If you have nothing to hide, you have nothing to fear.
How much info did hackers steal on US spies? Try all of it
If the latest reports are true and Chinese hackers have managed to pilfer as much data about US government employees in sensitive positions as is thought, the Obama administration may be headed for a serious intelligence crisis. According to an Associated Press report on Friday, hackers linked to China may have compromised …
COMMENTS
-
Saturday 13th June 2015 01:56 GMT Anonymous Coward
That's not the point
Feel free to fill one out and post it. For people whose major asset is their Facebook account, it might not matter, but it does to the rest of us.
I, for one, have something to hide from hackers: my name, address, and SSN, to start. Not to mention those "verify your identity" questions like high school, street I grew up on, mother's maiden name, etc.
And I'll point out, the forms and other information that was stolen were from people who had passed their security clearance.
-
Saturday 13th June 2015 02:22 GMT Eddy Ito
Re: That's not the point
Not to mention those "verify your identity" questions like high school, street I grew up on, mother's maiden name, etc.
Those questions are worse than useless since most of it is public information. You graduate high school - it's in the paper, your address was recorded by the registrar of deeds, your parents' marriage license is recorded somewhere and their proud parents (your grandparents) undoubtedly had an announcement in the paper. Sure, it's a bit of work but it's all there and when you consider a good number of people still live in the town they grew up in it's quite a bit easier. Kids of career military might be a little harder to pin down if they moved several times but not too much since there are very detailed records of that too.
-
Saturday 13th June 2015 13:21 GMT Doctor Syntax
Re: That's not the point
"most of it is public information"
So it is but for any one person it takes time, effort & expense to locate as anyone interested in genealogy will tell you. You may run into multiple people with the same names and have to devote more time to sorting them out. Having it all neatly laid out by the data subject saves an awful lot.
-
Saturday 13th June 2015 06:57 GMT Anonymous Coward
Re: That's not the point
Throughout the long recorded history of mankind, I've noticed one universal. So long as those who consider themselves one of the "middle-class" are treated well, their lot improving, and their "rights" (social privileges) untrammeled, they go with the program, whatever program has been selected by those (perceived to be) in charge. When that contract is broken, revolution is not far over the horizon.
You can drape this in philosophical, economic, political science, psychological, or other frameworks; it matters not. History is very unforgiving.
-
Saturday 13th June 2015 18:04 GMT Anonymous Coward
@HildyJ "verify your identity" questions
Only a moron answers truthfully to those security questions that are a plague on websites everywhere, asking what high school you went to, the name of the street you lived on when you were in third grade, etc. No matter how good of a password you choose, if you answer these questions truthfully you may as well have used "password1" for your password since it takes almost no effort to find many of these answers for the average person and email the "forgot password" link to reset their password.
It is sad that those same questions are used to verify your identity when you try to access your credit report since that's probably already been pulled for all the high value targets on the list, but considering the scale of this breach the ability of the Chinese government to access your credit report is like adding a firecracker to a bonfire.
Guess I'm lucky that even if they got my info the Chinese government wouldn't have any interest in me since my stint as a contractor was nearly a decade ago and I don't have any friends who are Chinese nationals.
No doubt the US has broken into similar databases for most countries in the world, except for those too backward (or too smart?) to have digitized them.
-
Sunday 14th June 2015 21:56 GMT Dr Gerard Bulger
Re: @HildyJ "verify your identity" questions
What annoys me about these security questions is that banks and others, such as SKY TV/Broadband, INSIST that they will only correspond by telephone. I am on an analogue telephone, which can be hacked into by anyone with a pair of crocodile clips. Sky will not give any email address, and their web chat then says RING in if you want anything done. Banks respond even to letters, hand written, by a phone call to confirm what I wrote, because reading is beyond them. Oh no, you have to ring and blurt out bits of passwords and those security questions over an open line. Then they transfer you to another department who make you do the whole thing over again. I think I must have given my details to six different people with SKY once. Telstra in Australia is no better.
-
Sunday 14th June 2015 22:50 GMT x 7
Re: @HildyJ "verify your identity" questions
"banks and others, such as SKY TV/Broadband INSIST that they will only correspond by telephone"
simple reasons for that:
1) dealing with an enquiry by phone means there is no paper record to scan / read / analyse / action and file. Everything happens and is logged during the call with the operative keying the record there and then
2) companies invest a lot of capital in setting up call centres and they want to sweat the assets - put as much work through them as possible
3) every call to a call centre is a potential sales opportunity. You'd be surprised at how many complaint calls can be reversed into a new sale or upgrade
Sorry this is a diversion from the thread but I felt the point required answering
-
Monday 15th June 2015 14:02 GMT Tom 13
Re: they will only correspond by telephone.
Be thankful they do.
The "free security" OPM is offering as a result of the breach? Yeah, that's right, the government is distributing the notification in unsigned email asking those who have been affected to go to a website to register. If you have the temerity to call them, they refer you to their website while keeping you on indefinite hold. Absolutely no chance for fraud there, sir, none whatsoever.
-
Saturday 13th June 2015 22:00 GMT Neil Stansbury
Wrong
You have everything to fear...
Because you have no idea how that information will be used today or what inferences will be drawn from it tomorrow, or indeed who your conveniently collated life history will be passed on to - intentionally or unintentionally.
People who suggest you have nothing to hide live in cloud cuckoo land, whereby talentless, unqualified politicians & civil servants don their super-hero capes and, upon their white steeds, come riding out of the sunset to your rescue.
Dream on.
The simple reality is this: if you genuinely have nothing to hide, then you have nothing worth sharing, so keep your mouth shut and hide as much as possible.
-
Sunday 14th June 2015 20:57 GMT Mark 85
@ Neil S -- Re: Wrong
It is funny in many ways (funny = scary) how information is passed around. I recently had need to log on to UPS (United Parcel Service), which meant "open an account". Instead of my filling in the blanks as I remembered things or wanted to put in... they were asking questions from 20 years ago AND telling me if I got the answer wrong. Needless to say, I didn't open the account; I called instead and quickly rectified the issue. If they are getting wrong data, let 'em have it. The scary part is, what if they were getting it right? Where did it come from? Who else has access to this?
Do I have anything to hide? Just my identity as far as financials go. Do I have anything to fear? You bet. There's already too much out there. I realize it's not "am I going to be a victim?" but rather "when am I going to be a victim?".
-
Sunday 14th June 2015 01:19 GMT Anonymous Coward
Post-Snowden, I'd naturally assume these were in some sort of unmaintained and unpatched SharePain server.
If you have nothing to hide, you use M$ warez. In other words, if you use any of their products, but don't have the time or budget to constantly sit around to patch and reboot every other day, assume your data will be compromised sooner or later.
-
Sunday 14th June 2015 10:28 GMT Anonymous Coward
You must understand the background.
If you have nothing to hide, you have nothing to fear.
That's actually not the point of deeper security vetting. Deep security vetting is not a pass/fail process (although the data contributes to a final decision), it is a risk assessment that is actually in your interest.
Such an assessment seeks to discover where an adversary might seek to coerce or pressure you into cooperating, and plan accordingly. It means that some work may be a personal risk to you, or that you may be very suited to some work because you do not have a weak spot there.
-
Saturday 13th June 2015 01:46 GMT Anonymous Coward
Lots of people have to fill this out
As a retired fed, I wanted to clarify something. When people hear "security clearance" they think military and intelligence people but the use of security clearances in the US Government is much more widespread. Many people in positions considered "sensitive" for reasons other than military secrets are required to fill out this form. In addition to text/PDF records, the government also collects digitized pictures and fingerprints (although I don't know if OPM gets those).
-
Saturday 13th June 2015 06:32 GMT Anonymous Coward
Re: Lots of people have to fill this out
One stop shop? In a shop you usually have to pay. Here the Feds have given the data away.
Having said that, I wouldn't put it past the bureaucrats to have allowed this to happen because it can now be used to "justify" a vast increase in offensive operations against China et al, and it gifts them the ultimate budget defence of "if our budget gets cut we won't be able to secure your personal data".
Never forget that the purpose of a bureaucracy is quite singular, and that is to grow and sustain itself even at the expense of the host organism.
-
Sunday 14th June 2015 04:26 GMT Robert Helpmann??
Re: Lots of people have to fill this out
Many people in positions considered "sensitive" for reasons other than military secrets are required to fill out this form.
Exactly. Also, the constant refrain from the press on this is that it is all about government employees, but it affects everyone who has filled out one of these forms, including contractors, retirees and those who merely applied for a position but never were hired.
-
Sunday 14th June 2015 05:57 GMT John Smith 19
Re: Lots of people have to fill this out
"As a retired fed, I wanted to clarify something. When people hear "security clearance" they think military and intelligence people but the use of security clearances in the US Government is much more widespread. Many people in positions considered "sensitive" for reasons other than military secrets are required to fill out this form. In addition to text/PDF records, the government also collects digitized pictures and fingerprints (although I don't know if OPM gets those)."
I'd read various memoirs of US Govt types mentioning the Draconian application form.
So "Spy" really is a documentary?
-
Saturday 13th June 2015 03:16 GMT Mark 85
This is rapidly becoming a world laughing stock
And deservedly so... I'm just waiting to hear what else has been lifted, like maybe social security information, immigration information, etc. Yes, a super massive FAIL to the government for not providing the security the data deserves. Congress is just as much to blame, as I'm sure they've slashed IT budgets left and right. They want the data slurps but won't protect the people's information.
I fear the worst is yet to come.....
-
Saturday 13th June 2015 10:00 GMT Anonymous Coward
Re: This is rapidly becoming a world laughing stock
It was not so long ago that one guy looking for UFO information made headlines because he was able to look through a 'secure' US Mil computer. The US said then that their networks were so secure he had to be the world's master hacker. Now it turns out that almost anyone can walk in and look round any US Gov/Mil computer and take what they want.
This much vaunted 'security' is indeed becoming truly laughable.
-
Saturday 13th June 2015 18:57 GMT Anonymous Coward
Re: This is rapidly becoming a world laughing stock
Indeed, and it's about time that the US apologised to Mr McKinnon for harassing him over their own failings. It was blindingly obvious at the time that US government security was laughable, yet they still hounded the poor chap simply because they were embarrassed at having their failings exposed and tried to make Mr McKinnon suffer because of their embarrassment. That's simply despicable.
-
Monday 15th June 2015 14:10 GMT Tom 13
Re: almost anyone can walk in and look round any US Gov/Mil computer
No, not the Mil computers, OPM. Trust me on this. My roommate has enough trouble logging into his work computer every day and he's authorized to do so. The secure one? Yeah, that's an even bigger PITA.
The problem is OPM ~~forgot~~ ignored the fact that, since those records constitute the underpinnings for the whole security infrastructure, when collected into a single database it requires one grade above Eyes Only clearance.
-
Saturday 13th June 2015 10:44 GMT keithpeter
Re: This is rapidly becoming a world laughing stock
I hope that this discovery will lead to questions being asked about the resources being spent on mass surveillance of home and allied populations - i.e. huge data trawls producing low priority information that is mostly just deleted after some period of time.
Just possibly someone might begin to think that a little spending on actual secure systems for the basics like this might be a better idea?
Jaron Lanier writes about 'siren servers', by which he means the way various agencies 'sell' large IT based projects to gullible politicians/corporate managers. Shiny, sound good, but apparently generate little advantage.
PS: if this happened in the UK we would never hear about it of course. Rest assured.
-
Saturday 13th June 2015 14:11 GMT Primus Secundus Tertius
Re: This is rapidly becoming a world laughing stock
@keithpeter
In the UK they just send CDs of social security data in the post. As you say, they have not admitted that anyone has actually used that information. Also they leave memory sticks in pubs and taxis, but don't admit that.
The UK Treasury clearly did not believe in spending money to protect data about UK citizens. It looks as though the USA has a similar problem.
-
Saturday 13th June 2015 04:44 GMT Magani
El Reg illuminates again
Thank you, El Reg, for showing me another instance in the seemingly never-ending list of words that Merkins use differently to other English speakers:
"Had your wages garnished?"
My first thought was of my pay packet lightly sprinkled with pepper and a few parsley flakes. It would seem however, that they were referring to what I'd always known as 'garnishee'.
Am I alone here, or do fellow Strine speakers (to say nothing of K1W1s or those from the Mother Country) also know it as 'garnisheed wages'?
-
Saturday 13th June 2015 05:55 GMT Anonymous Coward
Re: El Reg illuminates again
It's AMEЯICAN ЯEVEЯSAL...
Try to imagine newspeak delivered in some hideous slack-jawed parochial accent.
Garnishing : Taking something away
Officer involved homicide: The filth just shot you
Land of the free: Prison (if you're lucky)
...and so on...
Poor sods have even been made to drive on the wrong side of the road!
Whoops! Forgot the mask. <sarc>Wouldn't want to end up on any lists!</sarc>
-
Saturday 13th June 2015 06:06 GMT skeptical i
Just direct employees? Or also contractors' employees?
If some government contractors require various clearances, would this same form be used as a starting point to determine which contractors (and contractors' employees) get them? If so, would they (or copies of them) also have been stored with the employees' forms that got hacked? Sorry if this was addressed elsewhere (hence Paris). I'm concerned about a former co-worker who had moved on/up to a job for a company that did government work.
-
Monday 15th June 2015 14:35 GMT Tom 13
Re: Just direct employees? Or also contractors' employees?
It's a question OPM is mostly dodging for the moment for the first breach (technically tepid denials), on the second the answer seems to be yes both types of data were compromised. And really, if you're thinking about it from the black hat angle, both databases have value if not necessarily of the same type. If you've got a fed you probably have deep penetration, with a contractor you might get wide penetration.
-
Saturday 13th June 2015 11:40 GMT bri
Re: Dear US of A
Who said it was on an external-facing network? They could get there through multiple hops - it's perfectly sufficient for another government body to have connections both to OPM and an external network.
Having seen some large networks and their defenses I don't believe that such hacks are *that* straightforward. But granted, it would be even more tragic that way.
-
Saturday 13th June 2015 17:11 GMT Neil Barnes
Re: Dear US of A
@Bri - you're right, it probably wasn't on anything directly visible - but my point is that information like that should have been locked as tightly, and as accessibly, as if it were individual paper copies in a filing cabinet.
Access should have been restricted to a small set of people able to access *one file at a time* and ideally physically separated - airgapped - from generic access; that is, access permissions are physical, not electronic. This is not the sort of information for which there is *ever* a need for one person to see all of it, and a huge risk - as demonstrated - if they do. But some genius has been sold the idea that it would be much easier to deal with if it were all in one virtual database...
Which is not to say that it is only the USA government that can commit such idiocies, nor even that a one-file-at-a-time access mechanism would necessarily stop people trying, and perhaps succeeding in, gaining access illicitly - it's such a juicy target. It's not the only one - think of insurance companies, health agencies, tax agencies, benefit systems, banks... they're all in the same boat and if they're not thinking about this now, no matter how good they think their systems are, then they should be.
-
Sunday 14th June 2015 12:59 GMT Koconnor100
Re: Dear US of A
Internal facing networks are no safer. The night janitor plops a Raspberry computer with a wireless modem to the outside world into an unused jack and moves along and no one is the wiser. (Raspberries are very small.) And with China constantly gathering private information on people, and a long history of blackmailing (usually ex-Chinese patriots ... we have a gun to your granddad's head, you will do as you are told...), yeah, they're going to penetrate everything.
Even if you lock out the Chinese immigrants, they have home addresses. They can blackmail the immigrants into planting letter bombs (carry them by hand so the post office can't intercept them), and after a few go off start threatening Americans: "We know where you live, thank you for giving the names and addresses of your wife and children, you will do as we say OR ELSE!" ....
And the NSA is going to be up there saying "YOU NEED US! THIS IS OUR TIME!" but really, it's their breaking of everyone's encryption everywhere that caused this. We need more NSA like we need a hole in our heads.
-
Sunday 14th June 2015 15:57 GMT Anonymous Coward
Re: "a Raspberry computer with a wireless modem"
"a Raspberry computer with a wireless modem to the outside world into an unused jack"
Absolutely impossible, at least at my previous employer, where Raspberry Pis were confiscated by the IT Department if discovered onsite.
Same outfit (a UK List X site) also didn't seem to care that the networked printer/copiers (supplied and maintained by a company whose technicians' identities were generally not checked before entry to the site) were very convenient places to hide the same kind of dodgy game.
Or alternatively someone could have used a random smartphone with a USB OTG LAN adapter and plugged that in instead. Kind of hard to spot.
Anyway, in principle, on a properly configured switched network, an ordinary port will only see traffic which is genuinely destined for that port (its own MAC address, or multicast/broadcast). Sadly, the same employer didn't seem to have managed to set this up right; my desktop saw all kinds of traffic it should never have seen.
In principle then, even without the joys of 802.1X per-port authentication (can you do that on a Pi?), network port snooping shouldn't be all that useful a tactic. If you can get at a managed switch and configure a mirror port, that would be helpful, but if you can do that the organisation probably has bigger problems.
-
Sunday 14th June 2015 19:37 GMT Paul Crawford
Re: Dear US of A
"the night janitor plops a Raspberry computer with a wireless modem"
If they are taking security seriously the switch would be configured to only allow specific MAC addresses on specific ports and even then only allowing the DHCP-supplied IP address to be used, so that trick won't work.
Also if they take security seriously they would put all the crappy never-patched network things like printers, web cameras, etc, on a separate VLAN/IP range (and without external access in the sad case they are not air-gapped) so their behaviour can be seen more clearly by intrusion monitoring systems, etc, and they can be blocked from initiating any connection to the "good range" machines (i.e. they only react to a print command and don't get to broadcast or probe the PCs).
A more likely physical attack is to plug 'evil USB' devices into unguarded machines. OK, those systems should also be locked down so USB is not on autorun or anything like it, but that may not be enough if they have a zero-day exploit for the lower level USB hardware/stack used. In the nation-state with insider doing dirty work case that is, of course, possible.
Either way, it is much much harder to exploit a network not on-line, as exfiltrating the data needs some sort of access (USB or similar again) and there is a high risk of the person getting caught if the sysadmins have some regular checking of system logs for device attachment, etc, happening.
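The Anonymous Coward's point above about what a properly configured switched port will and won't see, and Paul Crawford's list of what a switch should enforce (specific MACs on specific ports, only the DHCP-supplied IP), describe a policy that can be written down and checked. The following Python is an added illustration, not code from either post or from any switch vendor: it models that access-port policy (unused ports shut down, sticky MAC learning with a per-port maximum, and source IPs bound to DHCP leases) and runs it over a handful of constructed frames, recording the violations a monitoring system would be handed. Port names, MAC addresses, lease values and the class and function names are all constructed for the example.

```python
"""Model of switch port security, DHCP snooping and IP source guard.

Added illustration, not from any post in the thread. It models in plain
Python the access-port policy described above: unused ports are shut down,
each live access port admits only a bounded set of MAC addresses (learned
"sticky" on first sight or configured statically), and an admitted MAC may
only source the IP address the DHCP server leased to it. Real switches
enforce this in the forwarding plane (Cisco's port security, DHCP snooping
and IP Source Guard features, for example); port names, MACs and leases
below are constructed samples.
"""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Frame:
    port: str
    src_mac: str
    src_ip: Optional[str] = None   # None for frames without an IP payload


@dataclass
class PortPolicy:
    shutdown: bool = False                  # unused jacks are administratively down
    max_macs: int = 1                       # one device per access port
    allowed: Set[str] = field(default_factory=set)  # sticky-learned or static MACs


class AccessSwitch:
    def __init__(self, active_ports, unused_ports):
        self.ports = {p: PortPolicy() for p in active_ports}
        self.ports.update({p: PortPolicy(shutdown=True) for p in unused_ports})
        self.leases = {}        # (port, mac) -> ip, from DHCP snooping on the trusted uplink
        self.violations = []    # (port, mac, reason) handed to the monitoring system

    def dhcp_ack(self, port, mac, ip):
        """DHCP snooping: record a lease the trusted server issued to an access port."""
        self.leases[(port, mac)] = ip

    def check(self, frame):
        """Return 'forward' or 'drop' for one ingress frame, logging any violation."""
        policy = self.ports[frame.port]
        if policy.shutdown:
            self.violations.append((frame.port, frame.src_mac, "link on shut-down port"))
            return "drop"
        # Port security: admit the MAC if already allowed or if the port can still learn one.
        if frame.src_mac not in policy.allowed:
            if len(policy.allowed) >= policy.max_macs:
                self.violations.append((frame.port, frame.src_mac, "unknown MAC on secured port"))
                return "drop"
            policy.allowed.add(frame.src_mac)   # sticky learn
        # IP source guard: IP traffic must carry the address DHCP leased to this port/MAC.
        if frame.src_ip is not None:
            if self.leases.get((frame.port, frame.src_mac)) != frame.src_ip:
                self.violations.append((frame.port, frame.src_mac, f"unleased source IP {frame.src_ip}"))
                return "drop"
        return "forward"


def run_sample():
    """Constructed scenario: one leased desktop, one stray device, one shut port."""
    sw = AccessSwitch(active_ports=["Gi1/0/1", "Gi1/0/2"], unused_ports=["Gi1/0/3"])
    sw.dhcp_ack("Gi1/0/1", "00:11:22:33:44:55", "10.0.0.10")   # the desktop's lease
    frames = [
        Frame("Gi1/0/1", "00:11:22:33:44:55", "10.0.0.10"),   # the desktop, using its lease
        Frame("Gi1/0/1", "00:11:22:33:44:55", "10.0.0.99"),   # same MAC, hand-configured IP
        Frame("Gi1/0/2", "de:ad:be:ef:00:01", None),          # new device: sticky-learned
        Frame("Gi1/0/2", "de:ad:be:ef:00:01", "10.0.0.50"),   # talks IP without a lease
        Frame("Gi1/0/2", "de:ad:be:ef:00:02", None),          # second MAC on a max-1 port
        Frame("Gi1/0/3", "de:ad:be:ef:00:03", None),          # plugged into the unused jack
    ]
    decisions = [sw.check(f) for f in frames]
    return decisions, sw.violations


if __name__ == "__main__":
    for d, v in zip(*run_sample()):
        print(d, v)
```

The third frame shows the gap in the model worth noticing: a live port with no MAC yet learned will sticky-learn whatever is plugged in first, so a jack that is merely unused but not shut down is exactly the case the janitor scenario relies on. IP source guard still stops that device from sourcing useful traffic until it obtains a lease, and every dropped frame leaves a violation record for the intrusion monitoring that the same post mentions.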
-
Sunday 14th June 2015 20:08 GMT Roland6
Re: Dear US of A @Paul Crawford
"If they are taking security seriously the switch would be configured to only allow ..."
You are omitting the fun and games of multiple layers of traffic encryption which are usually done both physically separate to the switch and to each other, so that there is minimal risk of traffic of differing grades being "in the clear" in the same physical box...
-
Sunday 14th June 2015 20:38 GMT Paul Crawford
Re: Dear US of A @Paul Crawford
You are of course correct.
I was just thinking aloud about things that can be done for little physical cost on "normal" PCs & networks typically used in below-secret Gov, Business & Universities. OK, air-gapping is not common on those, but all the other features are pretty much standard on Cisco and similar kit, so having red/black networks for internal/external can be done and spare kit used for both.
Edited to add, worth a read:
http://www.gocsc.com/UserFiles/File/Ortronics/WhitePaperGovtv5AUG2011FINAL.pdf
-
Monday 15th June 2015 09:32 GMT Anonymous Coward
Re: Dear US of A
"If they are taking security seriously the switch would be configured to only allow specific MAC addresses on specific ports and even then only allowing the DHCP-supplied IP address to be used, so that trick won't work."
And if the device acts as a transparent sniffer that CLONES the target's MAC? AND is provided information from inside the device to decrypt connections and so on?
-
Monday 15th June 2015 11:34 GMT Paul Crawford
Re: Dear US of A
Again, you are looking at a much higher bar than plugging in a device to an unused port at the recreational area, etc.
Now you are actually tampering with the internal wiring and could easily install a keyboard logger, etc. But on an isolated network you would have to use a radio link out, and that could be monitored as part of a sweep for bugging anyway, if you are sufficiently paranoid or working to regulations that demand that degree of security. That is why the "red" cables in proper high security installations have to be visible along their whole length and subject to regular inspections for tampering (or shielded fibre with some fibres used as tamper-detection, etc).
-
Monday 15th June 2015 15:05 GMT Charles 9
Re: Dear US of A
"But on an isolated network you would have to use a radio link out, and that could be monitored as part of a sweep for bugging anyway."
Not if it's designed NOT to transmit all the time but instead only on a specially coded signal it receives first, THEN it transmits its stuff in a quick short-range burst that would require an omnipresent super-sensitive (as in prone to drowning out) detector to trace. If you're pro enough to get this far, you probably have an egress plan as well.
-
Sunday 14th June 2015 19:58 GMT Roland6
Re: Dear US of A
"Who said it was on external-facing network? They could get there through multiple hops"
Well, that would indicate that the database was incorrectly graded for security purposes. Given the risks associated with disclosure, the full database should have been Secret or higher (so no physical connection to lower grade networks), with only highly selective extracts being made available on networks with lower security ratings.
So once again it seems the US government is paying in spades for its approach to security, which doesn't seem to have changed over the years - namely extradite and put on trial those identified as having made unauthorised access to their "secure" IT systems.
-
Monday 15th June 2015 14:43 GMT Tom 13
Re: Dear US of A
OPM is the clearing house for every other agency across the country. How else do you manage that other than an external facing network? No, really; how do you do it? Army, Navy, Air Force, Marines, Coast Guard, National Guard, okay maybe them you can put on secure PCs on the mil net. Dept of Energy? Dept of Commerce (NOAA/weather, FAA)? Dept of Treasury? Dept of Homeland Security? NASA? Dept of State? Dept of Veterans Affairs?
You need immediate access across multiple locations. Maybe you can make the case it shouldn't be on the internet, but even that's problematic. Yes it should have been secured better than it was, but simply not public facing won't meet system requirements.
-
Monday 15th June 2015 15:30 GMT Paul Crawford
Re: @Tom 13
Firstly all these remote locations don't need access to a lot of data at any one time, so the database server ought to rate-limit requests and queries to a reasonable amount per authorised machine/user.
Secondly having something where the leak is so significant really ought to have raised the question about how many sites really need to access it, and for them you could have deployed specific machines with dedicated hardware encryption in the network card (or a dedicated secure router) to tunnel the data to/from the server.
None of them would have any simple path to the outside world, so an attacker would need multiple physical access aspects to begin hacking past the user account and rate-limiting aspects. Anyone needing to access the database would find those PC(s) in a reasonably secured room, log on and do their job, then go. The room could be CCTV'd so any attempted tampering would be on record, etc.
It is all perfectly possible, but it costs money to do (much less than the hack is going to cost, I'll bet) and adds some inconvenience, but still much easier than the old days of paper files. So it's not really *that* inconvenient.
-
Saturday 13th June 2015 08:14 GMT Mark 85
There's more to this than identity theft....
I seriously suspect that people are going to die. If I were in the CIA or other agency, I'd figure that I'm a target. If I had filled out the form and had relatives in certain countries... some of them may die and not by natural causes. That's the freakin' scary part. There's a whole lot more to worry about and our stupid.. #$%^#@ government is responsible.
If we think the US is alone in this, who broke into the German system? What did they get? Are there other countries that have been broken into and either they aren't telling or they don't know it yet?
Don't get too smug those of you not in the US, I suspect your government may have already been hacked or is about to be.
-
Saturday 13th June 2015 08:41 GMT Paul Crawford
Re: There's more to this than identity theft....
The sad thing is this train wreck was seen to be coming for a long time, as you have:
1) Gov collecting data on its people like a fetishist
2) Gov cutting IT budgets and not holding anyone personally responsible, with power, to do anything about it.
3) Putting stuff on or connected to external networks because it's cheaper/easier/more productive that way.
4) Software / OS being so complex and hole-ridden with developers all running after "shiny and new" instead of simple and reliable.
5) Other nations realising 1-4 and the gains to be had from popping said data.
The USA may not be the first, but it sure as hell won't be the last nation to have its dirty laundry sent to China (or Russia, Israel, etc, etc)
-
Saturday 13th June 2015 08:27 GMT Anonymous Coward
we who are about to be ripped off (again)
point out that this is the best argument against mass surveillance. A one stop honey pot, managed by lowest bidder. The amount of detail that a bunch of clerks have on those of us who have to get clearances to do our tedious jobs has concerned coworkers for years. Our identities could easily be "borrowed". Israelis are good at that as an Ozwegian found out a few years ago. One wonders how many of the TLAs that lurk around Brandfis' Attorney General's Department lends identities as required to our good fiends when required.
-
Saturday 13th June 2015 09:41 GMT Anonymous Coward
Re: we who are about to be ripped off (again)
I know it is a silly question, but why wasn't this data encrypted? Any ideas out there?
In my shop (an NGO, ffs) all externally facing data was encrypted at rest and in transit. All systems using that data needed to use a key and two way handshake before the data was useful. Our local DB copies were frequently sucked out by local yokels within our various branch offices, but this was always a disappointing experience for the suckers.
Why does stupidity and lowest common denominator thinking always win over common sense and good design?
-
Saturday 13th June 2015 12:09 GMT Charles 9
Re: we who are about to be ripped off (again)
"In my shop (an NGO, ffs) all externally facing data was encrypted at rest and in transit. All systems using that data needed to use a key and two way handshake before the data was useful."
Thing was, the stuff has to be useful at SOME point, which is where you attack the database: at the points where they MUST be decrypted to be useful. That's always been the unavoidable flaw with encryption. In order for data to be useful, you have to DEcrypt it SOMEWHERE.
-
Saturday 13th June 2015 17:43 GMT Anonymous Coward
Re: you have to DEcrypt it SOMEWHERE.
"In order for data to be useful, you have to DEcrypt it SOMEWHERE."
That's very true. Even so, does it necessarily lead to the conclusion that encrypting the data is a pointless exercise? I'd have thought that encryption was one layer in a multi-layered approach, but what do I know.
-
Saturday 13th June 2015 20:47 GMT Charles 9
Re: you have to DEcrypt it SOMEWHERE.
Trouble is the multi-layered approach suffers from a common point of failure: the user interface where EVERYTHING has to be removed in order for the stuff to be of any use. About the only solution to this problem (essentially an exploitable "analog hole") is to go cyberpunk (in the style of William Gibson or Shirow Masamune) and have enc/dec security capabilities built directly into our brains.
-
Sunday 14th June 2015 13:04 GMT Anonymous Coward
Re: you have DEcrypt it SOMEWHERE.
"Trouble is the multi-layered approach suffers from a common point of failure: the user interface"
Others have already mentioned that the user interface has built in rate limits. Any attempt to extract more decrypted data than plausible rate limits would permit, should immediately be ringing alarm bells.
-
Monday 15th June 2015 09:37 GMT Charles 9
Re: you have DEcrypt it SOMEWHERE.
"Others have already mentioned that the user interface has built in rate limits. "
That doesn't stop a PATIENT adversary, though. And the GOOD ones are patient. Patient adversaries are how we developed techniques like Smurfing and steganography. They probably started at a position where the stuff is used as part of the job, sniffed out the ones picked up during normal operations, and slowly worked up, finding ways to defeat the detectors as they went.
-
Tuesday 16th June 2015 12:50 GMT Tom 13
Re: plausible rate limits would permit
Who says they exceeded plausible rate limits? Some of the reports I've read claim they traced the breach as far back as December 2014.
What if the account compromised was a system admin level account? You know, the ones where you're expected to move the databases around as you reconfigure things.
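The exchange above turns on two detection questions: whether a per-hour rate limit on the decrypting interface rings alarm bells, and whether a patient adversary who stays under that limit for months (the breach is said to go back to December 2014) slips past it anyway. The following is an added example, not code from the thread or from OPM, that runs two detectors over a constructed decrypt-access audit log: a classic per-hour rate limit, and a 30-day sliding-window cumulative check that catches the slow drip the per-hour limit misses. The log format, the account names (clerk_a, patient, smash_and_grab) and the thresholds are all assumptions.

```python
"""
Added example (not from the thread): two detectors over constructed
decrypt-access audit records. A per-hour rate limit catches a smash-and-grab;
a sliding-window cumulative check catches the "patient adversary" who stays
under the per-hour limit for months. Log format, account names and
thresholds are assumptions, not any real agency's values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HOURLY_LIMIT = 200            # assumed plausible records/hour for one interactive user
WINDOW = timedelta(days=30)   # look-back window for the cumulative check
WINDOW_LIMIT = 5000           # assumed plausible records per account per 30 days


def make_sample_log():
    """Construct 60 days of audit lines (constructed data, not a real log).

    Format per line: ISO timestamp,account,records_decrypted
    - clerk_a: 40 records every morning (normal usage)
    - patient: 180 records every night, under the hourly limit but
      adding up to far more than a normal user over a month
    - smash_and_grab: one 9000-record pull at 02:00
    """
    lines = []
    day0 = datetime(2014, 12, 1)
    for d in range(60):
        day = day0 + timedelta(days=d)
        lines.append(f"{(day + timedelta(hours=9)).isoformat()},clerk_a,40")
        lines.append(f"{(day + timedelta(hours=23)).isoformat()},patient,180")
    lines.append("2015-01-15T02:00:00,smash_and_grab,9000")
    return "\n".join(lines)


def parse_log(text):
    """Parse audit lines into (timestamp, account, count) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, account, count = line.split(",")
        events.append((datetime.fromisoformat(ts), account, int(count)))
    events.sort()
    return events


def burst_alerts(events, limit=HOURLY_LIMIT):
    """Classic rate limit: total records per (account, clock hour) over the limit."""
    per_hour = defaultdict(int)
    for ts, acct, n in events:
        bucket = ts.replace(minute=0, second=0, microsecond=0)
        per_hour[(acct, bucket)] += n
    return sorted({acct for (acct, _), n in per_hour.items() if n > limit})


def slow_drip_alerts(events, window=WINDOW, limit=WINDOW_LIMIT):
    """Sliding-window cumulative check per account.

    Two-pointer sweep over each account's time-ordered events: the running
    total covers every event within `window` of the current one. Returns
    {account: peak window total} for accounts that ever exceed the limit.
    """
    by_acct = defaultdict(list)
    for ts, acct, n in events:
        by_acct[acct].append((ts, n))
    flagged = {}
    for acct, evs in by_acct.items():
        start, total = 0, 0
        for ts, n in evs:
            total += n
            # drop events that fell out of the look-back window
            while evs[start][0] < ts - window:
                total -= evs[start][1]
                start += 1
            if total > limit:
                flagged[acct] = max(flagged.get(acct, 0), total)
    return flagged


if __name__ == "__main__":
    evs = parse_log(make_sample_log())
    print("burst (per-hour) alerts:", burst_alerts(evs))
    print("slow-drip (30-day) alerts:", slow_drip_alerts(evs))
```

On the constructed data the per-hour limit only ever flags smash_and_grab; the patient account never exceeds 180 records in an hour and is only caught by the cumulative window, which peaks at 31 days of 180 records. The admin-account case raised above is different again: a volume threshold is meaningless for an account expected to move whole databases, so that class of account needs a different signal (for example, tying bulk reads to an authorised change record) rather than a bigger limit.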
-
-
-
-
-
Tuesday 16th June 2015 12:46 GMT Tom 13
Re: why wasn't this data encrypted
It's not clear whether the data was encrypted or not. If the data is encrypted on the drive, but uses an access account to decrypt the data and you compromise an access account, the data is still yours for the taking. That's largely the way the industry works these days with everything pushing to single log-on authentication.
-
Tuesday 16th June 2015 12:43 GMT Tom 13
Re: we who are about to be ripped off (again)
No it's not. The compromised data wasn't part of surveillance. It was collected specifically to do security clearances; to prove who you are and that you don't have any obvious weak links. That is, it isn't simply surveillance, it's been narrowed and refined. Indeed the biggest problem NSA and the rest of the mass surveillance people have is that there is too much data to easily produce usable information. Anyone trying to raid your one stop honey pot faces the same problem the surveillance agencies do, except not being state actors they are less likely to have the available resources to process the data.
Lame arguments like this make the whole "no mass surveillance" crowd look like the tinfoil hat brigade. Use some logic instead of grooving on your latest hate meme.
-
-
Saturday 13th June 2015 09:33 GMT Anonymous Coward
a scoop of a century
or worse. And when in Chinese hands, the data is also likely to end up, bits of it, sold off to other interested "parties", happy to pay for this information. Russians would be delighted to be allowed to bid for some records, Iranians would be even more keen to "co-operate" with China on a "far-reaching range of issues", above and below water. Short of replacing those millions of affected bods (yeah, put them in storage and churn out new model), there's very little that can be done. I bet there's a race to go through the records, both in the US and in China, to see what information can be used immediately, before the other side applies countermeasure. Somehow, in this instance, I feel nothing but sorry for the US. Well, perhaps, ironically, given the fact they see it fair to spy on the whole world: what goes round...
-
-
Sunday 14th June 2015 00:40 GMT Anonymous Coward
Re: Clusterf+ck
From our side or their side?
From our side, the only solution is for everyone in that database to turn themselves in to their nearest hospital as a living organ donor.
For their side, well....we've got B-1's, B-2's, B-52's, and F-117's and I'm sure we could scrape up some F-111's, we could just empty our nuclear arsenal. It would take about 12 hours.
Either way, the problem would be solved....but neither solution is perfect, since all of the pilots' data was in that database.
-
-
Saturday 13th June 2015 12:19 GMT Unicornpiss
That's what they want you to think?
China actually hacked a database with made up information on hundreds of "people." All part of the plan...
Seriously though, this breach is utterly appalling and should never have been allowed to happen. Since we can't police China effectively, maybe it's time for some trade sanctions?
-
Saturday 13th June 2015 13:07 GMT Infernoz
Re: That's what they want you to think?
Why are you so brain-dead as to suggest sanctions on China when the corpocracy which took over the US government and others shipped most of the goods manufacturing and jobs to China, so that the US is now a parasitic dependant of China!
So where will all your goods come from then, stupid? Is it sinking in now just how stuffed the US is?
The US government has been corrupted so badly and been fed so much over-priced shoddy junk (for massive corporate profits, mainly for the 0.1%) that it can't even do effective data security for what is arguably its Achilles heel, the living people who work for this zombie fiction!
-
Saturday 13th June 2015 17:38 GMT Chris G
Re: That's what they want you to think?
Having just reacted and downvoted Unicornpiss, on second thoughts he/she may have been being ironic in which case an upvote would be in order. Alternatively it could be a case of 'Don't feed the trolls' so no vote. Decisions, decisions!
As for the really spooky peeps in the US, would they necessarily have any details on this database still?
-
Friday 19th June 2015 15:57 GMT laird cummings
Re: That's what they want you to think?
"As for the really spooky peeps in the US, would they necessarily have any details on this database still?"
Oh, yes. Absolutely - those 'really spooky' people didn't spring forth, fully-formed, from the CIA's head. They were once lowly applicants. The SF-86 is the gateway to the very first clearance, which is necessary to gain entrée to the kinds of programs wherein one becomes 'really spooky.'
The comforting factor is that those 'really spooky' people are buried as needles in an enormous needle-stack, and the SF-86 doesn't link forwards, only backwards. Mister X's *pre-spook* history revealed, but no one knows which of those millions *became* Mister X.
Government data is forever (until deleted in a mis-timed backup or datacenter fire).
-
-
Saturday 13th June 2015 17:43 GMT Anonymous Coward
Re: That's what they want you to think?
"Is it sinking in now just how stuffed the US is?"
Somehow I doubt it. I don't think Fox or its viewers could cope with the news that World War III has finished and the winners were the global corporate kleptocrats in conjunction with "communist" China.
-
This post has been deleted by its author
-
-
Sunday 14th June 2015 21:32 GMT Ilmarinen
Re: That's what they want you to think?
"can't police China effectively" - who do you think you are?
Clue: the Opium wars were a couple of centuries ago and the "China" that we are pretty much in hock to is a sovereign Big Government state with big military and global trade. Sending the traditional gunboat would result in sinking at the least. And what do you think the outcome of "trade sanctions" might be?
Words do not fail me, but almost.
-
-
-
-
Tuesday 16th June 2015 12:59 GMT Tom 13
Re: I couldn't remember the answers to the questions
Yeah, if you don't get into one of these jobs pretty much straight out of college, you're screwed on answering the questions. If you do, you just keep a copy of your last form to update them.
Although I will say that when I had to reconstruct some of those questions for some job interviews, the internet was scary good at digging up the answers for me. I could actually reconstruct my housing record all the way back through college.
-
-
Saturday 13th June 2015 16:09 GMT WalterAlter
Duck and Cover Bilderberger Swine
Would be nice to have critical quantities of data on the intel conduits to and from globalist oligarch elements and their assets in the CIA, NSA, ONI, FBI, FEMA and other potential police state apparats. This will be THE topic of woe at the current Bilderberger meeting. Hopefully our hackers are in touch with their hackers and such outlets as Cryptome and Wikileaks will be in the loop.
IF China is the invisible hand in all this, they will first use it to insure and amplify the work of the BRICS economic and credit bloc.
-
-
Friday 19th June 2015 16:03 GMT laird cummings
Re: Probably explains why..
"Either they're going to check or they're fishing."
They ARE going to check, but without help from you it costs too much. And if you're not going to be cooperative, you've already demonstrated a bad attitude, as far as security goes. Why should they waste extra $$ on an attitude case? Especially as you're no special snowflake, and there are thousands of people without attitude problems who also want jobs.
-
-
-
-
-
-
Sunday 14th June 2015 13:45 GMT Anonymous Coward
Re: Snowden
Yes, its all so simple now.
Snowden bad, Government data guardians good.
The data guardians (irony, please) will now need to make encryption illegal and store everyone's communications and private information online. Perhaps they will encrypt it too. Everyone else can f-off. And of course it's all Snowden's fault. His files probably contained the backdoor passwords for all those secure gov't databases. Or the URL of the sharepoint server where all the data was consolidated. Stupid doesn't begin to describe....
Honestly, isn't it time for Alice to come out of the rabbit hole?
A secure facility somewhere outside Washington DC, mid-November 2016:
"Gentlemen, the Queen of Hearts will see you now, please leave your mobile phones, laptops and USB keys with the nice man in uniform."
-
-
-
Sunday 14th June 2015 14:26 GMT Sir Runcible Spoon
Re: Snowden
"Interesting article on how the hack was discovered."
Doesn't sound right. Unless the OPM are running a flat network and the computer running the demo software was just plugged into a meeting room ethernet port to run a scan.
Deploying this software into complex environments takes time and planning (aka projects) - I just don't see someone plugging their laptop into the network and 'discovering' this malware unless that network is completely open - in which case there are more problems to deal with than I could list!
-
Sunday 14th June 2015 15:16 GMT Anonymous Coward
Re: Snowden
I have looked into the CYTech company, who do defense work and other things. One of their demos is a full network scan. This apparently uncovered some malware and triggered the forensic discovery that it had been present for at least a year. Check out www.cyfir.com for a description of the product(s). An interesting feature is concurrent scans of outgoing connections, which may be how they discovered the malware.
As for it not sounding right, if someone with sufficient privilege gave the vendors access, they could do whatever they wanted. A flat or flattish network architecture wouldn't surprise me in the least, nor would open ethernet ports, etc. etc.
There are many, many network vulnerability scanning tools out there. Sounds like the OPM had just begun discovering them, a bit too late it seems. Don't forget that this is a government agency and a PHB could have easily handed them the keys to the kingdom.
Still trying to find out more on this story, but so far no dice. They need to be interviewed by El Reg. For now only the Washington Post seems to be reporting it (paywall).
-
-
-
-
-
-
Sunday 14th June 2015 20:43 GMT Anonymous Coward
Re: Snowden
So let me check I've understood this right:
The US's own OPM gets hacked, over a period of years, and nobody notices till some software outfit does a demo of an intrusion detection package. This despite the fact that the US guvmint has spent a fortune on an in-house anti-intrusion system. The apparently plausible story is that everyone on the Federal payroll is at risk. Maybe more victims will emerge from other databases.
And then a few days later, in an (ahem) unrelated and as yet uncorroborated story, Snowden is once again accused of putting the lives of a few (in comparison) spies at risk, people who knew they would be at risk even before they accepted the job.
Look, over there, a lion/tiger/squirrel/honest politician!
Pardon me if I'm not very sympathetic to the anti-Snowden storyplanters and their puppets on this occasion.
-
Friday 19th June 2015 16:10 GMT laird cummings
Re: Snowden
"The US's own OPM gets hacked, over a period of years, and nobody notices till some software outfit does a demo of an intrusion detection package..."
Entirely plausible, if you're familiar with the Gordian Knot that is the US Civil Service and Government agency rules - including procurement rules.
-
-
-
-
-
Sunday 14th June 2015 07:18 GMT John 98
What the Chinese did with it?
One imagines that the Chinese have used all this data to quietly log in to a multitude of systems using the accounts of users with little technical knowledge, or concern for security, with easily guessed passwords. They may well have reams of other background information, plus of course the ability to cause chaos whenever they wish. And an amusing thought, they may have known for quite a while all about what the NSA and CIA have been up to round the world. Maybe more than Snowden? And maybe been allowing some misleading "hacks" into their own systems for good measure?
-
-
Sunday 14th June 2015 19:53 GMT Paul Crawford
Re: What the Chinese did with it?
Maybe Snowden's documents were the source, or maybe this mega-hack. Who is to say the UK has not been popped (or was sharing with the US which clearly has been)?
If I were Russia/China it would make sense to say it was Snowden to disguise being in on this hack, for example.
Similarly if I were the USA/UK it would make sense to use Snowden as a stool pigeon to try and deflect public anger from the piss-poor security in place and/or the lack of appreciation of what such a massive database of all security-checked staff could mean when leaked.
-
Tuesday 23rd June 2015 15:51 GMT Anonymous Coward
Re: What the Chinese did with it?
That Sunday Times article is paywalled, but the same subject is covered elsewhere:
"RUSSIA and China have cracked the top-secret cache of files stolen by the fugitive US whistleblower Edward Snowden, forcing MI6 to pull agents out of live operations in hostile countries, according to senior officials in Downing Street, the Home Office and the security services. "
Technically plausible? Possibly. Actually credible (given the sources): not here it's not. "They would say that, wouldn't they. And they have a long long long record of consistently misleading the public."
-
-
Sunday 14th June 2015 20:18 GMT Roland6
Re: What the Chinese did with it?
Depends who "the Chinese" are. If they are government then I suggest they will do the same as we did in WWII and for many decades afterwards over Bletchley Park, namely keep very quiet and use the information wisely.
Given what is on Form 86, I suggest it is information with a very long shelf life, which can also be used to cross match data from other 'public' sources. So they know who your children are and where they are...
-
Sunday 14th June 2015 20:33 GMT x 7
Re: What the Chinese did with it?
As I said before...when cross matched with the medical insurance data they've already ripped off they have a lot of info on a lot of potential targets that's going to have a very very long shelf life.
As of now, everyone on that list is a potential target for threat blackmail or extortion. That by implication means no-one on that list can be trusted. Everybody - and I mean everybody - with a security clearance is going to have to be turned over and checked thoroughly. It's going to make the McCarthy era look like playtime.
-
Monday 15th June 2015 09:20 GMT Charles 9
Re: What the Chinese did with it?
"Everybody - and I mean everybody - with a security clearance is going to have to be turned over and checked thoroughly."
Credits to milos the FIRST people turned are going to be the CHECKERS, putting you square in a "Who Watches the Watchers?" scenario and no way out since you need checkers to hire more checkers.
-
-
-
-
Sunday 14th June 2015 08:16 GMT Afernie
Isn't there an agency dedicated to preventing this?
Pretty sure it's the one with the motto that reads "Defending Our Nation. Securing The Future." What's that you say - they couldn't spare any analysts or budget because they were too busy checking up on their girlfriends and sifting through US citizens' email for fun and profit as much as any security objective?
For shame...
-
Sunday 14th June 2015 18:32 GMT RegisterYank
Forget all that yap, the danger is....
You just handed at least one foreign intelligence service a concise list of persons to check, which filters out all the non-sensitive government employees and all the general population. Then you give their spy service a list of potentially key people who can be blackmailed or a list of their loved ones that can be threatened or kidnapped.
And yet, this is not the major story that it should be. The US government is spending trillions of dollars to trample on the privacy of everyone on the planet, yet cannot be trusted to maintain the security of a simple database.
They'll eventually sacrifice some minor government functionaries and never change their priorities.
-
Sunday 14th June 2015 20:01 GMT Paul Crawford
Re: Forget all that yap, the danger is....
Sadly it could get worse, the original hackers could paste it on a torrent or similar to provide plausible deniability for the state about acting on the information in it, and just say they got it from the hackers' public posting. That way other nations and every low-life scammer out there would have the treasure trove as well.
I feel sad for all of those US citizens now at risk and angry that their government was so stupidly cavalier in having such an important database on a public-connected system (probably?) with such a poorly thought-through security aspect as this.
They pay billions for the NSA and the least they could have done was get them to give the whole system and its management a once-over. Scrap that, Snowden showed even they had not thoroughly thought-through big system security.
-
Monday 15th June 2015 08:02 GMT Wzrd1
Let's put it this way
I have filled out the SF86 four times in my life, first when I worked with nuclear weapons, then with other highly sensitive operations and recently, for a job in the civilian world.
So, as near as I've been able to ascertain, the PRC knows everything about me - for the past 35 - 40 years.
Save, for some military duties.
Federal positions' specific duties are outside of OPM's purview.
-
Monday 15th June 2015 19:30 GMT RW
Putting that stuff online was asking for trouble
Sure, they didn't mean to put it online, but where there's a connection to Ye Olde Internette, there are hackers, and they are smarter than you are.
Information that should never be leaked should never be digitized. To do so is asking for trouble.
-
Friday 19th June 2015 15:37 GMT laird cummings
One-stop shopping for ID thieves; but necessary
The article makes it sound all so pointless and sinister and intrusive... Well, they're right on intrusive, but then, you don't have to ask for a security-clearance job, either.
The primary point of the SF-86 is to give the suits doing your background check a leg up, so they don't have to spend so much money checking you out. If they had to do it from scratch, it would take years, and cost millions - per clearance.
It's not JUST the leg up, either; those references that they could 'just look up' themselves? Who you pick as your references tells something specific about *you* - your judgement, that is. Did you pick morally-upstanding citizens? Or did you cite your drug-smoking trouble-making friends? (I have literally seen just exactly that on an SF-86!) If you lack the judgement to cudgel your brain for a few 'good citizen' references (or don't have any!), then the guys in suits can bin your application for 'demonstrated poor judgement' and save the taxpayers a lot of cash.
The more complete your SF-86, the less it costs for the government to make an informed decision about your judgement, trustworthiness, and lack of hostile influences - All of which are necessary. It generally works out pretty well - Despite some very public breaches of late, the VAST, overwhelming majority of security-cleared persons go about their jobs in a trustworthy manner, day in, day out, for their entire careers.
Which of course makes the breach of trust on the part of the government that much worse. I'll guarantee you that my name is in that pile of data. And my wife's. And my father's. My children. My siblings. And pretty much all of my friends. Every last one of us, betrayed by the government to whom I (and my wife, and my father) rendered faithful service.
-
-
Friday 24th July 2015 17:53 GMT laird cummings
Re: One-stop shopping for ID thieves; but necessary
What you *do* is not place it in an internet-accessible archive. Also; you apply solid security standards to the archive. And you segregate the archive into 'current' and 'historical.' There's generally not much call for SF86s from twenty years ago, though some MAY be called forth to corroborate a current case - But every instance where the form isn't being used for current clearances should be pushed right back into the 'History' bin, which should be kept 'near-line' as opposed to 'on-line.'
-
-
-
Friday 26th June 2015 06:32 GMT Anonymous Coward
Spooks play the victim to gain sympathy.
From another perspective, perhaps the reason they are advertising this and wringing their hands so publicly is because this information is fundamentally useless to anyone.
If the leak was really so damaging, they would not be making a deal about it. The reason they need to squeal like stuck pigs is to ensure that we understand how vital the "intelligence" services are, and so feed them more money to help beef up their defences. Help them recover from this tiny lapse, the poor dears.
We've been well primed over the years to sympathise with alcoholics, depressives, kleptomaniacs and homosexuals, so helping the spies get back on their feet should come naturally to us.
(Along with hating even more the Chinese and Russian evil doers.)
This is nothing more than the spies' equivalent of a fraudulent "Flood appeal".
Crafty buggers.