Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
China Security United States

What Federal Employees Really Need To Worry About After the Chinese Hack 123

HughPickens.com writes: Lisa Rein writes in the Washington Post that a new government review of what the Chinese hack of sensitive security clearance files of 21 million people means for national security is in — and some of the implications are quite grave. According to the Congressional Research Service, covert intelligence officers and their operations could be exposed and high-resolution fingerprints could be copied by criminals. Some suspect that the Chinese government may build a database of U.S. government employees that could help identify U.S. officials and their roles or that could help target individuals to gain access to additional systems or information. National security concerns include whether hackers could have obtained information that could help them identify clandestine and covert officers and operations (PDF).

CRS says that if the fingerprints in the background investigation files are of high enough quality, "depending on whose hands the fingerprints come into, they could be used for criminal or counterintelligence purposes." Fingerprints also could be trafficked on the black market for profit — or used to blow the covers of spies and other covert and clandestine officers, the research service found. And if they're compromised, fingerprints can't be reissued like a new credit card, the report says, making "recovery from the breach more challenging for some."
vivaoporto Also points out that these same hackers are believed to be responsible for hacking United Airlines.
This discussion has been archived. No new comments can be posted.

What Federal Employees Really Need To Worry About After the Chinese Hack

Comments Filter:
  • by weilawei ( 897823 ) on Wednesday July 29, 2015 @01:46PM (#50207909)

    And then expected it would never be hacked?

    Bravo.

    • by xxxJonBoyxxx ( 565205 ) on Wednesday July 29, 2015 @02:01PM (#50208113)

      >> giant database...never be hacked

      "Data warehouses" and "big data" have all these problems. I remember a big data security talk where the conclusion was basically "well there's a handful of half-baked solutions for the biggest platforms, but no one actually uses them."

      In my corporate experience, data warehouse and big data projects happen when an executive gets annoyed with the slow progress of IT and basically dumps out the contents of a few databases into an almost-impossible-to-secure bowl of soup. As a resident security guru I frequently developed a blind spot for these executive disasters: reporting or trying to audit them usually led to career pain.

      • In my corporate experience, data warehouse and big data projects happen when an executive gets annoyed with the slow progress of IT and basically dumps out the contents of a few databases into an almost-impossible-to-secure bowl of soup.

        Exactly how the whole Chelsea Manning/Wikileaks thing happened.

        Before 9/11 info was comparmentalised and need to know, after it was "gotta let every low level person have access to everything so we don't slip up again". Whoops.

    • A perfectly reasonable assumption, if it was in a locked room secured by armed guards. Which is really where it should have been.

  • No problem! (Score:5, Funny)

    by Qzukk ( 229616 ) on Wednesday July 29, 2015 @01:50PM (#50207955) Journal

    Just issue everyone a new set of fingerprints.

    • by Anonymous Coward

      Just issue everyone a new set of fingerprints.

      I thought so too, but did you read the summary? It says "fingerprints can't be reissued like a new credit card." There's probably too much red tape involved.

  • by Anonymous Coward on Wednesday July 29, 2015 @01:51PM (#50207973)

    build a database of U.S. government employees

    So waitaminnit... let me get this straight.

    Is this the same US government that has built a database of virtually every internet-using person in the world, including all their private communication, all their personal associations, the contents of their phone calls, where they are at any given moment in time, and every shred of information that can possibly be obtained?

    Would it be that same US government that has the unmitigated gall to complain about a tiny, tiny fraction of that being done to them in return?

    I just want to make sure it's the same one. Because it doesn't seem like a government that spies on everyone in the world to a scale never before seen in history has ANY FUCKING right to complain. Good for the goose, good for the gander, after all.

    • Would it be that same US government that has the unmitigated gall to complain about a tiny, tiny fraction of that being done to them in return?

      I understand your point and I see where you're coming from, but consider: with the breach that took place, people can die. This isn't some sort of political theory or a matter of taking a stand. Real people may die because of this.

      • by sims 2 ( 994794 )

        Lets call these people A B and C.

        A works for the nsa.

        B is A's Girlfriend who is cheating on A with C.

        C is the other guy.

        A uses the nsa's database to keep track of B during the day.

        I imagine that when A discovers B's calls to C's number there might be a murder.

        "NSA analysts spied on spouses, girlfriend"
        http://www.nydailynews.com/new... [nydailynews.com]

        But they are just imaginary people so I suppose its ok.

        • I didn't think it was necessary to spell it out but when clandestine agents and their collaborators are uncovered they can be in mortal danger.

