China's hackers stole files on 4 MEELLION US govt staff? Bu shi, says China

China is fending off accusations it was behind the theft of personal dossiers on four million US government workers – some of whom had applied for or were granted security clearances. China's foreign ministry spokesman Hong Lei told NBC News: "We hope the United States could discard this kind of suspicion and stop groundless …

  1. Anonymous Coward

    Told you so

    I've said it before and I will openly say it again:

    Security intrusions will continue to happen until the entire IT world accepts the fact that TCP/IP is not appropriate for 21st century needs. The IT world is living in denial: being inherently insecure, with no designed-in security protocols, TCP/IP was acceptable 20 years ago but is not going to cut it in today's government supported, hacker-filled & espionage-filled world. Firewalls, credentials and other add-on structures - patches to the system - can only go so far.

    Data communication must be encrypted at the SOURCE, by DEFAULT, across the world. Period. Anything else is simply a continuous data theft, waiting to happen.

    And yes, I've got my Nomex on. Go ahead and spread the hate as you wallow in the past, expecting what worked then to be perfectly acceptable now.

    1. Chris Miller

      Re: Told you so

      Good luck trying to replace IP on every computer in the world. We've been trying with IPv6 (which, incidentally, handles end-to-end encryption far better than IPv4) for 20 years, with 'limited' success.

      And getting everyone to encrypt everything all the time would require some system of universal PKI. Even better luck getting that to work.

      Finally, most of these large-scale data thefts have been carried out by internal malware, introduced because someone clicked a link on an apparently legitimate email. How will universal encryption prevent that? It might even make the problem worse by inhibiting scanning of incoming emails.

    2. Destroy All Monsters Silver badge
      Facepalm

      Re: Told you so

      > TCP/IP is not appropriate for 21st century needs

      Yeah well maybe you should go back to the course on "Infosec 101" because if you think TCP/IP is the problem, I have a bridge in lower Manhattan, very cheap...

      "He overdosed on alcohol? Clearly the fault of the glass bottles!"

      > Data communication must be encrypted at the SOURCE, by DEFAULT, across the world. Period. Anything else is simply a continuous data theft, waiting to happen.

      You may want to explain how encrypting data communications will prohibit data being exfiltrated in the first place. Your voodoo is weak...

      Ok, start with The Orange Book and work your way forward, slowly...

    3. swampdog

      Re: Told you so

      The Internet was designed to be anarchy. No amount of legislation will change that. Legislation will just fuck it up.

      Folks do not need all these protocols. Just use an encrypted tunnel.

    4. Anonymous Coward

      Re: Told you so

      > Security intrusions will continue to happen until the entire IT world accepts the fact that TCP/IP is not appropriate for 21st century needs.

      It's like you have had your house burgled but you are complaining that the fundamental design of roads makes it too easy to car-jack someone. You've rather missed the point.

  2. W Donelson

    Jeez

    Sure, the US may have security problems, the whole world has problems...

    But you can bet the Chinese are JUST as bad as everyone else in this.

    Don't blame the victim, bozos.

    1. Stuart 22

      Re: Jeez

      The surprise was not the breach but the size of the breach. And I am going to blame the victim if this resulted from a single breach. Breaches will always happen no matter how careful you are. The issue is to minimise the consequences of a breach. This, and the Sony experience, suggest that their data wasn't properly compartmentalised. The hackers once in just ran riot.

      I know this is difficult if you are trying to run a universal emergency patient database - but an HR database? This needs to be soundly sandbagged. Makes it much harder for the hacker with multiple opportunities for early detection as the hacker attempts to search across boundaries.
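The "early detection as the hacker attempts to search across boundaries" idea above is easy to turn into a concrete check. The following is an added example, not code from the thread or from any agency; it assumes a constructed audit-log format of `<ISO timestamp> <principal> <compartment> <action> <row count>` and a hypothetical entitlement table (`POLICY`) saying which compartments each principal may read. It flags three things a compartmentalised HR store would let you see: reads outside a principal's entitlement, one principal sweeping several compartments inside a short window, and unusually large reads.

```python
"""Cross-compartment access detection over constructed audit-log lines.

Added example (not from the original thread). Log format and the POLICY
entitlement table are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a normal HR clerk, then a service account that starts
# sweeping compartments it has no business in, late at night, in bulk.
SAMPLE_LOG = """\
2015-06-04T09:00:12 hr_clerk_17 hr_payroll read 40
2015-06-04T09:05:41 hr_clerk_17 hr_payroll read 35
2015-06-04T09:07:03 hr_clerk_17 hr_benefits read 12
2015-06-04T22:14:09 svc_backup hr_payroll read 9000
2015-06-04T22:15:30 svc_backup hr_benefits read 7000
2015-06-04T22:16:55 svc_backup clearance_sf86 read 120000
2015-06-04T22:18:02 svc_backup investigations read 45000
"""

# Assumed entitlement table: compartments each principal is allowed to read.
POLICY = {
    "hr_clerk_17": {"hr_payroll", "hr_benefits"},
    "svc_backup": {"hr_payroll"},
}


def parse_line(line):
    """Split one constructed audit line into a dict with typed fields."""
    ts, principal, compartment, action, count = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "principal": principal,
        "compartment": compartment,
        "action": action,
        "count": int(count),
    }


def detect(log_text, policy, window=timedelta(minutes=30),
           max_compartments=2, bulk_threshold=5000):
    """Return a list of (rule, principal, detail) alerts for the log text."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []

    # Rule 1: any read outside the principal's entitled compartments.
    for e in events:
        if e["compartment"] not in policy.get(e["principal"], set()):
            alerts.append(("unauthorised_compartment", e["principal"], e["compartment"]))

    # Rule 2: one principal touching more than max_compartments distinct
    # compartments within `window`; the boundary crossing is the signal.
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["principal"]].append(e)
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            seen = {x["compartment"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(seen) > max_compartments:
                alerts.append(("cross_boundary_sweep", principal, tuple(sorted(seen))))
                break  # one alert per principal is enough

    # Rule 3: bulk reads, which are how "ran riot" looks in the numbers.
    for e in events:
        if e["count"] >= bulk_threshold:
            alerts.append(("bulk_read", e["principal"], e["compartment"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, POLICY):
        print(alert)
```

Each rule is cheap on its own; the point is that none of them can fire unless the data is split into compartments with per-principal entitlements in the first place. On the constructed sample only `svc_backup` trips anything, and it trips all three rules.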

    2. Alan Brown Silver badge

      Re: Jeez

      Given the number of compromised boxes I've detected in China which are clearly being used by non-Chinese skiddies, the victims here aren't the OPM.

      Pay no attention to the man behind the curtain, concentrate on the smoke and mirrors.

    3. Tomato42
      FAIL

      Re: Jeez

      problem is that IT is woefully underfunded and its importance underrated

      we really need to change that, because a world where a bored teenager will be able to wreck half the federal agencies is not a nice one when really malicious actors start using it

      the only way to fix it is to start finger pointing and demanding real solutions, not just "security audits" that achieve squat

    4. Anonymous Coward
      FAIL

      Re: Jeez

      The victim is absolutely to blame! Everyone today is so fucking worried about how the l'users will feel about a change, instead of forcing the users to comply. You want a fucking benefit - YOUR JOB. Every day I'm told how implementing best practices will inconvenience the user and therefore that sound architecture WILL BE SHELVED. WHAT?!?

      You can't handle sensitive information and visit snaptwitter and facetube ON THE SAME FUCKING HOST! And yet, still you have compromise after compromise. If you take China's repressive network policy and apply it where it needs to be - @WORK, maybe that shit won't leak.

      Everyone out here is like, "OMG, this place is so awesome to work. We get free this and free that, and I can bring in any device I want and connect and waste all day long planning my wedding that will last 2 years.....and my brats love the new retina display on my work PC, so I give it to them to play with to keep them outta my hair, and it's so awesome". TAKE A FUCKING BREATH!

      1. doctorchatterteeth

        Re: Jeez

        TAKE A FUCKING BREATH

      2. doctorchatterteeth

        Re: Jeez

        You sadly cling to some hyper secure system that doesn't include users. (have you never purchased shoes or dinner reservations on your work pc?)

  3. Badger Murphy

    Fingers of blame can still point

    I certainly am willing to concede that it is likely that their network security was lacking, since network security seems very rarely to be fully and well implemented. HOWEVER, poor security doesn't necessarily obfuscate who the attacker was any more than if there had been good security.

    If I leave the doors to my house unlocked and then get robbed, a crime still took place, and the culprit is still the culprit. Poor security doesn't change the identity of or level of guilt of the attacker.

    If the Chinese government was not to blame, so be it, but the level and quality of the security that was breached is tangential to the matter of assigning blame.

    1. Mark 85
      Alert

      Re: Fingers of blame can still point

      I think you're onto something. It could have been the Norks or a script kiddie, but since the US Government was the target, it has to be a big nation state that did it. We wouldn't want the government to be a laughing stock now, would we?

      1. Anonymous Coward

        Re: Fingers of blame can still point

        ...but...but...these are the people who are telling us we're not grown up enough to have encryption! And then they get broken into too! We're DOOMED, I tell you...DOOOOOOMED!

    2. Solmyr ibn Wali Barad

      Re: Fingers of blame can still point

      point a finger

      three point back

  4. John H Woods Silver badge

    "HOWEVER, poor security doesn't necessarily obfuscate who the attacker was any more than if there had been good security ... the level and quality of the security that was breached is tangential ..." --- Badger Murphy

    I disagree: the higher the level of security, the more restricted the pool of potential culprits. Some attacks are so sophisticated (Stuxnet?) that they are almost certainly nation-state sponsored; on the other hand, a very poorly secured system can be successfully attacked by a much wider range of attackers, including script kiddies and people emailing executable trojans. It must therefore be true that it is harder to justify allegations that a nation-state has attacked you if your security is of a level amenable to much less highly resourced attackers, unless you have very significant evidence of the origin of the attack.

  5. Kevin McMurtrie Silver badge
    Devil

    Pleading ignorance

    CHINANET hasn't had a working abuse contact in something like 16 years, so of course China would know nothing of the non-stop attacks coming from that government network.

  6. Gray
    Trollface

    Of course they didn't!

    If they say they didn't, then that's good enough for me! And of course, those growing "sand islands" in the South China Sea have nothing to do with territorial aggression ... after all, it's called the South China Sea for a reason, right? And I've taken great comfort in Putin's reassurances that Russia has nothing whatsoever to do with the rebellious discontent in eastern Ukraine.

    1. Alan Brown Silver badge

      Re: Of course they didn't!

      If China really wanted to screw over the USA all they need to do is prevent exports going there for six months.

      The rest is simply noise.

  7. Anonymous Coward

    Defenseless

    The people who run our governments either proudly revel in their ignorance or feign a level of understanding that doesn't hold up under close examination. These are the same leaders who decided to turn over the administration of publicly owned computer systems to private contractors who were the lowest bidders and have over time demonstrated neither the competence nor the dedication needed to keep those systems safe. Our government agencies, including our militaries, lack the capability to run their own networks or systems. The truth is they have no way to independently verify that their chosen contractors are doing their jobs.

  8. 0_Flybert_0

    .. what were the gateway systems ?

    .. Windows ? .. how many XP machines still running ? .. what flavor servers ?

    .. just curious .. can we trust our data to Windows clients and Servers run by government IT ?

  9. Anonymous Coward
    Flame

    Pot, kettle..

    Considering a state-sponsored US criminal gang has been happily collecting data illegally on hundreds of millions of people in Europe alone (and gawd knows how many elsewhere in the world), aided and abetted by Dear Old Blighty's own state-sponsored cybercriminals (I'm looking at YOU GCHQ, and feeling disgusted that you exist in a country I once signed up to help defend) - I can only wonder how the US has the chutzpah to express any kind of outrage at having its own data snooped upon.

  10. Chris Miller

    "You can't defend yourselves well if you don't know what systems you have and where your data is,"

    True, but in a large organisation running many hundreds or thousands of server instances (most of them virtual, of course) the chances that the poor old admins are aware of every single one of them are slim to none. And even if you're confident that you have such control today, you probably won't tomorrow.

    Your security defences need to be sufficiently powerful and flexible to cope with the inevitable 'rogue' server.

    1. Tomato42
      Boffin

      if you run puppet or ansible you are aware and have catalogued every single machine, including transient virtual ones

      1. Chris Miller

        Just to clarify - I'm not suggesting that you shouldn't even attempt to catalogue every server instance in your organisation, just that you need to recognise that you're unlikely to achieve perfection, and therefore need a plan to cope with the 'known unknowns'.
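The two posts above are not really in conflict: the config-management inventory is the "known" list, and the plan for the 'known unknowns' is to compare that list against what is actually seen on the wire. The following is an added example, not code from the thread, Puppet or Ansible; it assumes a hypothetical `hostname,ip` inventory export and constructed DHCP lease and flow-record lines (the formats are illustrative, not any particular tool's). It reports addresses in the managed range that are talking on the network but are not in the inventory (rogue), and inventory entries that nothing has observed (stale).

```python
"""Reconcile a config-management inventory against hosts observed on the network.

Added example (not from the thread). Inventory export format, DHCP lease
format and flow-record format are all constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed inventory export, as a CMDB or Puppet/Ansible run might produce.
INVENTORY_CSV = """\
hostname,ip
web01,10.1.0.11
web02,10.1.0.12
db01,10.1.1.21
ci-runner-a7,10.1.2.40
"""

# Constructed DHCP lease log: "<epoch> <mac> <ip> <hostname>".
DHCP_LEASES = """\
1433412000 00:11:22:33:44:55 10.1.0.11 web01
1433412060 00:11:22:33:44:66 10.1.0.12 web02
1433412120 de:ad:be:ef:00:01 10.1.0.99 *
"""

# Constructed flow records: "<src_ip> <dst_ip> <dst_port> <bytes>".
FLOWS = """\
10.1.0.11 10.1.1.21 5432 8192
10.1.0.99 10.1.1.21 5432 524288
10.1.3.7 10.1.1.21 5432 1024
10.1.1.21 10.1.0.11 44321 4096
"""

# Assumed: the address range the organisation considers "ours".
MANAGED_RANGE = ipaddress.ip_network("10.1.0.0/16")


def load_inventory(text):
    """Map each inventoried IP address to its hostname (header line skipped)."""
    inv = {}
    for line in text.splitlines()[1:]:
        host, ip = line.split(",")
        inv[ipaddress.ip_address(ip)] = host
    return inv


def observed_hosts(dhcp_text, flow_text):
    """Collect every IP seen in DHCP leases or flows, with the evidence source."""
    seen = defaultdict(set)
    for line in dhcp_text.splitlines():
        _, _, ip, _ = line.split()
        seen[ipaddress.ip_address(ip)].add("dhcp")
    for line in flow_text.splitlines():
        src, dst, _, _ = line.split()
        for ip in (src, dst):
            seen[ipaddress.ip_address(ip)].add("flow")
    return seen


def reconcile(inv, seen, managed=MANAGED_RANGE):
    """Return (rogue, unobserved): on-the-wire-but-uninventoried, and
    inventoried-but-never-seen, restricted to the managed range."""
    rogue = {ip: sorted(src) for ip, src in seen.items()
             if ip in managed and ip not in inv}
    unobserved = {ip: host for ip, host in inv.items() if ip not in seen}
    return rogue, unobserved


if __name__ == "__main__":
    rogue, stale = reconcile(load_inventory(INVENTORY_CSV),
                             observed_hosts(DHCP_LEASES, FLOWS))
    for ip, evidence in sorted(rogue.items()):
        print(f"rogue     {ip}  seen via {', '.join(evidence)}")
    for ip, host in sorted(stale.items()):
        print(f"unobserved {ip}  inventory says {host}")
```

The rogue list is what the 'known unknowns' plan has to act on: in the sample, `10.1.0.99` took a DHCP lease with no hostname and then pulled half a megabyte from the database host, which the inventory alone would never have shown.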

  11. WonkoTheSane
    Holmes

    Security Clearances

    I read "elsewhere" that the OPM also handles gubmint security clearances.

    Maybe this data grab was a diversion, and the clearance database now contains a few more names than the last backup might indicate?

  12. John Savard

    An Operating System of Their Own

    And, in fact, a processor API of their own. Yes, 'security by obscurity' is not real security, but it's a basic first step none the less. Except for machines such as IBM z System, Unisys ClearPath Libra and Dorado, and SPARC servers from ORACLE, all Federal government computers should use a customized secure version of Linux or BSD, running on some less-popular chip architecture like that of the PowerPC.

    That way, all the zero-day vulnerabilities in Windows and even OS X would avail hackers not a bit; they'd have to really work at it to get into those computers. (Given the BSD license, that may be a better choice, because then Uncle Sam would be under no obligation to disclose the source of the version of the OS they're using.)

    1. Anonymous Coward

      Re: An Operating System of Their Own

      > running on some less-popular chip architecture like that of the PowerPC

      Huuh? Exactly how would PowerPC have prevented this attack?

      Which PowerPC? Big-Endian? Little-Endian?

      You realize that, once the attacker has gained direct access to the data - which appears to have been the case here - the ISA the Operating System is running on is irrelevant?

      1. Peter Gathercole Silver badge

        Re: An Operating System of Their Own @ST

        I can't comment on this attack, but if you have a processor with a different instruction set, then many of the stack smashing and buffer overrun vulnerabilities disappear, at least until the malware becomes clever enough to identify the processor architecture before dropping machine code into the target system.

        The issue here is that we are fast approaching a monoculture, with x86-64 processors becoming ubiquitous, so there is only one processor target. Granted that different OSs give some protection, but however you do it, if you can get some valid machine code injected and executing on a system, then many things are possible.

        Obviously, x86-64 machine code is not valid on, say, a system with an ARM or POWER or Z processor, so this type of attack becomes invalid in the short term. But this only remains the case until another processor type is sufficiently widely deployed to make it worth attacking, where upon you have the existing problems, just with some additional wrinkles.

    2. Vic

      Re: An Operating System of Their Own

      > Given the BSD license, that may be a better choice, because then Uncle Sam would be under no obligation to disclose the source of the version of the OS they're using

      Any obligation they might have so to do has nothing to do with the licence...

      Vic.

  13. W. Anderson

    One pertinent contributor to the weaknesses of UK government infrastructure has been its overarching reliance and fondness for technology almost exclusively from Microsoft - until very recently - which has never been an advanced or formidable networking or technology security expert company - by any means.

    While it may be near impossible to "totally" secure any national government (or enterprise) IT infrastructure, placing all one's bets on crappy 20th century technology in year 2015 and beyond is ridiculous, and maybe now the UK government will come from under the skirt of US technology dependence.

  14. Anonymous Coward

    But...but...the Uber Snooper NSA program should have seen this coming a mile away right? Oh, it never stopped anything? Oh, sorry, I misunderstood when they said that they were keeping us safe from the t'erists.

  15. Anonymous Coward

    American spy doomsday

    What this means, even if the US doesn't realize it yet, is that the entire clandestine service has been stripped naked. When Snowden talked about being able to turn out the lights on American intelligence, it would look something like the OPM hack.

    Never again, with any current or former employee of the Federal government, can an American intelligence agency place an operative in China or Russia. Not only that, China now has all they need to hunt or turn these people the world over.

    A lot of people are going to start disappearing from their posts soon, either voluntarily if they're smart, or involuntarily if they're not.

    1. Winkypop Silver badge
      Facepalm

      Re: American spy doomsday

      Meanwhile: Tinfoil prices are up!

  16. crayon

    'And of course, those growing "sand islands" in the South China Sea have nothing to do with territorial aggression ... after all, it's called the South China Sea for a reason, right?'

    Of course not, otherwise the US would have accused Vietnam and the Philippines of territorial aggression already because they have been building "islands" and outposts years before China got in on the act.

    "And I've taken great comfort in Putin's reassurances that Russia has nothing whatsoever to do with the rebellious discontent in eastern Ukraine."

    And so you should because Russia has as much to do with the rebellious discontent in eastern Ukraine as the US had to do with the overthrow of the previous democratically elected government of Ukraine.

    1. Dan Paul

      Go back to watching....

      Putin TV and smoking the opium bong.

      Really, the previous "democratic election" in Ukraine had way too much in common with the "democratic elections" in Russia. The only thing "democratic" about it was you had a "choice" of handpicked Putin Oligarchs to choose from. The US had nothing to do with Ukraine or we'd have better relations with them right now. Nothing like the Russian invasions of eastern Ukraine and Crimea, all instigated by Putin the barechested and his cronies. Have to have someplace for the cronies to build vacation homes.

      BTW Those "Islands" are out way beyond any concept of territorial waters that any sane rational country recognizes. They are there just to cause issues. This coming from the one country that has "good relations" with North Korea. Another indication China is off its rocker.

  17. Anonymous Coward

    Alas, poor COBOL! I knew him

    25 years ago.

  18. Anonymous Coward

    Love the title.

    Bu Shi = no in Chinese. Headline robot on form with this one :-)

  19. Anonymous Coward

    Unusable.

    Any network that is secure enough to prevent any hacking at all will be completely unusable. If you have files that absolutely positively must be kept private, store them on a machine that is PHYSICALLY isolated from the internet. The same goes for all other vital systems. If they cannot be messed about they must be isolated from the internet. Otherwise, you are tying your goat up in a public place. It WILL be stolen just for giggles if nothing else.

  20. Anonymous Coward

    These are the people who want a backdoor into your network to help strengthen your cybersecurity.
