Largest Hack in U.S. history

Kaitzilla

The Office of Personnel Management got hacked in a major way.
https://en.wikipedia.org/wiki/United_States_Office_of_Personnel_Management
Function

According to their website, the mission of the OPM is "recruiting, retaining and honoring a world-class force to serve the American people."[4] The OPM is partially responsible for maintaining the appearance of independence and neutrality in the Administrative Law System. While technically employees of the agencies they work for, Administrative Law Judges (or ALJs) are hired exclusively by the OPM, effectively removing any discretional employment procedures from the other agencies. The OPM uses a rigorous selection process which ranks the top three candidates for each ALJ vacancy, and then makes a selection from those candidates, generally giving preference to veterans.

The OPM is also responsible for a large part of the management of security clearances (Federal Investigative Services a/k/a FIS conducts these investigations) for the United States Government. With the exception of the Nuclear Regulatory Commission, which maintains its own system, separate programs for each executive department have gradually been merged into a single, Government-wide clearance system. The OPM is responsible for investigating individuals to give them Secret and Top Secret clearances.[5] SCI compartments, however, are still managed by the particular agency that uses that compartment.
First, the summary from Slate:
http://www.slate.com/articles/techn...e_s_how_the_government_can_stop_the_next.html

The OPM Breach Is a Catastrophe

Did we learn nothing from Edward Snowden? Or healthcare.gov? The federal government appears not to have. Last week it disclosed its discovery of a long-running and catastrophic breach of the Office of Personnel Management, one which resulted in the theft of 30 years’ worth of sensitive security-clearance, background-check, and personal data from at least 10 million current, past, and prospective federal employees and veterans. The government didn’t merely reveal shoddy IT security on the part of its agencies and contractors. It also revealed unforgivable negligence, because OPM and the government had known about these security problems for two years, already suffered multiple breaches, and done little to nothing about them. While it’s premature to blame China, which may have perpetrated the hack, it’s rather too late to point the finger at the government and its disastrous contracting system. With healthcare.gov it merely wasted huge amounts of money on garbage; with the OPM hack it compromised national security simply out of bureaucratic inertia and laziness. No one ever accused Edward Snowden of releasing personnel data en masse, as happened here. In terms of sheer volume, Snowden’s National Security Agency leak appears to have nothing on the OPM breach.

Even OPM isn’t certain of the breadth of the hack, and the multiple intrusions that occurred beginning at least as early as March 2014 make it difficult to even pin down how many hacks and hackers there were. OPM has confirmed that millions of employees’ personal data were stolen but has not been more specific. In a letter sent June 11 complaining about lack of information, American Federation of Government Employees National President J. David Cox called one breach an “abysmal failure,” saying he has concluded the hackers obtained “every affected person’s Social Security number(s), military records and veterans’ status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race, union status, and more” from Central Personnel Data. It gets worse: OPM is tasked, among other things, with conducting background investigations for security clearances, so this isn’t merely a violation of the employees’ privacy but also a national security threat. Yet another breach was made against the SF-86 database, which stores the results of background checks, including information on drug use, mental health, and applicants’ friends. All undercover employees whose information touched the OPM may have just had their cover blown. Former NSA senior counsel Joel Brenner called the material “a gold mine for a foreign intelligence service,” declaring, “This is not the end of American human intelligence, but it’s a significant blow.” (Points to the CIA, which refused to have anything to do with the OPM and thus kept its own employees’ information safe.) Calling this a “breach” is too modest. It’s a systemic failure of security. Worst of all, people inside and outside the OPM already knew that before the breach happened.

Every federal employee can now expect identity theft problems for the rest of their lives. :crazyeye:

Not sure which undercover agents they are referring to having their cover possibly blown.
It is good that the CIA agents will be ok.


A more detailed account is here from the always lovely Ars Technica people:
http://arstechnica.com/security/2015/06/encryption-would-not-have-helped-at-opm-says-dhs-official/

During testimony today in a grueling two-hour hearing before the House Oversight and Government Reform Committee, Office of Personnel Management (OPM) Director Katherine Archuleta claimed that she had recognized huge problems with the agency's computer security when she assumed her post 18 months ago. But when pressed on why systems had not been protected with encryption prior to the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, she said, "It is not feasible to implement on networks that are too old." She added that the agency is now working to encrypt data within its networks.

