4 new twists that push the hacker attack on millions of US govt workers into WTF land

The data breach that recently hit the US government's Office of Personnel Management, in which personnel records for millions of federal workers were swiped, is worse than first feared, sources claim. According to new reports that emerged on Thursday, the attack was active for more than a year and the pilfered information …

  1. ~mico
    Angel

    Demo impact level:

    GODLIKE!

    This must have been the security company's best demonstration ever.

    1. Anonymous Coward

      Re: Demo impact level:

      How do you tell them? You're sitting in a room full of your equipment and a connection to their network...and you see something...

      On the other hand, I sure as hell hope that this was the FIRST IDS/IPS vendor demo, and not the 6th or 8th.

      El Reg, I think this would be an important piece of information for your audience. Especially if you can get the names of any vendors whose presentations preceded CyTech's.

  2. Mark 85
    Facepalm

    And the idiots in Congress responses have been...

    .... we need more surveillance.

    http://www.theregister.co.uk/2015/06/11/cyberspying_cisa_amendment/

    1. amanfromMars 1 Silver badge

      Re: And the idiots in Congress responses have been...

      Hi, Mark 85,

      Methinks rather than more surveillance, would idiots in Congress, the United States of America (and is that a monster oxymoron) and everywhere else also, greater intelligence is needed to play effectively and win win rather than always be on the losing side of the GIG (Greater IntelAIgent Game).

      And guaranteed success and quite perfect enough stealth for all and/or any sort of public and/or private and/or pirate missions in Realities and the Live Operational Virtual Environment are automatically/autonomously provided whenever such an obvious inherent deficit is denied and left as a titanic 0day rich vulnerability to exploit and enjoy and export and expand.

      1. Mark 85

        Re: And the idiots in Congress responses have been...

        My head hurts with this.... so I'll ask back:

        1) Rather than increase surveillance of their population, would it not be better for Congress to insist that the government systems be patched and have what we civilians would call "normal" security systems in place? They failed their own audit.

        2) To what purpose would increasing the surveillance of the populace do to prevent the government systems from being broken into?

        Senator Burr's recommendation was exactly that. Ignore the problem and step up domestic snooping.

      2. amanfromMars 1 Silver badge

        Re: And the idiots in Congress responses have been... @amfM

        Hmmm? 14 down votes (at 0705 hrs Sunday) without any explanatory commentary for the alien comment on the Congressional idiots is like a poor attempt at misdirection and alternate perception management, and that view would be fully supported after a read of this short paper, supplied to the U.S. Office of the Director of National Intelligence ...... Cyberwar, Netwar, and the Future of Cyberspace

        Are there such things as dodgy government sponsored trolls and shills with not much more to do other than deny the truth and try to spin a dumb picture into a smarter landscape?

        Leading intelligence integration cannot even start without building upon the truths of the day and the exploiting and exporting of vulnerabilities and opportunities for and with awesome 0days. Square that circle and APT ACTive riddle, wrapped in a mystery, inside an enigma is AI Key ..... Advanced Internetional Key.

    2. Pen-y-gors

      Re: And the idiots in Congress responses have been...

      Of course they're saying stupid things. They're all being blackmailed by the Chinese and forced to say them!

      1. pyhoff@gmail.com

        Re: And the idiots in Congress responses have been...

        They will grab on to anything to claim we need more surveillance. It's the only words they have in their current voice chip.

      2. Marshalltown

        Re: And the idiots in Congress responses have been...

        "...They're all being blackmailed by the Chinese and forced to say them!"

        Nah, they're in congress. First, congress folk are not, sadly, "Federal employees," else we could fire them. Second, they are in Congress which means that 'stupid' - or minimally "as ignorant as a summer day is long in Alaska" - was part of the job description.

      3. Jaybus

        Re: And the idiots in Congress responses have been...

        They will say anything that comes to mind if there is a chance it will be quoted somewhere because it pertains to some current event. That it happens to be stupid is, well, garbage in - garbage out.

  3. Ole Juul

    They gambled - and lost

    "the attack carries with it a significant monetary cost"

    One cost will be installing the security measures they never had.

  4. Anonymous Coward

    I wonder...

    Will they dump everything they got to pastebin?

  5. Anonymous Coward

    Glad that top administration officials were affected

    Having their privacy taken from them by the Chinese government doesn't feel any better than when us peons have it taken from us from our own government.

    At least it isn't hackers out for identity theft, though assuming it wasn't that tough to break in, the Chinese government hackers may not be the only ones who got access to this data.

    1. skeptical i
      Pirate

      Re: Glad that top administration officials were affected

      re: "At least it isn't hackers out for identity theft", this might not have been the immediate intent, but now that they (whoever "they" is) have the data how long will it sit around before someone tries to monetize it?

