Encryption wouldn’t have stopped OPM breach, say officials
The “most devastating cyberattack in our nation’s history”
The OPM mega-breach has created a nice bipartisan coalition in Congress—against the bureaucrats who allegedly did nothing to stop it.
This week, members of Congress called for the resignation of OPM chief Katherine Archuleta after testimony revealed that security protecting OPM’s databases is so inadequate that some believe the systems should be shut down entirely.
During a 2-hour hearing before the House Oversight Committee, Chairman Jason Chaffetz (R-Utah) let loose on Archuleta, calling the breach “most devastating cyberattack in our nation’s history” and demanding to know why OPM was seemingly ambivalent about how vulnerable its systems were to attack.
Via Ars Technica:
House Oversight Chairman Jason Chaffetz (R-Utah) told Archuleta and OPM Chief Information Officer Donna Seymour, “You failed utterly and totally.” He referred to OPM’s own inspector general reports and hammered Seymour in particular for the 11 major systems out of 47 that had not been properly certified as secure—which were not contractor systems but systems operated by OPM’s own IT department. “They were in your office, which is a horrible example to be setting,” Chaffetz told Seymour. In total, 65 percent of OPM’s data was stored on those uncertified systems.
Chaffetz pointed out in his opening statement that for the past eight years, according to OPM’s own Inspector General reports, “OPM’s data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information.”
When Chaffetz asked Archuleta directly about the number of people who had been affected by the breach of OPM’s systems and whether it included contractor information as well as that of federal employees, Archuleta replied repeatedly, “I would be glad to discuss that in a classified setting.” That was Archuleta’s response to nearly all of the committee members’ questions over the course of the hearing this morning.
Watch:
The system was vulnerable, but it’s still unclear what measures could have been taken on a software level to prevent this specific attack. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that, because the attackers had obtained valid user credentials, encryption wouldn’t have stopped sensitive information from being compromised. Because there is no system of multistep user authentication, the hackers were able to jump in and out of the database at will from both inside and (most likely) outside the network.
U.S. Chief Information Officer Tony Scott has ordered a 30 day cybersecurity “sprint” to identify vulnerabilities and kickstart development of a multistep user authentication process. Critics say that this move lacks the type of accountability that an emergency breach situation requires, so don’t expect this issue to go away any time soon.
DONATE
Donations tax deductible
to the full extent allowed by law.
Comments
What it looks like to (un-technical) me LESS like a “hack” and MORE like straight up give-away.
IF I did something like this with client information, I’d lose my bar card.
They had root access, they likely had master keys to any encryption.
When you make the chips you don’t need something as shallow as root access.
Per Insty, there were Chinese sysadmins with root access.
http://pjmedia.com/instapundit/208756/
Ars Technica: A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People’s Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is ‘so what’s new?’”
Instapundit: They were in China, and had root access. In China. With root access.
Amazing. Reminds me of the US contractors working remotely who do outsource their work to low cost off-shore places that could include mainland China.
A proper security architecture is multi-layered. Even if they did have root access to the host systems, there should have been other tools in place such as network monitoring that could have flagged root access from outside the local network. Additionally, proper separation of duties and system monitoring tools could have caught the fact that a root user, who should be restricted to system administration functions, was mucking around in an application database.
This is another perfect example of a government agency getting too big for it’s britches. It has no business compiling such a high-value database if it can’t comport itself to manage that database at the highest levels of professionalism.
It boggles my mind that so many in the tech industry, who know what is standard operating procedure for operations such as this, see how pathetically incompetent big government is yet they constantly vote for more government. To the prog mind the solution to every problem is another government program. And crap like this is what that mindset results in.
Tripwires.
Encryption into Mandarin seemed like such a good idea at the time.
You should get plus-10 for that one.
At Rantburg that would “snark of the day”
OPM should use the information blocking encryption called HillaryHolder.
Why cotton-fiber paper files are good for somethings. They age well. Digital data is at the mercy of the next tetra byte micro thumb drive.
So who is going to be fired? Who will be brought up on charges?