But even if the systems had been encrypted, it likely wouldn't have mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would "not have helped in this case" because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.

House Oversight Chairman Jason Chaffetz (R-Utah) told Archuleta and OPM Chief Information Officer Donna Seymour, "You failed utterly and totally." He referred to OPM's own inspector general reports and hammered Seymour in particular for the 11 major systems out of 47 that had not been properly certified as secure—which were not contractor systems but systems operated by OPM's own IT department. "They were in your office, which is a horrible example to be setting," Chaffetz told Seymour. In total, 65 percent of OPM's data was stored on those uncertified systems.

Chaffetz pointed out in his opening statement that for the past eight years, according to OPM's own Inspector General reports, "OPM's data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information."

When Chaffetz asked Archuleta directly about the number of people who had been affected by the breach of OPM's systems and whether it included contractor information as well as that of federal employees, Archuleta replied repeatedly, "I would be glad to discuss that in a classified setting." That was Archuleta's response to nearly all of the committee members' questions over the course of the hearing this morning.

The details grow juicier farther into the story. :coffee:
But some of the security issues at OPM fall on Congress' shoulders—the breaches of contractors in particular. Until recently, federal agents carried out background investigations for OPM. Then Congress cut the budget for investigations, and they were outsourced to USIS, which, as one person familiar with OPM's investigation process told Ars, was essentially a company made up of "some OPM people who quit the agency and started up USIS on a shoestring." When USIS was breached and most of its data (if not all of it) was stolen, the company lost its government contracts and was replaced by KeyPoint—"a bunch of people on an even thinner shoestring. Now if you get investigated, it's by a person with a personal Gmail account because the company that does the investigation literally has no IT infrastructure. And this Gmail account is not one of those where a company contracts with Google for business services. It is a personal Gmail account."

Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project "was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is 'so what's new?'"

Given the scope and duration of the data breaches, it may be impossible for the US government to get a handle on the exact extent of the damage done just by the latest attack on OPM's systems. If anything is clear, it is that the aging infrastructure of many civilian agencies in Washington magnifies the problems the government faces in securing its networks, and OPM's data breach may just be the biggest one that the government knows about to date.

Not sure how to respond to this.


And finally, how the hack was actually discovered.
http://fortune.com/2015/06/12/cytech-product-demo-opm-breach/

Earlier this month, the U.S. Office of Personnel Management—effectively, the government’s human resources department—disclosed that it had fallen victim to a massive data breach that may affect roughly 4 million current and former federal employees.* The office has said that it uncovered the breach while beefing up its security posture. Apparently, that discovery was not a solo affair.

Fortune has learned that the detection of that cyber intrusion appears to have arisen during a product demonstration by network security company CyTech Services, corroborating a report that first appeared in the Wall Street Journal. The firm, a Manassas, Va.-based company founded in 2002, had apparently sent a team to pitch its flagship product, a vulnerability assessment tool called CyFIR. During the demonstration, the tool identified the zero-day, aka previously unknown, malware associated with the latest breach, a person familiar with the investigation told Fortune.

A hell of a product demo.
Ding! Virus detected. :D

According to the AP, which first reported on the letter, that cache of data on government workers “contains up to 780 separate pieces of information about an employee

That's a lot of free guesses for all those security questions websites like to ask. :D

* Update: After this story published, OPM Spokesman Sam Schumach contacted Fortune to dismiss the CyTech claim as “inaccurate.” The story has been updated to include his statement.

Additionally, as this story was publishing, the AP reported, citing unnamed sources, that the Office of Personnel Management suffered a second, separate data breach of security clearance data that has exposed the sensitive background information of as many as 2.9 million military and intelligence personnel, including members of the National Security Agency, CIA, military special operations. In addition to that the news wire reported, again citing anonymous sources, that the first hack, referred to throughout the original story above, may have affected as many as 14 million current and former federal civilian employees—way higher than the 4 million figure initially offered by the Obama administration.

