Read the damning dossier on the security stupidity that let China ransack OPM's systems

The congressional investigation into the hacking of the US Office of Personnel Management has shown how a cascade of stupidity allowed not one but two hacking teams access to critical government secrets. The 227-page report [PDF] details how two hacking teams, both thought to be state-sponsored groups from China, managed to …

  1. Ole Juul

    The real news

    recommendations include . . . investing in better security systems, and increasing the amount it pays security staff, so that it can get the best talent

    This has got to be the first time I've heard that.

    1. Anonymous Coward

      Re: The real news

      This has got to be the first time I've heard that.

      .. especially in the context of a government organisation.

      Personally, I think the OPM hack was unforgivable as it put a stupid amount of people personally at risk. It means people with a high clearance will get targeted as foreign intelligence now knows for a fact who they are. Worse, it may now also know weaknesses to exploit.

      Given that they were given enough warning, I reckon whoever was in charge of security (on C-level) should be facing severe consequences.

      1. webhead

        Re: The real news

The CIO was new and hired after the hackers were inside the house. I saw a published memo that she was improving the situation. I really think it was more of a case of not enough staff to keep up with the infrastructure care, feeding, maintenance and protection than simply the amount of salary. Especially, considering the news about issues at NASA.

  2. elDog

    Uh - how about a bonus of 20% of net pay after 5 years without a hack?

    Of course, this is the gummint and it can't use inventive plans. And real merit bonuses?

    1. dan1980

      Re: Uh - how about a bonus of 20% of net pay after 5 years without a hack?

      Merit bonuses are great, except governments have rather different ideas about what constitutes 'merit'.

    2. Version 1.0 Silver badge

      Re: Uh - how about a bonus of 20% of net pay after 5 years without a hack?

      That's a great incentive to cover up any hack.

    3. gzuckier

      Re: Uh - how about a bonus of 20% of net pay after 5 years without a hack?

      You mean "without detecting a hack". That's a lot easier.

    4. Tom Paine

      Re: Uh - how about a bonus of 20% of net pay after 5 years without a hack?

      It's nothing to do with the government, it's the state. Americans seem to be congenitally unable to distinguish these two entirely separate and distinct entities, "with hilarious consequences" especially among the mouth-breathing capslock brigade.

  3. Anonymous Coward

    What on earth was going on over there?

    Benghazi was a ludicrous witch-hunt concocted by Republicans trying to attack Hillary Clinton. This is the real deal. People in dangerous parts of the world, doing good work, will die because of this.

    I have some sympathy with an org that gets hacked -- there but for the grace of god, and all-- but OPM were warned again and again by their agency peers (NSA, CERT etc) that they were exposed and they did sweet FA.

    I'm also disturbed by the note on page viii of the report about how they screwed over a supplier, CyTech, by having them work for two weeks, not pay them, and then (!!!) wiped all the evidence that the supplier had collected, so that the congressional oversight committee could not see it. Smells --no, reeks-- of a grade A, ass-covering, nuclear panic meltdown.

    1. IvyKing

      Re: What on earth was going on over there?

      Unfortunately this has been very typical of the Obama administration. In OPM's case, the top management was more focused on "diversity" than doing their job. In HRC's case, the Benghazi mess could also be traced to HRC not focusing on her job as SoS, which in itself is not criminal. OTOH, there is very good evidence that she mishandled classified material in violation of the law on such material, and many sections of the laws she violated do not require "intent" for connection.

      1. Alister

        Re: What on earth was going on over there?

        @IvyKing

        Unfortunately this has been very typical of the Obama administration.

        Did you actually read the article, at all? The roots of this go back way before the current administration, and have absolutely nothing to do with who is the current President.

        But you seem to have a problem with Obama, so it must be personally all his fault.

        I suppose you blame him for the fact I had a shit summer this year, as well.

      2. Version 1.0 Silver badge

        Re: What on earth was going on over there? (offtopic)

It would appear that HRC's mail server was a lot more secure than the official government systems. Frankly this whole aspect of the 'merican presidential race is baffling - we're supposed to hate HRC because she ran a mail server and love DT because he doesn't even read e-mail, let alone run a mail server.