  6. thx1138v2

    "Federal employees deserve better than this." Now that is hilarious. Why would they deserve better service than what they give the U.S. citizens? Are they more deserving than the people who pay their salaries?

    1. Doctor Syntax Silver badge

      "Now that is hilarious."

      Not really. Everyone deserves better than this. That would include Federal employees.

    2. Terry 6 Silver badge

      Oh FFS!!!

      "Why would they deserve better service than what they give the U.S. citizens?"

      Because they ARE US citizens.

      And they ARE NOT mostly working in the department that screwed up.

      They are not some strange hive colony different from other people.

      These are ordinary citizens who do their daily jobs just like you do.

      Get their pay packet.

      Live their lives.

      And they have the same right to expect their employer to keep files confidential that you have.

      (Except that an El Reg commentard in this situation may well be one of the people responsible for not securing the data).

    3. Tom 13

      @thx1138v2

      Actually, most US citizens are better protected than this (at least on paper) than the federal employees were. If a private company were this lax with employee data, they would have been sued out of business long ago.

  7. a_yank_lurker

    I wonder if the hackers got into the databases of those contractors who had/have security clearances. If they were in OPM's system what other systems were/are they in?

    1. Anonymous Coward

      @a_yank_lurker

      Let me put it this way: when my roommate got back from vacation he said "Great tomorrow I have to sign up for credit monitoring because OPM was breached."

      Yes, he has more than just the general "you're ok to work for the government" clearance. I think it is fairly low, although I've never asked how high on the off chance he might have to report it if I did.

  8. iLuddite

    "Collected it all", someone FTFY

    General(ret.) Keith "Collect it all" Alexander was a federal employee until a year ago. Has the Reg been able to contact him for a comment?

  9. Any mouse Cow turd

    worried

    I don't understand why they are so worried about this information being swiped. Surely if they've done nothing wrong then they've got nothing to fear....

    1. Destroy All Monsters Silver badge

      Now on the blackboard...

      NOTHING TO HIDE, NOTHING TO FEAR!

      NOTHING TO HIDE, NOTHING TO FEAR!

      NOTHING TO HIDE, NOTHING TO FEAR!

    2. Terry 6 Silver badge

      Re: worried

      Because "nothing to hide" from your own employer/government is rather different to having nothing to hide from a hostile or devious foreign agency/government.

      Things like friends or family who may be vulnerable to intimidation.

      1. Anonymous Coward

        Re: worried

        I think you missed the irony.

        1. Terry 6 Silver badge

          Re: worried

          Could be.

  10. Destroy All Monsters Silver badge
    Trollface

    discovered during a product demo

    "And here we see that data was copied to an IP address in .... ?"

    T-Rex teleports into a Dilbert strip!

  11. Barry Mahon

    Grand, so those who snoop got bitten in the bum. The likely reaction? not much, can you imagine the I told you so.... where do you start the complete rewrite?

  12. shrdlu

    Elephant in the room

    Of course the entire database is compromised and the data in it is no longer trustworthy. How many fake personnel records did the hackers insert?

    1. Mystic Megabyte
      Joke

      Re: Elephant in the room

      I wondered why I got flagged up as a Japanese navy admiral when entering the USA :)

      1. amanfromMars 1 Silver badge

        Re: Elephant in the room

        Oops ..... you beat to the punch with that converse line, Mystic Megabyte ...[ I wondered why I got flagged up as a Japanese navy admiral when entering the USA :)] Bravo, Sir and/or Madam:-)

    2. amanfromMars 1 Silver badge

      Raging Bull Elephant in the room ....

      Elephant in the room

      Of course the entire database is compromised and the data in it is no longer trustworthy. How many fake personnel records did the hackers insert? .... shrdlu

      Another side of that COIN is .... I wonder how many fake personnel records such hacking finds?

  13. lukewarmdog

    Self-improvement

    Hacks in, changes salary, logs back out. Worked in Ferris Bueller..I'll just blame the other hackers if anyone notices.

  14. Doctor Syntax Silver badge

    If it's unacceptable that a foreign government does this why should it be acceptable if one's own does it?

    1. Dan Paul

      @ Doctor Syntax

      This is an entirely different situation as we are not enemies with ourselves. Foreign hackers stole info (including Social Security Numbers) from OPM (Office of Personnel Management) that could be used against people in this and other countries.

      Your OWN governments are "spying" on you every day too and all the blowback from privacy advocates and Eurocrats regulations is not going to stop that. There is a big difference in intent between knowing you called Syria and arranged a flight for someone there on your credit card is helpful info and justifiably collected today, too bad if you don't like it. Stealing the personal info of tens of millions of employees with the intent to use it against them is not acceptable.

      The issue here being that OPM has as many holes in their network as baby Swiss cheese, ALL of this data theft being the fault of the US government for poor security. At the very least, every one of those SSN should be replaced by the Feds and new credit histories be created for each affected person.

