Demo impact level:
This must have been the security company's best demonstration ever.
The data breach that recently hit the US government's Office of Personnel Management, in which personnel records for millions of federal workers were swiped, is worse than first feared, sources claim. According to new reports that emerged on Thursday, the attack was active for more than a year and the pilfered information …
This must have been the security company's best demonstration ever.
How do you tell them? You're sitting in a room full of your equipment and a connection to their network...and you see something...
On the other hand, I sure as hell hope that this was the FIRST IDS/IPS vendor demo, and not the 6th or 8th.
El Reg, I think this would be an important piece of information for your audience. Especially if you can get the names of any vendors whose presentations preceeded CyTech's.
.... we need more surveillance.
Hi, Mark 85,
Methinks rather than more surveillance, would idiots in Congress, the United States of America (and is that a monster oxymoron) and everywhere else also, greater intelligence is needed to play effectively and win win rather than always be on the losing side of the GIG (Greater IntelAIgent Game).
And guaranteed success and quite perfect enough stealth for all and/or any sort of public and/or private and/or pirate missions in Realities and the Live Operational Virtual Environment are automatically/autonomously provided whenever such an obvious inherent deficit is denied and left as a titanic 0day rich vulnerability to exploit and enjoy and export and expand.
My head hurts with this.... so I'll ask back:
1) Rather than increase surveillance of their population, would it not be better for Congress to insist that the government systems be patched and have what we civilians would call "normal" security systems in place? They failed their own audit.
2) To what purpose would increasing the surveillance of the populace do to prevent the government systems from being broken into?
Senator Burr's recommendation was exactly that. Ignore the problem and step up domestic snooping.
of course they're saying stupid things. They're all being blackmailed by the Chinese and forced to say them!
They will grab on to anything to claim we need more surveillance. It's the only words they have in their current voice chip.
"...They're all being blackmailed by the Chinese and forced to say them!"
Nah, they're in congress. First, congress folk are not, sadly, "Federal employees," else we could fire them. Second, they are in Congress which means that 'stupid' - or minimally "as ignorant as a summer day is long in Alaska" - was part of the job description.
They will say anything that comes to mind if there is a chance it will be quoted somewhere because it pertains to some current event. That it happens to be stupid is, well, garbage in - garbage out.
Hmmm? 14 down votes (at 0705 hrs Sunday) without any explanatory commentary for the alien comment on the Congressional idiots is like a poor attempt at misdirection and alternate perception management, and that view would be fully supported after a read of this short paper, supplied to the U.S. Office of the Director of National Intelligence ...... Cyberwar, Netwar, and the Future of Cyberspace
Are there such things as dodgy government sponsored trolls and shills with not much more to do other than deny the truth and try to spin a dumb picture into a smarter landscape?
Leading intelligence integration cannot even start without building upon the truths of the day and the exploiting and exporting of vulnerabilities and opportunities for and with awesome 0days. Square that circle and APT ACTive riddle, wrapped in a mystery, inside an enigma is AI Key ..... Advanced Internetional Key.
"the attack carries with it a significant monetary cost"
One cost will be installing the security measures they never had.
Will they dump everything they got to pastebin?
Having their privacy taken from them by the Chinese government doesn't feel any better than when us peons have it taken from us from our own government.
At least it isn't hackers out for identity theft, though assuming it wasn't that tough to break in, the Chinese government hackers may not be the only ones who got access to this data.
re: "At least it isn't hackers out for identity theft", this might not have been the immediate intent, but now that they (whoever "they" is) has the data how long will it sit around before someone tries to monetize it?
"Federal employees deserve better than this." Now that is hilarious. Why would they deserve better service than what they give the U.S. citizens? Are they more deserving than the people who pay their salaries?
"Now that is hilarious."
Not really. Everyone deserves better than this. That would include Federal employees.
." Why would they deserve better service than what they give the U.S. citizens? "
Because they ARE US citizens.
And they ARE NOT mostly working in the department that screwed up.
They are not some strange hive colony different from other people.
These are ordinary citizens who do their daily jobs just like you do.
Get their pay packet.
Live their lives.
And they have the same right to expect their employer to keep files confidential that you have.
(Except that an El Reg commentard in this situation may well be one of the people responsible for not securing the data).
Actually, most us citizens are better protected than this (at least on paper) than the federal employees were. If a private company were this lax with employee data, they would have been sued out of business long ago.
I wonder if the hackers got into the databases of those contractors who had/have security clearances. If they were in OPM's system what other systems were/are they in?
Let me put it this way: when my roommate got back from vacation he said "Great tomorrow I have to sign up for credit monitoring because OPM was breached."
Yes, he has more than just the general "you're ok to work for the government" clearance. I think it is fairly low, although I've never asked how high on the off chance he might have to report it if I did.
General(ret.) Keith "Collect it all" Alexander was a federal employee until a year ago. Has the Reg been able to contact him for a comment?
I don't understand why they are so worried about this information being swiped. Surely if they've done nothing wrong then they've got nothing to fear....
NOTHING TO HIDE, NOTHING TO FEAR!
NOTHING TO HIDE, NOTHING TO FEAR!
NOTHING TO HIDE, NOTHING TO FEAR!
Because "nothing to hide" from your own employer/government is rather different to having nothing to hide from a hostile or devious foreign agency/government.
Things like friends or family who may be vulnerable to intimidation.
I think you missed the irony.
discovered during a product demo
"And here we see that data was copied to an IP address in .... ?"
T-Rex teleports into a Dilbert strip!
