Dossiers on US spies, military snatched in 'SECOND govt data leak' A second data breach at the US Office of Personnel Management has compromised even more sensitive information about government employees than the first breach that was revealed earlier this week, sources claim. It's possible at least 14 million Americans have chapter and verse on their lives leaked, we're told. The Associated …
Why dont I just get on the internet and post my entire identity myself to save the hackers time?
Its going to get to the point we can claim identity theft for almost any bad action that occurs, insufficient funds...well someone must have stole my identity...
I get like a letter from the military, banks, health insurance, government every few months saying my information may have been compromised....Who else wants it send me an email address and Ill send it right over if you havent gotten it off bit torrent or some tor site yet....FML
"Its going to get to the point we can claim identity theft for almost any bad action that occurs, insufficient funds...well someone must have stole my identity..."
A friend of mine used to have a job in a certain bank's fraud dept, tracking down people who were "impersonating themselves" - ie, getting cards, maxing them out and then claiming their identity had been stolen and they hadn't really spent all that money...
The IT questions in Section 27 are interesting:
Have you illegally or without proper authorization accessed or attempted to access any information technology system?
Have you illegally or without authorization, modified, destroyed, manipulated, or denied others access to information residing on an information technology system or attempted any of the above?
Have you introduced, removed, or used hardware, software, or media in connection with any information technology system without authorization, when specifically prohibited by rules, procedures, guidelines, or regulations or attempted any of the above?
If you're applying for clearance to work at the NSA, the correct answer is presumably "yes".
This post has been deleted by its author
Except this isn't just 'government' - this is real peoples' lives we are talking about here.
What if you had to have this clearance to work on a particular project for a US company and your details ended up in this database? How would you feel then, knowing that your loved ones might be in danger if you know something they want? Or how about the worry of traveling abroad and wondering if you'll get 'snatched'?
Ok, a bit melodramatic perhaps, but it's a possibility. It's also one very good reason I don't actual put information online about what I do, it's just not worth the risk of painting a target on yourself if someone decides they want that information - whether it is another state or a criminal gang.
For some reason I am reminded of the railway workers working on the Jubilee line at Canary Wharf jeering at the now unemployed workers leaving Lehman Brothers with their box of possessions in their arms - none of whom you could ever accuse of being a fat-cat or responsible for the crash - they were just office workers. Not nice.
That sounds like an excellent idea AC. One question though: If you were to set up such an organisation, how would you ensure it spent its time productively down in the stuffy server room, diligently sweating over firewall rules and meticulously scrutinising all the (imported) hardware and not out whiling away its time on phun & phrivolous diversions like playing with Angela Merkel's mobe, or attempting to hoard the entire world's IP traffic, or whatever?
Yes, one wonders where the U.S. Cybersecurity Command (The arm of the NSA that is supposed to defend U.S. networks) was on this one. Maybe their guys had all been borrowed by the rest of the NSA to go through honest citizens' mobile phone metadata.
After all, who could possibly want to attack a bunch of servers that had the security background check data for just about everyone who works for the U.S. government and is not in the DoD/intelligence agencies?
"... back at the ranch, they want _less_ powerful encryption, and _more_ back doors into equipment."
No they don't. They're just saying that (over and over and over again) in the hope of undermining some of The Snowden "Revelations". Don't take the word of politicians and spooks at phace value. Idiot!*
*(by your own admission) ;o)
Total information awareness == total information clusterf*ck.
This is data held in the name of "national security" so I suspect it has no back date cutoff. In fact, I suspect they went ahead and digitized data from the earlier times and added it to the archive.
It's just unbelievable that this sort of information isn't tucked into a properly secured, possibly air-gapped network. I'm also not believing the revered NSA was unaware of it. As recall reading somewhere (and naturally, I can't find the reference now) that they are also tasked with protecting government systems from outside attack.
I think if I worked for any agency (especially any of the 3-letter ones), I'd be looking for a new job because sooner or later, someone's going to come looking for those employees.
As a citizen, I'm wondering if it would be just as well to pave over the Fort Meade compound and turn it into a parking lot. It might be just as effective.
Problem being millions and millions of people have security clearances (me included)..the form is over 100 pages...how would you get millions of people into an air gapped network to fill it out...hence its available on the internet and my guess is it wasnt nearly as hard to get into as even they are acting like it was.
I would hope it would be very well secured, but since in my experience many of their these programs dont take some basic steps and many of the ones they do don't really do that much to protect the system so I am hardly surprised.
how would you get millions of people into an air gapped network to fill it out
Err... You are mistaking two things. The process of filling it out and the process of keeping the record.
While the data is filled out, checked, verified and clearance granted or denied the record cannot be air gapped. However that is at most thousands at any given time.
Once the clearance is granted the record should go into deep freeze storage and not be accessed unless you need it for investigative purposes. You can at most instigate a one-way incoming data feed strictly in specific format for audit purposes (literally cut off the return wires/fiber). Even if queries are allowed they should be viciously rate limited.
This was the procedure in the days when this was on paper. You could not just ask "Can I have the whole archive, thank you". This should have been the design today, when it is electronic. However someone fond of big data and total information awareness made the data searchable and accessible in realtime.
It's the same story as with Snowden and Microsoft Sharepoint. Someone committed a court-martial offence by authorizing the storage of classified data in a form which is not fit for purpose. However instead of having the stupid moron court-martialed, named, shamed, his government pension removed and thrown into chokey we are now blaming the Chinese.
