Slashdot Mirror

← Back to Stories (view on slashdot.org)

Personal Data For More Than 130,000 Sailors Hacked: U.S. Navy (reuters.com)

Posted by msmash on from the security-woes dept.

Hackers gained access to sensitive information, including Social Security numbers, for 134,386 current and former U.S. sailors, the U.S. Navy has said. According to Reuters: It said a laptop used by a Hewlett Packard Enterprise Services employee working on a U.S. Navy contract was hacked. Hewlett Packard informed the Navy of the breach on Oct. 27 and the affected sailors will be notified in the coming weeks, the Navy said. "The Navy takes this incident extremely seriously - this is a matter of trust for our sailors," Chief of Naval Personnel Vice Admiral Robert Burke said in a statement.

28 of 57 comments (clear)

  1. "Hacked" another word for spyware? by guruevi · · Score: 4, Insightful

    Everything these days going wrong in information security is a 'hack'. Most likely this dude clicked on an advert on CNN and got some spyware installed.

    It's not a 'hack' if it involves the user on a Windows machine installing something unsavory.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:"Hacked" another word for spyware? by Big+Hairy+Ian · · Score: 1

      If he was running his own private web server they'll throw the book at him

      --

      Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    2. Re:"Hacked" another word for spyware? by Anonymous Coward · · Score: 1

      Netcraft confirms: as many as 130000 US navy sailors have been backdoored on regular basis

    3. Re:"Hacked" another word for spyware? by number17 · · Score: 1

      Or guy's window got hacked with a crowbar and laptop stolen from the front seat.

    4. Re:"Hacked" another word for spyware? by guruevi · · Score: 1

      Yes, I'm sure that's how it works.
      First: this was a contractor, contractors are hired because they tend to get stuff done without having to be held to any sort of regulation. It's cheaper that way and one of the reasons hiring contractors make sense.

      Second: Locking down a computer that tightly is not possible on the Windows platform.

      Third: I work with FDA-approved Windows versions. It's certified to be free of all sorts of tampering (because it sets among other things, radiation limits), except it's still running Windows XP, it's only relying on the built-in firewall, the only browser is IE6 and yes, you can get to the Internet on it. This is a build STILL being certified by the FDA and NIST as late as February this year. I actually have to build a custom version of OpenSwan for the remote tech service because the encryption it requires is no longer enabled in the recent builds.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    5. Re:"Hacked" another word for spyware? by Mikkeles · · Score: 1

      I think the real question is: why had an HPE contractor (or anyone else for that matter) downloaded the stats from a Navy personnel db (or the db itself)?

      The only thing that comes to mind is that he was employed to cross-check the stats against a very long paper list and decided to do it at home while enjoying a beer and watching Netflix.

      --
      Great minds think alike; fools seldom differ.
    6. Re:"Hacked" another word for spyware? by rubycodez · · Score: 1

      Q: How does the USN separate the men from the boys? A: With a crowbar

    7. Re:"Hacked" another word for spyware? by syntotic · · Score: 1

      I am not sure... does it call for the plank to be called? I still want my 20+ email accounts hacked away, back. Maybe this time something serious will be done about these issues.

  2. Ah, HPE by snookiex · · Score: 1
    It's not that this could not have happened to any other contractor, but HPE, like most HP itself, is walking dead and this is just another tiny nail in the coffin. It's funny when you read what Megan Whitman said about the recent merge with Micro Focus:

    "They are fantastic assets," Whitman said in an interview. "They're just not core to our strategy."

    --
    Open Source Network Inventory for the masses! Kuwaiba
  3. duplicate by turkeydance · · Score: 1

    saw this on /. earlier

    1. Re:duplicate by Anonymous Coward · · Score: 1

      Yeah. The other article was better written. This Reuters article has 100 words.
      Mods have been ignoring submissions lately. Pushing the same 10 sources every day: Reuters, Vice, TorrentFreak, BetaNews, Softpedia... etc.

  4. you can't do anything ... by Anonymous Coward · · Score: 2, Insightful

    I have confidence that I can keep MY computers secure from anything short of a dedicated state sponsored attack, but I am still vulnerable.

