Second OPM Hack Revealed: Even Worse Than The First
from the the-federal-government,-ladies-and-gentlemen dept
Oh great. So after we learned late yesterday that the hack of all sorts of data from the federal government’s Office of Personnel Management (OPM) was likely much worse than originally believed — including leaking all Social Security numbers unencrypted — and that the so-called cybersecurity “experts” within the government weren’t even the ones who discovered the hack, things are looking even worse. That’s because, late today, it was revealed that there was likely a separate hack, also by Chinese state actors, accessing even more sensitive information:
The forms authorities believed may have been stolen en masse, known as Standard Form 86, require applicants to fill out deeply personal information about mental illnesses, drug and alcohol use, past arrests and bankruptcies. They also require the listing of contacts and relatives, potentially exposing any foreign relatives of U.S. intelligence employees to coercion. Both the applicant’s Social Security number and that of his or her cohabitant is required.
In a statement, the White House said that on June 8, investigators concluded there was “a high degree of confidence that … systems containing information related to the background investigations of current, former and prospective federal government employees, and those for whom a federal background investigation was conducted, may have been exfiltrated.”
“This tells the Chinese the identities of almost everybody who has got a United States security clearance,” said Joel Brenner, a former top U.S. counterintelligence official. “That makes it very hard for any of those people to function as an intelligence officer. The database also tells the Chinese an enormous amount of information about almost everyone with a security clearance. That’s a gold mine. It helps you approach and recruit spies.”
And yet… this is the same federal government telling us that it wants more access to everyone else’s data to “protect” us from “cybersecurity threats” — and that encryption is bad? Yikes.
Filed Under: china, hack, leak, opm, security clearance, sf-86, sf86
Comments on “Second OPM Hack Revealed: Even Worse Than The First”
Worrisome, but not surprising
Make the target valuable enough, and it’s not ‘if’, but ‘when’ it will be hacked.
This should be held up as a perfect example of why it’s a terrible idea to engage in mass spying and data collection, because even if the ones doing it never use the information themselves, such a database is an extremely tempting target for anyone, government or otherwise, who believes that the data is valuable.
If the database exists, it will be hacked, it’s only a matter of time, meaning it’s better to never create it in the first place.
Re: Worrisome, but not surprising
But if you do create it, some encryption might come in handy.
Just saying…
Re: Re: Worrisome, but not surprising
The REAL question is – why the hell is this even on the net in the first place?!?!?! You don’t take databases with the most sensitive info and place them on the open net. Basic Security 101. At least make the fuckers have to send a spy in person to infiltrate the facilities – hasn’t decades of James Bond movies taught them anything?
Re: Re: Re: Worrisome, but not surprising
They probably put the database online because… well, it’s the Federal government.
The database was originally created to be used, so while sticking it behind an air gap would have been the smart thing to do, it was not the useful option.
It was also probably created because the government has a pathological need to retain any information it ever obtains.
As for exactly how it ended up online? The people actually getting paid for implementing it either picked a simple standard online database setup to allow access from anyone who should be throwing data at it. Or the people overseeing its creation were easily wowed by the prospect of the database being available to their people nationwide, without any thought to security because they weren’t techs, just administrators with no real understanding of network security.
You know, the same kinds of people that just say, “well, our people are smart so encryption golden keys are the way to go. Because, we need to see what other people are doing, and our people can figure out a way to keep everyone else out.”
Re: Re: Re:2 Worrisome, but not surprising
Yeah, only the government does stupid stuff like putting sensitive information online. Corporations would never do that and that is why corporations have never had any data breaches and your information is truly safe with them – but not the government!!!
Re: Worrisome, but not surprising
Time to take a page from the terrorists’ book and create some sort of cells for databases? The whole database wouldn’t be compromised just because a part of it was.
Now how the heck you would go around building a database like that I’ll leave as an exercise for the reader 🙂
Re: Re: Worrisome, but not surprising
Ever since Iraq 2003, Western super powers are the terrorists.
Re: Worrisome, but not surprising
Agreed. The Feds can’t even keep their own data secure, and we civilians are supposed to trust them with ours?
This ought to (but won’t) completely kill the idea of key escrow and the Feds logging and archiving private data.
I’m probably more trusting than I should be regarding motives, but I’ve never been trusting re competence. I’ve never applied for a security clearance, and can’t imagine doing so.
Anyone who did trust the Feds’ competence by (honestly) filling out a Standard Form 86 has now been proven a fool – anything embarrassing, or even just useful for leverage (which relatives to threaten…), is now in play.
And these incompetent fools are telling us to trust them with our data?
doomed i tell you, we’re all doomed
Jealousy Personified
The NSA brass took a look at what Standard Form 86 looks like and asked the head data collector “Why don’t we have that kind of data?”
