The Office of Personnel Management got hacked in a major way.
https://en.wikipedia.org/wiki/United_States_Office_of_Personnel_Management
First, the summary from Slate:
Function
According to their website, the mission of the OPM is "recruiting, retaining and honoring a world-class force to serve the American people."[4] The OPM is partially responsible for maintaining the appearance of independence and neutrality in the Administrative Law System. While technically employees of the agencies they work for, Administrative Law Judges (or ALJs) are hired exclusively by the OPM, effectively removing any discretional employment procedures from the other agencies. The OPM uses a rigorous selection process which ranks the top three candidates for each ALJ vacancy, and then makes a selection from those candidates, generally giving preference to veterans.
The OPM is also responsible for a large part of the management of security clearances (Federal Investigative Services a/k/a FIS conducts these investigations) for the United States Government. With the exception of the Nuclear Regulatory Commission, which maintains its own system, separate programs for each executive department have gradually been merged into a single, Government-wide clearance system. The OPM is responsible for investigating individuals to give them Secret and Top Secret clearances.[5] SCI compartments, however, are still managed by the particular agency that uses that compartment.
http://www.slate.com/articles/techn...e_s_how_the_government_can_stop_the_next.html
The OPM Breach Is a Catastrophe
Did we learn nothing from Edward Snowden? Or healthcare.gov? The federal government appears not to have. Last week it disclosed its discovery of a long-running and catastrophic breach of the Office of Personnel Management, one which resulted in the theft of 30 years' worth of sensitive security-clearance, background-check, and personal data from at least 10 million current, past, and prospective federal employees and veterans. The government didn't merely reveal shoddy IT security on the part of its agencies and contractors. It also revealed unforgivable negligence, because OPM and the government had known about these security problems for two years, already suffered multiple breaches, and done little to nothing about them. While it's premature to blame China, which may have perpetrated the hack, it's rather too late to point the finger at the government and its disastrous contracting system. With healthcare.gov it merely wasted huge amounts of money on garbage; with the OPM hack it compromised national security simply out of bureaucratic inertia and laziness. No one ever accused Edward Snowden of releasing personnel data en masse, as happened here. In terms of sheer volume, Snowden's National Security Agency leak appears to have nothing on the OPM breach.
Even OPM isn't certain of the breadth of the hack, and the multiple intrusions that occurred beginning at least as early as March 2014 make it difficult to even pin down how many hacks and hackers there were. OPM has confirmed that millions of employees' personal data were stolen but has not been more specific. In a letter sent June 11 complaining about lack of information, American Federation of Government Employees National President J. David Cox called one breach an "abysmal failure," saying he has concluded the hackers obtained every affected person's Social Security number(s), military records and veterans' status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; age, gender, race, union status, and more from Central Personnel Data. It gets worse: OPM is tasked, among other things, with conducting background investigations for security clearances, so this isn't merely a violation of the employees' privacy but also a national security threat. Yet another breach was made against the SF-86 database, which stores the results of background checks, including information on drug use, mental health, and applicants' friends. All undercover employees whose information touched the OPM may have just had their cover blown. Former NSA senior counsel Joel Brenner called the material "a gold mine for a foreign intelligence service," declaring, "This is not the end of American human intelligence, but it's a significant blow." (Points to the CIA, which refused to have anything to do with the OPM and thus kept its own employees' information safe.) Calling this a breach is too modest. It's a systemic failure of security. Worst of all, people inside and outside the OPM already knew that before the breach happened.
Every federal employee can now expect identity theft problems for the rest of their lives.
Not sure which undercover agents they are referring to as having their cover possibly blown.
It is good that the CIA agents will be ok.
A more detailed account is here from the always lovely Ars Technica people:
http://arstechnica.com/security/2015/06/encryption-would-not-have-helped-at-opm-says-dhs-official/
During testimony today in a grueling two-hour hearing before the House Oversight and Government Reform Committee, Office of Personnel Management (OPM) Director Katherine Archuleta claimed that she had recognized huge problems with the agency's computer security when she assumed her post 18 months ago. But when pressed on why systems had not been protected with encryption prior to the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, she said, "It is not feasible to implement on networks that are too old." She added that the agency is now working to encrypt data within its networks.
