Slashdot Mirror

← Back to Stories (view on slashdot.org)

What Federal Employees Really Need To Worry About After the Chinese Hack

Posted by samzenpus on from the who's-to-blame dept.

HughPickens.com writes: Lisa Rein writes in the Washington Post that a new government review of what the Chinese hack of sensitive security clearance files of 21 million people means for national security is in — and some of the implications are quite grave. According to the Congressional Research Service, covert intelligence officers and their operations could be exposed and high-resolution fingerprints could be copied by criminals. Some suspect that the Chinese government may build a database of U.S. government employees that could help identify U.S. officials and their roles or that could help target individuals to gain access to additional systems or information. National security concerns include whether hackers could have obtained information that could help them identify clandestine and covert officers and operations (PDF).

CRS says that if the fingerprints in the background investigation files are of high enough quality, "depending on whose hands the fingerprints come into, they could be used for criminal or counterintelligence purposes." Fingerprints also could be trafficked on the black market for profit — or used to blow the covers of spies and other covert and clandestine officers, the research service found. And if they're compromised, fingerprints can't be reissued like a new credit card, the report says, making "recovery from the breach more challenging for some." vivaoporto Also points out that these same hackers are believed to be responsible for hacking United Airlines.

28 of 123 comments (clear)

  1. So you made this giant database of sensitive info by weilawei · · Score: 4, Insightful

    And then expected it would never be hacked?

    Bravo.

  2. No problem! by Qzukk · · Score: 4, Funny

    Just issue everyone a new set of fingerprints.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  3. spying: good when we do it, bad when they do it? by Anonymous Coward · · Score: 5, Insightful

    build a database of U.S. government employees

    So waitaminnit... let me get this straight.

    Is this the same US government that has built a database of virtually every internet-using person in the world, including all their private communication, all their personal associations, the contents of their phone calls, where they are at any given moment in time, and every shred of information that can possibly be obtained?

    Would it be that same US government that has the unmitigated gall to complain about a tiny, tiny fraction of that being done to them in return?

    I just want to make sure it's the same one. Because it doesn't seem like a government that spies on everyone in the world to a scale never before seen in history has ANY FUCKING right to complain. Good for the goose, good for the gander, after all.

  4. Fingerprints can't be reissued by grumpy_old_grandpa · · Score: 3, Insightful

    Fingerprints can't be reissued

    No shit sherlock.

    At least this makes it obvious that fingerprint databases are ripe for abuse. I guess we can only hope this will lower the popularity of collecting it in the first place.

  5. Multi-factor is the only right way by grilled-cheese · · Score: 3, Insightful
    Proper authentication is made up of at least two of the following:
    • Something you know (Password)
    • Something you have (Smartcard)
    • Something you are (Fingerprints)
    1. Re:Multi-factor is the only right way by johnwallace123 · · Score: 3, Informative

      NO! A million times no!

      Proper multi-factor authentication is ALWAYS "something you have" and "something you know". The idea is that if someone steals the thing you know (i.e. password), then they have to also steal something you have (i.e. hardware token / smartcard / phone, you name it). The hope is that even if you don't notice that your password is compromised, you'll notice when you lose your phone. Similarly, if someone copies the smartcard you have, they still don't know the PIN to access your account.

      The hack of fingerprint databases illustrates this. For example, someone with access to the hacked OPM databse can steal/copy your smartcard and can now impersonate you at will if you've relied on Smartcard + Fingerprints. Now, "something you have" could certainly be your fingerprint, but 2-factor auth is NOT "something you have" and "something else you have." Just like the bank's "security questions" are not two-factor auth, because they're "something you know" and "something else you know."

    2. Re:Multi-factor is the only right way by Reason58 · · Score: 4, Insightful

      Going to have to disagree. Fingerprints (all biometrics) are identification, not authentication. Just like a SSN, if you cannot change it then it is not a secret.

    3. Re:Multi-factor is the only right way by Ol+Olsoc · · Score: 4, Funny

      Proper authentication is made up of at least two of the following:

      Something you know

      I have a big Dick

      Something you have

      A big Dick

      Something you are

      A big Dick

      Huh - didn't know it would be so easy......

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    4. Re:Multi-factor is the only right way by Required+Snark · · Score: 4, Funny

      Being a Bid Dick and all, you are a perfect candidate to be in charge of security at OMB. Being a Dick seems to be the only qualification you need.

