Alice, Bob, Eve.
Some government dimwit is going to cry over "chronic under funding" leading to this whole mess. Just like when the Amtrak train flew off the tracks. Never mind that the guy was driving the train at TWICE the speed he should have been. Noooooo....more money...that's what we need. Yeah, that'll fix everything.
When are people going to realize that more money is not the solution. The solution is to get rid of idiots that cannot/will not enforce policies.
all the same things your nsa \ government does?
hi nice one
BE SMART AND BECOME RICH IN LESS THAN 3DAYS....It all depends on how fast you can be to get the new PROGRAMMED blank ATM card that is capable of hacking into any ATM machine,anywhere in the world. I got to know about this BLANK ATM CARD when I was searching for job online about a month ago..It has really changed my life for good and now I can say I'm rich and I can never be poor again. The least money I get in a day with it is about $2,000.(two thousand USD) Every now and then I keeping pumping money into my account. Though is illegal,there is no risk of being caught ,because it has been programmed in such a way that it is not traceable,it also has a technique that makes it impossible for the CCTVs to detect you..For details on how to get yours today, email the hackers on : (atmmachinehackes @ gmail.com). Tell your loved once too, and start to live large. That's the simple testimony of how my life changed for good...Love you all ...the email address again is atmmachinehackes@gmail.com
So? That's the risk they take when they signed up, no? Surely they understand that, to some degree.
However I imagine the expectation is that their own government's incompetence won't be the thing that outs them.
The last company I worked for gave us all T-Shirts left over from the "Better Days" swag bin. Then HR told us all not to wear them. "You'll make yourself a target for kidnapping," they said. So on behalf of that company, which if you're the Chinese hacker who compromised my information, you'll know who it is, please don't kidnap their employees! With their culture of ineptitude and recent public stock offering, anyone who knew how to build a thing that we were working on had long since left the company! Literally the worst thing you could do for your country's program is kidnap one of their employees! You will set your program back by a least a decade! You'd be much better off targetting Google's employees for kidnapping! Thanks for your understanding!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I've been trying to find out whether the breach of background investigation info also includes military. I underwent an FBI background check in the 90's, and if there are 21 million records stolen, I have a feeling mine could be one of them. The paperwork I had to fill out pretty much told my life story, and I had to give names and addresses and phone numbers of people I knew. Which the FBI didn't talk to, they asked for others that knew me from those 5. Hell they even interviewed my high school counselor.
Regardless I am not feeling worried. What would the Chinese want with me nowadays? :-) Still a bit creepy though.
No, we take that risk too. We even read /..
If security trumped everything, those employees would all be retrained and reassigned to completely unrelated tasks and their previous access yanked as soon as their replacements could be trained.
Now, that's not going going to happen except in a relatively small percentage of individuals.
Instead, our country is probably going to take the risk that this info will be used to hurt us rather than pay the cost of losing a valuable employee 21 million times over.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Comment removed based on user account deletion
Well then, let's hope those hackers do not use the information to fly drones around the place firing off missiles seemingly at random. That or spends billions of dollars to take over countries only to generate civil wars. Then there is the whole idea of blackmailing all the worlds political leaders to ensure they obey the dictates of US corporations, no matter how many of those countries citizens are harmed by those dictates.
Bucket loads of people do DIE as a result of those things, you mean it could be worse than that or do you mean those other things might happen less as a result. So which generates the greater number of casualties a few dead American spies or the hundreds of thousands who die as a result of the actions of those American spies. Especially when those spies were not serving justice or freedom but to serving corporate greed and slavery. I think you view about American spies is wildly exorbitantly biased, yeah those honourable people who believed in freedom and justice from decades are long, long, gone. Now they are amongst the worst criminals of the lot, some worse then third world dictator varieties, well, toss up there, after all America propped up a lot of those third world dictators.
Chaos - everything, everywhere, everywhen
Heir to an Execution which was a documentary made by a grandchild of Julius and Ethel Rosenberg.
The creator of the documentary discovered by talking to her grandparents' friends and relatives that they were, indeed, spies for mother Russia. In fact the people who were their closest associates are quite open in admitting to the spying and seem quite proud of it. I seem to recall one of them even regrets they did not get more classified material to Russia. They were all Marxists and they believed they were helping the Communist utopia over in the Soviet Union. Usually, when a young person sets out to do a documentary to save the reputation of their relatives and finds no reputation to save, the project is quietly dropped. Ivy Meeropol deserves a great deal of respect for her objectivity and honesty; she herself, of course, bears no responsibility for the acts of her elders - we are each accountable only for our own deeds, which in her case are completely honorable.
that his biographer/mistress Paula Broadwell had her own security clearance high enough to make it legal for her to handle such information. She was an army officer herself, and she wisely did not disclose anything that was unsafe to disclose. The result was that while he and she were both in the wrong (affairs by officers in the US military have long been unlawful and can result in various punishments (unless that has recently changed)) no actual damage was done by the particular transfer of classified info.
Also, Your white-wash of Snowden is misleading: his data all ended up in the hands of Russia, and possibly China. His only faux defense of this is to either pretend he is unaware of any copies they have made of his memory sticks/laptop drives, or to be aware of such copies and lie, or to claim the data is so well encrypted that it will take them years to crack it (which is something he cannot know, and something he cannot compensate American taxpayers for if he is wrong). I do agree with the sentiment however that it's a little bit of a stretch for the same government that handed over data on millions of Americans to China to go all self-righteous on Snowden.
What Federal Employees should really worry about after the Chinese hack - is the next version of Microsoft Windows - without which - none of these 'cyber' attacks would work.
In my corporate experience, data warehouse and big data projects happen when an executive gets annoyed with the slow progress of IT and basically dumps out the contents of a few databases into an almost-impossible-to-secure bowl of soup.
Exactly how the whole Chelsea Manning/Wikileaks thing happened.
Before 9/11 info was comparmentalised and need to know, after it was "gotta let every low level person have access to everything so we don't slip up again". Whoops.
Watch this Heartland Institute video
Over the last seven years the US has been flushed down the proverbial commode