Schumach also acknowledged that a second data breach likely occurred and that investigations are ongoing. Regarding the AP’s revised 14 million figure for the number of federal workers affected by the first data breach, he said: “We are in the process of assessing the scope of the information and we do not have an estimate at this time.”

Here is his statement in full, which acknowledges the additional breach:


“The cyber intrusion announced last week affecting personnel records for approximately 4 million current and former federal employees was discovered through enhanced monitoring and detection systems that OPM implemented as part of an aggressive effort in recent months to strengthen our cybersecurity capabilities. Upon detecting that intrusion, OPM launched an investigation – in partnership with the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT) and the FBI – to determine its full scope and impact. On June 8, as the investigation proceeded, the incident response team shared with relevant agencies that there was a high degree of confidence that OPM systems containing information related to the background investigations of current, former, and prospective Federal government employees, and those for whom a federal background investigation was conducted, may have been exfiltrated.

OPM continues to work with US-CERT and the FBI to determine the type of records that may have been compromised and the population of individuals affected. OPM takes very seriously its responsibility to protect the sensitive data we manage. Once we have conclusive information about the breach, we will announce a notification plan for individuals whose information is determined to have been compromised.

OPM remains committed to improving its security capabilities and has invested significant resources in implementing tools that have not only strengthened our security barriers to outside threats, but have also enabled us to detect and thwart our constantly evolving cyber adversaries.”

Fortune will continue to update this story with more information as it comes.

:coffee:
 
Now I'm sure many of you are wondering why I care about this.
Since signing up on the healthcare exchange with all my personal info back in December, I've been the victim of identity theft twice in the past 2 months. :mad: (Pure coincidence I'm certain)


The first was someone filing my IRS taxes for me trying to get my tax refund check. :mad:
Which delayed my refund a good 3 months :mad:
http://www.nbcnews.com/business/taxes/tax-refund-fraud-soaring-little-irs-can-do-n304951

Tax-refund fraud is expected to soar again this tax season, and hit a whopping $21 billion by 2016, from just $6.5 billion two years ago, according to the Internal Revenue Service.

And the problem—which the agency admits is growing quickly—is compounded by an outdated fraud-detection system that has trouble identifying many attempts to trick it.

"The flaws in [the IRS'] system are so basic," said Akli Adjaoute, founder and CEO of artificial intelligence firm Brighterion.

"The whole system is a disaster," Adjaoute said.

One of the main reasons for the rapid growth is that it takes so little to file a false return—just your name, date of birth and Social Security number. (Perhaps not coincidentally, this was among the information taken in last week's huge hack on health insurer Anthem. See "What Anthem breach victims need to do now.")

I was curious how they got ahold of my previous years' W2 records (which you'd need to fraudulently file taxes), but apparently that is easy due to the IRS placing previous years' W2 records online behind a thin veil of "security".

http://arstechnica.com/security/201...-been-hacked-tax-info-stolen-for-100000-plus/
In an official statement issued today, the IRS announced that it has shut down an online service to obtain tax records after determining that "unusual activity had taken place on the application, which indicates that unauthorized third parties had access to some accounts on the transcript application." An initial review of that activity revealed "access was gained to more than 100,000 accounts through the Get Transcript application," according to the IRS statement.

After the IRS disclosed more information, it became clear the user data was not obtained because of a direct hack of government systems. Rather, weak authentication used by the IRS to protect access to taxpayer data is likely at fault. The attackers were able to acquire taxpayer records using stolen personal identifying information, possibly pulled from online financial fraud marketplaces.

The Get Transcript application, a feature of the IRS' site that allows taxpayers to download tax return and tax payment transaction data, was apparently targeted by financial fraudsters between February and mid-May. The service was shut down last week as the IRS investigated the activity, which may have been linked to the fraudulent filing of tax returns and transfer of tax refunds. Attempts were made to access over 200,000 accounts; roughly half failed because of incorrect information inputted during the IRS' authentication process.