      --
      Why is Snark Required?
  6. Re:So you made this giant database of sensitive in by xxxJonBoyxxx · · Score: 4, Interesting

    >> giant database...never be hacked

    "Data warehouses" and "big data" have all these problems. I remember a big data security talk where the conclusion was basically "well there's a handful of half-baked solutions for the biggest platforms, but no one actually uses them."

    In my corporate experience, data warehouse and big data projects happen when an executive gets annoyed with the slow progress of IT and basically dumps out the contents of a few databases into an almost-impossible-to-secure bowl of soup. As a resident security guru I frequently developed a blind spot for these executive disasters: reporting or trying to audit them usually led to career pain.

  7. Leverage by Anonymous Coward · · Score: 4, Insightful

    What this breach really does is give Chinese agents leverage over U.S. citizens in sensitive positions. It completely destroys the ability of the U.S. Government to keep secrets... any secrets... away from a determined probe, because a Chinese agent WILL have information that gives sufficient leverage to conduct black mail against a person close to the secret.

  8. Three takeaways by WillAffleckUW · · Score: 4, Interesting

    As a former regional acting Security Officer, this whole thing brings three conclusions, which we all knew in the 80s when we set up security priniciples:

    1. Full data should never be fully available on any external or easily linked database. It is far better to have a query/response system that does not have full details.

    2. You don't need the full security clearance information unless you're looking for potential spies. Only the CIA internal agency and FBI internal agency data should have been internally available. Ever.

    3. Linking position to clearance data (other than NEEDED level of clearance) is never a good idea. We used to keep that on locked laptops (yes, a decade before you civvies got them) in removable locked hard drives for that exact reason. In a safe that was fire proof. And EMP safe.

    --
    -- Tigger warning: This post may contain tiggers! --
  9. So where is the rending of garments? by sjames · · Score: 5, Insightful

    Snowden hands over evidence that the NSA has been illegally spying on U.S. citizens and Allies (not to mention perjuring itself before Congress) to an American journalist resulting in a careful release of some data to prove the allegation and the feds call for his head on a platter, even risking an international incident or two to try to disappear him.

    The OPM fumbles and hands over 4.2 million very detailed dossiers on federal employees and 21 million others with security clearance to China and the feds say "no worries, we'll give you a year of credit monitoring.....eventually.".

    1. Re:So where is the rending of garments? by sjames · · Score: 3, Insightful

      And meanwhile, Snowden's release had a strong element of public interest to it. There is no public interest in OPM's screw up.

  10. Non-issue by StikyPad · · Score: 2

    This is a non-issue for several reasons, among them:

    1) Covert officers travel under diplomatic cover, and most diplomats have security clearances. This will not stand out.
    2) It's already trivial for a nation-state to identify spies under diplomatic cover. We know who theirs are, and they know who ours are. Diplomatic cover is not about cover; it's about *diplomatic immunity*, so if they get pissed at our spies, all they can do is kick them out, and vice versa.
    3) Non-official cover employees are harder to detect, but they generally only hide their present employment, not their past employment, and usually have cover stories, not cover identities/jobs. See: Valerie Plame. At best, you can use fingerprints to confirm that they are who they say they are, which they're not lying about anyway, so...

    The real danger is blackmail. The employer already knows what infractions are listed on the SF86, of course, but the general public may not. Affairs, drug usage, and to a lesser degree, expunged criminal history, arrest record, financial issues, etc. Just download an SF86 and look it over. Depending on the individual, it could be a scandal that they'd rather avoid, and/or that the employer would rather avoid. e.g., "Why would you hire someone who smoked crack?"

    --
    https://www.eff.org/https-everywhere
    1. Re:Non-issue by Anonymous Coward · · Score: 2, Insightful

      Covert officers do not travel under diplomatic cover. You're thinking of non-covert officers, i.e. the "official" spies with diplomatic immunity. The only thing covert, if at all, is that they nominally hold some official position with the embassy. Although often it's an intelligence-related position.

      Covert officers have their status as an officer of the U.S. government classified, and they enter countries as tourists or under some other cover. And when arrested they get to sit in prison. Thus, if you have access to the classified database of all government officers, you'll be able to identify a large number of covert officers.

      Which part of "covert" or "cover" was confusing? Maybe you were associating cover with diplomatic immunity. You should be watching The Americans.

      Note that officer and agent are not the same thing. It would be kind of stupid to use as a deep cover spy anybody who actually worked for the U.S. government. But then again, our HUMINT programs are pretty poorly run these days.