    Anyone who I give my personal data to is a huge risk. Medical care. Employment. Shopping online. Almost any activity collects such data and these systems are compromised on a regular basis, sometimes with the disclosure of highly sensitive data.

    Shit, I don't even trust my doctor's office to secure their infrastructure, but there's nothing you can do., because they will not give you medical care without entering your information into their computer systems.

    1. Re:you can't do anything ... by ColdWetDog · · Score: 1

      I have confidence that I can keep MY computers secure from anything short of a dedicated state sponsored attack, but I am still vulnerable.

      Anyone who I give my personal data to is a huge risk. Medical care. Employment. Shopping online. Almost any activity collects such data and these systems are compromised on a regular basis, sometimes with the disclosure of highly sensitive data.

      Shit, I don't even trust my doctor's office to secure their infrastructure, but there's nothing you can do., because they will not give you medical care without entering your information into their computer systems.

      You don't have to worry about *just* your doctor's office. You have to worry about the pharmacy database - every script in this country goes into one or both of two huge organizations that keep track of those little drugs. You have to worry about your insurance company AND the insurance clearing house. As well as CMS (Centers for Medicaid and Medicare Security, a wonderfully Orweillian name) and bog knows who else.

      Might as well just post it on Facebook and stop bothering about it.

      --
      Faster! Faster! Faster would be better!
  5. In the coming weeks? by wjcofkc · · Score: 1

    Well then, at least it could not possibly be data of any significance. Nope, not remotely.

    --
    Brought to you by Carl's Junior.
  6. SSNs shouldn't be 'sensitive information.' by Bing+Tsher+E · · Score: 5, Insightful

    Social Security Numbers need to be defanged. There is no reason they should be considered 'secret numbers' that can be used against a person. It should be totally safe to print your SSN on a t-shirt and wear it in public.

    There is no excuse for it being 'dangerous' to reveal your SSN to others. It's not designed to be a 'protected' piece of information and when established, a Social Security Number was intended simply as an index.

    Unfortunately, the credit industry seems to think they can use the posession of a person's SSN to extend credit to anybody who has access to it. Because of this, our SSNs have become weapons against us.

    It would be easy for us all collectively to take that power of the SSN away from the credit industry. If 10% of all Americans agreed to disclose their SSNs publicly, it would make it impossible and impractical for the credit industry to use the revealing of a SSN to issue credit cards at cash registers in stores, which is, among other conveniences for them, what the 'secrecy of SSNs' is all about.

    My dream is that someday enough of us will agree to publish our SSNs that it would become impractical for the credit industry to use it as a 'secret code.' The coolest way for this to happen would be for people to just start writing their SSN on a sign in front of their house, or on the mailbox or something of that nature.

    Practically, though, the best way it could happen would be in an all-at-once event, so that the Credit Industry can't use SSNs tricking out as an attack vector on a few people at a time. But with a mix of some sort of 'big release' of SSNs and a trickling out, i.e. people not on the 'big release' revealing their SSNs on a place like their mailbox where it can't be verified en-masse, the use of SSNs as a 'secret number' for credit applications could be nullified.

    1. Re:SSNs shouldn't be 'sensitive information.' by 4wdloop · · Score: 1

      Simple solution is to make CC etc. by statue solely responsible for all damages caused by identity fraud.
      Then they would move earth and heaven to make sure they verified identity right.

      Why in land of the law I am responsible for the acts that I did not commit?

      --
      4wdloop
  7. Re:Someone treated the computer as their own by hambone142 · · Score: 1

    HP requires its employees to encrypt the HDDs on their PCs.

    Wouder what wrong here.

  8. Re: by srichard25 · · Score: 1

    I agree with your post, but I'm just wondering what we could use to prove identity without using SSN. Birthdate is easy to find. Driver's licenses can be faked. Mother's maiden name is easily known by any family members.

  9. Re: by NotAPK · · Score: 1

    It's about a combination of things you know. Ultimately one of those things has to be secret, like a password that you supply and only you know. Your SSN is entirely unsuitable for this.

    The idea is you should supply 3-4 items from this list:

    Full Name
    DOB
    Address
    Telephone Number
    SSN
    Driver's License Number

    And in addition to that, a secret password that you selected, otherwise, someone finding your wallet on the street has access to everything.