The question arises
If the Chinese are stealing our personal information, why are we still on diplomatic terms with them?
They’ve stolen the top level personal information of our government and now the Chinese know all about their life problems.
I smell blackmail in the air.
I just wonder how stupid the government really is. They just admitted their entire personnel files are now in the possession of a semi-hostile country.
Data that was not encrypted, due to utter stupidity and belief that they would be able to prevent/stop such events with the usual derring-do. They failed this one miserably.
Also the same government that has been trying to blackmail/cajole Microsoft and other big computer companies to allow them a backdoor into the systems, and forbidding encryption.
Looks like the government now needs “Life Lock”.
Re: The question arises
“If the Chinese are stealing our personal information, why are we still on diplomatic terms with them?”
Because high-level U.S. and Chinese politicians belong to the same club. They’re basically the same, just with different names.
Re: The question arises
“[…] why are we still on diplomatic terms with them?”
This is how the intelligence game is played. Back in the day, it would have involved someone going in and physically photographing or copying files. Nobody’s going to war or breaking off relations due to something like this, because I can tell you with perfect certainty that everyone involved in international espionage/politics is pulling the same shit. The only real shame on that field is getting caught red-handed with enough evidence for a courtroom. And even then the worst that really happens (publicly, anyway) is the international equivalent of name-calling or a few agents getting tossed in the clink.
Re: The question arises
The US is so in debt to China that the Chinese practically own it now. You could say that the Chinese are just keeping tabs on their investment.
Re: Re: The question arises
This is simply incorrect, care to provide some data to back up your claim?
Re: Re: The question arises
“The US is so in debt to China that the Chinese practically own it now.”
Not true. China isn’t even the #1 holder of US debt. You know who is? US citizens and companies.
Hate it
Okay, now I am beyond mad, 20 years in doing things for my nation and they did stupid mistakes like this. And the kicker, they plan to offer free ID protection for a year to cover this. The SF 86 is a complete record of everything with the exception of what the individual ate for dinner last night. I can honestly say I am scared for my family. Now I need to recreate everything using BS answers to security questions. I think a suitable answer for all security questions would be IH8UGOVOPMAHOLES
Re: Hate it
Don’t forget lowercase and special characters. In this case, a couple of well-placed exclamation marks might just be what’s called for! 😉
Re: Re: Hate it
I know, but whenever I type a sophisticated password, the NSA which hacked my phone automatically corrects it to be weaker.
Re: Hate it
‘This form will be used by the United States (U.S.) Government in conducting background investigations, reinvestigations, and continuous evaluations of persons under consideration for, or retention of, national security positions as defined in 5 CFR 732, and for individuals requiring eligibility for access to classified information under Executive Order 12968.’
translation: We may leak such compromising information against you if you discover illegal activity by a U.S Government agency and attempt to disclose such to the media.
https://www.opm.gov/forms/pdf_fill/sf86.pdf
Re: Hate it
Captain, thank you for your 20 years of service. I mean that sincerely.
I’m sure you meant well, and perhaps you even did good things to help your neighbors and the world.
But, with all due respect, trusting the Feds to keep your SF86 information secure was…foolish. And now you’re going to pay the price.
Re: Re: Hate it
Unfortunately, you don’t get a lot of choice in the matter for many lines of work. My info is somewhere in that pile as well, from when I had to get a clearance to do my job….which, given the economic downturn at the time was quite nice to have given the many rounds of layoffs my company had gone through.
Government Agency
If only the US had an agency whose sole purpose was to find ways to defend our nation from cyber attacks by creating super sophisticated encryption which is easy to use with multiple levels of protection. You know, an organization which would not only prevent Whitehouse.gov from being hacked, but also prevent all networks from being hit. Hmm what would we call it, National Protection Agency NPA. Nah, what about National Security Agency NSA. It has a nice ring to it.
Re: Government Agency
“If only the US had an agency whose sole purpose was to find ways to defend our nation from cyber attacks”
Because the true purpose of such agencies is to protect the real rulers of America from you the people. Once every four years you get to pretend to pick your own leader.
Encryption anyone
Seems like the war on encryption ought to be over now. Encryption would have helped in this case. The gov’t can’t very well now argue that only criminals need encryption. All you have to do is say, “What, you don’t like encryption? What about OPM? … Thought so.”
Whoever didn’t encrypt this data was negligent at a minimum. Gov’t being what it is, no one will be fired…
Re: Encryption anyone
“The gov’t can’t very well now argue that only criminals need encryption.”
The government doesn’t really care about your privacy. Only its own, not because of anything resembling national security but only because it doesn’t want to get embarrassed.