      1. breakfast Silver badge
        Mushroom

        Re: @ Doctor Syntax

        Social Security Numbers are the absolute least of it. They took the results of the security clearance background checks - those are an in-depth exploration of the risks a person might present if given security clearance, all the bad debts, past affairs and other secrets that might make them vulnerable to blackmail. It would be hard to imagine a more complete treasure-trove of information for a hostile intelligence agency or a more enormous and comprehensive screw up from any government organisation with the least interest in the wellbeing of the state.

      2. Doctor Syntax Silver badge

        Re: @ Doctor Syntax

        "This is entirely different situation as we are not enemies with ourselves."

        There is, in fact, a similarity. If my govt. wishes to spy on me it should do so with due process of law. It should go to a judge, or at least a magistrate, with sufficient a priori evidence to get a warrant. This concept of due process was introduced into English law by Magna Carta. In a few days, no doubt, the PM will be saying how great Magna Carta is & how splendid that this has been part of English law for the last 800 years - whilst being quite happy to see this principle violated.

        An APT can't be expected to use due process. My govt. should. It is unacceptable if, like the APT, they don't.

  15. Doctor Syntax Silver badge
    Facepalm

    $5 each

    Look how much we value you.

  16. Anonymous Coward

    Wow, that must've been some demo meeting!

    Alright folks, we're here today to demonstrate our APT-Detect 2000 product, software for finding malware in your infrastructure. Please give us a few minutes while we hook things up and we'll get the demo started.

    Technician hooks up some network cables to a laptop, starts some software

    Alright, we're just doing a self-test here, and..

    Laptop starts beeping

    Hmm, that's strange..

    OPM manager comes over - What seems to be the problem?

    Laptop emits siren sound, technician typing really fast like in the hacker movies

    Not one problem, sir, there's millions of them!

    Screen fills with green falling symbols like in the Matrix

    These are APTs sir, they are exfiltrating data as we speak - gigabytes worth of all your most valuable data! I'm zooming in to the core now

    Laptop fan turns on, showers of zooming symbols flying around the screen

    OPM manager sweating profusely - My God, it's full of stars!

    Technician slams laptop shut, a puff of smoke wafts from the fan vents - I think we've all seen enough, shall we move the discussion over to your accounting department? This won't be cheap.

    1. elDog

      Re: Wow, that must've been some demo meeting!

      Nice.

      Of course the accounting department is thinking that $5 per credit report.

      The employees are thinking of years of identity theft, loss of jobs, possible threats from outside groups. Then again, that could happen at Target, Blue Cross/Blue Shield, on and on.

  17. Kane
    Black Helicopters

    Amazing really...

    With all the hyperbole over the past six months (from both sides of the pond) about how the authorities need to have back door/front door access to encryption, and the more recent comments from the FBI about all those pesky cybercriminals and how the US is on the verge of a massive attack, isn't it just a bit convenient that a large attack of this nature happened?

    Can we have a black flag icon please, El Reg? I think it's appropriate under the circumstances.

    Hmm? I can hear a strange whum whum whum whum noise in the distance, I wonder what that could be?

  18. WalterAlter
    Mushroom

    Cue "Clockwork Orange" Theme Music

    "Well Well. Well Well Well Well..." CIA and NSA employees are government employees, yes? I wonder what sorts of reports this data could be massaged into delivering about the sneaky side of government? Prolly better than an airport x-ray machine could deliver, eh?

    1. amanfromMars 1 Silver badge

      Re: Cue "Clockwork Orange" Theme Music

      Hi, WalterAlter,

      There are government employees and there are government employees and some government employees are government employers. And just imagine how much further things have progressed since the production of the following missive and dynamic page ...... http://cryptome.org/2015/06/nsa-sid-hacker.pdf

  19. Andrew van der Stock

    The stupid thing is...

    As part of the Five Eyes agreement, I'm sure the US has access to the publicly available Australian Signals Directorate's Top 35 Strategic Mitigations. You can even Google it. If they'd just followed the Top 4 items (application white-listing, patch your damn apps, patch your damn OS, and limited administration rights even for administrators), I bet the APT would have been either detected or blocked. The Top 4 are mandatory for all Australian government agencies and departments, so if anyone says that a large government bureaucracy can't use white listing, patching apps and OS, and has limited administrators, they haven't looked very far. In my view, not doing the Top 4 is tantamount to actual negligence.

    1. Marshalltown

      Re: The stupid thing is...

      The really stupid thing is that all that information was available through a single entry point. Is there information on what OS the OPM was using on its systems?

  20. razorfishsl

    So... The NSA is spying on everyone and all data feeds?

    Why did they not detect this, do they not have data analysts?

    If they cannot spot one of the biggest hacks in the history of the US, it really says everything about their ability to target terrorists.....