          • by sims 2 ( 994794 )

            Yes you are correct.

            I was just trying to point out that even if the spying is done on regular civilians it can still put them in harms way not as commonly as if you were spying on the military but harm still the same.

        • by Anonymous Coward
          This is an NSA example, so please rephrase your example with the proper cryptological terminology - Alice, Bob, Eve.
      • by rtb61 ( 674572 )

        Well then, let's hope those hackers do not use the information to fly drones around the place firing off missiles seemingly at random. That or spends billions of dollars to take over countries only to generate civil wars. Then there is the whole idea of blackmailing all the worlds political leaders to ensure they obey the dictates of US corporations, no matter how many of those countries citizens are harmed by those dictates.

        Bucket loads of people do DIE as a result of those things, you mean it could be

    • Yes, by gosh. You've hit the nail squarely on the head. It IS the very same US government!
  • by grumpy_old_grandpa ( 2634187 ) on Wednesday July 29, 2015 @01:53PM (#50207993)
    Fingerprints can't be reissued

    No shit sherlock.

    At least this makes it obvious that fingerprint databases are ripe for abuse. I guess we can only hope this will lower the popularity of collecting it in the first place.
    • Fingerprints should never be available, and only as a query/response data store with id links that have no further info on the subject they belong to.

      Just because you "want" to see it doesn't mean you "should" see it.

    • So someone can be sued when having conjectural evidence at best against that person and fingerprints "are highly unlikely" to be planted by somebody else. Let's say somebody walked near the crime scene and that persons's fingerprints were found from the murder weapon. They just found the killer.

      The problem is not the fingerprints but missing evidence and false claims.

  • by grilled-cheese ( 889107 ) on Wednesday July 29, 2015 @01:58PM (#50208067)
    Proper authentication is made up of at least two of the following:
    • Something you know (Password)
    • Something you have (Smartcard)
    • Something you are (Fingerprints)
    • Re: (Score:3, Informative)

      NO! A million times no!

      Proper multi-factor authentication is ALWAYS "something you have" and "something you know". The idea is that if someone steals the thing you know (i.e. password), then they have to also steal something you have (i.e. hardware token / smartcard / phone, you name it). The hope is that even if you don't notice that your password is compromised, you'll notice when you lose your phone. Similarly, if someone copies the smartcard you have, they still don't know the PIN to access your acco

    • by Reason58 ( 775044 ) on Wednesday July 29, 2015 @02:21PM (#50208347)
      Going to have to disagree. Fingerprints (all biometrics) are identification, not authentication. Just like a SSN, if you cannot change it then it is not a secret.
    • by Ol Olsoc ( 1175323 ) on Wednesday July 29, 2015 @03:28PM (#50208995)

      Proper authentication is made up of at least two of the following:

      Something you know

      I have a big Dick

      Something you have

      A big Dick

      Something you are

      A big Dick

      Huh - didn't know it would be so easy......

    • "Something you are" = Somebody can verify the fingerprints came from you. It is an authentication process in case of fingerprints. If not, they are just a password, i.e. something you know.

  • Leverage (Score:4, Insightful)

    by Anonymous Coward on Wednesday July 29, 2015 @02:02PM (#50208125)

    What this breach really does is give Chinese agents leverage over U.S. citizens in sensitive positions. It completely destroys the ability of the U.S. Government to keep secrets... any secrets... away from a determined probe, because a Chinese agent WILL have information that gives sufficient leverage to conduct black mail against a person close to the secret.

    • Guess there's going to be a lot of openings for new clandestine services agents. Let's just hope they guard the information better next time.
      • This. No fooling.
      • This is about more than just overseas spies. This is about people working in sensitive positions with the pentagon, the capitol, at langley, the nsa, embassies, etc, and gaining access to anything to which those people can get access. Perhaps one of the first things a hypothetical Chinese operation might do with this leverage is use it to discover the location and ID of any agents working in their borders. However, the real danger here isn't just for current operatives. The danger is that we can't also jus
  • Secrets are harder to keep. Personally I see it as a bit of an equalizer, and makes warfare a bit more symmetrical, thus less effective in gaining supremacy.

  • Three takeaways (Score:4, Interesting)

    by WillAffleckUW ( 858324 ) on Wednesday July 29, 2015 @02:04PM (#50208149) Homepage Journal

    As a former regional acting Security Officer, this whole thing brings three conclusions, which we all knew in the 80s when we set up security priniciples:

    1. Full data should never be fully available on any external or easily linked database. It is far better to have a query/response system that does not have full details.

