Second OPM Hack Revealed: Even Worse Than The First
from the the-federal-government,-ladies-and-gentlemen dept
Oh great. So after we learned late yesterday that the hack of all sorts of data from the federal government's Office of Personnel Management (OPM) was likely much worse than originally believed -- including leaking all Social Security numbers unencrypted -- and that the so-called cybersecurity "experts" within the government weren't even the ones who discovered the hack, things are looking even worse. That's because, late today, it was revealed that there was likely a separate hack, also by Chinese state actors, accessing even more sensitive information:
The forms authorities believed may have been stolen en masse, known as Standard Form 86, require applicants to fill out deeply personal information about mental illnesses, drug and alcohol use, past arrests and bankruptcies. They also require the listing of contacts and relatives, potentially exposing any foreign relatives of U.S. intelligence employees to coercion. Both the applicant's Social Security number and that of his or her cohabitant is required.
And yet... this is the same federal government telling us that it wants more access to everyone else's data to "protect" us from "cybersecurity threats" -- and that encryption is bad? Yikes.
In a statement, the White House said that on June 8, investigators concluded there was "a high degree of confidence that ... systems containing information related to the background investigations of current, former and prospective federal government employees, and those for whom a federal background investigation was conducted, may have been exfiltrated."
"This tells the Chinese the identities of almost everybody who has got a United States security clearance," said Joel Brenner, a former top U.S. counterintelligence official. "That makes it very hard for any of those people to function as an intelligence officer. The database also tells the Chinese an enormous amount of information about almost everyone with a security clearance. That's a gold mine. It helps you approach and recruit spies."
Filed Under: china, hack, leak, opm, security clearance, sf-86, sf86
Reader Comments
Worrisome, but not surprising
This should be held up as a perfect example of why it's a terrible idea to engage in mass spying and data collection, because even if the ones doing it never use the information themselves, such a database is an extremely tempting target for anyone, government or otherwise, who believes that the data is valuable.
If the database exists, it will be hacked, it's only a matter of time, meaning it's better to never create it in the first place.
[ link to this | view in chronology ]
Re: Worrisome, but not surprising
Just saying...
[ link to this | view in chronology ]
Re: Re: Worrisome, but not surprising
[ link to this | view in chronology ]
Re: Re: Re: Worrisome, but not surprising
The database was originally created to be used, so while sticking it behind an air gap would have been the smart thing to do, it was not the useful option.
It was also probably created because the government has a pathological need to retain any information it ever obtains.
As for exactly how it ended up online? The people actually getting paid for implementing it either picked a simple standard online database setup to allow access from anyone who should be throwing data at it. Or the people overseeing its creation were easily wowed by the prospect of the database being available to their people nationwide, without any thought to security because they weren't techs, just administrators with no real understanding of network security.
You know, the same kinds of people that just say, "well, our people are smart so encryption golden keys are the way to go. Because, we need to see what other people are doing, and our people can figure out a way to keep everyone else out."
[ link to this | view in chronology ]
Re: Re: Re: Re: Worrisome, but not surprising
[ link to this | view in chronology ]
Re: Worrisome, but not surprising
Now how the heck you would go around building a database like that I'll leave as an exercise for the reader :)
[ link to this | view in chronology ]
Re: Re: Worrisome, but not surprising
[ link to this | view in chronology ]
Re: Worrisome, but not surprising
This ought to (but won't) completely kill the idea of key escrow and the Feds logging and archiving private data.
I'm probably more trusting than I should be regarding motives, but I've never been trusting re competence. I've never applied for a security clearance, and can't imagine doing so.
Anyone who did trust the Feds' competence by (honestly) filling out a Standard Form 86 has now been proven a fool - anything embarrassing, or even just useful for leverage (which relatives to threaten...), is now in play.
And these incompetent fools are telling us to trust them with our data?
[ link to this | view in chronology ]
Jealousy Personified
[ link to this | view in chronology ]
The question arises
They've stolen the top level personal information of our government and now the Chinese know all about their life problems.
I smell blackmail in the air.
I just wonder how stupid the government really is. They just admitted their entire personnel files are now in the possession of a semi-hostile country.
Data that was not encrypted, due to utter stupidity and belief that they would be able to prevent/stop such events with the usual derring do. They failed this one miserably.
Also the same government that has been trying to blackmail/cajole Microsoft and other big computer companies to allow them a backdoor into the systems, and forbidding encryption.
Looks like the government now needs "Life Lock".
[ link to this | view in chronology ]
Re: The question arises
Because high-level U.S. and Chinese politicians belong to the same club. They're basically the same, just with different names.
