Chatham County Online BBS
Author Topic: OPM Data Breach - This Is Not Good  (Read 2112 times)
Pi
« on: June 22, 2015, 09:39:00 AM »

http://arstechnica.com/security/2015/06/epic-fail-how-opm-hackers-tapped-the-mother-lode-of-espionage-data/

“EPIC” fail—how OPM hackers tapped the mother lode of espionage data
Two separate "penetrations" exposed 14 million people's personal info.

Government officials have been vague in their testimony about the data breaches—there was apparently more than one—at the Office of Personnel Management. But on Thursday, officials from OPM, the Department of Homeland Security, and the Department of the Interior revealed new information that indicates at least two separate systems were compromised by attackers within OPM's and Interior's networks. The first was the Electronic Official Personnel Folder (eOPF) system, an entity hosted for OPM at the Department of the Interior's shared service data center. The second was the central database behind EPIC, the suite of software used by OPM's Federal Investigative Service in order to collect data for government employee and contractor background investigations.

OPM has not yet revealed the full extent of the data exposed by the attack, but initial actions by the agency in response to the breaches indicate information of as many as 3.2 million federal employees (both current federal employees and retirees) was exposed. However, new estimates in light of this week's revelations have soared, estimating as many as 14 million people in and outside government will be affected by the breach—including uniformed military and intelligence personnel. It is, essentially, the biggest potential "doxing" in history. And if true, personal details from nearly everyone who works for the government in some capacity may now be in the hands of a foreign government. This fallout is the culmination of years of issues such as reliance on outdated software and contracting large swaths of security work elsewhere (including China).


The government did not encrypt the data at rest.  Major FUBAR.

There are two ways to conquer and enslave a country. One is by the sword. The other is by debt. - John Adams
noway2
« Reply #1 on: June 22, 2015, 11:14:06 AM »

So you read ARS too, eh?  I thought that this was the sort of thing that the CIP Firewall (http://24.wikia.com/wiki/CIP_firewall) was supposed to prevent.

All joking aside, the fubar was not that the information was stored unencrypted, but that it was stored.  If it was absolutely imperative that it be stored, it should have been in a manner that made it impossible to hack via the Internet.  Before anyone says that is an unreasonable position, figure that until fairly recently, this would have been the case.  There isn't a computer connected to a network that can't be hacked and there isn't a database that can't be compromised.  Several years ago, I was working on developing an eCommerce site for my spouse and I was dealing with the issue of processing credit cards.  I quickly concluded that the only safe way to do so was to never store the card information, even encrypted, and even then this information would still be held in memory while it was being utilized.  It really gave me a perspective on the notion of storing data and the limitations of encrypting it.  Had this data been encrypted in the storage, it would have at best slowed down the process but it would have still gotten out.

On this note, as a reminder to our user base, if you haven't already, you should really consider putting a freeze on your credit files which will greatly reduce your threat exposure of identity theft.  As more people protect themselves this way, those that don't will be at even greater risk.

1911A
« Reply #2 on: June 22, 2015, 12:32:37 PM »

The data theft also includes that of anyone that has had to obtain govt security clearance for contracted IT work in private companies.

"You are clearly a bigoted, racist pig." - Matilda

"Let us assume for the moment everything you say about me is true. That just makes your problem bigger, doesn't it?"

Vetustior Humo.
noway2
« Reply #3 on: June 22, 2015, 01:16:00 PM »

Quote
The data theft also includes that of anyone that has had to obtain govt security clearance for contracted IT work in private companies.

Great.  I once did a particular job where I had to provide a lot of information and it took several days to get pre-authorized to work at a sensitive military base and I suspect that this may have put me in that category.  My father-in-law did top secret IT work for the military and I was having a conversation with his wife who mentioned that when they made contact with us (my wife didn't know her father until well into adulthood) that they ran a background check on us to see what kind of people we were.  She said that they were able to pull up my wife's information relatively easily and were even able to see a traffic ticket she had as a teenager roughly 25 years ago.  Why that information is still in any sort of database is a question in and of itself, but where it gets interesting is she said, "you must have a security clearance because your information has been locked down."  I said that I wasn't aware of having one and she said that you must have at some point in the past and I assume that it was that job I did.

