Slashdot Mirror


Personal Data For More Than 130,000 Sailors Hacked: U.S. Navy (reuters.com)

Hackers gained access to sensitive information, including Social Security numbers, for 134,386 current and former U.S. sailors, the U.S. Navy has said. According to Reuters: It said a laptop used by a Hewlett Packard Enterprise Services employee working on a U.S. Navy contract was hacked. Hewlett Packard informed the Navy of the breach on Oct. 27 and the affected sailors will be notified in the coming weeks, the Navy said. "The Navy takes this incident extremely seriously - this is a matter of trust for our sailors," Chief of Naval Personnel Vice Admiral Robert Burke said in a statement.

57 comments

  1. "Hacked" another word for spyware? by guruevi · · Score: 4, Insightful

    Everything these days going wrong in information security is a 'hack'. Most likely this dude clicked on an advert on CNN and got some spyware installed.

    It's not a 'hack' if it involves the user on a Windows machine installing something unsavory.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:"Hacked" another word for spyware? by Anonymous Coward · · Score: 0

      Of course, there must not be any NAVY regulation or contractual requirement for a common level of carefulness in handling the customer information, as that would be against the spirit of the coming administration. Then again, I'm sure some of that spyware specifically targets certain IP ranges and infects only those machines accessing the CNN ads.

    2. Re:"Hacked" another word for spyware? by Big+Hairy+Ian · · Score: 1

      If he was running his own private web server they'll throw the book at him

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    3. Re:"Hacked" another word for spyware? by Anonymous Coward · · Score: 0

      NAVY contracts should state execution with a regulation manual as a part of the termination clause.

    4. Re:"Hacked" another word for spyware? by Anonymous Coward · · Score: 0

      How is that attack vector even possible?

      If the Navy knew what it was doing, they would only allow access to trusted machines. And by trusted machines, I mean something that was stripped of all non-critical OS components, tightly locked down so that it can't connect to anything else, and no admin access for the dumb user. And to make sure that the dumb user doesn't try anything funny, the hard drive would be encrypted and the BIOS locked down.

      Anyone that even THINKS about connecting with an insecure machine, or try to mess around with the secure machine, or copy secure data offline will have a LOT of explaining to do, while hanging upside down over a goldfish aquarium (the shark tank is reserved for when you do something really serious... like being caught playing solitaire... You are in the Navy dammit! We play Minesweeper!).

    5. Re:"Hacked" another word for spyware? by Anonymous Coward · · Score: 1

      Netcraft confirms: as many as 130000 US Navy sailors have been backdoored on a regular basis

    6. Re:"Hacked" another word for spyware? by number17 · · Score: 1

      Or the guy's window got hacked with a crowbar and the laptop stolen from the front seat.

    7. Re:"Hacked" another word for spyware? by guruevi · · Score: 1

      Yes, I'm sure that's how it works.
      First: this was a contractor. Contractors are hired because they tend to get stuff done without having to be held to any sort of regulation. It's cheaper that way and one of the reasons hiring contractors makes sense.

      Second: Locking down a computer that tightly is not possible on the Windows platform.

      Third: I work with FDA-approved Windows versions. It's certified to be free of all sorts of tampering (because it sets, among other things, radiation limits), except it's still running Windows XP, it's only relying on the built-in firewall, the only browser is IE6 and yes, you can get to the Internet on it. This is a build STILL being certified by the FDA and NIST as late as February this year. I actually have to build a custom version of OpenSwan for the remote tech service because the encryption it requires is no longer enabled in the recent builds.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    8. Re:"Hacked" another word for spyware? by Mikkeles · · Score: 1

      I think the real question is: why had an HPE contractor (or anyone else for that matter) downloaded the stats from a Navy personnel db (or the db itself)?

      The only thing that comes to mind is that he was employed to cross-check the stats against a very long paper list and decided to do it at home while enjoying a beer and watching Netflix.

      --
      Great minds think alike; fools seldom differ.
    9. Re:"Hacked" another word for spyware? by rubycodez · · Score: 1

      Q: How does the USN separate the men from the boys? A: With a crowbar

    10. Re: "Hacked" another word for spyware? by Anonymous Coward · · Score: 0

      You really have no idea how the world works.

    11. Re:"Hacked" another word for spyware? by syntotic · · Score: 1

      I am not sure... does it call for the plank to be called? I still want my 20+ email accounts hacked away, back. Maybe this time something serious will be done about these issues.

  2. More great holiday news! by Anonymous Coward · · Score: 0

    Add this to all the murder and drunk driving death stories in the news today. What a time to be alive.

  3. Someone treated the computer as their own by Anonymous Coward · · Score: 0

    and managed to get spyware/malware on it, but of course it's convenient to say they were "hacked", and as is usually the case, blame it on "Russian hackers". They say they take the incident very seriously, now if they had only taken security as serious as well...

    1. Re:Someone treated the computer as their own by hambone142 · · Score: 1

      HP requires its employees to encrypt the HDDs on their PCs.

      Wonder what went wrong here.

    2. Re:Someone treated the computer as their own by Anonymous Coward · · Score: 0

      Have you dealt with HPE as a contracting firm? I worked for a small company that used them as an MSP. They decided to require each port be locked to an Ethernet address, forcing a trouble ticket anytime a machine is added or moved.

      I called them to add a new machine to a port, told the person on the other line the MAC address of the machine. The person on the other end closed the ticket, said they refuse to support Apple products.

  4. Ah, HPE by snookiex · · Score: 1
    It's not that this could not have happened to any other contractor, but HPE, like most of HP itself, is walking dead and this is just another tiny nail in the coffin. It's funny when you read what Megan Whitman said about the recent merger with Micro Focus:

    "They are fantastic assets," Whitman said in an interview. "They're just not core to our strategy."

    --
    Open Source Network Inventory for the masses! Kuwaiba
  5. duplicate by turkeydance · · Score: 1

    saw this on /. earlier

    1. Re: duplicate by Anonymous Coward · · Score: 0

      You'll also see it again later... From BeauHD, but with some sort of implication that Russia/Trump did it.

    2. Re:duplicate by Anonymous Coward · · Score: 1

      Yeah. The other article was better written. This Reuters article has 100 words.
      Mods have been ignoring submissions lately. Pushing the same 10 sources every day: Reuters, Vice, TorrentFreak, BetaNews, Softpedia... etc.

    3. Re:duplicate by Anonymous Coward · · Score: 0

      Here's the link, for a more in-depth article: https://slashdot.org/submissio... Nice job mod.. nice job.

  6. you can't do anything ... by Anonymous Coward · · Score: 2, Insightful

    I have confidence that I can keep MY computers secure from anything short of a dedicated state sponsored attack, but I am still vulnerable.

    Anyone who I give my personal data to is a huge risk. Medical care. Employment. Shopping online. Almost any activity collects such data and these systems are compromised on a regular basis, sometimes with the disclosure of highly sensitive data.

    Shit, I don't even trust my doctor's office to secure their infrastructure, but there's nothing you can do, because they will not give you medical care without entering your information into their computer systems.

    1. Re:you can't do anything ... by ColdWetDog · · Score: 1

      I have confidence that I can keep MY computers secure from anything short of a dedicated state sponsored attack, but I am still vulnerable.

      Anyone who I give my personal data to is a huge risk. Medical care. Employment. Shopping online. Almost any activity collects such data and these systems are compromised on a regular basis, sometimes with the disclosure of highly sensitive data.

      Shit, I don't even trust my doctor's office to secure their infrastructure, but there's nothing you can do, because they will not give you medical care without entering your information into their computer systems.

      You don't have to worry about *just* your doctor's office. You have to worry about the pharmacy database - every script in this country goes into one or both of two huge organizations that keep track of those little drugs. You have to worry about your insurance company AND the insurance clearing house. As well as CMS (Centers for Medicaid and Medicare Security, a wonderfully Orwellian name) and bog knows who else.

      Might as well just post it on Facebook and stop bothering about it.

      --
      Faster! Faster! Faster would be better!
  7. In the coming weeks? by wjcofkc · · Score: 1

    Well then, at least it could not possibly be data of any significance. Nope, not remotely.

    --
    Brought to you by Carl's Junior.
  8. SSNs shouldn't be 'sensitive information.' by Bing+Tsher+E · · Score: 5, Insightful

    Social Security Numbers need to be defanged. There is no reason they should be considered 'secret numbers' that can be used against a person. It should be totally safe to print your SSN on a t-shirt and wear it in public.

    There is no excuse for it being 'dangerous' to reveal your SSN to others. It's not designed to be a 'protected' piece of information and when established, a Social Security Number was intended simply as an index.

    Unfortunately, the credit industry seems to think they can use the possession of a person's SSN to extend credit to anybody who has access to it. Because of this, our SSNs have become weapons against us.

    It would be easy for us all collectively to take that power of the SSN away from the credit industry. If 10% of all Americans agreed to disclose their SSNs publicly, it would make it impossible and impractical for the credit industry to use the revealing of a SSN to issue credit cards at cash registers in stores, which is, among other conveniences for them, what the 'secrecy of SSNs' is all about.

    My dream is that someday enough of us will agree to publish our SSNs that it would become impractical for the credit industry to use it as a 'secret code.' The coolest way for this to happen would be for people to just start writing their SSN on a sign in front of their house, or on the mailbox or something of that nature.

    Practically, though, the best way it could happen would be in an all-at-once event, so that the Credit Industry can't use SSNs tricking out as an attack vector on a few people at a time. But with a mix of some sort of 'big release' of SSNs and a trickling out, i.e. people not on the 'big release' revealing their SSNs on a place like their mailbox where it can't be verified en-masse, the use of SSNs as a 'secret number' for credit applications could be nullified.

    1. Re: SSNs shouldn't be 'sensitive information.' by Anonymous Coward · · Score: 0

      My unique identifier notice missiles security number is 1 of the few ways that I know that nobody except for someone very personal to me or a company that requires this information to run a background check through government channels has on me. It doesn't need to be public anywhere and all that defeats the purpose. I like having a way to confirm who I am that isn't available in a database on the internet, at least not legally. I don't know about you but I've already been a victim of identity theft and if it required my social security number they wouldn't have been able to do the damage they did. Maybe it isn't the best idea ever but it's not the worst idea ever. And unless you have a good alternative I suggest you shut the fuck up and stop being a whiner

    2. Re:SSNs shouldn't be 'sensitive information.' by 4wdloop · · Score: 1

      Simple solution is to make CC etc. by statute solely responsible for all damages caused by identity fraud.
      Then they would move heaven and earth to make sure they verified identity right.

      Why, in the land of the law, am I responsible for acts that I did not commit?

      --
      4wdloop
    3. Re:SSNs shouldn't be 'sensitive information.' by Anonymous Coward · · Score: 0

      Often they already cover everything. One of the biggest problems is the time it takes to deal with everything.

    4. Re: SSNs shouldn't be 'sensitive information.' by Anonymous Coward · · Score: 0

      This shows how young you are. Once upon a time everyone's SSN was printed on every check they wrote. And if it wasn't, then the clerk wrote it on or they wouldn't accept the check. It didn't seem to help keep us from getting into this situation.

  9. Putin should pay for cleanup by Anonymous Coward · · Score: 0

    No doubt Russia was behind the hack, again, seize Russian assets to pay for the cleanup and re-securing of the servers. Putin had $2 billion in Panama bank accounts, we know this from the Panama leaks. That money is easy to grab. So go grab it.

    Same with the recount for the hacked swing states, that will cost a few million $$$. We know Florida and many others had their election rolls hacked, and an unnamed election machine maker had their servers hacked.... and likely quite a few other hacks yet to be discovered.

    Those voting paper trails need to be checked, it costs money to do that, Russian state hackers did that, NSA and CIA already confirmed that, so go seize Putin's cashpile in Panama to pay for it.

    And do it before Trump tries to stop it, because he also had Panama accounts, and he benefitted from those hacks, and he provided political cover for Putin's hackers. So he has big reasons to cover for that foreign hijack of the election.

    1. Re:Putin should pay for cleanup by Anonymous Coward · · Score: 0

      There's nothing but propaganda to suggest Russian hackers did it.

    2. Re:Putin should pay for cleanup by AHuxley · · Score: 1

      AC what did the "NSA and CIA already confirmed that"?
      The US gov said it saw that someone in the private sector found old BEAR code that anyone could be using and that a few very different groups accessed very different US networks. Groups using old code that was well understood to be in public hands and that contractors told the media about.
      As for this topic AC, the US navy issues?
      "compromised" is about the best word to use. No mention of nations or methods AC.."early stages of investigating "...
      Not the usual rapid contractor rush out to tell the waiting media about code litter AC.
      The question is then: was the data unencrypted and why was it facing the internet? Why does the US gov and mil have data facing the internet that's often easy to find and then read?

      --
      Domestic spying is now "Benign Information Gathering"
  10. lol by Anonymous Coward · · Score: 0

    hooray for M$ Windoze...

  11. Bain of IA are DoD Contractors by Captain+Ramage · · Score: 0

    The last 5 or 6 major breaches/spillages of sensitive/PII/FOUO information in the DoD were either directly caused by IT contractors or from IT contractor maintained systems. Be it HP, DT, BA, SAIC, or CSC. Most of my IA department's arguments are not about security of government systems, they are about the security of the contractor systems and why WE the government employees should be controlling those networks.

    1. Re:Bain of IA are DoD Contractors by AHuxley · · Score: 1

      If the Navy kept this data secure with its own teams it's seen as big gov going and not supporting the very dynamic and smarter private sector.
      When data fails in the hands of the private sector it's just part of the American way.

      --
      Domestic spying is now "Benign Information Gathering"
  12. Assuming it was Windows... by Anonymous Coward · · Score: 0

    Enough said. Business as usual for the most insecure OS ever.

  13. Bane* of IA are DoD Contractors by Captain+Ramage · · Score: 0

    My bad on the spelling.

  14. found three common factors by Anonymous Coward · · Score: 0

    found three common factors: rum bum and baccy

  15. Shouldn't be, but are. by Captain+Ramage · · Score: 0

    The problem is, that horse is out of the barn and has left the corral and is far down the road. No amount of recrimination will fix it. The system needs to be overhauled completely, with complete reissue of a new style SSN and the banking industry coming up with a separate and new system of positive ID.

  16. Re: by srichard25 · · Score: 1

    I agree with your post, but I'm just wondering what we could use to prove identity without using SSN. Birthdate is easy to find. Driver's licenses can be faked. Mother's maiden name is easily known by any family members.

  17. just give 'em free lifetime identity theft protection by Anonymous Coward · · Score: 0

    Meh. Just give 'em free lifetime identity theft protection. They'll be PROTECTED FOR LIFE GODDAMIT! So what exactly is the problem?

  18. Re: by NotAPK · · Score: 1

    It's about a combination of things you know. Ultimately one of those things has to be secret, like a password that you supply and only you know. Your SSN is entirely unsuitable for this.

    The idea is you should supply 3-4 items from this list:

    Full Name
    DOB
    Address
    Telephone Number
    SSN
    Driver's License Number

    And in addition to that, a secret password that you selected, otherwise, someone finding your wallet on the street has access to everything.

    The whole concept of SSNs being secret and used in the US in all kinds of crazy ways always makes me laugh. Sucks to be in the US. On the contrary, the UK goes way too far the other way, asking for all kinds of ridiculous information just to change the billing plan on your cellphone.

  19. U.S. computer defences are like a swiss cheese by Anonymous Coward · · Score: 0

    Or like a Windows Defender: strong and bold letters hide luke-warm amateur walled-protection with juicy soft and tender innards.

  20. No Big Deal by amiga3D · · Score: 1

    Sailors are used to getting backdoored.

    1. Re:No Big Deal by Anonymous Coward · · Score: 0

      Shipmate, are you in distress? ;) -PCP

  21. Re: by thegarbz · · Score: 1

    Huh? Driver's licenses can be faked but an SSN can't? What kind of absolutely absurd knowledge is that? Your SSN ceases to be secret and personal every time you share it for identification purposes; at least someone needs to put effort into faking a driver's license (and if that is such a big problem then maybe you should change your driver's licenses).

    Some countries use a point ranking system which requires multiple documents to establish who you are with multiple characteristics. e.g. in Australia for banking changes (loans, credit, etc) you need 100 points. Documents which are difficult to issue and fake are more valid than others. E.g. A valid passport is something like 50 points. Add a drivers license you get another 35. Also have a credit card, birth certificate, or other government, local council or otherwise issued documentation well that gets you over the line.

  22. Major Uh Oh by Anonymous Coward · · Score: 0

    That is a surprising number of Navy LGBTQs using the same escort and prostitution service.

    Must have been an accounting and billing audit.

  23. Re: by gtall · · Score: 1

    Years ago there was talk of a national id. I don't know how practical that was or what kind of security could be built in. What sunk it was the Libretards and Republicans. Naturally, the Christian fundamentalists were against it too, claiming it was akin to tattooing 666-xxx-xxx-xxx-xxx onto everyone. They then went back to pretending security was a warm blanket.

  24. identity verification kiosks? by 4wdloop · · Score: 1

    To avoid all identity theft problems we need to do away with all of the on-line "give me this or that bit of your public life to verify it's you".

    All of these should require some form of physical presence.

    One solution would be local 'kiosks' to issue digitally signed certificates, for a specific reason, after physical verification of identity. The technology exists (chain of trust or whatever they use for digital currency). Services paid for by whoever requested this verification. In a way it would be akin to a Public Notary service for the 21st century.

    Yes it would be less convenient, but so much safer. Probably a problem for all living out in da boonies...

    There are activities that do not accept on-line verification, some I can think of:
    1) DMV/ID
    2) INS
    3) DOS/Passports
    4) Hospitals/Doctors
    5) Home appraisal (requires physical inspection by certified agent)
    6) Public Notary

    If we made all CC etc. by statute responsible for all damages caused by identity fraud, they would have come up with a solution. Now, they just do not care.

    --
    4wdloop
    1. Re:identity verification kiosks? by Anonymous Coward · · Score: 0

      No one will go for this, and without major participation, it's pointless. For example: the Coast Guard made me get a Transportation Worker ID card, which I have to periodically renew. TSA issues them, and they make some significant effort to make sure it's really me getting the card. But afterwards, no one wants to look at it. At the "secure" (except on cruise ship days, when they let anyone in) Pier 91 in Seattle, they want your DL, not your TWIC. TSA doesn't treat them as valid ID in airports. No one at all wants to look at them. Even USCG, which uses the ability to get a TWIC as a gateway to getting a license, wants to see the license they issue, not the TWIC.

      I see NY.gov is providing some electronic ID verification services. Something like this would probably be a good way to go. Physical ID confirmation with an organization that can afterwards provide a two factor login for you and electronically verify your identity for others. Should work fine 'till they get hacked.

    2. Re:identity verification kiosks? by AHuxley · · Score: 1

      The only way to secure this is to quiz every US mil/gov sector and see who has in-house solutions that don't leak due to encryption, air gaps and expert gov/mil staff.
      Keep the mil data well away from contractors.
      Someone in the US gov must be doing something very correct as not all agencies leak to the public or trust contractors.

      --
      Domestic spying is now "Benign Information Gathering"
  25. Services the navy uses by malditaenvidia · · Score: 1

    Did grindr get hacked?

  26. The real solution: by Anonymous Coward · · Score: 0

    Is making a website of DMV information that is push-only (receives one-way batch-processed new information daily) with cryptographically signed records for each resident and a rewritable verification code on the card (either digital or some sort of rewritable/replaceable label) so it can be updated periodically at the DMV to keep unauthorized/previously authorized individuals from snooping on your personal information.

    It would take some work to set up, but it would provide 'reissued credit card' level of security without the costs associated with replacing the physical card, only the authorization token and a freshly signed copy of the data.
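The two proposals above (4wdloop's kiosk issuing digitally signed, purpose-specific certificates after in-person verification, and the signed DMV records with a rewritable verification code) share one mechanism: an issuer signs a short-lived, purpose-bound statement about a person, and invalidating the person's current "code" revokes everything signed under it without reissuing the card. The following is an added example written for this page, not code from either poster or from any DMV or state system. Every name in it is an assumption: the HMAC key stands in for the issuer's signing key (a real kiosk would use an asymmetric signature so relying parties hold only a public key), and the subject, attributes, purpose strings and timestamps are constructed.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real issuer would hold an asymmetric signing key so
# relying parties verify with a public key only; HMAC stands in here because
# it is in the standard library.
ISSUER_KEY = b"constructed-demo-issuer-key"


def canonical(payload: dict) -> bytes:
    """Serialise deterministically so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict, key: bytes = ISSUER_KEY) -> str:
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()


class VersionRegistry:
    """Per-subject 'verification code' version (the rewritable code on the
    card). Bumping it revokes every attestation issued under the old version
    without reissuing the physical card."""

    def __init__(self):
        self._versions = {}

    def current(self, subject: str) -> int:
        return self._versions.get(subject, 0)

    def rotate(self, subject: str) -> int:
        self._versions[subject] = self.current(subject) + 1
        return self._versions[subject]


def issue(registry, subject, attributes, purpose, now, ttl_seconds):
    """Issue a purpose-bound, time-limited attestation after the in-person check."""
    payload = {
        "sub": subject,
        "attrs": attributes,      # only the facts this relying party needs
        "purpose": purpose,       # e.g. "open-credit-account"; reuse elsewhere fails
        "iat": now,
        "exp": now + ttl_seconds,
        "ver": registry.current(subject),
    }
    return {"payload": payload, "sig": sign(payload)}


REQUIRED = ("sub", "attrs", "purpose", "iat", "exp", "ver")


def verify(registry, attestation, expected_purpose, now, key=ISSUER_KEY):
    """Return (accepted, reason). The signature is checked before any field is trusted."""
    payload = attestation.get("payload")
    sig = attestation.get("sig", "")
    if not isinstance(payload, dict) or any(k not in payload for k in REQUIRED):
        return False, "malformed"
    if not hmac.compare_digest(sign(payload, key), sig):
        return False, "bad signature"
    if payload["purpose"] != expected_purpose:
        return False, "wrong purpose"
    if not (payload["iat"] <= now < payload["exp"]):
        return False, "expired"
    if payload["ver"] != registry.current(payload["sub"]):
        return False, "revoked"
    return True, "ok"


def demo():
    """Walk through issue, misuse, tampering and rotation; returns each verdict."""
    reg = VersionRegistry()
    t0 = 1_480_000_000  # constructed epoch timestamp
    att = issue(reg, "resident-42", {"over_18": True, "state": "WA"},
                "open-credit-account", t0, ttl_seconds=600)
    results = {}
    results["fresh"] = verify(reg, att, "open-credit-account", t0 + 60)
    results["reuse"] = verify(reg, att, "change-phone-plan", t0 + 60)
    results["late"] = verify(reg, att, "open-credit-account", t0 + 601)
    forged = {"payload": dict(att["payload"], attrs={"over_18": True, "state": "NY"}),
              "sig": att["sig"]}
    results["tampered"] = verify(reg, forged, "open-credit-account", t0 + 60)
    reg.rotate("resident-42")  # the resident has the card's code rewritten
    results["rotated"] = verify(reg, att, "open-credit-account", t0 + 60)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:9s} {'accept' if ok else 'reject'} ({why})")
```

The order of checks matters: the signature is verified over the canonical bytes before `purpose`, `exp` or `ver` are read, so an attacker cannot steer the verifier with fields they wrote themselves, and `hmac.compare_digest` avoids leaking the comparison through timing. Rotating the registry version is the "reissued credit card" effect the second post describes, at the cost of one registry lookup per verification instead of a new card.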

  27. Not Russian hackers by Anonymous Coward · · Score: 0

    Not Russian hackers? what absolute nonsense everyone knows that the only people in the world who know how to hack are Russian.

  28. Again????? by Anonymous Coward · · Score: 0

    Awwwww man looks like I'm getting another letter from the DOD

  29. Join the Navy and see the world by eric_harris_76 · · Score: 1

    And the world will see you right back.

    --
    There's no time like the present. Well, the past used to be.
  30. A question from a security analyst by Anonymous Coward · · Score: 0

    Why was this information on a laptop in the first place??? Sensitive data is required to be stored on a secure server NOT! on a friggin laptop. PLEASE! go read and put in place your NIST regs.
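The question of why 134,386 records sat on a contractor's laptop is one an endpoint scan answers before an incident does. The following is an added example, not code from the page or from the Navy, HPE or any NIST publication: a minimal scan for formatted SSNs that applies the SSA's structural rules (area never 000, 666 or 900-999; group never 00; serial never 0000) to cut false positives, and a redaction helper. The sample lines are constructed; the names, rates and numbers in them are not real records.

```python
import re

# Formatted nine-digit sequence not glued to other digits, so ZIP+4 and
# longer identifiers do not match.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules published by SSA: area is never 000, 666 or 900-999;
    group is never 00; serial is never 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text: str) -> list:
    """Return every formatted, structurally plausible SSN in the text."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if plausible_ssn(*m.groups())]


def redact(text: str) -> str:
    """Mask plausible SSNs, keeping the last four for matching against records."""
    def mask(m):
        if plausible_ssn(*m.groups()):
            return "***-**-" + m.group(3)
        return m.group(0)
    return SSN_RE.sub(mask, text)


# Constructed sample: two personnel-export style lines plus three lines that
# look like SSNs but fail the structural rules or the boundary check.
SAMPLE = [
    "DOE, JANE A      219-09-9999  ET2   USS EXAMPLE",
    "SMITH, JOHN Q    123-45-6789  IT1   NAVPERSCOM",
    "2016-11-23 ticket 000-12-3456 rejected by validator",
    "vendor part 666-55-1212 shipped to 12345-6789",
    "ref 900-12-3456 is an ITIN-range number, not an SSN",
]


def scan(lines) -> dict:
    """Return {line_index: [ssns]} for the lines that carry plausible SSNs."""
    hits = {}
    for i, line in enumerate(lines):
        found = find_ssns(line)
        if found:
            hits[i] = found
    return hits


if __name__ == "__main__":
    for i, found in scan(SAMPLE).items():
        print(f"line {i}: {len(found)} SSN(s) -> {redact(SAMPLE[i])}")
```

Two caveats a practitioner would add before pointing this at a real filesystem: unformatted nine-digit strings (the way a database export usually stores them) need a separate, noisier pattern with context checks, and the structural filter only rejects numbers that could never have been issued, so a hit count is a reason to ask why the file is on the machine, not proof that each hit is real.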