[ link to this | view in chronology ]
Re: The question arises
This is how the intelligence game is played. Back in the day, it would have involved someone going in and physically photographing or copying files. Nobody's going to war or breaking off relations due to something like this, because I can tell you with perfect certainty that everyone involved in international espionage/politics is pulling the same shit. The only real shame on that field is getting caught red-handed with enough evidence for a courtroom. And even then the worst that really happens (publicly, anyway) is the international equivalent of name-calling or a few agents getting tossed in the clink.
[ link to this | view in chronology ]
Re: The question arises
[ link to this | view in chronology ]
Re: Re: The question arises
[ link to this | view in chronology ]
Re: Re: The question arises
Not true. China isn't even the #1 holder of US debt. You know who is? US citizens and companies.
[ link to this | view in chronology ]
Hate it
[ link to this | view in chronology ]
Re: Hate it
Don't forget lowercase and special characters. In this case, a couple of well-placed exclamation marks might just be what's called for! ;)
[ link to this | view in chronology ]
Re: Re: Hate it
[ link to this | view in chronology ]
Re: Hate it
Translation: We may leak such compromising information against you if you discover illegal activity by a U.S. Government agency and attempt to disclose such to the media.
https://www.opm.gov/forms/pdf_fill/sf86.pdf
[ link to this | view in chronology ]
Re: Hate it
I'm sure you meant well, and perhaps you even did good things to help your neighbors and the world.
But, with all due respect, trusting the Feds to keep your SF86 information secure was...foolish. And now you're going to pay the price.
[ link to this | view in chronology ]
Re: Re: Hate it
[ link to this | view in chronology ]
Government Agency
[ link to this | view in chronology ]
Re: Government Agency
Because the true purpose of such agencies is to protect the real rulers of America from you the people. Once every four years you get to pretend to pick your own leader.
[ link to this | view in chronology ]
Encryption anyone
Whoever didn't encrypt this data was negligent at a minimum. Gov't being what it is, no one will be fired...
[ link to this | view in chronology ]
Re: Encryption anyone
The government doesn't really care about your privacy. Only its own, not because of anything resembling national security but only because it doesn't want to get embarrassed.
[ link to this | view in chronology ]
Cost vs benefit program.
NSA- Helped destroy the world's view on the US being a great nation. Ticked off everyone on the planet with the exception of the guy living under the rock in the GEICO commercial. And cost a lot of money each year to operate even though people are going hungry in the streets.
$60 Security program- Found major security violation and malware on the span of a 30 minute sales demo. Did not possible off the entire planet. And can back up everything it does in a clear manner. Looks like the NSA needs to shut down.
[ link to this | view in chronology ]
https://www.nsa.gov/ia/ia_at_nsa/index.shtml
"NSA's Information Assurance Directorate (IAD) protects and defends National Security Information and Information Systems, in accordance with National Security Directive 42. National Security Systems are defined as systems that handle classified information or information otherwise critical to military or intelligence activities.
IAD is responsible for NSA's defensive mission and is widely acknowledged for leading innovative security solutions. Partnering extensively with government, industry, and academia, allows IAD to ensure appropriate security solutions are in place to protect and defend information systems, as well as our Nation’s critical infrastructure. IAD's work is guided by its vision to create "Confidence in Cyberspace."
Seems to me that it's high time we drag the current and former heads of the NSA before Congress and ask them how this happened on their watch. Of course, like what happened with the financial crises, bringing anything into the public sphere would be tantamount to being 'too big to fail'
Uh, guess what just happened......
[ link to this | view in chronology ]
"This is the IRS, if we do not receive payment within the next 30 minutes, we will send someone to your house to arrest you..."
"Our son was killed in Afghanistan/Iraq and we need to pay for funeral costs. The government isn't helping us. Would you please donate some money?"
"You have won $1,000,000!!! Just wire us $1,500 from your bank account to cover the processing fees and the money will be delivered!"
"Hello, this is Chinese Intelligence. Have you thought about the lucrative business of trading government secrets?"
[ link to this | view in chronology ]
OPM Managers Need Lessons in Online Security 101
Putting all that sensitive data on a computer connected to the Internet was a bad idea from the get-go and those in charge should have realised that from the beginning. If nothing else the very act of putting it online meant that they were painting a large red target on that data, daring hackers to have a go at breaching security and exfiltrating it. Which, thanks in part to pitiful security, they not only succeeded in doing, but were able to get away withOUT detection until pure chance and a product demo exposed them.