BOFH
« Reply #4 on: June 22, 2015, 08:21:37 PM »

yeah, it's bad:

The SF-86, a 127-page document, asks government employees to disclose information about family members, friends and past employment as well as details on alcohol and drug use, mental illness, credit ratings, bankruptcies, arrest records and court actions.

Given the scale of the breach as publicly disclosed by the Obama administration and OPM, it's likely that the hackers obtained the SF-86 data of every military member who filled out the form on a computer, something that has been standard practice in Defense Department for well over a decade, said a retired senior intelligence community official who writes a blog under the pen name Victor Socotra.

The services began to make the digital SF-86 form mandatory in 2007, but service members used the digital form for years before that.

"They had access on everyone who has applied for a security clearance: families, residences and job assignments, bank records," Socotra said. "If that's not an absolute calamity, I don't know what is."

<snip>
http://www.breitbart.com/big-government/2015/06/19/opm-on-second-thought-we-dont-know-when-massive-hack-began/

During an exchange between Oversight Chairman Rep. Jason Chaffetz (R-UT) and OPM Director Katherine Archuleta, Archuleta suggested the intrusion predated an Inspector General recommendation to shut down certain OPM computer systems. “The recommendation to close down our systems came after the adversaries were already in our network,” Archuleta said.

Archuleta was referring to an Inspector General recommendation to shut down 11 of 47 OPM computer systems which were operating without a valid security authorization in 2014. According to the OIG, that recommendation was dated September 18, 2014, three months before the hack supposedly took place in December. OPM declined the IG’s recommendation in October.

--------

Computer security is like living on the Serengeti, constantly evolving and changing - you don't want to be the slow gazelle as OMB was here.
The pros at the NSA could go a long way to protect us from things like this but they choose to keep attacking (now it's anti-virus companies) instead of doing assessments of our own systems and advising departments that they are vulnerable and how.
If you worked for the government in any capacity oooh in the last 10-15 years, I would expect to receive a notification.

http://www.opm.gov/news/releases/2015/06/opm-to-notify-employees-of-cybersecurity-incident/

noway2
« Reply #5 on: June 23, 2015, 07:30:18 AM »

Quote
The pros at the NSA could go a long way to protect us from things like this but they choose to keep attacking (now it's anti-virus companies) instead of doing assessments of our own systems and advising departments that they are vulnerable and how.
In my view, this was the biggest and most profound of the Snowden revelations.  Prior to then, I tended to view the NSA as a bit of a rogue "black hat" but one whose mission was in the interests of keeping the people of this country safe.  Snowden showed the true duplicity and revealed them as being the enemy of the people.  As you said, they have chosen to keep attacking - attacking the very people they were sworn to protect.  The real sad and scary part of this is that in reality this extends to all of the Federal govt.  The conclusion, I will leave as an exercise for the reader.

BOFH
« Reply #6 on: June 23, 2015, 05:33:43 PM »

Oh Katherine Archuleta needs to be shown the door, quickly......

http://www.breitbart.com/big-government/2015/06/23/opm-director-says-no-one-responsible-for-historic-security-breach-blames-old-computers-and-software/

“If there’s anyone to blame, it’s the perpetrators,” Archuleta said. “Their concentrated, very well-funded efforts to come into our system are what we’re concerned about.”

me:
No - you own the data, it's your job to protect it


The OPM director blames this blameless inattention from nobody in particular for leaving her department with obsolete electronic security to fend off state-of-the-art intruders. However, the latest information to dribble slowly out of this opaque Administration suggests the hackers got into OPM with valid user names and passwords, obtained by either targeting employees with malware, developing human intelligence sources with old-school spycraft… or possibly the simple expedient of getting Chinese nationals into consulting jobs with OPM that granted them full-fledged administrator access to everything. Nobody was responsible for any of that either, huh?

    “So to date you don’t consider anyone at OPM to be personally responsible [for the attack]?” Moran asked her. “Or is this simply a problem with the system and no one in particular is responsible?”

    Archuleta responded, “I’m as angry as you are that this has happened at OPM. But cybersecurity is the responsibility of all of us.”