So is it just the government claiming China did it? At this point I wouldn’t even believe them if they said that NSA did it on WH orders.
Cost vs benefit program.
Let’s weigh the cost vs benefits of having the NSA around.
NSA- Helped destroy the world’s view on the US being a great nation. Ticked off everyone on the planet with the exception of the guy living under the rock in the GEICO commercial. And cost a lot of money each year to operate even though people are going hungry in the streets.
$60 Security program- Found major security violation and malware on the span of a 30 minute sales demo. Did not possible off the entire planet. And can back up everything it does in a clear manner. Looks like the NSA needs to shut down.
And one of the roles that the NSA is supposed to perform for the US Government is ‘Information Assurance’:
https://www.nsa.gov/ia/ia_at_nsa/index.shtml
“NSA’s Information Assurance Directorate (IAD) protects and defends National Security Information and Information Systems, in accordance with National Security Directive 42. National Security Systems are defined as systems that handle classified information or information otherwise critical to military or intelligence activities.
IAD is responsible for NSA’s defensive mission and is widely acknowledged for leading innovative security solutions. Partnering extensively with government, industry, and academia, allows IAD to ensure appropriate security solutions are in place to protect and defend information systems, as well as our Nation’s critical infrastructure. IAD’s work is guided by its vision to create “Confidence in Cyberspace.”
Seems to me that it’s high time we drag the current and former heads of the NSA before Congress and ask them how this happened on their watch. Of course, like what happened with the financial crises, bringing anything into the public sphere would be tantamount to being ‘too big to fail’
Uh, guess what just happened……
One more reason to screen my phone calls:
“This is the IRS, if we do not receive payment within the next 30 minutes, we will send someone to your house to arrest you…”
“Our son was killed in Afghanistan/Iraq and we need to pay for funeral costs. The government isn’t helping us. Would you please donate some money?”
“You have won $1,000,000!!! Just wire us $1,500 from your bank account to cover the processing fees and the money will be delivered!”
“Hello, this is Chinese Intelligence. Have you thought about the lucrative business of trading government secrets?”
So isn’t it about time someone asked Mitch McConnell why he wants to make it easier for the Chinese government to steal US secrets?
I wonder how long before we start hearing about people in foreign countries being arrested and tried as spies, courtesy of the Chinese. Be curious if anyone in charge of the security for this happened to receive a large cash payoff in their bank accounts prior.
OPM Managers Need Lessons in Online Security 101
This is an unmitigated disaster for the US.
Putting all that sensitive data on a computer connected to the Internet was a bad idea from the get-go and those in charge should have realised that from the beginning. If nothing else the very act of putting it online meant that they were painting a large red target on that data, daring hackers to have a go at breaching security and exfiltrating it. Which, thanks in part to pitiful security, they not only succeeded in doing, but were able to get away withOUT detection until pure chance and a product demo exposed them.
At the very least somebody needs to get fired for this, although chances are it will be some poor schmuck at the coalface end rather than those higher-ups whose decisions (or lack thereof) led to this fiasco.
I am aghast.
Can anyone tell me why data this sensitive was not stored encrypted?
Does the US government not have an IT department?
Re: I am aghast.
It was outsourced to China.
Well, that’s what you get when your government is full of delusional corrupt idiots.
You would think there was a lesson here for the US gov:
1. You can hardly blame the Chinese [if it was them] when NSA is doing same
2. There is no excuse for not securing deeply personal info in your possession. Businesses are required by law to do that. Encrypt the data, air gap the really sensitive stuff
3. Breaking that encryption for your own purposes pretty much invalidates 2. Encryption is useless if it has a back door.
Unfortunately the response to this will be nothing but red faced silence. What should really happen now is that the US get rid of all the intelligence staff compromised (this is a way bigger risk than Snowden) and start again. This lot are so corrupt, that is probably a good idea anyway.
Looks like everyone’s been doxed. Oh well, it seems like everyone’s personal information is already on the Internet these days so what difference does it make anymore.
Re: Re:
I’m sure it’s not a big deal, after all, ‘If you’re not doing something wrong, you have nothing to hide’, and of course we can’t forget that the data was being held by a third party, so there was no real expectation of privacy anyway.
Fuck, I’ve had to get government security clearance before for a job, that means the Chinese have my info now…
Re: Re:
Personally, I am more nervous about the US having my personal info than about China having it.
NSA/Israel not China
All roads lead to the Whitehouse.
No evidence of Chinese = evidence of NSA probability
Not really, but c’mon, it’s the NSA and its friends (Israel) doing this spying.
Learning from the Pros
Gotta love the Chinese resilience.