The Get Transcript Online feature of IRS.gov allows taxpayers to get "tax account transactions, line-by-line tax return information, or wage and income reported to us for a specific tax year." To obtain a transcript online, all that was needed to start the process was a Social Security number and an active e-mail address. Once the e-mail address was confirmed as legitimate, the system would then ask a number of questions about personal, financial, and tax information—including date of birth, tax filing status, and address—before providing the transcript for download.

This sort of authentication, called knowledge-based authentication, is highly vulnerable to fraud. It's based on information that never changes, and such data is widely available to anyone willing to pay for it from stolen financial information marketplaces. The transcripts that were fraudulently downloaded were likely made accessible due to leaked Social Security numbers and other personal data from any one of the many recent data breaches, including those at health insurers Anthem and CareFirst. In fact, security reporter Brian Krebs reported on the risks inherent in the IRS' transcript request system way back in March. He warned taxpayers to sign up for accounts on IRS.gov if only to prevent someone from creating a fraudulent account for their records first.

Krebs reported on a specific case involving a man who had tried to file taxes online, only to find out that someone had filed using his personal information before him. The attacker then used the victim's information to get a refund direct deposit. "When he tried to get a transcript of the fraudulent return using the 'Get Transcript' function on IRS.gov, he learned that someone had already registered through the IRS’s site using his Social Security number and an unknown e-mail address," Krebs reported. The fraudulent return had been filed through the IRS's own free tax filing site.

Highly vulnerable to fraud indeed!
You'd think the IRS would notice the refund check being sent to a different bank account or a different state, but such things just slip through the cracks I guess. :dunno:

====================================

The 2nd identity fraud I successfully resisted :)
The guy on the phone was way too pleasant, charismatic, and good at speaking English to be an actual Employee of ATT.

I got a call from "ATT" that said ATT Customer Service Department on the caller ID.
The guy asked me to take a customer satisfaction survey and asked all kinds of questions about how I liked their service.
Was told I'd get $40 off my bill if I took the survey.

Then at the end, I was told I'd get the credit on my account if I gave the last 4 digits of my Social Security number so they could verify everything.
I told him no and would they please send me something through the mail and that was that.


After searching online, I found that if I had given the last 4 digits, the thieves would have added another phone line to my plan and made $100's worth of international phone calls. :mad:
http://www.nbc-2.com/story/22811096/some-att-customers-falling-victim-to-scam#.VYIUHzjbJEY

LEE COUNTY, FL -
A new cell phone scam targeting AT&T customers in Southwest Florida is growing. AT&T employees tell us dozens of people have been coming into local stores claiming they were scammed.
AT&T is investigating the specifics of this scam, but here's what we know.

It starts innocently enough with a phone call from someone claiming to be with AT&T offering you a credit on your bill to take a short survey.
The questions are all about service, but by the end you have unknowingly given up just enough information to grant the scammer access to your account.
It happened to Randy Saineghi.

"Somebody called me from your number, from your phone number," Saineghi said. Calling back the number he says is proof he was scammed.
He doesn't know anyone from Gambia. But the number has called him once before.
No answer before, but today we were there when someone picked up.
"Someone called me from this number, I think they tried to steal my phone" he told the person on the other end of line.
Randy and his wife say this is their proof they were victims of a clever phone scam.

"This was a pretty good one," Saineghi said.
You see Randy works in IT, so he's seen things like this before.
"I'm not easily duped by these types of scams, I'm pretty hip to the things that are going on," Saineghi said.

Randy says it all started after he and his wife bought new phones with AT&T.
"About a week later, I received a call from what the caller ID said was AT&T customer service customer support," Saineghi explained.
The caller offering up a $40 credit for answering a survey. There was nothing fishy about the questions--until the very end.
"He asked me verify for account, verify just for account verification. My name, my address and the last four of my social," Saineghi said.