That’s Big Government failure in a nutshell, isn’t it? It’s everyone’s fault, which means it’s no one’s fault. Don’t ask what happened to the billions of dollars we were given to handle our core responsibilities. There are no refunds when we fail to live up to our end of a bargain with the public, no one to sue when our promises turn out to be a huge swindle, no one to punish when the ball is dropped. The bigger the federal government gets, the less anyone within it worries about the consequences of abuse or failure.

1911A
« Reply #7 on: June 23, 2015, 07:44:54 PM »

Quote
The bigger the federal any government gets, the less anyone within it worries about the consequences of abuse or failure.

FIFY.

1911A
« Reply #8 on: June 24, 2015, 02:27:33 AM »

http://www.cnn.com/2015/06/22/politics/opm-hack-18-milliion/

Quote
FBI Director James Comey gave the 18 million estimate in a closed-door briefing to Senators in recent weeks, using the OPM's own internal data, according to U.S. officials briefed on the matter. Those affected could include people who applied for government jobs, but never actually ended up working for the government.

1911A
« Reply #9 on: July 10, 2015, 01:38:39 PM »

http://hotair.com/archives/2015/07/09/the-hack-to-end-all-hacks-china-now-has-sensitive-info-on-21-5-million-americans-feds-say/

http://www.washingtonpost.com/blogs/federal-eye/wp/2015/07/09/hack-of-security-clearance-system-affected-21-5-million-people-federal-authorities-say/?tid=sm_tw

That's the url; here's the WaPo headline:  "Hacks of OPM databases compromised 22.1 million people, federal authorities say"

The number appears to keep rising ....

And http://hotair.com/archives/2015/07/10/breaking-opm-head-resigns/

1911A
« Reply #10 on: July 10, 2015, 01:45:28 PM »

From a BOFH post --

Quote
The OPM director blames this blameless inattention from nobody in particular for leaving her department with obsolete electronic security to fend off state-of-the-art intruders. However, the latest information to dribble slowly out of this opaque Administration suggests the hackers got into OPM with valid user names and passwords, obtained by either targeting employees with malware, developing human intelligence sources with old-school spycraft… or possibly the simple expedient of getting Chinese nationals into consulting jobs with OPM that granted them full-fledged administrator access to everything. Nobody was responsible for any of that either, huh?


Two comments from the Belmont Club:

Quote
ChrisP900
People keep calling this a "Hack".
That's Bullsh1t!

OPM hired an Argentine front-company that was run by a Chinese PLA member, working from home in China, and they gave him ROOT!

As the IG of OPM stated;
The OPM IT security policy was the equivalent of leaving all your doors and windows open and trusting that no-one would come in to steal your information...

Subotai Bahadur
ChrisP900 has it. This was not an external breach. It was internal treachery, and one wonders who got paid off and in what.


Ars Technica reported the same.

BOFH
« Reply #11 on: July 12, 2015, 08:46:00 PM »

Well Archuleta first tried to weather the storm until someone finally whispered in her ear that it was time to go.
Poor security procedures, practices and software made them the slowest antelope on the Serengeti this time - who's going to be next?

Just pretty damn embarrassing that it was so easy.....

1911A
« Reply #12 on: July 12, 2015, 10:27:31 PM »

That's what happens when hiring is done totally to mark off the identity politics check-boxes.  She was more concerned with LBTGWXYZ advocacy than taking care of IT security business, which is why they hired a Democrat bundler instead of an experienced security geek.

It's not embarrassing, it's infuriating.

Axiomatic
« Reply #13 on: July 13, 2015, 08:25:57 AM »

Quote
That's what happens when hiring is done totally to mark off the identity politics check-boxes.  She was more concerned with LBTGWXYZ advocacy than taking care of IT security business, which is why they hired a Democrat bundler instead of an experienced security geek.

It's not embarrassing, it's infuriating.

The real fury starts to kick in when you realize that she, like most of the Øbongo Criminal Enterprise, is ultimately going to skate and leave us to pick up the pieces...

Don't gotsta worry 'bout no mo'gage, don't gotsta worry 'bout no gas; Obama gonna take care o' me!