    2. You don't need the full security clearance information unless you're looking for potential spies. Only the CIA internal agency and FBI internal agency data should have been internally available. Ever.

    3. Linking position to clearance data (other than NEEDED level of clearance) is never a good idea. We used to keep that on locked laptops (yes, a decade before you civvies got them) in removable locked hard drives for that exact reason. In a safe that was fire proof. And EMP safe.

  • "Intelligence" yields a pathetically low return on investment. If past history is any indicator (Philby, for example), the world is NOT going to collapse, things are NOT that grave, and except for the damage to the intelligence community, things are going to go on pretty much the same as always.

  • by Anonymous Coward

    Does everyone else who's been hacked by the US government ALSO have these grave and severe problems to look out for? Or is the concern only if "the wrong people" do it? Or only not a problem if "the right people" do it? If so, who decides?

    TIA, 98% Of The World

  • by sjames ( 1099 ) on Wednesday July 29, 2015 @02:19PM (#50208321) Homepage Journal

    Snowden hands over evidence that the NSA has been illegally spying on U.S. citizens and Allies (not to mention perjuring itself before Congress) to an American journalist resulting in a careful release of some data to prove the allegation and the feds call for his head on a platter, even risking an international incident or two to try to disappear him.

    The OPM fumbles and hands over 4.2 million very detailed dossiers on federal employees and 21 million others with security clearance to China and the feds say "no worries, we'll give you a year of credit monitoring.....eventually.".

    • by Gryle ( 933382 )
      Snowden and OPMI are not an exact apples-to-apples comparison. Snowden disclosed classified information pertaining to technical methods, programs, and capabilities of the intelligence community. The OMPI data isn't classified and most of it, excluding medical records and probably certain financials, could be obtained by a determined and patient private investigator. That's the difference.

      In anticipation of counterarguments: I'm not saying the government has reacted appropriately to the OPMI breach. No, I
  • by StikyPad ( 445176 ) on Wednesday July 29, 2015 @02:28PM (#50208403) Homepage

    This is a non-issue for several reasons, among them:

    1) Covert officers travel under diplomatic cover, and most diplomats have security clearances. This will not stand out.
    2) It's already trivial for a nation-state to identify spies under diplomatic cover. We know who theirs are, and they know who ours are. Diplomatic cover is not about cover; it's about *diplomatic immunity*, so if they get pissed at our spies, all they can do is kick them out, and vice versa.
    3) Non-official cover employees are harder to detect, but they generally only hide their present employment, not their past employment, and usually have cover stories, not cover identities/jobs. See: Valerie Plame. At best, you can use fingerprints to confirm that they are who they say they are, which they're not lying about anyway, so...

    The real danger is blackmail. The employer already knows what infractions are listed on the SF86, of course, but the general public may not. Affairs, drug usage, and to a lesser degree, expunged criminal history, arrest record, financial issues, etc. Just download an SF86 and look it over. Depending on the individual, it could be a scandal that they'd rather avoid, and/or that the employer would rather avoid. e.g., "Why would you hire someone who smoked crack?"

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Covert officers do not travel under diplomatic cover. You're thinking of non-covert officers, i.e. the "official" spies with diplomatic immunity. The only thing covert, if at all, is that they nominally hold some official position with the embassy. Although often it's an intelligence-related position.

      Covert officers have their status as an officer of the U.S. government classified, and they enter countries as tourists or under some other cover. And when arrested they get to sit in prison. Thus, if you have

  • And I'm here to help!
    • by Fire_Wraith ( 1460385 ) on Wednesday July 29, 2015 @02:35PM (#50208471)
      Great! Since you already have admin access to my network, can you fix up the issues from our last server migration? Outlook keeps cutting in and out during the day, and we'd really appreciate it if you could fix that while you're busy copying all our files.

      Also, can we contact you later if we need copies of your copies as backups? Thanks!
  • Don't get it. (Score:4, Interesting)

    by Anonymous Coward on Wednesday July 29, 2015 @02:33PM (#50208451)

    Still don't get why China would launch hacking attacks from their own country's ip range, which is why I'm a little leery of the press reporting on this story. Even the government is giving mixed signals [fas.org] as to China's involvement:

    Officials are still investigating the actors behind the breaches and what the motivations might
    have been. Theft of personally identifiable information (PII) may be used for identity theft and
    financially motivated cybercrime, such as credit card fraud. Many have speculated that the OPM
    data were taken for espionage rather than for criminal purposes, however, and some have cited
    China as the source of the breaches.