Having been hacked and blackmailed by the US spy agencies for years, they have finally turned the tables and joined The Five Eyes Blackmail Game, by learning how to blackmail the Five Eyes’ member nation’s spies themselves.
I guess the leaders of the Five Eyes thought that they could secretly survey and blackmail the world and the world would just obey them and bend over, and not try and protect itself from them. They didn’t even bother to secure their own data because they think the rest of the world is composed of lesser beings.
What a bunch of self-important, arrogant, morons.
The leaders of the Five Eyes have opened a can of worms they are definitely not going to like, as they have forced the world to fight back against the monster – to fight fire with fire and learn how to blackmail the blackmailers.
Coming soon: Public Encryption Security Training Control
===================(PEST Control)=================
—
Someone tell me how this is because of Snowden?
Well, good to know China has my SSN now.
Data insecurity
1) Office of Personnel Management didn’t use encryption to store Social Security & Credit Card numbers.
2) Office of Personnel Management used Microsoft Windows, the most exploited (hacked) operating system in History.
That sounds like good stuff to have available online
What I don’t understand is why stuff like this needs to be accessible from internet connected systems? You hear FUD about attacks on the power grid and how we need cyberwarfare capabilities. But the simple answer is to not have this stuff connected to the internet.
Much worse than Edward Snowden affair
The OPM disaster is MUCH worse than the Edward Snowden affair. Snowden only exposed illegal government activity — much like Watergate — which we now regard as an heroic action.
OPM is a REAL disaster
As far as China and Russia having Ed Snowden data: if they did they sure wouldn’t let you know about it. The latest on Ed Snowden is just static to help cover up the OPM mess
hot mess, make that
Another thought
Since the second of the two incursions has been revealed, one must wonder how far back the records that have been stolen go back? Years or decades?
Because when you read it properly, Edward Snowden’s personnel information is part of it, as are probably most of the NSA’s.
I wonder if he knew about the operational insecurity of the OPM?
You have to admit that it would have saved an awful lot of hot mess if he had warned the government about it before it happened.
In that case, he would have been awarded a medal for it and given a better job.
But history had another idea. That’s why he’s in Russia and facing charges that he stole data from the government and our government’s had their information stolen by a foreign entity called China.
It boggles the mind to know that the government completely overlooked their own data and failed to do the most basic security steps to protect it.
Snowden is the least of their problems right now.
Way to go, USA!
Re: Another thought
“I wonder if he knew about the operational insecurity of the OPM?”
Maybe. Doesn’t really matter.
“You have to admit that it would have saved an awful lot of hot mess if he had warned the government about it before it happened.”
Unlikely. History shows – repeatedly – that such warnings – at best – would have been ignored and at worst would have been received with great hostility.
“In that case, he would have been awarded a medal for it and given a better job.”
No. Having embarrassed the Authorizing Official (required under FISMA, look it up) for whichever system it was, he’d have been lucky to have gotten the equivalent of an “atta boy, good job, go back to work” and subsequently having the report shelved, not to be looked at again until some reporter filed a FOIA request for it.
Re: Another thought
You have to admit that it would have saved an awful lot of hot mess if he had warned the government about it before it happened.
In that case, he would have been awarded a medal for it and given a better job.
No, he would have been prosecuted on multiple felony computer abuse charges.
Re: Another thought
“You have to admit that it would have saved an awful lot of hot mess if he had warned the government about it before it happened.”
He did.
Re: Re: Another thought
Snowden warned about OPM vulnerabilities?
Re: Re: Re: Another thought
Ahhh, no. I misinterpreted the statement. Snowden warned about the severe problems in the security infrastructure in general. He didn’t call out the OPM specifically, as far as I know. But it still counts as a warning in my book.
This is exactly what happens...
When you give up privacy for security.
I mean, don’t get me wrong – there’s no question that this is really bad. But if we, as a country, continue to centralize information on everybody in the name of security, then before too many years have elapsed, we’re going to look back on this particular breach as being small scale and, dare I say it, quaint.
I am sorry, but I can’t believe they don’t notice all that data leaving sensitive networks. It really sounds more like the government using excuses like this to try and get the public behind them expanding the offensive and defensive hacking operations.
Re: Re:
I am sorry, but I can’t believe they don’t notice all that data leaving sensitive networks. It really sounds more like the government using excuses like this to try and get the public behind them expanding the offensive and defensive hacking operations.
I don’t doubt they would be willing to do such a thing, but I think you’re giving their competence too much credit.
Not at all surprised
I have had the unfortunate experience in dealing with the OPM throughout my lifetime. I am a widow of a man who never got to see his unborn child. Working for our great Government.
The OPM has done nothing but harass, illegally withhold full annuity payments.
I am not at all surprised there was this horrible breach. They are too busy picking on widows.