About a week later, the couple received an alert an international calling plan had been added to the line. Soon after that their phones stopped working altogether.
"It said that our SIM cards were not good and we couldn't make any calls except for emergency calls," Saineghi said.
AT&T told the couple their SIM cards had been hijacked and that their account info had been modified online.
"The timing was perfect. Why wouldn't they follow up with a new user," Saineghi said.

AT&T officials say they're looking into this scam and remind people that they would never contact you asking for personal information.
"It was very professional, seemed like it had been done over and over," Saineghi said.
AT&T officials tell us they're checking to see how widespread this scam is.

The moral of the story is, the CALLER ID can be Faked!
And don't give up the last 4 digits of your social security number!
They don't need the whole thing to screw you. :mad:
 
Well, the good news is that if it was indeed the Chinese government, instead of hackers inside China, there likely won't be any identity theft problems. They will probably just use the information to recruit spies and to determine which of our spies are hacking their own systems.

Perhaps we should simply make an agreement with the Chinese. We won't hack their computers and spy on their internet traffic anymore if they agree to do the same.

Not to mention that everybody involved in allowing all this to happen should be fired and permanently blacklisted from working on any federal, state, county, or municipal computer systems. Nor can they work for any contractor that does business with the government. That goes double for the managers who decided to allow this information to even be present on the internet. It should have been stored in a properly secure environment without any internet access.
 
So the moral I get from this story was that Hillary Clinton was being wise in using a private server and the IRS needs its budget increased.
 
Well, the good news is that if it was indeed the Chinese government, instead of hackers inside China, there likely won't be any identity theft problems. They will probably just use the information to recruit spies and to determine which of our spies are hacking their own systems.

Perhaps we should make an agreement with the Chinese. We won't hack their computers and spy on their internet traffic anymore if they agree to do the same.

Good to see you again Formaldehyde :love:

I think I read somewhere that Obama was considering economic sanctions.
A no-hacking agreement would be nice, but I think both sides would break it constantly.


Due to the latest hack, all federal employees got a sad email.
http://www.buzzfeed.com/sheerafrenk...collective-panic-after-massive-ha#.pgk4Lm0WOq
SAN FRANCISCO — Millions of current and former U.S. Federal employees received an email Friday urging them to take exhaustive security precautions in the wake of the largest hack on the U.S. government in history.

The email, which includes tips such as “be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about you, your employees, your colleagues or any other internal information,” urges all federal employees to run a credit check to make sure their bank accounts or credit cards have not already been compromised.

Several current and former Federal employees who spoke to BuzzFeed News about the breach described a state of panic and confusion within their offices. The breach on the Office of Personnel Management (OPM), first disclosed last week, is already the largest breach in U.S. government history. The OPM said it was currently working with the FBI, as well as with other relevant bodies, to determine the extent of the breach, which could affect many more employees than originally disclosed.

Matthew Palmer, who recently quit his job at the State Department, said he did not receive the email but was notified by a colleague that he should “change every password ever created.”

“I basically vacillate between being really panicked and being really angry at the government that this information was not secured in some better way,” said Palmer. “Who is in danger? I listed friends on those forms and my family members… are some hackers going to start going after them?”

Palmer said that the email sent to federal employees Friday from the OPM read like a “panic button.”

“They are basically telling us to be suspicious of everything and just keep checking to see if someone steals our identity, but how is that an actual plan if millions of us were affected?” asked Palmer. The email, which included specific details on how the OPM would notify employees if their data was hacked, and how to verify the details of the sender was designed so it could not be forwarded – though it was just as easy to cut-and-paste the text of the message.

The email also includes warnings against phishing attacks, as well as false URLs and strange attachments in emails.

“It just seems like a basic ‘101 to stay safe on the internet’ rather than a specific plan of actions,” said Palmer. “It’s been a week and we still have no idea what they are doing to protect us.”

While Palmer agreed to speak on record as he is no longer employed by the U.S. government, several other current federal employees only agreed to speak to BuzzFeed News if they could remain anonymous.

The government employees described being in a “collective panic” about the hack of their personal data.