    and

    Speaking at an intelligence conference on June 24, 2015, Admiral Michael Rogers, director of the
    National Security Agency and head of U.S. Cyber Command, declined to discuss who might be
    responsible for the attacks, stating “I’m not [going to] get into the specifics of attribution.... That’s
    a process that we’re working through on the policy side. There’s a wide range of people, groups
    and nation states out there aggressively attempting to gain access to that data.
    ” Speaking at the
    same conference a day later, however, Director of National Intelligence James Clapper identified
    China as the “leading suspect” in the attacks.
    Mr. Clapper expressed grudging admiration for the
    alleged hackers, noting “[y]ou have to kind of salute the Chinese for what they did.... You know,
    if we had an opportunity to do that, I don’t think we’d hesitate for a moment.”

    So, there still is an investigation going on over the breaches, though some intelligence officials like Clapper are already fingering China as the culprit. I think it would be more sensible to follow Admiral Roger's caution as to assigning blame for the breach given the fact that there is are a "wide range" of groups and nations aggressively trying to get access to the data and US systems. Its certainly possible that whoever did it simply used China IP space to launch the attacks in order to cast suspicion on China. So why then is the press and certain government officials beating the drum to cast blame for the attacks on the Chinese?

    If the United States chooses to respond in other ways to intrusions from China, experts have
    suggested that China has multiple vulnerabilities that the United States could exploit. “China’s
    uneven industrial development, fragmented cyber defenses, uneven cyber operator tradecraft, and
    the market dominance of Western information technology firms provide an environment
    conducive to Western CNE [computer network exploitation] against China,
    ” notes one scholar of
    Chinese cyber issues.

    Ah, now I get it.

    • Well according to this [washingtonpost.com], the theory kinda fall flat. US would do it in a heartbeat and it's all fair game really:

      “This is espionage,” said Michael Hayden, a retired Air Force general and former head of the CIA and the National Security Agency, of the OPM hacks. “I don’t blame the Chinese for this at all. If I [as head of the NSA] could have done it, I would have done it in a heartbeat. And I would have not been required to call downtown, either” to seek White House permission.

  • Snowden leaks a bunch of sensitive information and government officials beat their chests over the jeopardy of his actions, never allowing him to be forgiven. Meanwhile, Katherine Archuleta and her OPM staff walks freely on the streets even though the security was Bridge of Death Easy [youtube.com] and not Mission Impossible Hard [youtube.com]
    Clearly, the government's priorities are screwed up.
  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Wednesday July 29, 2015 @02:40PM (#50208517)
    Comment removed based on user account deletion
    • by Anonymous Coward on Wednesday July 29, 2015 @03:46PM (#50209147)

      You're assuming, of course, that the gross incompetence displayed by the OPM is somehow exceptional. How quickly we forget that RSA had their most highly sensitive databases cracked by the Chinese, which stored the secret keys to tens of thousands of key fobs used to access highly classified government and contractor offices and databases.

      If there's gross incompetence here, it's the NSA, and specifically NSA leadership. By choosing to stymie and hold back security technology, they're the ones responsible (more than any other single entity) for the horrendously poor choices we have in terms of securing infrastructure. It's not just about algorithms. They've been putting up roadblocks to pervasive use of public-private key smart cards, for example. They do so by suggesting this or that might be illegal; or this or that might lead to a loss of government contracts. They push overly complex standards that they know will never see pervasive adoption.

      The incompetence is that they failed to understand that COTS solutions _must_ be secure. There's simply no way to cultivate and grow a market of secure solutions for the government while sabotaging COTS markets. They're too interconnected. Plus government has to hire the bulk of their IT and engineering staff from the private, COTS-focused job market.

      And the NSA miscalculated how quickly other countries would adopt secure solutions in the U.S. As incompetent as the U.S. government can be, it pales in comparison to the incompetence of Russian, Chinese, and other governments we need to spy on. It doesn't matter how cheap or easy to acquire secure solutions are, if an incompetence bureaucracy would fail to implement properly.

      You're assuming the OPM is uncharacteristically incompetent. But they're almost certainly not. The intelligence agents sabotaged the market in security solutions, so it's entirely predictable that large organizations will fumble the task of securing this information while making it readily available and useable. Remember, the latter is their primary task. Maybe you're a system administration. Sysadmins seem to think their job of "securing" things is accomplished only when things are locked down so tight nobody can actually make use of the information or resources. I'm a programmer, and to me the failure here is the lack of simple and secure solutions.