No. Maybe it's because I'm almost passing out - having read all night (Hunter S. Thompson's Hell's Angels etc) - but it suddenly seemed to me it was more believable that there was no 'hack'. This is just to make the US public (and all the other paranoid Westerners) to lose whatever vague sense of comprehension they might have thought they had re: cyber(sic)urity that coupled with the limited possibility anyway that they'd have seen this as primarily a US fail, they'll now be so utterly lost they'll all but beg the var. Govs to do absolutely anything the Intelligence Agencies say they need to do, just when there is the hint - on both sides of the Atlantic - of the pretence of a smidgeon of accountability turning up and giving us ideas above our station.
(Nb. Apologies if this is as hard to read as it feels. More than me falling asleep at the [mouse]wheel, here, near the end of the book is some Ginsberg. I saw the best minds of my generation destroyed by trying to parse Ginsberg).
"Apologies if this is as hard to read as it feels."
It is!
It's an interesting idea though... if I managed to parse it correctly! A sort of cyber-variant of the "9 11" conspiracy theories, except plausible because:
1) You're not suggesting that the US TLAs killed thousands of Yanks. Or actually did anything at all.
2) There's no reason (other than the politicians' words - and we know what they're worth) to believe that anything at all has even happened.
If you're right, I'm not sure the motives are what you (appeared to) imply. I can't see how you'd spin this entertaining débâcle into a compelling argument to stem the apparent tide against US surveillance... "Er, you remember all that data you were making all that fuss about? Well, you'll never guess what. Some bastard's only gone and nicked it. So we're gonna have to collect it all again. All-right?" (?!)
Definitely worth keeping an eye peeled for signs of slightly more subtle / less direct motive in a similar vein. An obvious candidate that just popped in: I wonder what odds one can get for a flutter on this incidentoid, in due course of course, being "traced" to Huawei network kit...
I have a more boring TLA explanation: CYA
So far we have seen the following official explanations in the press:
"zer0 day vunerablities"
"Snowden told the Russians and Chinese where all our spies are"
"Breach uncovered during a security product demo" Wall Street Journal.
Only number 3 smacks of reality. I suspect the dire state of US Gov't data system security is just beginning to be discovered by the pols.
If heads don't roll now, they never will. This is because bureaucrats and politicians are all the same, protect thine own ass first, everything else comes second, including your data security and personal privacy.
The next "mitigation" will be to unplug all the government networks and go back to using typewriters. That' ll show'em.
Let's see how easily the Chinese can hack into our (unlocked) filing cabinets.
And don't you worry, there will be free identity theft insurance, all paid for by Joe Q. Public.
The pols have known about this for decades. But they haven't done anything about it because it's not sexy. It's like their choices when building new roads or repairing the old ones. Since they can put either their or their friend's name on the new road, it gets an earmark every time. Filling the potholes, not so much.
Let's see how easily the Chinese can hack into our (unlocked) filing cabinets.
Fairly easily via the cleaning crews. In fact that's been a problem for a friend of mine. Seems while he was on leave for several weeks they had six alerts for people who should have known better leaving "For official use only" documents on desks in unlocked rooms. Office is in an uproar as the powers that be issue pointless new edicts to try to eradicate the problem. Solution seems simple to me: fire the person on whose desk the information was found, or the person who had access to the information or both.
The problem with suggesting Cleared Personnel get a new job, is that with the SF-86 database cracked.. well, we'd have to get a new life. The SF-86 contains everything over the last 7-10 years; and for some details, your entire life. This can put friends/family (all have to be listed) at risk, leave some personnel open to blackmail, and give an intelligence operator myriad openings for more subtle information pumping.
It also has all the answers to the "are you really you?" verification questions that the credit agencies use: "Where did you live in 2003?" "What is your second child's middle name?" "What was your annual salary in 2011?" ..All in one handy book.
How do you air gap it and still leave it instantaneously available to nearly every other federal department at all of their locations? The two are mutually exclusive. Given our current environment the immediate access concern won out over the air gap concern.
It was recently reported, that after Russians snatched Snowden, Putin's first response was ordering of 300 legacy typewriters for Kremlin staffers. When none of broadly worldwide used US designed PCs and other digital devices, american built OSes and smartphones were free from NSA introduced backdoors and encryption vulnerabilities, while NSA was fully busy in hiding from public their secretely found zero-day software exploits, perhaps Obama should had to follow the only logically possible sound advice. One can not hack what is not there. It was only a matter of time that foreign governments and criminals beyond NSA controls would understand how americans shot themselves in the foot and start doing the same in reverse. Sadly, that is how Russia's new führer outsmarted Obama. One can assume that there would not even be a war between Russia and Ukraine, if American spying data, agents, policies would not be exposed now to any government who want to make fun of them now.
This post has been deleted by its author
This leak, put together with the recent leaks of USA medical / health insurance records together create quite a significant ability to blackmail / coerce key security and military staff.
Interestingly, over the last 12 months there have been multiple attempts both by infected e-mail and phone, of spear-fishing attempts at some (if not all) of the UK providers of health care records. So far there has not been any - known - successful penetration. So far the private UK providers seemed to have resisted penetration - but can the same be said of the NHS Summary Care Records? If that was breached then the potential for damage is quite large.
These are probably the desperate attempts of British people trying to access their own information, the user API's being the last thing built on any system and the Health Care IT projects never getting past the "aborted trial roll-out and massive lawsuit issuance" stage according to stories on El Reg.
Interesting how today's news (14th June) is suddenly full of reports of 'sources' saying that 'Russian and Chinese intelligence experts have decrypted Snowden's documents and now we have had to move all our spies', whereas NOT getting much publicity is 'Russia/China whatever has downloaded all that information unencrypted anyhow'.
I have no idea whether strong encryption was a) used on the stuff Snowden took and b) whether it would be possible to decrypt it if it was. But what a good way of passing on the blame to a scapegoat.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