“You don’t understand how detailed the forms are. It’s over a hundred pages of you listing everything about yourself – who you are sleeping with, who your friends are – it’s like a cheat sheet to your life,” said a State Department employee in Washington D.C. “I just went and changed my bank password because part of it was my elementary school’s name, and that name is in my file.”

The 117-page questionnaire that all federal employees must complete upon being hired asks detailed questions about a new employee’s personal and private life. The questions, intended to ensure that the employees do not have a conflict of interest and to allow the government to vet those around them, can be found online.

“It just seems like if there was ever anything that you should protect, it would be these files,” said the State Department employee.

One U.S. diplomat, who only recently married the man he has been dating for over 10 years, said the breach was a “worst case scenario.”

“I worked in the Arab World a long time, so I always kept my private life private. My husband and I are now trying to figure out if I can continue my career here, or if we are no longer safe,” he told BuzzFeed News by phone, from a country in the Middle East, where he is currently stationed.

But not every State Department employee remains convinced of the severity of the breach. “We’re sort of meh about it all,” another current employee told BuzzFeed News after speaking with coworkers. “After five tours in high-to-critical threat intelligence risk posts, I figure pretty much every hostile government has my personal info, medical records, and sexual proclivities well figured out.”

On Thursday, the President of the American Federation of Government Employees (AFGE) claimed that all federal employees and retirees, as well as one million former federal employees, had their personal information stolen in the OPM breach. The AP later ran a story quoting unnamed sources estimating that 14 million current and former U.S. government employees had their data exposed.

“Based on the sketchy information OPM has provided, we believe that the Central Personnel Data File was the targeted database, and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees,” wrote AFGE President J. David Cox. “We believe that hackers have every affected person’s Social Security number(s), military records and veterans’ status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race, union status, and more.”

A 117 page questionnaire!?

WOW :eek:
 
That is just silly. The security questionnaire I filled out back in the early 70s really just wanted to know all your addresses for the past 15 years, so the FBI knew where to go to check you out if they felt it was necessary based on your clearance. Federal employees without security clearances just filled out a normal job application form.

Someone should point out to them that personal and financial information is really none of their business.
 
So the moral I get from this story was that Hillary Clinton was being wise in using a private server and the IRS needs its budget increased.

Don't be silly. She lost a bunch of her emails. It was like those records that were accidentally shredded during the White House years.

J
 
The excuse many Republicans used to criticize her decision was that it would be too easy to hack her personal server, unlike federal servers which are so secure they are nearly invincible...
 
This thread isn't about [US political figure that you hate]?

Anyway, what are the main groups tasked with US civilian government cybersecurity, if any?
 
Frequently it is someone who took some computer courses at a "close cover before striking" ripoff college, just like a typical business.
 
So the moral I get from this story was that Hillary Clinton was being wise in using a private server and the IRS needs its budget increased.

I seem to remember something about this controversy from 2 or 3 months ago. :hmm:


Link to video.

So smooth. :cool:

Let's see what the State Department said about it.
http://www.politico.com/story/2015/...nt-email-practices-not-acceptable-117687.html

A senior State Department official testifying at the first congressional hearing focusing on former Secretary of State Hillary Clinton’s use of a private email account for official business called such an arrangement “not acceptable” and said other employees have been warned against it.

“I think that the action we’ve taken in the course of recovering these emails have made it very clear what people’s responsibilities are with respect to recordkeeping,” Assistant Secretary of State for Administration Joyce Barr told the Senate Judiciary Committee. “I think the message is loud and clear that that is not acceptable.”

Barr was less clear about whether the practice was clearly forbidden when Clinton served as secretary of state from 2009 to 2013...


...
One Democratic senator at the hearing, Al Franken of Minnesota, came to Clinton’s defense by arguing that Congress shares some of the blame. He noted that it was not until October 2014, after Clinton left State, that a law was passed making clear that government employees had to forward emails sent or received on private accounts to official accounts.

“Congress has been slow to modernize and update federal law relating to government records and the Federal Records Act,” Franken said. “It strikes me that this is one of many instances in which federal law lags behind the technology. … In general this is an issue that Congress needs to grapple with.”