        1. Anonymous Coward

          Re: What on earth was going on over there? (offtopic)

          love DT because he doesn't even read e-mail, let alone run a mail server

          Given the quality of some of his utterings it's worth checking if he can actually read..

          1. Anonymous Coward
            Trollface

            Re: What on earth was going on over there? (offtopic)

            Actually, I think the problem is that he has NEVER seen a working computer.

            Every time he gets near one, a static discharge from his nylon hair kills it.

        2. gzuckier

          Re: What on earth was going on over there? (offtopic)

          That would be Mr. Trump, who was personally "going to see Bill Gates" and get him to "shut down the Internet" "maybe in certain areas" as the answer to the digital security problems of the modern era, if you recall.

        3. webhead

          Re: What on earth was going on over there? (offtopic)

          Security thru obscurity is good. ? Lol. I would tend to agree with your statement about her server but heard only that the data was turned over and not the system files. Considering the state department mail system was having drama, I do wonder why not the private system. Perhaps, she was simply smart /lucky enough to not click on phish.

      3. Tom Paine

        Re: What on earth was going on over there?

        Obama??? have you chaps STILL not come up with the idea of civil servants??

    2. Nunyabiznes

      Re: What on earth was going on over there?

      Benghazi wasn't a ludicrous witch hunt. It was an abject failure on HRC's part personally. There are other endemic issues with US embassy security that stretch back well before this administration, but that specific attack's eventual success was a direct result of HRC's leadership. Part of her remit was embassy security worldwide. There were too many issues for any one SOS to fix, but she could have at least started.

      HRC's email server issues will never be fully known. There could well have been hackers running rampant on it (and the available evidence suggests there were) but her staff did their best to dispose of anything incriminating - which is incriminating in itself.

      Also, OPM was warned well before Pres. Obama took office and he knew of at least some of the issues when he appointed Katherine Archuleta (after other directors had failed). I won't lay the blame on Pres. Obama because he at least tried to appoint someone to houseclean. He might have been a little naïve about the bureaucracy in OPM however. Now would be a good time to sack the whole lot of OPM leadership including the head of IT. It won't be done because the bureaucracy controls DC and even an administration that reflects the values of the majority of the members of said bureaucracy can't fix it.

      1. Tom Paine

        Re: What on earth was going on over there?

If the Secretary of State has ANYTHING WHATSOEVER to do with specific security arrangements at foreign embassies and the like, you're doing it wrong at a far more fundamental level than having the wrong politicians in power. This is how you end up with insanity like politically elected judges and police chiefs. No wonder the US is so fucked...

    3. ShiftedParadigm

      Re: What on earth was going on over there?

What the Republicans did after the fact doesn't change that the Benghazi attack was a ludicrous arms deal in a very dangerous part of the world that went very wrong.

      No less than 3 people died "doing good work" trying to keep the ambassador Stevens from getting killed. That no air support came from NAS Sigonella or Aviano Air Force base in Italy tells me that someone higher up in the chain of command hung Ambassador Stevens out to dry along with everyone else at the consulate and the annex.

Why they didn't send even one F-16 or F/A-18 the 1,000 or so miles from Aviano to Benghazi or the 500 or so miles from Sigonella to Benghazi to help is anyone's guess, but they could have been scrambled when the attack started and arrived before it ended.

  4. lukewarmdog

    "increasing the amount it pays security staff, so that it can get the best talent"

    Surely firing all the current staff first however as they've proven to be incredibly incompetent.

    Also find it a bit weird that the NSA merely warns you that you are riddled with malware. I'd have thought maybe they'd have popped round for a chat, turned your servers off and purged them. Unless it was somehow in their best interest to allow a massive hack like this to take place of course..

    1. Anonymous Coward

      Of course it's important the NSA allow hacks to happen. How else are they going to scare up enough money to keep up the massive surveillance on its own population and also use these hacks as a source of malware and exploits for its own use.

