OPM Hack Update - 6:46 PM 6/30/2015: Hacks Bring Down US Background Check System — But the Worst Is Yet to Come | Audit finds new flaw at US Office of Personnel Management • The Register | Spies Warned Feds About OPM Mega-Hack Danger | The Dark Net Is Selling Hacked OPM Information, And It Could Be Worth $140M: Report


Hacks Bring Down US Background Check System — But the Worst Is Yet to Come

Things seemed to be going swimmingly at the US Office of Personnel Management (OPM), the entity that serves as the federal government's HR department.
"I'm happy to report that this first virtual conference exceeded even my high expectations," agency director Katherine Archuleta wrote on her official blog May 26. "And I'm not the only one who thinks the conference hit the mark. 'By all accounts, the OPM Virtual HR Conference was a smashing success!' said Gary Musicante, Director of Workplace Planning at the Department of Veterans Affairs. On our conference evaluation form, an employee with the Department of Interior's Bureau of Indian Affairs said, 'Why haven't we done this sooner?'"
A week later, however, it was a different story. On June 4, US officials announced that an ongoing series of massive OPM data breaches had begun nearly a year before and gone completely undetected — the thieves had exfiltrated the personal information of up to 18 million federal employees.
Shit, predictably, hit the fan. The US pointed the finger at China, whose government said "hypothetical" accusations are "irresponsible and counterproductive." Last week, OPM Inspector General Patrick McFarland testified before the Senate Homeland Security Committee, saying the failure by OPM to secure its data was being followed up with a shoddy effort to clean it up. On Friday, 17 GOP lawmakers called for Archuleta and other OPM officials to be fired.
And today, OPM announced it had shut down the system used for background checks of federal employees.
According to the Office of the Director of National Intelligence, there are 4.51 million people currently holding security clearances. To get them, each had to first fill out a 127-page form called an SF-86. The dossiers compiled based on one's SF-86 come complete with transcripts, results of polygraph exams, and details of extramarital affairs, past drug use, and gambling problems. If you lie, you face federal charges. One applicant was turned down for a security clearance for lying about having smoked marijuana and having outstanding medical debt. Another, a military veteran who had a 20-year affair with his college roommate's wife, was approved after having "mitigated the sexual behavior and personal conduct security concerns."
Because the SF-86 files were among the data stolen, the OPM breach has been called a "cyber 9/11." Former US Air Force cyber crimes investigator Daimon Geopfert thinks it could actually be worse. He ticked off to VICE News a list of possible outcomes, from blackmail, to the unmasking of clandestine operatives, to a wholesale degradation of national security.
"This is basically a multi-level layer cake of awfulness," Geopfert said, "each layer worse than the last."
* * *
Shortly after it was announced that OPM's database had been breached, software engineer David Auerbach gave "points to the CIA" in an article for Slate, since the agency had "refused to have anything to do with the OPM and thus kept its own employees' information safe."
Yet even though the CIA maintains its own security clearance platform, the agency is not insulated from the OPM data breach, explained Geopfert, now the head of security and privacy consulting for McGladrey Inc. The most functional cover for a covert operative is often a position within the government, for example as a low-level assistant at an embassy. This generally entails putting them on the roster of another federal agency handled by OPM.
'There could be people with top-secret security clearances inside US intelligence agencies right now who were improperly cleared by hackers secretly editing their information.'
"Now, you start doing some data mining and come up with a tactical list of anomalies," Geopfert said, noting that cheap, even free, software that does this can be easily found online. "You won't find a big, glowing sticker on someone's file that says they're a spy," but by looking at what isn't there — dates that don't add up, a career path that doesn't fit with a current job — things can quickly turn into "the worst case scenario for someone who is undercover."
Being able to zero in on a specific subject, armed with potentially ruinous information, can lead to blackmail. But former US Army counterintelligence agent Jarrett Kolthoff tells VICE News blackmail isn't what worries him most.
"If you take a historical look at all the 'successful' espionage operations conducted against the United States over the years, the majority have not been based on blackmail, but on money and personal issues," Kolthoff said. "Here, nation-states would be able to use certain data in people's backgrounds to more easily spot and assess individuals to be targeted, people they think might be more susceptible to being turned."
Further, there's no way to know if any SF-86 applications were surreptitiously altered on behalf of an enemy agent who wouldn't have otherwise made it through the application process.
"If that's the case, then we can no longer trust the foundation of the security clearances that have already been issued," ThreatConnect CEO Adam Vincent said. "There could be people with top secret security clearances working inside US intelligence agencies right now who were improperly cleared by secretly edited SF-86es."
* * *
After Mary Cullings retired as a special agent with the Defense Security Service, she continued to perform security clearance investigations for multiple federal agencies, including OPM, as a contractor. However, she says working for OPM was simply too frustrating to deal with for a number of reasons — one being the computer system they used to file reports. She gave up the contract inside of 18 months.
"The computer system at OPM is just horrendous," Cullings told VICE News. "It's so antiquated, it was just a nightmare to work with. I finally said, 'I'm not doing this anymore — if you ever get a system that actually works, I'll reconsider.'"
In 2007, an OPM Inspector General's report said the agency's lack of information security represented a "material weakness." Even so, OPM had no IT security staff until 2013. The following year, an audit by OPM's Inspector General found "significant" deficiencies in its IT structure. A month after that, the networks of USIS, a private company hired by OPM to conduct background checks for the Department of Homeland Security, were breached. USIS was fired and replaced by a company called KeyPoint. It was hacked in December 2014.
The current cyber best-practices within the US government are 15 years behind the times, says Richard Stiennon, chief research analyst at IT-Harvest and author of There Will Be Cyberwar. The intrusion detection systems that government agencies, including OPM, are working on implementing right now were state-of-the-art in 2000, he says. Meanwhile, the people hacking into those systems are using today's technology to compromise them.
"The government is taking baby steps while unfortunately, the threat actors are sprinters," Stiennon told VICE News. "A lot of people probably feel the conversation could have started in 2007, when the Pentagon's email servers were taken over by hackers. Or in 2008, when the Pentagon got completely infected by a USB thumb drive. Or when the VA lost laptops with everybody's unencrypted data in them, in 2006 and again in 2010. OPM has affected so many people within the US government, I think there will be a very, very serious 'come-to-the-table' moment, and the right things may start to get accomplished."
Or not. As Donna Seymour, OPM's chief information officer, told Congress in April, "Most of the government's data is in a mainframe. The adversaries in today's environment are typically used to more modern technologies and so in this case, potentially our antiquated technologies may have helped us a little bit."
* * *
In a recent post on OPM's website, Archuleta says she "quickly realized that the agency's outdated, legacy system needed to be modernized," shortly after she took over in November 2013.
"My team got to work on the comprehensive IT Strategic Plan during my first 100 days as OPM Director," she said. "That plan clearly identified security vulnerabilities in our aging systems. We immediately began an aggressive modernization and security overhaul…. It was because of that overhaul and the tools we put in place to strengthen our cybersecurity that OPM — working with our partners at the Department of Homeland Security and the Federal Bureau of Investigation — was able to detect the cyberbreaches of personnel and background investigations data."
Perhaps there was a plan in place, which may very well have included implementing a much-needed security overhaul. But the breach was discovered by a team of sales reps from a company called CyTech Services. During a product demo at the OPM offices on April 21, the software package they were demoing identified malware embedded deep within OPM's systems.
"CyTech Services remained on site to assist with the breach response, provided immediate assistance, and performed incident response services supporting OPM until May 1, 2015," read a statement issued by CyTech's CEO. "During this time, CyTech provided on-site support at OPM to the OPM security personnel as well as representatives of the FBI and US-CERT." US-CERT is the United States Computer Emergency Readiness Team, part of the Department of Homeland Security's National Cybersecurity and Communications Integration Center.
OPM spokesman Samuel Schumach disputed this account in a statement of his own, saying the agency's "cybersecurity team made this discovery in April 2015. If not for the fact that OPM was already in the process of updating and strengthening our IT infrastructure, we would have not known about the intrusion, and would have not been able to mitigate any damage."
* * *
Things are going to have to change in a fundamental way, said Alan Cohen, chief commercial officer at Illumio, a data center and cloud security company. Systems need proactive detection systems that can head off incursions before they can do too much damage. And, as Cohen told VICE News, a modicum of accountability would be nice.
"If critical weapons platforms designed to protect the US against terrorist attacks failed, the manufacturer would be scrutinized, there would be an unending river of headlines about the failure, even books would be written — and the maker would certainly be held financially responsible," Cohen said.
Security experts are calling for an end to the overuse of "privileged access" on OPM's systems, in which groups of people share login credentials. A shared account leaves a network administrator unable to tell exactly who is inside the system: an intruder holding the one password is indistinguishable, in the logs, from any legitimate user of it.
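To show what that loss of attribution looks like from the defender's side, here is an added example that is not from the VICE article or from OPM. It parses a handful of constructed authentication log lines (the log format, the account names and the addresses are all hypothetical) and flags any account that logs in from more than one source host inside a short window, which is the signature of a credential being shared, or stolen and used alongside its owner. The defender can see that it happened but cannot say which human, or which intruder, was behind each session.

```python
"""Added example: detecting shared-credential use from auth logs.

Not code from the article or from OPM. The log format below is an assumption:
    <ISO timestamp> <account> <source host> <result>
Account names and IP addresses are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, hypothetical data).
SAMPLE_LOG = """\
2015-04-20T08:01:12 svc_admin 10.1.2.10 success
2015-04-20T08:03:40 svc_admin 10.1.2.44 success
2015-04-20T08:04:05 svc_admin 203.0.113.7 success
2015-04-20T08:30:00 jdoe 10.1.2.10 success
2015-04-20T09:15:22 jdoe 10.1.2.10 success
2015-04-20T13:00:00 svc_admin 10.1.2.10 success
2015-04-21T02:10:00 svc_admin 198.51.100.9 failure
"""


def parse_log(text):
    """Parse the hypothetical log format into (timestamp, account, host, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, result = line.split()
        events.append((datetime.fromisoformat(ts), account, host, result))
    return events


def concurrent_sources(events, window=timedelta(hours=1)):
    """Return {account: set(hosts)} for every account that had successful logins
    from more than one source host within `window` of each other.

    Failed attempts are ignored: they say nothing about who is inside."""
    by_account = defaultdict(list)
    for ts, account, host, result in events:
        if result == "success":
            by_account[account].append((ts, host))

    findings = {}
    for account, seen in by_account.items():
        seen.sort()  # chronological, so each window is a contiguous slice
        for i, (t0, h0) in enumerate(seen):
            hosts = {h0}
            for t1, h1 in seen[i + 1:]:
                if t1 - t0 > window:
                    break
                hosts.add(h1)
            if len(hosts) > 1:
                findings.setdefault(account, set()).update(hosts)
    return findings


def attributable(events, account, window=timedelta(hours=1)):
    """True if every session for `account` can be tied to a single source host
    per window, i.e. the account does not look shared."""
    return account not in concurrent_sources(events, window)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for acct, hosts in sorted(concurrent_sources(evts).items()):
        print(f"{acct}: in use from {len(hosts)} hosts within one hour: {sorted(hosts)}")
```

Run against the constructed log, the shared service account is flagged with three source hosts in the same hour while the personal account is not. The point is what the script cannot do: it has no way to say whether the 203.0.113.7 session was a colleague or an intruder, which is exactly the accountability gap the experts are describing.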
Archuleta's office declined an interview request from VICE News, saying that she is making official statements via social media for the time being. A June 21 post on Archuleta's Facebook page says OPM is continuing to update its website with new information "as it becomes available. Please share this important resource with your colleagues and be sure to check back often."
"When will we receive an apology for this?" reads one reply. "We trusted OPM with sensitive information, and they let us down. Once our free 18 months of credit monitoring expires, we are on the hook for it every month, for. the. rest. of. our. lives. But no one has felt that maybe they should say 'sorry?'"
Follow Justin Rohrlich on Twitter: @justinrohrlich

· · · · · · · ·

Audit finds new flaw at US Office of Personnel Management • The Register

A security review that followed the original hack at the US Office of Personnel Management (OPM) has turned up a new, but hopefully-unexploited, vulnerability.
The “Electronic Questionnaires for Investigations Processing” system, abbreviated to e-QIP, was found to be vulnerable under the review, and will be taken offline for as long as six weeks while it's fixed.
e-QIP is a set of Web forms used to "complete and submit background investigation forms", the OPM's brief statement says.
“This proactive, temporary suspension of the e-QIP system will ensure our network is as secure as possible for the sensitive data with which OPM is entrusted”, director Katherine Archuleta says in the statement.
Reuters reports that e-QIP was set up to process security clearances after September 11.
The discovery of the vulnerability, the newswire says, has some agencies switching to handling security clearance information on paper, adding that it “could prompt some intelligence agencies … to switch back to their own applications.”
The OPM's troubles, which began in late May, have already exacerbated a logjam in processing security clearances that began with budget cuts in 2013, and Reuters speculates that one response may be for the US government to issue fewer clearances.
The original estimate that four million users were affected has been upped to 10 million, and the FBI reckons that may balloon out to 18 million. ®

Spies Warned Feds About OPM Mega-Hack Danger

U.S. intelligence agencies initially refused to share data with OPM, the now-infamously insecure arm of the government. Then the spies apparently handed over their files anyway.
Five years ago, U.S. officials refused to merge a database containing classified personnel records of intelligence-agency employees with another run by the Office of Personnel Management, fearing that if the two systems were linked up, it could expose the personal information of covert operatives to leakers and hackers.
Those concerns look prescient now that the OPM, the government’s human-resources department, has been overrun by hackers who exploited its weak computer security and made off with huge amounts of personal information on millions of government employees and contractors. But that incident has also raised troubling questions about whether U.S. spy agencies actually heeded their own advice and have kept their records physically segregated from the OPM systems that were recently hacked, presumably by spies in China.
In 2010, officials across the government were under pressure to chip away at a backlog in processing security-clearance applications. And a sweeping intelligence law, passed in the wake of the 9/11 attacks, required them to merge their records into one, all-purpose security-clearance system.
But U.S. intelligence officials said they couldn’t go along with that plan, “due to concerns related to privacy, security, and data ownership,” according to a report from the Government Accountability Office, Congress’s oversight arm.
Brenda Farrell, the oversight agency’s director of defense capabilities and management, testified before Congress in December 2010 that intelligence officials were particularly concerned that names, Social Security numbers, and personal information for covert operatives would be exposed to hackers if the personnel database, known as Scattered Castles, weren’t left to stand on its own.
But three years later, the Office of the Director of National Intelligence began working with OPM “to set the stage for the upload of active, completed clearance records” from OPM’s system—which was later overrun by hackers—into Scattered Castles, according to a 2014 report (PDF) from the intelligence office. The report noted a “current upload of records” from the Defense Department’s personnel computer system, as well. It is now linked with OPM’s, so that one person can search records in both simultaneously.
The Daily Beast contacted U.S. intelligence officials, as well as spokespeople for the FBI and the OPM. None would definitively say that Scattered Castles is not connected to OPM's system. If there are connections between the two, as that recent government report suggests there are, they could be exploited by hackers, giving them a pathway from OPM into the most highly classified personnel records in the entire government.
Officials across the government were under pressure to chip away at a backlog in processing security-clearance applications. But U.S. intelligence officials said they couldn’t go along with that plan.
“There is no connection between Scattered Castles and the OPM hack,” a U.S. official said, speaking on background. But when asked whether Scattered Castles has any physical links to the OPM system, such as for sharing files and records between the two systems, the official declined to comment and referred questions to the FBI, which is investigating the OPM hack.
Over at the bureau, a spokesperson likewise declined to answer whether the two systems are linked, noting that “security procedures prevent us from detailing specifics regarding network infrastructure.” A spokesperson for OPM referred all questions to intelligence officials—who are punting to the FBI.
A computer-security expert who has discussed the OPM hack and its implications with U.S. government officials said he was deeply troubled that the people investigating the breach don’t seem to appreciate how a daisy chain of computer systems could allow hackers who compromised one agency to hop to another and steal more data there. Scattered Castles is used by the National Security Agency, the National Reconnaissance Office, and other highly secretive intelligence organizations.
“Based on my understanding of U.S. government databases and networks, as well as recent conversations with U.S. government officials, I have high confidence that the agencies do not have a clear understanding of the architecture of their systems and how they’re interconnected,” Michael Adams, who served more than two decades in the U.S. Special Operations Command, told The Daily Beast. “I further believe that the U.S. government either doesn’t understand or is obfuscating the national-security implications of this cyberattack. These people either need serious help or need to come clean now.”
U.S. officials have already said that Social Security numbers and other personal information on as many as 18 million employees and contractors were compromised in the OPM hack. And the agency’s chief information officer confirmed that details about government employees’ sex lives, drug habits, and financial problems also may have been stolen.
But so far, there has been no official confirmation that active-duty or former intelligence-agency employees were among those affected by the hack. The Scattered Castles system contains their personal information, which could be used to reveal covert operatives’ real names. The system also contains a list of employees with access to so-called sensitive compartmented information, which can divulge intelligence sources and collection methods.
U.S. officials wouldn’t comment on the apparent data links that were set up between the hacked OPM system and Scattered Castles. The 2014 report said that by this year, the links would allow Scattered Castles to “contain active security-clearance records from all federal agencies.” It also noted that “OPM continues to partner with the [intelligence community] to explore cross-domain interface technology and various alternative solutions for enhanced… information sharing for agencies that use unclassified systems.” In other words, more links.
That was good news for the goal of speeding up and better managing the cumbersome security-clearance process. But it’s not clear how officials intended to do that and keep intelligence personnel records secure. Nor is there any indication in the report that the security concerns of just three years earlier had been addressed or resolved.
While the U.S. official said the OPM hack hadn’t affected the intelligence community’s records, it was clear Monday that new vulnerabilities are still being discovered that could pose future threats.
OPM’s embattled director, Katherine Archuleta, said in a statement that the agency had discovered a security hole in the so-called e-QIP system, a Web-based platform used for filling out and submitting background investigation forms. The agency found no indication that the vulnerability had been exploited, the statement said, but OPM took the drastic step of pulling the entire system offline, potentially for as much as six weeks, while the vulnerability is fixed.
An OPM spokesman didn’t elaborate on the nature of the vulnerability or when it was discovered. He also didn’t specify if the flaw was in the Web platform itself, and whether it could have posed a risk to anyone who used it. Websites loaded with viruses and spyware can implant them on unwitting users’ computers.
Dmitri Alperovitch, a co-founder of cybersecurity firm CrowdStrike, told The Daily Beast that the OPM hack shows how government agencies must stop reacting to attacks after they’ve occurred and start “hunting” for threats in their computer networks. “You have to go looking for the adversary,” he said.
____________________________________

The Dark Net Is Selling Hacked OPM Information, And It Could Be Worth $140M: Report

The millions of federal government employees who had their personal information stolen as part of the hack on the U.S. Office of Personnel Management might be able to buy it back. They would just need $140 million or so.
Names, phone numbers, addresses, Social Security numbers, personal relationships and other sensitive information belonging to as many as 14 million people was taken as part of the data breach. While the hack has widely been blamed on the Chinese government, a new analysis from Vocativ has discovered that some of the information taken in the breach might be for sale on criminal dark net websites like Agora, Alpha Bay and Nucleus.
Vendors were charging between 50 cents and $10 per data set, Vocativ reported, meaning that if the entire trove of data went on sale it would be worth $140 million, though only a fraction of the stolen files appear to be available.
The number of users on each site varies widely but information sellers on each forum updated their listings with “new [database] added” and “updated 4.22,” which Vocativ speculated could be a reference to the 4.2 million federal workers whose data was stolen.
The data, which apparently does not include information taken as part of the infiltration on the government's database of security clearance records, is so valuable because it enables foreign hackers to impersonate unsuspecting Americans.
It's not clear when the hack began or for how long outsiders lurked within government networks. The hack was first revealed in June and was shown to be more devastating in successive announcements. The OPM announced Monday it will suspend the online system that enables the government to conduct background checks for four to six weeks, or until it can complete “security enhancements.”

____________________________________
