What Federal Employees Really Need To Worry About After the Chinese Hack
HughPickens.com writes: Lisa Rein writes in the Washington Post that a new government review of what the Chinese hack of sensitive security clearance files of 21 million people means for national security is in — and some of the implications are quite grave. According to the Congressional Research Service, covert intelligence officers and their operations could be exposed and high-resolution fingerprints could be copied by criminals. Some suspect that the Chinese government may build a database of U.S. government employees that could help identify U.S. officials and their roles or that could help target individuals to gain access to additional systems or information. National security concerns include whether hackers could have obtained information that could help them identify clandestine and covert officers and operations (PDF).
CRS says that if the fingerprints in the background investigation files are of high enough quality, "depending on whose hands the fingerprints come into, they could be used for criminal or counterintelligence purposes." Fingerprints also could be trafficked on the black market for profit — or used to blow the covers of spies and other covert and clandestine officers, the research service found. And if they're compromised, fingerprints can't be reissued like a new credit card, the report says, making "recovery from the breach more challenging for some." vivaoporto also points out that these same hackers are believed to be responsible for hacking United Airlines.
So you made this giant database of sensitive info (Score:5, Insightful)
And then expected it would never be hacked?
Bravo.
Re:So you made this giant database of sensitive in (Score:5, Interesting)
>> giant database...never be hacked
"Data warehouses" and "big data" have all these problems. I remember a big data security talk where the conclusion was basically "well there's a handful of half-baked solutions for the biggest platforms, but no one actually uses them."
In my corporate experience, data warehouse and big data projects happen when an executive gets annoyed with the slow progress of IT and basically dumps out the contents of a few databases into an almost-impossible-to-secure bowl of soup. As a resident security guru I frequently developed a blind spot for these executive disasters: reporting or trying to audit them usually led to career pain.
Re: (Score:1)
In my corporate experience, data warehouse and big data projects happen when an executive gets annoyed with the slow progress of IT and basically dumps out the contents of a few databases into an almost-impossible-to-secure bowl of soup.
Exactly how the whole Chelsea Manning/Wikileaks thing happened.
Before 9/11 info was compartmentalised and need to know; after, it was "gotta let every low level person have access to everything so we don't slip up again". Whoops.
Re:Top secret data accessible from Internet. (Score:4, Interesting)
A few scenarios are possible:
1. Some high muckedy muck decided they wanted access to the data for some thingy and squashed the CIO/ISSO when they objected. This happens all the time.
2. Lots of compliance and security theater in place giving a false sense of security. What needed to get done wasn't done.
3. Probably some contractors involved who don't really care except to get paid.
4. Inside job.
Re:Top secret data accessible from Internet. (Score:4, Interesting)
Re: (Score:2)
I have to ask why was such sensitive information able to be accessed from the internet? Doesn't the government have leased lines or some other really secure backbone?
And retribution towards China. I think a one trillion dollar fine would be in order. Freeze some of their cash, make some of their US Government Treasury bonds worthless ....
And if they did, then how would all of the web-based services that use this data get to it?
Not every database exploit comes from some dimwit leaving port 1433 open to Internet access or a SQL Injection attack. You can do even worse damage if you pwn the webservers and start working your way back up the LAN.
Re: (Score:1)
Honestly, I have to ask why this isn't considered an act of war. We've kicked countries' asses over much less.
Re: (Score:2)
Honestly, I have to ask why this isn't considered an act of war. We've kicked countries' asses over much less.
Because the indications that it was "Der Chiners" were just innuendo and speculation by media reporters. There is NO evidence that it was the Chinese, and no official statement that China was involved or that they had evidence to that effect. It's just as likely that it was some kid in his parents' basement in Jersey.
Re: (Score:2)
It's just a lot of useful cutouts, web 2.0 names, bait, front companies, names, terms, funding, locations that might have existed to push staff and products into US operations and bases after 2000.
If the US needed a deep cov
Re: (Score:2)
A perfectly reasonable assumption, if it was in a locked room secured by armed guards. Which is really where it should have been.
well, it might help China (Score:2)
No problem! (Score:5, Funny)
Just issue everyone a new set of fingerprints.
Re: (Score:1)
Just issue everyone a new set of fingerprints.
I thought so too, but did you read the summary? It says "fingerprints can't be reissued like a new credit card." There's probably too much red tape involved.
Re: (Score:1)
"Red", but not "tape".
Anyway, the Q branch knows how to get around this [wikifoundry.com]
spying: good when we do it, bad when they do it? (Score:5, Insightful)
build a database of U.S. government employees
So waitaminnit... let me get this straight.
Is this the same US government that has built a database of virtually every internet-using person in the world, including all their private communication, all their personal associations, the contents of their phone calls, where they are at any given moment in time, and every shred of information that can possibly be obtained?
Would it be that same US government that has the unmitigated gall to complain about a tiny, tiny fraction of that being done to them in return?
I just want to make sure it's the same one. Because it doesn't seem like a government that spies on everyone in the world to a scale never before seen in history has ANY FUCKING right to complain. Good for the goose, good for the gander, after all.
Re: (Score:1)
Would it be that same US government that has the unmitigated gall to complain about a tiny, tiny fraction of that being done to them in return?
I understand your point and I see where you're coming from, but consider: with the breach that took place, people can die. This isn't some sort of political theory or a matter of taking a stand. Real people may die because of this.
Re: (Score:2)
Let's call these people A, B and C.
A works for the nsa.
B is A's Girlfriend who is cheating on A with C.
C is the other guy.
A uses the nsa's database to keep track of B during the day.
I imagine that when A discovers B's calls to C's number there might be a murder.
"NSA analysts spied on spouses, girlfriend"
http://www.nydailynews.com/new... [nydailynews.com]
But they are just imaginary people so I suppose it's ok.
Re: (Score:3)
I didn't think it was necessary to spell it out but when clandestine agents and their collaborators are uncovered they can be in mortal danger.
Re: (Score:1)
Yes you are correct.
I was just trying to point out that even if the spying is done on regular civilians it can still put them in harm's way; not as commonly as if you were spying on the military, but harm all the same.
Re: (Score:1)
Re: (Score:2)
Well then, let's hope those hackers do not use the information to fly drones around the place firing off missiles seemingly at random. That, or spend billions of dollars to take over countries only to generate civil wars. Then there is the whole idea of blackmailing all the world's political leaders to ensure they obey the dictates of US corporations, no matter how many of those countries' citizens are harmed by those dictates.
Bucket loads of people do DIE as a result of those things, you mean it could be
Re: (Score:1)
Fingerprints can't be reissued (Score:4, Insightful)
No shit sherlock.
At least this makes it obvious that fingerprint databases are ripe for abuse. I guess we can only hope this will lower the popularity of collecting it in the first place.
Re: (Score:1)
Fingerprints should never be available, and only as a query/response data store with id links that have no further info on the subject they belong to.
Just because you "want" to see it doesn't mean you "should" see it.
Re: (Score:1)
Technically, we can regrow fingerprints, but it's very expensive, and we have to alter the pattern.
Biometrics are frequently a lazy method that creates just as many problems as they solve. Most security breaches involve people spacing out. And if you make things too difficult, they subvert them, making them even more useless.
Re: (Score:1)
So someone can be sued when having conjectural evidence at best against that person and fingerprints "are highly unlikely" to be planted by somebody else. Let's say somebody walked near the crime scene and that person's fingerprints were found on the murder weapon. They just found the killer.
The problem is not the fingerprints but missing evidence and false claims.
Multi-factor is the only right way (Score:4, Insightful)
Re: (Score:3, Informative)
NO! A million times no!
Proper multi-factor authentication is ALWAYS "something you have" and "something you know". The idea is that if someone steals the thing you know (i.e. password), then they have to also steal something you have (i.e. hardware token / smartcard / phone, you name it). The hope is that even if you don't notice that your password is compromised, you'll notice when you lose your phone. Similarly, if someone copies the smartcard you have, they still don't know the PIN to access your acco
Re:Multi-factor is the only right way (Score:5, Insightful)
Re:Multi-factor is the only right way (Score:5, Funny)
Proper authentication is made up of at least two of the following:
Something you know
I have a big Dick
Something you have
A big Dick
Something you are
A big Dick
Huh - didn't know it would be so easy......
Re:Multi-factor is the only right way (Score:5, Funny)
Re: (Score:1)
Being a Big Dick and all, you are a perfect candidate to be in charge of security at OMB. Being a Dick seems to be the only qualification you need.
Don't be so silly. You have to also be a really big asshole.
Re: (Score:1)
"Something you are" = Somebody can verify the fingerprints came from you. It is an authentication process in case of fingerprints. If not, they are just a password, i.e. something you know.
Leverage (Score:4, Insightful)
What this breach really does is give Chinese agents leverage over U.S. citizens in sensitive positions. It completely destroys the ability of the U.S. Government to keep secrets... any secrets... away from a determined probe, because a Chinese agent WILL have information that gives sufficient leverage to conduct black mail against a person close to the secret.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
It's the beauty, and the bane of high technology (Score:1)
Secrets are harder to keep. Personally I see it as a bit of an equalizer, and makes warfare a bit more symmetrical, thus less effective in gaining supremacy.
Three takeaways (Score:4, Interesting)
As a former regional acting Security Officer, this whole thing brings three conclusions, which we all knew in the 80s when we set up security principles:
1. Full data should never be fully available on any external or easily linked database. It is far better to have a query/response system that does not have full details.
2. You don't need the full security clearance information unless you're looking for potential spies. Only the CIA internal agency and FBI internal agency data should have been internally available. Ever.
3. Linking position to clearance data (other than NEEDED level of clearance) is never a good idea. We used to keep that on locked laptops (yes, a decade before you civvies got them) in removable locked hard drives for that exact reason. In a safe that was fire proof. And EMP safe.
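The query/response design argued for above (and earlier in the thread, where a commenter wants fingerprint data held "only as a query/response data store with id links that have no further info on the subject") can be sketched in code. This is an added example, not anything from the original thread or from OPM: the record layout, ids, names and clearance levels are constructed, and the keyed-hash verifier is one assumed way to build such a store.

```python
import hashlib
import hmac
import secrets

# The kind of store the thread criticises: every field lives in one table,
# so one copied database yields names, positions and clearance levels at once.
# Sample records are constructed for this example.
FULL_DOSSIER_STORE = {
    "EMP-0001": {"name": "A. Example", "position": "Analyst", "clearance": "TS/SCI"},
    "EMP-0002": {"name": "B. Example", "position": "Clerk", "clearance": "SECRET"},
}


class ClearanceVerifier:
    """Query/response store: answers "does this id hold this level?" and nothing
    else. The table holds only keyed hashes (HMAC tags) of (id, level) pairs, so it
    carries no name, position or SF86 detail that a copy of it could reveal."""

    def __init__(self, key: bytes) -> None:
        # The HMAC key stays with the verifier (ideally in an HSM). Without it a
        # copied table cannot be matched against guessed (id, level) pairs offline.
        self._key = key
        self._tags = set()

    def _tag(self, person_id: str, level: str) -> str:
        msg = person_id.encode() + b"\x00" + level.encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def enroll(self, person_id: str, level: str) -> None:
        self._tags.add(self._tag(person_id, level))

    def holds_clearance(self, person_id: str, level: str) -> bool:
        # The only thing a caller ever learns is True or False.
        return self._tag(person_id, level) in self._tags

    def dump(self) -> list:
        """What an attacker holds after copying the table: opaque tags only."""
        return sorted(self._tags)


def offline_guess_without_key(dumped_tags, person_id: str, level: str) -> bool:
    """An attacker with the copied table but not the key hashes a guessed pair
    the obvious way; it never matches, because every stored tag is keyed."""
    guess = hashlib.sha256(person_id.encode() + b"\x00" + level.encode()).hexdigest()
    return guess in dumped_tags


def build_demo() -> ClearanceVerifier:
    """Enrol the constructed sample records; names and positions are NOT stored."""
    verifier = ClearanceVerifier(secrets.token_bytes(32))
    for person_id, record in FULL_DOSSIER_STORE.items():
        verifier.enroll(person_id, record["clearance"])
    return verifier


if __name__ == "__main__":
    v = build_demo()
    print("EMP-0001 holds TS/SCI:", v.holds_clearance("EMP-0001", "TS/SCI"))
    print("EMP-0001 holds SECRET:", v.holds_clearance("EMP-0001", "SECRET"))
    print("Copied table contains:", v.dump())
    print("Offline guess without key works:",
          offline_guess_without_key(v.dump(), "EMP-0001", "TS/SCI"))
```

Two caveats the design does not remove: the set of clearance levels is tiny, so anyone who obtains both the table and the key can enumerate it, and the online yes/no interface is still an oracle that needs rate limiting and audit logging.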
More Money? (Score:2)
"Intelligence" yields a pathetically low return on investment. If past history is any indicator (Philby, for example), the world is NOT going to collapse, things are NOT that grave, and except for the damage to the intelligence community, things are going to go on pretty much the same as always.
Can you tell me something? (Score:1)
Does everyone else who's been hacked by the US government ALSO have these grave and severe problems to look out for? Or is the concern only if "the wrong people" do it? Or only not a problem if "the right people" do it? If so, who decides?
TIA, 98% Of The World
So where is the rending of garments? (Score:5, Insightful)
Snowden hands over evidence that the NSA has been illegally spying on U.S. citizens and Allies (not to mention perjuring itself before Congress) to an American journalist resulting in a careful release of some data to prove the allegation and the feds call for his head on a platter, even risking an international incident or two to try to disappear him.
The OPM fumbles and hands over 4.2 million very detailed dossiers on federal employees and 21 million others with security clearance to China and the feds say "no worries, we'll give you a year of credit monitoring.....eventually.".
Re: (Score:2)
OPM =/= NSA/CIA
The Office of Personnel Management is not the same organization as NSA/CIA.
So you compare the IRS to the State Department just because they both have sleazy employees?
Re: (Score:2)
It is considered confidential and PII, and should be controlled in that manner. I agree fully that they screwed up, but unfortunately, the gov organization in charge of information security (NSA - communications, DISA - computers) isn't allowed to tell them to get their act together.
As far as I know, the NSA isn't involved too much in the investigation. I do expect heads will roll over this though, it is just a matter of getting to the bottom of it.
Re: (Score:2)
True, but unlike all of the domestic spying going on, securing American networks and government systems from foreign attack is very much part of their charter. They blew it big time.
Re: (Score:2)
The NSA has its collection systems, the CIA has its own vast duplicated networks.
That is not on some open, random, unencrypted, English searchable database in the USA waiting for any internal or external search request.
Very few nations keep any data in any readable form that can walk. East Germany lost its list of trusted staff to the West
Re: (Score:2)
It's pervasive and powerful all right. It's just that it has the Competence of the Three Stooges and the level headedness of the Queen of Hearts.
Re: (Score:2)
In anticipation of counterarguments: I'm not saying the government has reacted appropriately to the OPMI breach. No, I
Re:So where is the rending of garments? (Score:4, Insightful)
And meanwhile, Snowden's release had a strong element of public interest to it. There is no public interest in OPM's screw up.
Re: (Score:2)
Re: (Score:2)
Actually, I meant in the other sense. The American public has a right to know that an agency of its government is illegally spying on them. The public has no such overriding interest in the personal details of federal employees.
Non-issue (Score:3)
This is a non-issue for several reasons, among them:
1) Covert officers travel under diplomatic cover, and most diplomats have security clearances. This will not stand out.
2) It's already trivial for a nation-state to identify spies under diplomatic cover. We know who theirs are, and they know who ours are. Diplomatic cover is not about cover; it's about *diplomatic immunity*, so if they get pissed at our spies, all they can do is kick them out, and vice versa.
3) Non-official cover employees are harder to detect, but they generally only hide their present employment, not their past employment, and usually have cover stories, not cover identities/jobs. See: Valerie Plame. At best, you can use fingerprints to confirm that they are who they say they are, which they're not lying about anyway, so...
The real danger is blackmail. The employer already knows what infractions are listed on the SF86, of course, but the general public may not. Affairs, drug usage, and to a lesser degree, expunged criminal history, arrest record, financial issues, etc. Just download an SF86 and look it over. Depending on the individual, it could be a scandal that they'd rather avoid, and/or that the employer would rather avoid. e.g., "Why would you hire someone who smoked crack?"
Re: (Score:2, Insightful)
Covert officers do not travel under diplomatic cover. You're thinking of non-covert officers, i.e. the "official" spies with diplomatic immunity. The only thing covert, if at all, is that they nominally hold some official position with the embassy. Although often it's an intelligence-related position.
Covert officers have their status as an officer of the U.S. government classified, and they enter countries as tourists or under some other cover. And when arrested they get to sit in prison. Thus, if you have
I'm from the Chinese Government (Score:2)
Re:I'm from the Chinese Government (Score:4, Insightful)
Also, can we contact you later if we need copies of your copies as backups? Thanks!
Don't get it. (Score:4, Interesting)
Still don't get why China would launch hacking attacks from their own country's ip range, which is why I'm a little leery of the press reporting on this story. Even the government is giving mixed signals [fas.org] as to China's involvement:
Officials are still investigating the actors behind the breaches and what the motivations might have been. Theft of personally identifiable information (PII) may be used for identity theft and financially motivated cybercrime, such as credit card fraud. Many have speculated that the OPM data were taken for espionage rather than for criminal purposes, however, and some have cited China as the source of the breaches.
and
Speaking at an intelligence conference on June 24, 2015, Admiral Michael Rogers, director of the National Security Agency and head of U.S. Cyber Command, declined to discuss who might be responsible for the attacks, stating “I’m not [going to] get into the specifics of attribution.... That’s a process that we’re working through on the policy side. There’s a wide range of people, groups and nation states out there aggressively attempting to gain access to that data.” Speaking at the same conference a day later, however, Director of National Intelligence James Clapper identified China as the “leading suspect” in the attacks. Mr. Clapper expressed grudging admiration for the alleged hackers, noting “[y]ou have to kind of salute the Chinese for what they did.... You know, if we had an opportunity to do that, I don’t think we’d hesitate for a moment.”
So, there still is an investigation going on over the breaches, though some intelligence officials like Clapper are already fingering China as the culprit. I think it would be more sensible to follow Admiral Rogers's caution as to assigning blame for the breach given the fact that there is a "wide range" of groups and nations aggressively trying to get access to the data and US systems. It's certainly possible that whoever did it simply used China IP space to launch the attacks in order to cast suspicion on China. So why then are the press and certain government officials beating the drum to cast blame for the attacks on the Chinese?
If the United States chooses to respond in other ways to intrusions from China, experts have suggested that China has multiple vulnerabilities that the United States could exploit. “China’s uneven industrial development, fragmented cyber defenses, uneven cyber operator tradecraft, and the market dominance of Western information technology firms provide an environment conducive to Western CNE [computer network exploitation] against China,” notes one scholar of Chinese cyber issues.
Ah, now I get it.
Re: (Score:1)
Well, according to this [washingtonpost.com], the theory kinda falls flat. The US would do it in a heartbeat and it's all fair game really:
Jail? (Score:2)
Clearly, the government's priorities are screwed up.
Comment removed (Score:5, Interesting)
Re:You want to know why the system is broken? (Score:4, Insightful)
You're assuming, of course, that the gross incompetence displayed by the OPM is somehow exceptional. How quickly we forget that RSA had their most highly sensitive databases cracked by the Chinese, which stored the secret keys to tens of thousands of key fobs used to access highly classified government and contractor offices and databases.
If there's gross incompetence here, it's the NSA, and specifically NSA leadership. By choosing to stymie and hold back security technology, they're the ones responsible (more than any other single entity) for the horrendously poor choices we have in terms of securing infrastructure. It's not just about algorithms. They've been putting up roadblocks to pervasive use of public-private key smart cards, for example. They do so by suggesting this or that might be illegal; or this or that might lead to a loss of government contracts. They push overly complex standards that they know will never see pervasive adoption.
The incompetence is that they failed to understand that COTS solutions _must_ be secure. There's simply no way to cultivate and grow a market of secure solutions for the government while sabotaging COTS markets. They're too interconnected. Plus government has to hire the bulk of their IT and engineering staff from the private, COTS-focused job market.
And the NSA miscalculated how quickly other countries would adopt secure solutions in the U.S. As incompetent as the U.S. government can be, it pales in comparison to the incompetence of Russian, Chinese, and other governments we need to spy on. It doesn't matter how cheap or easy to acquire secure solutions are, if an incompetent bureaucracy would fail to implement them properly.
You're assuming the OPM is uncharacteristically incompetent. But they're almost certainly not. The intelligence agencies sabotaged the market in security solutions, so it's entirely predictable that large organizations will fumble the task of securing this information while making it readily available and usable. Remember, the latter is their primary task. Maybe you're a system administrator. Sysadmins seem to think their job of "securing" things is accomplished only when things are locked down so tight nobody can actually make use of the information or resources. I'm a programmer, and to me the failure here is the lack of simple and secure solutions.
SF86 implications (Score:5, Insightful)
Some perspective (Score:5, Interesting)
Just to put recent events in perspective:
1) The Chinese grab a database of our personnel, which lets them impersonate anyone (in the database), find spies and ongoing projects, blackmail federal workers for more information... and no one is charged with incompetence, fired, or even blamed.
2) David Petraeus, former director of the CIA, gave classified information to his biographer/mistress to make him seem more powerful... he pleads guilty, gets a $40,000 fine and 2 years probation.
3) Edward Snowden releases summary information about widespread illegal activity by the U.S. spy services. No specifics about operations or personnel were leaked, resulting in no deaths and no aborted operations(*) ...he's banished from the U.S.
4) Chelsea [nee Bradley] Manning releases video evidence of war crimes committed by the U.S. military, literally gunning down members of the international press and other civilians with no provocation... was subjected to months of cruel and unusual punishment (tortured, per U.N. definition of torture), sentenced to 35 years in prison, and given dishonourable discharge.
(*) Quoth the office of the president: "Mr. Snowden's dangerous decision to steal and disclose classified information had severe consequences for the security of our country..."
Double standards (Score:5, Insightful)
So Edward Snowden can't be pardoned because of "all the damage" he did to our security (which is nonsense for the record).
But on the other hand these clowns can allow something orders of magnitude worse to happen that has real, actual consequences for security, and not a damn thing will happen to them.
Re: (Score:2)
Oh, wait ...
Someone needs to be shot... (Score:2)
... There is a certain level of incompetence that is so unacceptable that you can't do anything besides line up some people against a wall and blow them away... and then move forward with everyone on the same page that "X was fucking unacceptable."
I don't know what else it is going to take to get these government fuckwits to take security seriously besides a literal firing squad.
I don't want to do it... I just don't know how to get through to these people. They're so fucking stupid.
Don't tell me, let me guess.... (Score:2)
Some government dimwit is going to cry over "chronic under funding" leading to this whole mess. Just like when the Amtrak train flew off the tracks. Never mind that the guy was driving the train at TWICE the speed he should have been. Noooooo....more money...that's what we need. Yeah, that'll fix everything.
When are people going to realize that more money is not the solution. The solution is to get rid of idiots that cannot/will not enforce policies.
Re: (Score:1)
The solution is to get rid of idiots that cannot/will not enforce policies.
Can you still call it a government if there aren't any people in it?
Re: (Score:2)
Well, that raises a good point. How do we get competent people to work for the government by choice? I've done a lot of contracting work for government agencies and the like so I speak with some authority on this. There are some good, hard working, competent people in government. No really - there are.
The problem is that almost none of them - in my experience - are in management or leadership positions. Now some might say that is true in the private sector as well. No argument there - there are certainly a
Kidnapping (Score:2)
DoD too, or just civilians? (Score:2)
I've been trying to find out whether the breach of background investigation info also includes military. I underwent an FBI background check in the 90's, and if there are 21 million records stolen, I have a feeling mine could be one of them. The paperwork I had to fill out pretty much told my life story, and I had to give names and addresses and phone numbers of people I knew. Which the FBI didn't talk to, they asked for others that knew me from those 5. Hell they even interviewed my high school counse
Those employees' careers are burned (Score:1)
If security trumped everything, those employees would all be retrained and reassigned to completely unrelated tasks and their previous access yanked as soon as their replacements could be trained.
Now, that's not going to happen except in a relatively small percentage of individuals.
Instead, our country is probably going to take the risk that this info will be used to hurt us rather than pay the cost of losing a valuable employee 21 million times over.
Re: (Score:1)
What Federal Employees should really worry about (Score:2)