Grand, so those who snoop got bitten in the bum. The likely reaction? not much, can you imagine the I told you so.... where do you start the complete rewrite?
Of course the entire database is compromised and the data in it is no longer trustworthy. How many fake personnel records did the hackers insert?
I wondered why I got flagged up as a Japanese navy admiral when entering the USA :)
Elephant in the room
Of course the entire database is compromised and the data in it is no longer trustworthy. How many fake personnel records did the hackers insert? .... shrdlu
Another side of that COIN is .... I wonder how many fake personnel records such hacking finds?
Oops ..... you beat to the punch with that converse line, Mystic Megabyte ...[ I wondered why I got flagged up as a Japanese navy admiral when entering the USA :)] Bravo, Sir and/or Madam:-)
Hacks in, changes salary, logs back out. Worked in Ferris Bueller..I'll just blame the other hackers if anyone notices.
If it's unacceptable that a foreign government does this why should it be acceptable if one's own does it?
This is entirely different situation as we are not enemies with ourselves. Foreign hackers stole info (including Social Security Numbers) from OPM (Office of Personnel Management) that could be used against people in this and other countries.
Your OWN governments are "spying" on you every day too and all the blowback from privacy advocates and Eurocrats regulations is not going to stop that. There is a big difference in intent between knowing you called Syria and arranged a flight for someone there on your credit card is helpful info and justifiably collected today, too bad if you don't like it. Stealing the personal info of tens of millions of employees with the intent to use it against them is not acceptable.
The issue here being that OPM has as many holes in their network as baby Swiss cheese, ALL of this data theft being the fault of the US government for poor security. At the very least, every one of those SSN should be replaced by the Feds and new credit histories be created for each affected person.
Social Security Numbers are the absolute least of it. They took the results of the security clearance background checks - those are an in-depth exploration of the risks a person might present if given security clearance, all the bad debts, past affairs and other secrets that might make them vulnerable to blackmail. It would be hard to imagine a more complete treasure-trove of information for a hostile intelligence agency or a more enormous and comprehensive screw up from any government organisation with the least interest in the wellbeing of the state.
"This is entirely different situation as we are not enemies with ourselves."
There is, in fact, a similarity. If my govt. wishes to spy on me it should do so with due process of law. It should go to a judge, or at least a magistrate, with sufficient a priori evidence to get a warrant. This concept of due process was introduced into English law by Magna Carta. In a few days, no doubt, the PM will be saying how great Magna Carta is & how splendid that this has been part of English law for the last 800 years - whilst being quite happy to see this principle violated.
An APT can't be expected to use due process. My govt. should. It is unacceptable if, like the APT, they don't.
Look how much we value you.
Allright folks, we're here today to demonstrate our APT-Detect 2000 product, software for finding malware in your infrastructure. Please give us a few minutes while we hook things up and we'll get the demo started.
Technician hooks up some network cables to a laptop, starts some software
Alright, we're just doing a self-test here, and..
Laptop starts beeping
Hmm, that's strange..
OPM manager comes over - What seems to be the problem?
Laptop emits siren sound, technician typing really fast like in the hacker movies
Not one problem, sir, there's millions of them!
Screen fills with green falling symbols like in the Matrix
These are APT's sir, they are exfiltrating data as we speak - gigabytes worth of all your most valuable data! I'm zooming in to the core now
Laptop fan turns on, showers of zooming symbols flying around the screen
OPM manager sweating profusely - My God, its full of stars!
Technician slams laptop shut, a puff of smoke wafts from the fan vents - I think we've all seen enough, shall we move the discussion over to your accounting department? This won't be cheap.
Of course the accounting department is thinking that $5 per credit report.
The employees are thinking of years of identify theft, loss of jobs, possible threats from outside groups. Then again, that could happen at Target, Blue Cross/Blue Shield, on and on.
With all the hyperbole over the past six months (from both sides of the pond) about how the authorities need to have back door/front door access to encryption, and the more recent comments from the FBI about all those pesky cybercriminals and how the US is on the verge of a massive attack, isn't it just a bit convenient that a large attack of this nature happened?
Can we have a black flag icon please, El Reg? I think it's appropriate under the circumstances.
Hmm? I can hear a strange whum whum whum whum noise in the distance, I wonder what that could be?
"Well Well. Well Well Well Well..." CIA and NSA employees are government employees, yes? I wonder what sorts of reports this data could be massaged into delivering about the sneaky side of government? Prolly better than an airport x-ray machine could deliver, eh?
There are government employees and there are government employees and some government employees are government employers. And just imagine how much further things have progressed since the production of the following missive and dynamic page ...... http://cryptome.org/2015/06/nsa-sid-hacker.pdf
As part of the Five Eyes agreement, I'm sure the US has access to the publicly available Australian Signals Directorate's Top 35 Strategic Mitigations. You can even Google it. If they'd just followed the Top 4 items (application white-listing, patch your damn apps, patch your damn OS, and limited administration rights even for administrators), I bet the APT would have been either detected, blocked. The Top 4 are mandatory for all Australian government agencies and departments, so if anyone says that a large government bureaucracy can't use white listing, patching apps and OS, and has limited administrators, they haven't looked very far. In my view, not doing the Top 4 is tantamount to actual negligence.
The really stupid thing is that all that information was available through a single entry point. Is there information on what OS the OPM was using on its systems?
So... The NSA is spying on everyone and all data feeds?
Why did they not detect this, do they not have data analysts?
If they cannot spot one of the biggest hacks in the history of the US , it really says everything about their ability to target terrorists.....
Biting the hand that feeds IT © 1998–2017