  11. Don't get it. by Anonymous Coward · · Score: 4, Interesting

    Still don't get why China would launch hacking attacks from their own country's ip range, which is why I'm a little leery of the press reporting on this story. Even the government is giving mixed signals as to China's involvement:

    Officials are still investigating the actors behind the breaches and what the motivations might
    have been. Theft of personally identifiable information (PII) may be used for identity theft and
    financially motivated cybercrime, such as credit card fraud. Many have speculated that the OPM
    data were taken for espionage rather than for criminal purposes, however, and some have cited
    China as the source of the breaches.

    and

    Speaking at an intelligence conference on June 24, 2015, Admiral Michael Rogers, director of the
    National Security Agency and head of U.S. Cyber Command, declined to discuss who might be
    responsible for the attacks, stating “I’m not [going to] get into the specifics of attribution.... That’s
    a process that we’re working through on the policy side. There’s a wide range of people, groups
    and nation states out there aggressively attempting to gain access to that data.    ” Speaking at the
    same conference a day later, however, Director of National Intelligence James Clapper identified
    China as the “leading suspect” in the attacks.     Mr. Clapper expressed grudging admiration for the
    alleged hackers, noting “[y]ou have to kind of salute the Chinese for what they did.... You know,
    if we had an opportunity to do that, I don’t think we’d hesitate for a moment.”

    So, there still is an investigation going on over the breaches, though some intelligence officials like Clapper are already fingering China as the culprit. I think it would be more sensible to follow Admiral Roger's caution as to assigning blame for the breach given the fact that there is are a "wide range" of groups and nations aggressively trying to get access to the data and US systems. Its certainly possible that whoever did it simply used China IP space to launch the attacks in order to cast suspicion on China. So why then is the press and certain government officials beating the drum to cast blame for the attacks on the Chinese?

    If the United States chooses to respond in other ways to intrusions from China, experts have
    suggested that China has multiple vulnerabilities that the United States could exploit. “China’s
    uneven industrial development, fragmented cyber defenses, uneven cyber operator tradecraft, and
    the market dominance of Western information technology firms provide an environment
    conducive to Western CNE [computer network exploitation] against China,    ” notes one scholar of
    Chinese cyber issues.

    Ah, now I get it.

  12. Jail? by otaku244 · · Score: 2

    Snowden leaks a bunch of sensitive information and government officials beat their chests over the jeopardy of his actions, never allowing him to be forgiven. Meanwhile, Katherine Archuleta and her OPM staff walks freely on the streets even though the security was Bridge of Death Easy and not Mission Impossible Hard
    Clearly, the government's priorities are screwed up.

    --
    Mod me down, I shall become more off-topic than you could possibly imagine.
  13. Re:I'm from the Chinese Government by Fire_Wraith · · Score: 3, Insightful

    Great! Since you already have admin access to my network, can you fix up the issues from our last server migration? Outlook keeps cutting in and out during the day, and we'd really appreciate it if you could fix that while you're busy copying all our files.

    Also, can we contact you later if we need copies of your copies as backups? Thanks!

  14. You want to know why the system is broken? by MikeRT · · Score: 4, Interesting

    Because even in the face of this, no politician has the guts to propose a bill that would transfer OPM's work to more competent agencies, fire all of its staffers with a 90 day severance package and have GSA sell the agency's assets at public auction. The worst assault on US national security since the Rosenbergs' treason (yes, much much worse than any of the recent leaks) and no one high level is even losing a job, let alone facing indictment. And the best part, no one in Congress seems to think it sufficiently grave to raise that issue.

    This is why when people say Donald Trump is a joke and we need serious candidates, I say bullshit. If you're talking foreign policy as a candidate and you don't have a comprehensive answer to this, you aren't serious because this is more serious than Iran getting a nuke or two. This compromises so much of our ability to do black ops.

    1. Re:You want to know why the system is broken? by Anonymous Coward · · Score: 4, Insightful

      You're assuming, of course, that the gross incompetence displayed by the OPM is somehow exceptional. How quickly we forget that RSA had their most highly sensitive databases cracked by the Chinese, which stored the secret keys to tens of thousands of key fobs used to access highly classified government and contractor offices and databases.

      If there's gross incompetence here, it's the NSA, and specifically NSA leadership. By choosing to stymie and hold back security technology, they're the ones responsible (more than any other single entity) for the horrendously poor choices we have in terms of securing infrastructure. It's not just about algorithms. They've been putting up roadblocks to pervasive use of public-private key smart cards, for example. They do so by suggesting this or that might be illegal; or this or that might lead to a loss of government contracts. They push overly complex standards that they know will never see pervasive adoption.

