Slashdot Mirror
What Federal Employees Really Need To Worry About After the Chinese Hack
HughPickens.com writes: Lisa Rein writes in the Washington Post that a new government review of what the Chinese hack of sensitive security clearance files of 21 million people means for national security is in — and some of the implications are quite grave. According to the Congressional Research Service, covert intelligence officers and their operations could be exposed and high-resolution fingerprints could be copied by criminals. Some suspect that the Chinese government may build a database of U.S. government employees that could help identify U.S. officials and their roles or that could help target individuals to gain access to additional systems or information. National security concerns include whether hackers could have obtained information that could help them identify clandestine and covert officers and operations (PDF).
CRS says that if the fingerprints in the background investigation files are of high enough quality, "depending on whose hands the fingerprints come into, they could be used for criminal or counterintelligence purposes." Fingerprints also could be trafficked on the black market for profit — or used to blow the covers of spies and other covert and clandestine officers, the research service found. And if they're compromised, fingerprints can't be reissued like a new credit card, the report says, making "recovery from the breach more challenging for some." vivaoporto Also points out that these same hackers are believed to be responsible for hacking United Airlines.
CRS says that if the fingerprints in the background investigation files are of high enough quality, "depending on whose hands the fingerprints come into, they could be used for criminal or counterintelligence purposes." Fingerprints also could be trafficked on the black market for profit — or used to blow the covers of spies and other covert and clandestine officers, the research service found. And if they're compromised, fingerprints can't be reissued like a new credit card, the report says, making "recovery from the breach more challenging for some." vivaoporto Also points out that these same hackers are believed to be responsible for hacking United Airlines.
And then expected it would never be hacked?
Bravo.
in a bid to buy /.
Just issue everyone a new set of fingerprints.
If I have been able to see further than others, it is because I bought a pair of binoculars.
build a database of U.S. government employees
So waitaminnit... let me get this straight.
Is this the same US government that has built a database of virtually every internet-using person in the world, including all their private communication, all their personal associations, the contents of their phone calls, where they are at any given moment in time, and every shred of information that can possibly be obtained?
Would it be that same US government that has the unmitigated gall to complain about a tiny, tiny fraction of that being done to them in return?
I just want to make sure it's the same one. Because it doesn't seem like a government that spies on everyone in the world to a scale never before seen in history has ANY FUCKING right to complain. Good for the goose, good for the gander, after all.
Fingerprints can't be reissued
No shit sherlock.
At least this makes it obvious that fingerprint databases are ripe for abuse. I guess we can only hope this will lower the popularity of collecting it in the first place.
>> giant database...never be hacked
"Data warehouses" and "big data" have all these problems. I remember a big data security talk where the conclusion was basically "well there's a handful of half-baked solutions for the biggest platforms, but no one actually uses them."
In my corporate experience, data warehouse and big data projects happen when an executive gets annoyed with the slow progress of IT and basically dumps out the contents of a few databases into an almost-impossible-to-secure bowl of soup. As a resident security guru I frequently developed a blind spot for these executive disasters: reporting or trying to audit them usually led to career pain.
What this breach really does is give Chinese agents leverage over U.S. citizens in sensitive positions. It completely destroys the ability of the U.S. Government to keep secrets... any secrets... away from a determined probe, because a Chinese agent WILL have information that gives sufficient leverage to conduct black mail against a person close to the secret.
Secrets are harder to keep. Personally I see it as a bit of an equalizer, and makes warfare a bit more symmetrical, thus less effective in gaining supremacy.
“He’s not deformed, he’s just drunk!”
As a former regional acting Security Officer, this whole thing brings three conclusions, which we all knew in the 80s when we set up security priniciples:
1. Full data should never be fully available on any external or easily linked database. It is far better to have a query/response system that does not have full details.
2. You don't need the full security clearance information unless you're looking for potential spies. Only the CIA internal agency and FBI internal agency data should have been internally available. Ever.
3. Linking position to clearance data (other than NEEDED level of clearance) is never a good idea. We used to keep that on locked laptops (yes, a decade before you civvies got them) in removable locked hard drives for that exact reason. In a safe that was fire proof. And EMP safe.
-- Tigger warning: This post may contain tiggers! --
"Intelligence" yields a pathetically low return on investment. If past history is any indicator (Philby, for example), the world is NOT going to collapse, things are NOT that grave, and except for the damage to the intelligence community, things are going to go on pretty much the same as always.
Does everyone else who's been hacked by the US government ALSO have these grave and severe problems to look out for? Or is the concern only if "the wrong people" do it? Or only not a problem if "the right people" do it? If so, who decides?
