US Office of Personnel Management Hacked Again
tranquilidad writes: According to a story in the Washington Post, China hacked into the computer system of the United States' Office of Personnel Management last December. This was the second major intrusion in less than a year. Personally identifiable information of approximately 4 million individuals may have been compromised. The compromised information was related to security clearances and employee records. "The FBI is working with our interagency partners to investigate this matter. We take all potential threats to public and private sector systems seriously, and will continue to investigate and hold accountable those who pose a threat in cyberspace," an FBI spokesman said.
Governments of the World Agree: Encryption Must Di (Score:3, Insightful)
Government: Crap, we got hacked again. How are we supposed to protect our lists of security clearances and employee records? It's so confusing.
IT people of the world collectively reply: ID10T Errors, you have to solve them first! Then you can protect your data.
Re: (Score:3, Informative)
Federal personnel records: Some of the personnel records (the change forms, personnel actions) are stored in an online system which can be accessed online, via a username and password for each employee. A security requirement is that the password has to be changed every 90 days. And for YEARS, whenever the password was changed, the system would send a plain text email that included the new password, "for verification". Complaints about this obvious and basic security breach fell on deaf ears for about f
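The practice described in this comment, a password-change system that mails the new password back in plain text "for verification", is easy to avoid in the handler itself. The following is an added example, not code from the thread or from any OPM system: it stores only a salted PBKDF2 hash, sends a confirmation that contains nothing reusable, and runs a guard over every outbound notice so the bad pattern cannot come back in a later change. The round count, field names and message wording are constructed for the example.

```python
# Added example (not from the Slashdot thread or any government system):
# a password-change handler that never stores or mails the plaintext secret.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Tuple

PBKDF2_ROUNDS = 600_000  # constructed choice for this example


@dataclass
class StoredCredential:
    salt: bytes
    digest: bytes


def hash_password(password: str, salt: bytes = b"") -> StoredCredential:
    """Derive a salted PBKDF2-HMAC-SHA256 digest; the plaintext is discarded."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return StoredCredential(salt=salt, digest=digest)


def verify_password(password: str, cred: StoredCredential) -> bool:
    """Constant-time comparison against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), cred.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, cred.digest)


def insecure_notice(username: str, new_password: str) -> str:
    """The pattern the comment describes: the secret is echoed back by email."""
    return (f"Hello {username},\nYour password was changed to: {new_password}\n"
            "Please keep this email for verification.")


def secure_notice(username: str, changed_at: str, request_ip: str) -> str:
    """Confirms that a change happened without revealing anything reusable."""
    return (f"Hello {username},\nYour password was changed on {changed_at} "
            f"from {request_ip}.\nIf this was not you, contact the help desk.")


def notice_leaks_secret(body: str, new_password: str) -> bool:
    """Guard run on every outbound notification before it is queued for mail."""
    return new_password in body


def change_password(username: str, old_password: str, new_password: str,
                    cred: StoredCredential, changed_at: str,
                    request_ip: str) -> Tuple[StoredCredential, str]:
    """Full flow: authenticate, re-hash, build the notice, refuse to leak."""
    if not verify_password(old_password, cred):
        raise PermissionError("old password does not match")
    new_cred = hash_password(new_password)
    body = secure_notice(username, changed_at, request_ip)
    if notice_leaks_secret(body, new_password):
        raise RuntimeError("refusing to send a notification containing the password")
    return new_cred, body
```

The guard is deliberately simple: at send time the handler still has the new password in memory, so a substring check catches any template that interpolates it, whatever the wording around it.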
Official FBI Position (Score:1)
The FBI spokesman then added "Fuck them. Fuck them up their stupid asses."
The government can't get it right (Score:2, Insightful)
We're from the government and we're here to help you...
'The most terrifying words you can hear' Ronald Reagan
Re: (Score:1)
We're from the government and we're here to help you...
'The most terrifying words you can hear' Ronald Reagan
Self-fulfilling prophecy!
Re: (Score:3, Insightful)
'The most terrifying words you can hear' Ronald Reagan
The president whose government brought in guilty-until-proven-innocent drug testing and citizenship checks to the workplace.
Re:The government can't get it right (Score:4, Interesting)
Re: (Score:2)
If you work for the Gov then this information should be public anyway. We pay your salary, we should know what it's going towards. We don't need any more secrecy, all that leads to aside from war in middle east countries is racist white cops shooting innocent black teens.
You also pay the salary of Apple employees if you buy a computer, and own the company if you own stock. You may be able to see their quarterly reports, but do you really think you should be able to know *everything* they're working on? Won't that take away their competitive advantage and ability to protect themselves against threats to the company?
Most big companies are working on some non-public things because public exposure would make those efforts either much harder or futile. As much as I agree with
Re: The government can't get it right (Score:1)
I'm not forced - by physical force - to buy Apple.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Since you pay the salaries of govt employees, you probably don't want them to demand more money when they discover that OTHER govt workers are earning more than they are....
Re: (Score:2)
Government salaries are public knowledge.
https://www.opm.gov/policy-dat... [opm.gov]
If someone else is making more than you with the same GS level, then you have good reason to complain.
Re: (Score:3)
If you work for the Gov then this information should be public anyway. We pay your salary, we should know what it's going towards.
You have no idea what goes into an SF86 form, do you? It's your whole life for at least the past 7 years, including SSN, bank account numbers, past addresses, KAs, relatives. It'd be one-stop shopping for stealing every cleared person's identity if it were public. Also, not all cleared personnel are employed by the government.
We don't need any more secrecy, all that leads to aside from war in middle east countries is racist white cops shooting innocent black teens.
Those are local cops, for the most part. If the local and state PDs were as thorough as the feds, we might have fewer issues as they might catch more potential problems through psyc
Re: (Score:2)
You might want to think this through a little more.
Re: (Score:2)
Asshole, the money is going to pay my salary. You don't get to know how I spend it.
"China Hacked" ? (Score:1)
You mean United States citizens using hacked Chinese botnets to proxy their true identities?
Remember that all major news media outlets push a CIA agenda http://en.wikipedia.org/wiki/Operation_Mockingbird [wikipedia.org]
Now that you realize the agenda, you know the truth that it was not Chinese nationals.
Re: (Score:2)
These are government sites. The CIA wouldn't use proxies to hack them. They'd set up a VPN, send over an ISA/MOU and just download everything.
Re: (Score:2)
Remember Hanlon's Razor.
http://en.wikipedia.org/wiki/H... [wikipedia.org]
They don't have an agenda, they're just idiots.
The usual verbiage...but they missed something... (Score:3, Insightful)
"...and will continue to investigate and hold accountable those who pose a threat in cyberspace,"
I am sure they will investigate. What I am not sure about is whether, "hold accountable those who pose a threat in cyberspace" means anything if history is to be believed.
I beg to be enlightened: What has my the [mighty] USA done in the past, that should make me think holding accountable in the case of China means anything really?
Now, remember we as a country, do the same stuff to other countries regularly.
Re: (Score:3)
Hold Accountable != punish
It just means that once they find out WHO did it, (or who they intend to say did it) they will blame them for doing it. It doesn't mean they will bomb them back to the stone age or put them on trial, it says they will hold them accountable. Whatcha gonna do? Send them a bill you cannot force them to pay?
Saying "Don't look at me, that guy over there, see him? HE DID IT!" = promise kept.
Not Impressed (Score:2, Interesting)
Having helped the JD secure some applications in the past... I am no longer impressed by hackers who get into these systems. Many government applications use templated login IDs and even templated passwords. Account sharing is common as many of these systems can't handle simultaneous access of records. It is truly harder to not hack a government system than it is to hack one. The whole government's security audit is a FAIL in my opinion.
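Account sharing of the kind this comment describes leaves a visible trace: one login ID with overlapping sessions from different source addresses. The block below is an added example, not code from the thread or from any government application; the log format, field names and sample lines are constructed for it. It parses login/logout events and reports each user whose active sessions came from more than one address at the same time, deduplicating repeat reports of the same address pair.

```python
# Added example (not from the Slashdot thread): detect apparently shared
# accounts from overlapping sessions on different source addresses.
# The log format and the sample lines below are constructed for this example.
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<event>LOGIN|LOGOUT) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: hr_clerk is used from two addresses at once,
# analyst logs out before logging in again from a new address.
SAMPLE_LOG = """\
2015-06-04T09:00:12Z LOGIN user=hr_clerk src=10.1.2.3
2015-06-04T09:02:40Z LOGIN user=analyst src=10.1.5.5
2015-06-04T09:05:01Z LOGIN user=hr_clerk src=10.1.2.9
2015-06-04T09:10:30Z LOGOUT user=analyst src=10.1.5.5
2015-06-04T09:12:00Z LOGIN user=hr_clerk src=10.1.2.3
2015-06-04T09:20:15Z LOGIN user=analyst src=10.1.5.6
2015-06-04T09:31:00Z LOGOUT user=hr_clerk src=10.1.2.9
"""

Event = Tuple[datetime, str, str, str]  # (timestamp, event, user, src)
Finding = Tuple[str, str, str, datetime]  # (user, existing src, new src, when)


def parse_events(text: str) -> List[Event]:
    """Parse matching lines in order; lines that do not match are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["event"], m["user"], m["src"]))
    return events


def find_shared_accounts(text: str) -> List[Finding]:
    """Report a user whenever a LOGIN arrives while a session from another
    address is still open. Each (user, address pair) is reported once."""
    active: Dict[str, Dict[str, datetime]] = defaultdict(dict)
    reported: Set[Tuple[str, frozenset]] = set()
    findings: List[Finding] = []
    for ts, event, user, src in parse_events(text):
        sessions = active[user]
        if event == "LOGIN":
            for other_src in list(sessions):
                key = (user, frozenset((other_src, src)))
                if other_src != src and key not in reported:
                    reported.add(key)
                    findings.append((user, other_src, src, ts))
            sessions[src] = ts
        else:
            sessions.pop(src, None)
    return findings


def shared_users(text: str) -> Set[str]:
    """Convenience view: just the account names worth a follow-up."""
    return {user for user, _, _, _ in find_shared_accounts(text)}


if __name__ == "__main__":
    for user, a, b, when in find_shared_accounts(SAMPLE_LOG):
        print(f"{when.isoformat()} {user}: session from {a} still open when {b} logged in")
```

Real systems rarely emit clean LOGOUT events, so in practice the "still open" test is usually replaced by a session timeout; the overlap logic stays the same.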
It's axiomatic (Score:2)
Not that the two are mutually exclusive, but for your governing overlords, it boils down to implementing effective strategies to protect information or having access to it.
It's not very difficult to see which side your elected leaders currently line up on.
Trivial (Score:5, Insightful)
So, I think that the word we need to get out to the uninformed public is that hackers do not have magic powers that are impossible to defend against. Governments and Corporations responsible for these breaches keep trying to portray the hackers as if they were madmen flying planes into buildings. How can you stop a fully loaded 747 flying at 800 mph, right?!?!
But that's not the case. Every single one of these breaches has been the result of mistakes made by the organization that was attacked, as trivial as leaving keys in the lock of your safe with a big sign that says "Money inside!" These agencies and companies could easily, and with little monetary investment, make breaches like this nearly impossible.
In most cases the mistakes aren't even technological, they're institutional. Usually those attacked had well qualified security folks on staff who were doing their best to prevent the attack. But when the "VP of operations" (or whatever) comes in and says "The project is late, everyone's telling me it's because your department is insisting on two factor authentication. I'm going to sign off on that and we're going to move forward" there's not much they can do.
Look at the Sony attack. You had executives of the company sitting there with the entire company's financial records down to the penny sitting on their Windows desktop... WHILE their security department was telling them the entire network had an active virus infection running rampant. Basically nothing happened to any of the people responsible.
Re: Trivial (Score:1)
Re: (Score:1)
There's a footnote, that says "number in thousands." You fucking idiot.
I think the point he was making is that it implies that more or less ALL federal employees are affected by this. Do try to keep up, you fucking idiot.
More people than employees are in that DB (Score:1)
OPM manages a lot of stuff for government contractors too.
For instance, OPM is a "central point" for things like background checks for security clearances.
4 million government employees! (Score:2, Insightful)
Trying to think, what the guys like Benjamin Franklin or Thomas Jefferson would've said, had anybody told them, that a mere 200 years later the Republic they founded will have millions of Federal-government employees and that the collective spending of governments will dance around 50% of the nation's GDP [blogspot.com]...
Oh, some of those aren't employees, but are contractors. Sure, that changes everything...
Re: 4 million government employees! (Score:1)
They should consider encryption (Score:2)
give and take (Score:2)
Should we be so concerned with what they took? (Score:4, Insightful)
Should we be so concerned with what they took?
How about we be a little more concerned with what they inserted?
I wonder how many Ministry of State Security agents are now vetted for U.S. high security clearances?
Re: (Score:2)
Don't worry you will pay for credit monitoring. (Score:4, Informative)
This happened before when one of NASA's HR people left their laptop with every employee's information in an unencrypted file in their car and it was stolen. We got 2 whole years of credit monitoring.
No proof it was China (Score:1)
The US Government claims it was China, but has offered no evidence. We should not just assume the US Government is telling the truth, because it seldom does.
If I had to venture a guess, I would suspect Israel long before I suspected China. Israel is no friend to the US, and is keenly interested in developing enemy lists. This would fit very well with those initiatives.
identity is for the rest of your life (Score:1)
From a personal point of view: (Score:1)
Re: (Score:2)
Not that I think breach of *that* material will never happen (when, not if).
Hate to say it, but regardless, this is a pretty serious breach of trust on OPM's part. It's difficult to secure systems. It's not impossible.
And yet the NSA knows nothing... (Score:2)
With their billions of petabytes of data, they still didn't see this coming or actually know who did it. The FBI treats identity theft as a LOW PRIORITY crime, they usually advise you to get credit monitoring and then they do zero to catch the criminals.
Mark my words: Nothing will be done. BAU. Our government's policy is "you are on your own", unless you were attacked by a Muslim terrorist, in which case, they will spend trillions on security theater.
Re: (Score:2)
... or actually know who did it.
Other than the fact they've said who did it. Other than that part.