      The incompetence is that they failed to understand that COTS solutions _must_ be secure. There's simply no way to cultivate and grow a market of secure solutions for the government while sabotaging COTS markets. They're too interconnected. Plus government has to hire the bulk of their IT and engineering staff from the private, COTS-focused job market.

      And the NSA miscalculated how quickly other countries would adopt secure solutions in the U.S. As incompetent as the U.S. government can be, it pales in comparison to the incompetence of Russian, Chinese, and other governments we need to spy on. It doesn't matter how cheap or easy to acquire secure solutions are, if an incompetence bureaucracy would fail to implement properly.

      You're assuming the OPM is uncharacteristically incompetent. But they're almost certainly not. The intelligence agents sabotaged the market in security solutions, so it's entirely predictable that large organizations will fumble the task of securing this information while making it readily available and useable. Remember, the latter is their primary task. Maybe you're a system administration. Sysadmins seem to think their job of "securing" things is accomplished only when things are locked down so tight nobody can actually make use of the information or resources. I'm a programmer, and to me the failure here is the lack of simple and secure solutions.

  15. SF86 implications by OffTheLip · · Score: 4, Insightful

    If the number of affected users, via SF86 forms, is as large as reported the implications are enormous. These clearance request forms contain detailed information about the applicant, extended family, references, etc. Fingerprints just ice the cake.

  16. Re:spying: good when we do it, bad when they do it by sims+2 · · Score: 2

    Lets call these people A B and C.

    A works for the nsa.

    B is A's Girlfriend who is cheating on A with C.

    C is the other guy.

    A uses the nsa's database to keep track of B during the day.

    I imagine that when A discovers B's calls to C's number there might be a murder.

    "NSA analysts spied on spouses, girlfriend"
    http://www.nydailynews.com/new...

    But they are just imaginary people so I suppose its ok.

    --
    Minimum threshold fixed. Thanks!
  17. Re:Top secret data accessable from Internet. by whitelabrat · · Score: 3, Interesting

    A few scenarios are possible:

    1. Some high muckedy muck decided they wanted access to the data for some thingy and squashed the CIO/ISSO when they objected. This happens all the time.
    2. Lots of compliance and security theater in place giving a false sense of security. What needed to get done wasn't done.
    3. Probably some contractors involved who don't really care except to get paid.
    4. Inside job.

  18. Some perspective by Okian+Warrior · · Score: 5, Interesting

    Just to put recent events in perspective:

    1) The Chinese grab a database of our personnel, which lets them impersonate anyone (in the database), find spies and ongoing projects, blackmail federal workers for more information... and no one is charged with incompetence, fired, or even blamed.

    2) David Petraeus, former director of the CIA, gave classified information to his biographer/mistress to make him seem more powerful... he pleads guilty, gets a $40,000 fine and 2 years probation.

    3) Edward Snowden releases summary information about widespread illegal activity by the U.S. spy services. No specifics about operations or personnel were leaked, resulting in no deaths and no aborted operations(*) ...he's banished from the U.S.

    4) Chelsea [nee Bradley] Manning releases video evidence of war crimes committed by the U.S. military, literally gunning down members of the international press and other civilians with no provocation... was subjected to months of cruel and unusual punishment (tortured, per U.N. definition of torture), sentenced to 35 years in prison, and given dishonourable discharge.

      (*) Quoth the office of the president: "Mr. Snowden's dangerous decision to steal and disclose classified information had severe consequences for the security of our country..."

  19. Re:spying: good when we do it, bad when they do it by chipschap · · Score: 2

    I didn't think it was necessary to spell it out but when clandestine agents and their collaborators are uncovered they can be in mortal danger.

  20. Double standards by nrasch · · Score: 5, Insightful

    So Edward Snowden can't be pardoned because of "all the damage" he did to our security (which is nonsense for the record).

    But on the other hand these clowns can allow something orders of magnitude worse to happen that has real, actual consequences for security, and not a damn thing will happen to them.

  21. Re:Top secret data accessable from Internet. by elistan · · Score: 3, Interesting

    An ars article seems to give the clearest view of a rather murky subject. Basically, there appears to have been multiple ways in to the data. Including situations like IT contractors hiring database admins located in places like Argentina and China, at which point it doesn't matter what technical security solutions are put in place since people are explicitly given full access to the data. (I guess technically that falls under the "inside job" scenario?)