At the very least somebody needs to get fired for this, although chances are it will be some poor schmuck at the coalface end rather than those higher-ups whose decisions (or lack thereof) led to this fiasco.
[ link to this | view in chronology ]
I am aghast.
Does the US government not have an IT department?
[ link to this | view in chronology ]
Re: I am aghast.
[ link to this | view in chronology ]
1. You can hardly blame the Chinese [if it was them] when NSA is doing same
2. There is no excuse for not securing deeply personal info in your possession. Businesses are required by law to do that. Encrypt the data, air gap the really sensitive stuff
3. Breaking that encryption for your own purposes pretty much invalidates 2. Encryption is useless if it has a back door.
Unfortunately the response to this will be nothing but red faced silence. What should really happen now is that the US get rid of all the intelligence staff compromised (this is a way bigger risk than Snowden) and start again. This lot are so corrupt, that is probably a good idea anyway.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
NSA/Israel not China
No evidence of Chinese = evidence of NSA probability
Not really, but c'mon, it's the NSA and its friends (Israel) doing this spying.
[ link to this | view in chronology ]
Learning from the Pros
Having been hacked and blackmailed by the US spy agencies for years, they have finally turned the tables and joined The Five Eyes Blackmail Game, by learning how to blackmail the Five Eyes' member nation's spies themselves.
I guess the leaders of the Five Eyes thought that they could secretly survey and blackmail the world and the world would just obey them and bend over, and not try and protect itself from them. They didn't even bother to secure their own data because they think the rest of the world is composed of lesser beings.
What a bunch of self-important, arrogant, morons.
The leaders of the Five Eyes have opened a can of worms they are definitely not going to like, as they have forced the world to fight back against the monster - to fight fire with fire and learn how to blackmail the blackmailers.
Coming soon: Public Encryption Security Training Control
===================(PEST Control)=================
---
[ link to this | view in chronology ]
Data insecurity
2) Office of Personnel Management used Microsoft Windows, the most exploited(hacked) operating system in History.
[ link to this | view in chronology ]
That sounds like good stuff to have available online
[ link to this | view in chronology ]
Much worse than Edward Snowden affair
OPM is a REAL disaster
as far as China and Russia having Ed Snowden data: if they did they sure wouldn't let you know about it. The latest on Ed Snowden is just static to help cover up the OPM mess
hot mess, make that
[ link to this | view in chronology ]
Another thought
Because when you read it properly, Edward Snowden's personnel information is part of it, as are probably most of the NSA's.
I wonder if he knew about the operational insecurity of the OPM?
You have to admit that it would have saved an awful lot of hot mess if he had warned the government about it before it happened.
In that case, he would have been awarded a medal for it and given a better job.
But history had another idea. That's why he's in Russia and facing charges that he stole data from the government and our government's had their information stolen by a foreign entity called China.
It boggles the mind to know that the government completely overlooked their own data and failed to do the most basic security steps to protect it.
Snowden is the least of their problems right now.
Way to go, USA!
[ link to this | view in chronology ]
Re: Another thought
Maybe. Doesn't really matter.
"You have to admit that it would have saved an awful lot of hot mess if he had warned the government about it before it happened."
Unlikely. History shows - repeatedly - that such warnings - at best - would have been ignored and at worst would have been received with great hostility.
"In that case, he would have been awarded a medal for it and given a better job."
No. Having embarrassed the Authorizing Official (required under FISMA, look it up) for whichever system it was, he'd have been lucky to have gotten the equivalent of an "atta boy, good job, go back to work" and subsequently having the report shelved, not to be looked at again until some reporter filed a FOIA request for it.
[ link to this | view in chronology ]
Re: Another thought
In that case, he would have been awarded a medal for it and given a better job.
No, he would have been prosecuted on multiple felony computer abuse charges.
[ link to this | view in chronology ]
Re: Another thought
He did.
[ link to this | view in chronology ]
Re: Re: Another thought
[ link to this | view in chronology ]
Re: Re: Re: Another thought
[ link to this | view in chronology ]
This is exactly what happens...
I mean, don't get me wrong - there's no question that this is really bad. But if we, as a country, continue to centralize information on everybody in the name of security, then before too many years have elapsed, we're going to look back on this particular breach as being small scale and, dare I say it, quaint.
[ link to this | view in chronology ]
Re:
I don't doubt they would be willing to do such a thing, but I think you're giving their competence too much credit.
[ link to this | view in chronology ]
Not at all surprised
The OPM has done nothing but harass, illegally withhold full annuity payments.
I am not at all surprised there was this horrible breach. They are too busy picking on widows.
[ link to this | view in chronology ]