Last October, the State Department asked four former secretaries to return any official records — including emails — dating from their service at Foggy Bottom.

In December, Clinton turned over 55,000 pages of emails she said included all work-related messages sent on her private account. She also said she had erased a similar quantity of emails her lawyers deemed private in nature.

Barr said the State Department is now processing the work-related Clinton emails for release under FOIA, but Cornyn noted that the State Department is essentially taking Clinton’s word that she provided all her work-related emails.

“You don’t have any way of verifying you have all of the official emails she processed on her personal email account?” the Texas senator asked.

“We have been told she has provided those to us,” Barr replied.

Cornyn also said Clinton’s use of a private server could have allowed the emails to be compromised by hackers or foreign intelligence services.

“Would that concern you?” the senator asked.

“Perhaps,” replied Barr, a career Foreign Service officer and former U.S. Ambassador to Namibia.

Other portions of the hearing focused on FOIA and recordkeeping practices across the government, with some senators marveling at the fact that the State Department and other agencies don’t routinely archive their official email.

“How on Earth could we have a records management operation in one of the most important areas of government that seems to be so bush league?” Tillis asked. “This just does not happen in the private sector. … There are a lot of tools available to make this archiving almost as easy and seamless as possible.”

I think I smell a cabinet post in Joyce "Perhaps" Barr's future. :D

Seriously though, with all the other massive hacks going on with the federal government lately (white house emails, IRS stuff, omb, snowden etc.), the possibility of a hack due to bad procedures just doesn't seem newsworthy anymore. :sad:
 
Here's the latest news on the President's response to the data breach.
http://freebeacon.com/national-security/obama-considering-range-of-options-in-response-to-opm-hack/

Officials have so far not reached a firm conclusion about who was behind the attack, she said.

Monaco’s comments on possible responses to the cyber attack were the first to indicate that the administration is considering more than economic sanctions in retaliation. Josh Earnest, the White House press secretary, suggested Friday that sanctions were among the options.

Monaco did not respond when asked why neither the president nor his advisers have condemned the cyber attack against the Office of Personnel Management, which has been described by U.S. officials as one of the most damaging compromises of sensitive information in recent years.

Monaco, in her speech, said that the administration’s current tools for responding to cyber attacks include sanctions, indictments, diplomacy, and intelligence operations.

The OPM breach was first discovered in April and then determined to have begun around December.

Obama said after the G-7 summit in Germany that he would not identify the source of the OPM attack and instead said the vulnerability of federal computer networks is increasing.

The OPM revealed Friday that its investigation into the initial loss of personal data on 4 million federal employees had expanded and revealed that additional data was compromised, including sensitive information on some of the 700,000 government officials who hold security clearances and are involved in secret activities.

Monaco declined to comment when asked whether China was behind the cyber attack, as officials have said privately. However, she identified China and Russia as the main state-sponsored cyber threats, with Iran and North Korea as two others.

The Obama administration has experienced a string of major security compromises. They have included the 2009 leak of thousands of classified documents to Wikileaks, the theft of over 1 million classified documents by the renegade National Security Agency contractor Edward Snowden, and the recent cyber attacks on government networks.

U.S. officials have said the OPM cyber attack has been traced to Chinese hackers, including a group that has been dubbed “Deep Panda.” Earlier cyber attacks on State Department and White House networks were linked to Russian hackers.

Deep Panda :lol:

Officially the US government isn't sure who hacked OMB.
Obama said he won't say once he finds out.
And unofficially the Chinese did it.

What will be our response?

“These are a suite of tools that we want to make sure we have in our tool box for every eventuality,” she said. “You’ve seen how we responded to the Sony attack. We want to make sure there’s a range of things that we have at our disposal as we face more and more of these different types [of cyber attacks].”

The PLA indictments, which Monaco said she began when she headed the Justice Department’s national security division, is one set of reprisals.

The indictments of the Chinese, who are members of a known Chinese military hacking unit, were modeled after past indictments of wanted foreign terrorists as a way to signal that even if the U.S. government is unable to “get our hands on” the actors that their crimes are addressed, she said.