TIA, 98% Of The World
Snowden hands over evidence that the NSA has been illegally spying on U.S. citizens and Allies (not to mention perjuring itself before Congress) to an American journalist resulting in a careful release of some data to prove the allegation and the feds call for his head on a platter, even risking an international incident or two to try to disappear him.
The OPM fumbles and hands over 4.2 million very detailed dossiers on federal employees and 21 million others with security clearance to China and the feds say "no worries, we'll give you a year of credit monitoring.....eventually.".
Yes, by gosh. You've hit the nail squarely on the head. It IS the very same US government!
This is a non-issue for several reasons, among them:
1) Covert officers travel under diplomatic cover, and most diplomats have security clearances. This will not stand out.
2) It's already trivial for a nation-state to identify spies under diplomatic cover. We know who theirs are, and they know who ours are. Diplomatic cover is not about cover; it's about *diplomatic immunity*, so if they get pissed at our spies, all they can do is kick them out, and vice versa.
3) Non-official cover employees are harder to detect, but they generally only hide their present employment, not their past employment, and usually have cover stories, not cover identities/jobs. See: Valerie Plame. At best, you can use fingerprints to confirm that they are who they say they are, which they're not lying about anyway, so...
The real danger is blackmail. The employer already knows what infractions are listed on the SF86, of course, but the general public may not. Affairs, drug usage, and to a lesser degree, expunged criminal history, arrest record, financial issues, etc. Just download an SF86 and look it over. Depending on the individual, it could be a scandal that they'd rather avoid, and/or that the employer would rather avoid. e.g., "Why would you hire someone who smoked crack?"
https://www.eff.org/https-everywhere
And I'm here to help!
"I say we take off, nuke the site from orbit. It's the only way to be sure."
Still don't get why China would launch hacking attacks from their own country's ip range, which is why I'm a little leery of the press reporting on this story. Even the government is giving mixed signals as to China's involvement:
Officials are still investigating the actors behind the breaches and what the motivations might
have been. Theft of personally identifiable information (PII) may be used for identity theft and
financially motivated cybercrime, such as credit card fraud. Many have speculated that the OPM
data were taken for espionage rather than for criminal purposes, however, and some have cited
China as the source of the breaches.
and
Speaking at an intelligence conference on June 24, 2015, Admiral Michael Rogers, director of the
National Security Agency and head of U.S. Cyber Command, declined to discuss who might be
responsible for the attacks, stating “I’m not [going to] get into the specifics of attribution.... That’s
a process that we’re working through on the policy side. There’s a wide range of people, groups
and nation states out there aggressively attempting to gain access to that data.” Speaking at the
same conference a day later, however, Director of National Intelligence James Clapper identified
China as the “leading suspect” in the attacks. Mr. Clapper expressed grudging admiration for the
alleged hackers, noting “[y]ou have to kind of salute the Chinese for what they did.... You know,
if we had an opportunity to do that, I don’t think we’d hesitate for a moment.”
So, there still is an investigation going on over the breaches, though some intelligence officials like Clapper are already fingering China as the culprit. I think it would be more sensible to follow Admiral Roger's caution as to assigning blame for the breach given the fact that there is are a "wide range" of groups and nations aggressively trying to get access to the data and US systems. Its certainly possible that whoever did it simply used China IP space to launch the attacks in order to cast suspicion on China. So why then is the press and certain government officials beating the drum to cast blame for the attacks on the Chinese?
If the United States chooses to respond in other ways to intrusions from China, experts have
suggested that China has multiple vulnerabilities that the United States could exploit. “China’s
uneven industrial development, fragmented cyber defenses, uneven cyber operator tradecraft, and
the market dominance of Western information technology firms provide an environment
conducive to Western CNE [computer network exploitation] against China,” notes one scholar of
Chinese cyber issues.
Ah, now I get it.
Snowden leaks a bunch of sensitive information and government officials beat their chests over the jeopardy of his actions, never allowing him to be forgiven. Meanwhile, Katherine Archuleta and her OPM staff walks freely on the streets even though the security was Bridge of Death Easy and not Mission Impossible Hard
Clearly, the government's priorities are screwed up.
Mod me down, I shall become more off-topic than you could possibly imagine.
Because even in the face of this, no politician has the guts to propose a bill that would transfer OPM's work to more competent agencies, fire all of its staffers with a 90 day severance package and have GSA sell the agency's assets at public auction. The worst assault on US national security since the Rosenbergs' treason (yes, much much worse than any of the recent leaks) and no one high level is even losing a job, let alone facing indictment. And the best part, no one in Congress seems to think it sufficiently grave to raise that issue.