Awesome. Contractors to various departments (DoE, DoD, etc) MUST encrypt any PII on their machines, be it email, local files, network files, spreadsheets, anything, under threat of termination for non-compliance. I guess it wasn’t necessary after all, eh? We will be waiting for the next cyber security update…
The nameless, faceless ‘Congress.’
Don’t expect much from ‘Congress’ with the Squeaker and the Turtle hogging its leadership positions. Perhaps when we’re through tolerating those two assholes, real men and/or women will take the lead, and ‘Congress’ will have names and faces people can get their minds and hearts around.
Meantime, what a joke we collectively are for watching this pathetic circus and allowing it to continue.
Everyone needs to get behind The Convention of States project. It’s the only way we’ll cut the nuts out of the grotesque rooting hog that DC has become.
This is what happens when you bring in a bunch of H1-B workers for sensitive IT.
Ladies and Gentlemen – There is something far, far more important here that nobody seems to be noticing:
OPM does not want to discuss (in public) the fact that OPM systems may have included personnel data from NON-GOVERNMENTAL employees (contractors) are doing or may have done business with the government in the past.
Wa-Poo had a piece on this two days ago which touched upon it. The Privacy Act of 1974 opens the federal government to suit by a limited waiver of sovereign immunity. Every individual whose data was breached has a cause of action for damages and attorney’s fees against the federal government. OPM chief Katherine Archuleta doesn’t dare say whether any of the individuals or companies data may have been breached in public, because that WILL start the tide of Federal lawsuits.
Wa-poo tried to make it sound like it would be particularly difficult. It is not. Any individual who worked in a sensitive capacity (CIA, FBI, NSA, National Reconnaissance Office, etc…) as an “off the books” employee or subcontractor now has to be looking over their shoulder on the idea that a foreign national to whom the hackers have sold the info may be coming after them or their families.
My guess is that there are also contractual provisions regarding disclosure of some of those working relationships which could lead to a sovereign immunity waiver.
Also remember: Lewis “Scooter” Libby went to JAIL for purported violations of Title 50, United States Code, Section 421 (disclosure of the identity of covert intelligence personnel); and Title 18, United States Code, Sections 793 (improper disclosure of national defense information) in relation to his disclosure of the identity of “Valarie Plame.” EVERY SINGLE PERSON in the security chain of this datastream has at least Libby’s level of culpability in the release of this information, and now may be subject to CRIMINAL charges as well as personal individual civil suit.
Only word that appropriately describes these people is TREASON. This administration has done everything it can to bring our country to its knees. I’m still waiting for a Republican presidential candidate to speak the truth.
The Obama administration has quite the record on IT.
Data security is not so difficult as it seems. It requires intelligent people who are dedicated and hard working. Maybe this is why Government databases seem to be so wide open.
Most corporations have several levels of secure data. the most secure is hidden behind a data diode i.e. a data path in one direction only, like a diode. A simplex system that only allows data to flow out, not in. the only access to level 3-4 data is from a level 3-4 workstation. these have exactly zero access to the typical business LAN and further down to the wide open internet other than pushing data to lower levels.
Insiders can hack but someone at their desk in China would never be able to enter.
Hear, hear. It drives me nuts to listen to the dialog surrounding incidents like this and Lois Lerner’s “crashed hard drive” or Hillary’s “missing emails.” They just blatantly lie and baffle the masses with their bullshit. In the private sector people would be fired, fined, sued, thrown in jail and professionally blackballed for such monumental displays of incompetence and arrogant defiance of procedure and law.
Sometimes, may still often there would REAL CONSEQUENCES for sloppy computer security. But the aphorism that the “fish rots from the head down” applies to US business too. Cronyism has come to predominate in big business, and the habits of the sincecured Administrative State bureaucracies come to dominate in private business too.
The strength of the US is still that we deliver quality consistently at low or reasonable cost. We have a national habit of real quality and responsibility DESPITE the current national political and administrative cohorts lack of same. But will that hold up? Not from most of our colleges, and not by over-engageing with the mainland Chinese. The mainland Chinese businessmen have a cultural habit of what they can get away with and among the workers is little back-pressure to vile work conditions. Americans have high personal expectations and we often actualize them in what we produce, and in how we work.