  5. frank ly

    Personality test

    "... it had been attacked, but said that only computer manuals had been stolen and no personal information was missing."

    Did you laugh or did you cry when you read that statement?

  6. Omar Smith

    Chinese hackers stole documents

What evidence is there that the hack was done by state-sponsored groups from China? Who decided to put such confidential personal records on a computer connected to the Internet? Assuming that OPM was aware of a breach since 2005, why were 'fingerprint files' still on a computer accessible to the Internet right up to 2015?

    1. Version 1.0 Silver badge

      Re: Chinese hackers stole documents

Omar - you have to be new here - have you never read the BOFH?

      Stuff like this happens all the time - upper manglement orders middle manglement to make their life easier and fix it so that they can run the office from their phone. Middle manglement tell the techs what they want. The techs say, "but this is a security risk" and the middle manglement tell them to do it anyway because the PHB has ordered it.

      But maybe they just outsourced the whole project to the lowest bidder ...

  7. Captain Badmouth
    FAIL

    Katherine Archuleta

    America's answer to Dido Harding?

  8. Captain Badmouth
    Devil

    A million years ago....

    well 2007 then, I received the following reply to my complaint that the application for an NHS post was not via a secure channel :

"Thank you for your email.

The site is secure, in that it is in a secure data centre with several layers of network access security. Your data is stored in a protected database server, only available to you when you log in with your username and password and, where applications are completed, available for viewing by the employer that advertised the vacancy that you submitted the application for. Your data is not 'sent' anywhere, but is viewable through the web browser by you and the employer for which the application was intended once you or they have logged in to the site.

Making an application online without encryption is in line with normal practice on jobs and recruitment sites. However, more importantly, all aspects of the service and how it operates have been the subject of a review by an independent security consultant and by the Dept of Health security officer before the service went live.

I hope that this has addressed your concerns."

Plus ça change eh? Names redacted to protect the guilty.

    1. Alan Brown Silver badge

      Re: A million years ago....

      "2007 then, I received the following reply"

      My response to that turd would have been to forward it to the ICO and Cc a few tech media types on the complaint - and no, I wouldn't have redacted any names.

  9. Anonymous Coward

    p229 - wow. Security spending on Agriculture NINE times more than that of human cattle. Heck even housing /urban development spent nearly twice as much as OPM.

  10. Nocroman

    Same Old Government Ways.

    Yup It's the same old government way of doing things. Extend the contracts, increase the pay so it costs more tax dollars, and you can't fire the rejects that can't do the job.

Hire and give our hackers a good paying job as they are better than what you are going to find out of some college where the professor is teaching skills from the last generation. Put the person (a Hacker) whom they respect the most as the best in the top position, and listen to what he says. DO NOT put some pompous AHOLE in charge. Set up your teams with the best equipment money can buy. That's the way to efficiently spend our tax dollars.

  12. JLV

    In hindsight and foresight

    Given the specific nature of this data it should have been extremely well protected. I mean you hear how some F35 design data might have gone missing. Big deal, potentially, if there is a hot war with someone who got that data. This stuff is presumably highly defended.

However, OPM info is not just _potentially_ damaging. Anyone who has it wanting to coerce or turn US govt employees can use it right away, no need for a war. Think back about the Cold War and all the spying going on in those days. This would have been the jackpot, for decades. In a fallback they can always turn it loose for identity theft - for profit or destabilization.

People up and down OPM's IT org should be _fired_ over this. Not _just_ top managers, also any techies/mgmt in a position to remediate/mitigate but incompetent enough to let it happen. The only real excuse is at points where it can truly be shown to be a flagged budget/resource shortfall - then that axe should chew its way up the relevant management, from the levels where spending authority starts, going up.

    Not scapegoating, no, but rooting out incompetence, yes. "Pour encourager les autres"

    1. Charles 9

      Re: In hindsight and foresight

      And then you just end up with worse and a shoestring budget.