This is why when people say Donald Trump is a joke and we need serious candidates, I say bullshit. If you're talking foreign policy as a candidate and you don't have a comprehensive answer to this, you aren't serious because this is more serious than Iran getting a nuke or two. This compromises so much of our ability to do black ops.
If the number of affected users, via SF86 forms, is as large as reported the implications are enormous. These clearance request forms contain detailed information about the applicant, extended family, references, etc. Fingerprints just ice the cake.
Lets call these people A B and C.
A works for the nsa.
B is A's Girlfriend who is cheating on A with C.
C is the other guy.
A uses the nsa's database to keep track of B during the day.
I imagine that when A discovers B's calls to C's number there might be a murder.
"NSA analysts spied on spouses, girlfriend"
http://www.nydailynews.com/new...
But they are just imaginary people so I suppose its ok.
Minimum threshold fixed. Thanks!
A few scenarios are possible:
1. Some high muckedy muck decided they wanted access to the data for some thingy and squashed the CIO/ISSO when they objected. This happens all the time.
2. Lots of compliance and security theater in place giving a false sense of security. What needed to get done wasn't done.
3. Probably some contractors involved who don't really care except to get paid.
4. Inside job.
Just to put recent events in perspective:
1) The Chinese grab a database of our personnel, which lets them impersonate anyone (in the database), find spies and ongoing projects, blackmail federal workers for more information... and no one is charged with incompetence, fired, or even blamed.
2) David Petraeus, former director of the CIA, gave classified information to his biographer/mistress to make him seem more powerful... he pleads guilty, gets a $40,000 fine and 2 years probation.
3) Edward Snowden releases summary information about widespread illegal activity by the U.S. spy services. No specifics about operations or personnel were leaked, resulting in no deaths and no aborted operations(*) ...he's banished from the U.S.
4) Chelsea [nee Bradley] Manning releases video evidence of war crimes committed by the U.S. military, literally gunning down members of the international press and other civilians with no provocation... was subjected to months of cruel and unusual punishment (tortured, per U.N. definition of torture), sentenced to 35 years in prison, and given dishonourable discharge.
(*) Quoth the office of the president: "Mr. Snowden's dangerous decision to steal and disclose classified information had severe consequences for the security of our country..."
I didn't think it was necessary to spell it out but when clandestine agents and their collaborators are uncovered they can be in mortal danger.
A perfectly reasonable assumption, if it was in a locked room secured by armed guards. Which is really where it should have been.
Your ad here. Ask me how!
Yes you are correct.
I was just trying to point out that even if the spying is done on regular civilians it can still put them in harms way not as commonly as if you were spying on the military but harm still the same.
Minimum threshold fixed. Thanks!
I have to ask why was such sensitive information able to be accessed from the internet? Doesn't the government have leased lines or some other really secure backbone?
And retribution towards China. I think a one trillion dollar fine would be in order. Freeze some of their cash, make some of their US Government Treasury bonds worthless ....
And if they did, then how would all of the web-based services that use this data get to it?
Not every database exploit comes from some dimwit leaving port 1433 open to Internet access or a SQL Injection attack. You can do even worse damage if you pwn the webservers and start working your way back up the LAN.
So Edward Snowden can't be pardoned because of "all the damage" he did to our security (which is nonsense for the record).
But on the other hand these clowns can allow something orders of magnitude worse to happen that has real, actual consequences for security, and not a damn thing will happen to them.
An ars article seems to give the clearest view of a rather murky subject. Basically, there appears to have been multiple ways in to the data. Including situations like IT contractors hiring database admins located in places like Argentina and China, at which point it doesn't matter what technical security solutions are put in place since people are explicitly given full access to the data. (I guess technically that falls under the "inside job" scenario?)
... There is a certain level of incompetence that is so unacceptable that you can't do anything besides line up some people against a wall and blow them away... and then move forward with everyone on the same page that "X was fucking unacceptable."
I don't know what else it is going to take to get these government fuckwits to take security seriously besides a literal firing squad.
I don't want to do it... I just don't know how to get through to these people. They're so fucking stupid.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
This is an NSA example, so please rephrase your example with the proper cryptological terminology - Alice, Bob, Eve.
Some government dimwit is going to cry over "chronic under funding" leading to this whole mess. Just like when the Amtrak train flew off the tracks. Never mind that the guy was driving the train at TWICE the speed he should have been. Noooooo....more money...that's what we need. Yeah, that'll fix everything.
When are people going to realize that more money is not the solution. The solution is to get rid of idiots that cannot/will not enforce policies.