  • SF86 implications (Score:5, Insightful)

    by OffTheLip ( 636691 ) on Wednesday July 29, 2015 @02:42PM (#50208531)
    If the number of affected users, via SF86 forms, is as large as reported the implications are enormous. These clearance request forms contain detailed information about the applicant, extended family, references, etc. Fingerprints just ice the cake.
  • Some perspective (Score:5, Interesting)

    by Okian Warrior ( 537106 ) on Wednesday July 29, 2015 @03:06PM (#50208735) Homepage Journal

    Just to put recent events in perspective:

    1) The Chinese grab a database of our personnel, which lets them impersonate anyone (in the database), find spies and ongoing projects, blackmail federal workers for more information... and no one is charged with incompetence, fired, or even blamed.

    2) David Petraeus, former director of the CIA, gave classified information to his biographer/mistress to make him seem more powerful... he pleads guilty, gets a $40,000 fine and 2 years probation.

    3) Edward Snowden releases summary information about widespread illegal activity by the U.S. spy services. No specifics about operations or personnel were leaked, resulting in no deaths and no aborted operations(*) ...he's banished from the U.S.

    4) Chelsea [nee Bradley] Manning releases video evidence of war crimes committed by the U.S. military, literally gunning down members of the international press and other civilians with no provocation... was subjected to months of cruel and unusual punishment (tortured, per U.N. definition of torture), sentenced to 35 years in prison, and given dishonourable discharge.

      (*) Quoth the office of the president: "Mr. Snowden's dangerous decision to steal and disclose classified information had severe consequences for the security of our country..."

  • Double standards (Score:5, Insightful)

    by nrasch ( 303043 ) on Wednesday July 29, 2015 @03:59PM (#50209253)

    So Edward Snowden can't be pardoned because of "all the damage" he did to our security (which is nonsense for the record).

    But on the other hand these clowns can allow something orders of magnitude worse to happen that has real, actual consequences for security, and not a damn thing will happen to them.

  • ... There is a certain level of incompetence that is so unacceptable that you can't do anything besides line up some people against a wall and blow them away... and then move forward with everyone on the same page that "X was fucking unacceptable."

    I don't know what else it is going to take to get these government fuckwits to take security seriously besides a literal firing squad.

    I don't want to do it... I just don't know how to get through to these people. They're so fucking stupid.

  • Some government dimwit is going to cry over "chronic under funding" leading to this whole mess. Just like when the Amtrak train flew off the tracks. Never mind that the guy was driving the train at TWICE the speed he should have been. Noooooo....more money...that's what we need. Yeah, that'll fix everything.

    When are people going to realize that more money is not the solution. The solution is to get rid of idiots that cannot/will not enforce policies.

    • The solution is to get rid of idiots that cannot/will not enforce policies.

      Can you still call it a government if there aren't any people in it?

      • Well, that raises a good point. How do we get competent people to work for the government by choice? I've done a lot of contracting work for government agencies and the like so I speak with some authority on this. There are some good, hard working, competent people in government. No really - there are.

        The problem is that almost none of them - in my experience - are in management or leadership positions. Now some might say that is true in the private sector as well. No argument there - there are certainly a

  • The last company I worked for gave us all T-Shirts left over from the "Better Days" swag bin. Then HR told us all not to wear them. "You'll make yourself a target for kidnapping," they said. So on behalf of that company, which if you're the Chinese hacker who compromised my information, you'll know who it is, please don't kidnap their employees! With their culture of ineptitude and recent public stock offering, anyone who knew how to build a thing that we were working on had long since left the company! Lit
  • I've been trying to find out whether the breach of background investigation info also includes military. I underwent an FBI background check in the 90's, and if there are 21 million records stolen, I have a feeling mine could be one of them. The paperwork I had to fill out pretty much told my life story, and I had to give names and addresses and phone numbers of people I knew. Which the FBI didn't talk to, they asked for others that knew me from those 5. Hell they even interviewed my high school counse

  • If security trumped everything, those employees would all be retrained and reassigned to completely unrelated tasks and their previous access yanked as soon as their replacements could be trained.

    Now, that's not going going to happen except in a relatively small percentage of individuals.

    Instead, our country is probably going to take the risk that this info will be used to hurt us rather than pay the cost of losing a valuable employee 21 million times over.

  • Comment removed based on user account deletion
  • What Federal Employees should really worry about after the Chinese hack - is the next version of Microsoft Windows - without which - none of these 'cyber' attacks would work.

Fast, cheap, good: pick two.

Working...