That will teach those Chinese hackers!
They'll totally get owned the day they set foot on US soil.
 
Anyway, what are the main groups tasked with US civilian government cybersecurity, if any?

I really don't know. :cry:

I thought maybe the Department of Homeland Security, but I looked around and I'm not sure who is in charge.
https://www.whitehouse.gov/issues/foreign-policy/cybersecurity/national-initiative

Possibly it is this guy:
https://www.whitehouse.gov/blog/author/Michael Daniel


Also, I think I found the 117 page questionnaire. :hmm:
It doesn't appear to be one that every federal employee has to fill out, but in fact is the security clearance one. (Or maybe all federal employees DO need to fill it out? :dunno:)
https://www.opm.gov/forms/pdf_fill/sf86.pdf

I love question 29.3 :love: :love: :love:
29.3 Have you EVER advocated any acts of terrorism or activities designed to overthrow the U.S. Government by force? [Yes/No]

Complete the following if you responded 'Yes' to having EVER advocated any acts of terrorism or activities designed to overthrow the U.S. Government by force.
Entry #1
Provide the reason(s) for advocating acts of terrorism.
[___________________________________]

Provide the dates of advocating acts of terrorism.
From Date (Month/Year) [___________] To Date (Month/Year) [____________]
 
http://www.navytimes.com/story/mili...learance-breach-troops-affected-opm/28866125/

Some military officials believe the recent hack targeting the civilian-run OPM seized information from tens of thousands of Standard Form 86s, which are required for all service members and civilians seeking a security clearance. That includes service members of all ranks, officers and enlisted, in a wide range of job specialties and assignments.

"They got everyone's SF-86," one Pentagon official familiar with the investigation told Military Times.

The SF-86, a 127-page document, asks government employees to disclose information about family members, friends and past employment as well as details on alcohol and drug use, mental illness, credit ratings, bankruptcies, arrest records and court actions.

Given the scale of the breach as publicly disclosed by the Obama administration and OPM, it's likely that the hackers obtained the SF-86 data of every military member who filled out the form on a computer, something that has been standard practice in the Defense Department for well over a decade, said a retired senior intelligence community official who writes a blog under the pen name Victor Socotra.

Now that China has intimate details on everyone with a security clearance in our government, who is going to get fired for this debacle?

Think of all the blackmail that could occur now!
"Spy for us or we tell your wife about your affair"
"Spy for us or your current job finds out about your past mental health issues"


http://www.reuters.com/article/2015/06/15/us-cybersecurity-usa-exposure-idUSKBN0OV0CC20150615

When a retired 51-year-old military man disclosed in a U.S. security clearance application that he had a 20-year affair with his former college roommate's wife, it was supposed to remain a secret between him and the government.

The disclosure last week that hackers had penetrated a database containing such intimate and possibly damaging facts about millions of government and private employees has shaken Washington.

The hacking of the White House Office of Personnel Management (OPM) could provide a treasure trove for foreign spies.

:mad::mad::mad::aargh::aargh::badcomp::run: :wallbash: :wallbash:
 
One of my mom's friends from grad school used to be the Director of the OPM. I guess he is glad he is no longer there! :lol:
 
Personally, I'm SO glad my SF86 and clearance predated online recordkeeping.

Professionally, it's just... appalling. It's the dream reconnaissance hack.
 
Wow, epic fail. I guess that's why you need to get your withholdings just right so you owe a small amount or get a very small refund at year's end. Then the tax refund stealers won't get ya! I'm terrified of real identity theft though, like someone opening an account in my name I don't know of or stealing my bank account info. Hopefully that's more protected and insured but who knows these days?

I've had fraudulent charges on my credit cards multiple times over the years but those are quite easy to clear up fortunately. Just annoying while they mail the new card to you.
 
Nah I already altered them a couple years ago after getting a refund over $4000. I figured it was much better for my budget to get an extra ~300 a month. It just doesn't make sense to wait a whole year to get your money. Now I'd get close to 0 except that I work overtime occasionally and they withhold a huge percentage from that for whatever reason.
 