Honestly, I have to ask why this isn't considered an act of war. We've kicked countries' asses over much less.
The last company I worked for gave us all T-Shirts left over from the "Better Days" swag bin. Then HR told us all not to wear them. "You'll make yourself a target for kidnapping," they said. So on behalf of that company, which if you're the Chinese hacker who compromised my information, you'll know who it is, please don't kidnap their employees! With their culture of ineptitude and recent public stock offering, anyone who knew how to build a thing that we were working on had long since left the company! Literally the worst thing you could do for your country's program is kidnap one of their employees! You will set your program back by a least a decade! You'd be much better off targetting Google's employees for kidnapping! Thanks for your understanding!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I've been trying to find out whether the breach of background investigation info also includes military. I underwent an FBI background check in the 90's, and if there are 21 million records stolen, I have a feeling mine could be one of them. The paperwork I had to fill out pretty much told my life story, and I had to give names and addresses and phone numbers of people I knew. Which the FBI didn't talk to, they asked for others that knew me from those 5. Hell they even interviewed my high school counselor.
Regardless I am not feeling worried. What would the Chinese want with me nowadays? :-) Still a bit creepy though.
If security trumped everything, those employees would all be retrained and reassigned to completely unrelated tasks and their previous access yanked as soon as their replacements could be trained.
Now, that's not going going to happen except in a relatively small percentage of individuals.
Instead, our country is probably going to take the risk that this info will be used to hurt us rather than pay the cost of losing a valuable employee 21 million times over.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Honeypot of staff after 2000 with every name in English, project names on the same database, letters about how well a project went and the staff who worked on them all searchable. Just waiting to be read by any internal or external staff member with access or who could get access...
Its just a lot of useful cutouts, web 2.0 names, bait, front companies, names, terms, funding, locations that might have existed to push staff and products into US operations and bases after 2000.
If the US needed a deep cover mission for a fancy international NGO, a staff member can be located on their post 2000 work. The readable, open, contractor database can be looked into and Bob or Sally is found with a few years of work for the US mil or gov as their job application shows, with a SS number and other background.
Such a list also keeps all post 2000 contractors distant from all other US mil and gov staff going back decades.
Staff that have had war time experiences, talked to too many translators, made dual citizen friends under the stress of occupations, been friends with other nations staff, other nations embassy workers and contractors.
Every nation that thought it turned some cleared US staff since 2000 now understands that name is on a plain text list with on an open network. Who or what did they really get?
Sometimes unencrypted, network facing and plain text has its own long term value for other longer term honeypot missions.
Staff in the US used that huge easy to read database everyday, got to look up and enter names. Great to watch who was searching for what terms, names over years. Sensitive information is kept very secure AC, other bulk readable information is left to be found, internally and for others.
Domestic spying is now "Benign Information Gathering"
Comment removed based on user account deletion
Honestly, I have to ask why this isn't considered an act of war. We've kicked countries' asses over much less.
Because the indications that it was "Der Chiners" was just innuendo and speculation by media reporters. There is NO evidence that it was the Chinese, and no official statement that China was involved or that they had evidence to that effect. It's just as likely that it was some kid in his parent's basement in Jersey.
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
Well then, let's hope those hackers do not use the information to fly drones around the place firing off missiles seemingly at random. That or spends billions of dollars to take over countries only to generate civil wars. Then there is the whole idea of blackmailing all the worlds political leaders to ensure they obey the dictates of US corporations, no matter how many of those countries citizens are harmed by those dictates.
Bucket loads of people do DIE as a result of those things, you mean it could be worse than that or do you mean those other things might happen less as a result. So which generates the greater number of casualties a few dead American spies or the hundreds of thousands who die as a result of the actions of those American spies. Especially when those spies were not serving justice or freedom but to serving corporate greed and slavery. I think you view about American spies is wildly exorbitantly biased, yeah those honourable people who believed in freedom and justice from decades are long, long, gone. Now they are amongst the worst criminals of the lot, some worse then third world dictator varieties, well, toss up there, after all America propped up a lot of those third world dictators.
Chaos - everything, everywhere, everywhen
What Federal Employees should really worry about after the Chinese hack - is the next version of Microsoft Windows - without which - none of these 'cyber' attacks would work.
In my corporate experience, data warehouse and big data projects happen when an executive gets annoyed with the slow progress of IT and basically dumps out the contents of a few databases into an almost-impossible-to-secure bowl of soup.
Exactly how the whole Chelsea Manning/Wikileaks thing happened.
Before 9/11 info was comparmentalised and need to know, after it was "gotta let every low level person have access to everything so we don't slip up again". Whoops.
Watch this Heartland Institute video