    The whole concept of SSNs being secret and used in the US in all kinds of crazy ways always makes me laugh. Sucks to be in the US. On the contrary, the UK goes way too far the other way, asking for all kinds of ridiculous information just to change the billing plan on your cellphone.

  10. No Big Deal by amiga3D · · Score: 1

    Sailors are used to getting backdoored.

  11. Re: by thegarbz · · Score: 1

    Huh? Drivers licenses can be faked by an SSN can't? What kind of absolutely absurd knowledge is that? Your SSN ceases to be secret and personal every time you share it for identification purposes, at least someone needs to put effort into faking a drivers license (and if that is such a big problem then maybe you should change your drivers licenses).

    Some countries use a point ranking system which requires multiple documents to establish who you are with multiple characteristics. e.g. in Australia for banking changes (loans, credit, etc) you need 100 points. Documents which are difficult to issue and fake are more valid than others. E.g. A valid passport is something like 50 points. Add a drivers license you get another 35. Also have a credit card, birth certificate, or other government, local council or otherwise issued documentation well that gets you over the line.

  12. Re: by gtall · · Score: 1

    Years ago there was talk of a national id. I don't know how practical that was or what kind of security could be built in. What sunk it was the Libretards and Republicans. Naturally, the Christian fundamentalists were against it too, claiming it was akin to tattooing 666-xxx-xxx-xxx-xxx onto everyone. They then went back to pretending security was a warm blanket.

  13. identity verification kiosks? by 4wdloop · · Score: 1

    To avoid all identity theft problems we need to do away with all on line, give me this or that bit of your public life to verify it's you.

    All these require some form of physical presents.

    One solution would be local 'kiosks' to issue a digitally signed certificates, for specific reason, after physical verification of identity. Technology exists, (chain of trust or whatever they use for digital currency). Services paid by whoever requested this verification. In a way it would be a kin Public Notary service in 21 century.

    Yes it would be less convenient, but so much safer. Probably a problem for all living out in da boonies...

    There are activities that do not accept on-line verification, some I can think of:
    1) DMV/ID
    2) INS
    3) DOS/Passports
    4) Hospitals/Doctors
    5) Home appraisal (requires physical inspection by certified agent)
    6) Public Notary

    If we made all CC etc. be by statue responsible for all damages caused be identity fraud, they would have come with solution. Now, they just do not care.

    --
    4wdloop
    1. Re:identity verification kiosks? by AHuxley · · Score: 1

      The only way to secure this is to quiz every US mil/gov sector and see who has in house solution that don't leak due to encryption, air gaps and expert gov/mil staff.
      Keep the mil data well away from contractors.
      Someone in the US gov must be doing something very correct as not all agencies leak to the public or trust contractors.

      --
      Domestic spying is now "Benign Information Gathering"
  14. Services the navy uses by malditaenvidia · · Score: 1

    Did grindr get hacked?

  15. Re:Bain of IA are DoD Contractors by AHuxley · · Score: 1

    If the Navy keep data secure this with its own teams its seen as a big gov going and not supporting the very dynamic and smarter private sector.
    When data fails in the hands of the private sector its just part of the American way.

    --
    Domestic spying is now "Benign Information Gathering"
  16. Re:Putin should pay for cleanup by AHuxley · · Score: 1

    AC what did the "NSA and CIA already confirmed that"?
    The US gov said it saw that someone in the private sector found old BEAR code that anyone could be using and that a few very different groups accessed very different US networks. Groups using old code that was well understood to be in public hands and that contractors told the media about.
    As for this topic AC, the US navy issues?
    "compromised" is about the best world to use. No mention of nations or methods AC.."early stages of investigating "...
    Not the usual rapid contractor rush out to tell the waiting media about code litter AC.
    The question is then was the data unencrypted and why was it facing the internet? Why does the US gov and mil have data facing the intent thats often easy to find and then read?

    --
    Domestic spying is now "Benign Information Gathering"
  17. Join the Navy and see the world by eric_harris_76 · · Score: 1

    And the world will see you right back.

    --
    There's no time like the present. Well, the past used to be.