But even if the systems had been encrypted, it likely wouldn't have mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would "not have helped in this case" because the attackers had gained valid user credentials to the systems that they attacked, likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.
House Oversight Chairman Jason Chaffetz (R-Utah) told Archuleta and OPM Chief Information Officer Donna Seymour, "You failed utterly and totally." He referred to OPM's own inspector general reports and hammered Seymour in particular for the 11 major systems out of 47 that had not been properly certified as secure, which were not contractor systems but systems operated by OPM's own IT department. "They were in your office, which is a horrible example to be setting," Chaffetz told Seymour. In total, 65 percent of OPM's data was stored on those uncertified systems.
Chaffetz pointed out in his opening statement that for the past eight years, according to OPM's own Inspector General reports, "OPM's data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information."
When Chaffetz asked Archuleta directly about the number of people who had been affected by the breach of OPM's systems and whether it included contractor information as well as that of federal employees, Archuleta replied repeatedly, "I would be glad to discuss that in a classified setting." That was Archuleta's response to nearly all of the committee members' questions over the course of the hearing this morning.
The details grow juicier farther into the story.
But some of the security issues at OPM fall on Congress' shoulders, the breaches of contractors in particular. Until recently, federal agents carried out background investigations for OPM. Then Congress cut the budget for investigations, and they were outsourced to USIS, which, as one person familiar with OPM's investigation process told Ars, was essentially a company made up of "some OPM people who quit the agency and started up USIS on a shoestring." When USIS was breached and most of its data (if not all of it) was stolen, the company lost its government contracts and was replaced by KeyPoint, "a bunch of people on an even thinner shoestring. Now if you get investigated, it's by a person with a personal Gmail account because the company that does the investigation literally has no IT infrastructure. And this Gmail account is not one of those where a company contracts with Google for business services. It is a personal Gmail account."
Some of the contractors that have helped OPM with managing internal data have had security issues of their own, including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project "was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is 'so what's new?'"
Given the scope and duration of the data breaches, it may be impossible for the US government to get a handle on the exact extent of the damage done just by the latest attack on OPM's systems. If anything is clear, it is that the aging infrastructure of many civilian agencies in Washington magnifies the problems the government faces in securing its networks, and OPM's data breach may just be the biggest one that the government knows about to date.
Not sure how to respond to this.
And finally, how the hack was actually discovered.
http://fortune.com/2015/06/12/cytech-product-demo-opm-breach/
Earlier this month, the U.S. Office of Personnel Management (effectively, the government's human resources department) disclosed that it had fallen victim to a massive data breach that may affect roughly 4 million current and former federal employees.* The office has said that it uncovered the breach while beefing up its security posture. Apparently, that discovery was not a solo affair.
Fortune has learned that the detection of that cyber intrusion appears to have arisen during a product demonstration by network security company CyTech Services, corroborating a report that first appeared in the Wall Street Journal. The firm, a Manassas, Va.-based company founded in 2002, had apparently sent a team to pitch its flagship product, a vulnerability assessment tool called CyFIR. During the demonstration, the tool identified the zero-day, aka previously unknown, malware associated with the latest breach, a person familiar with the investigation told Fortune.
A hell of a product demo.
Ding! Virus detected.
According to the AP, which first reported on the letter, that cache of data on government workers contains up to 780 separate pieces of information about an employee.
That's a lot of free guesses for all those security questions websites like to ask.
* Update: After this story published, OPM Spokesman Sam Schumach contacted Fortune to dismiss the CyTech claim as inaccurate. The story has been updated to include his statement.
Additionally, as this story was publishing, the AP reported, citing unnamed sources, that the Office of Personnel Management suffered a second, separate data breach of security clearance data that has exposed the sensitive background information of as many as 2.9 million military and intelligence personnel, including members of the National Security Agency, CIA, and military special operations. In addition to that, the news wire reported, again citing anonymous sources, that the first hack, referred to throughout the original story above, may have affected as many as 14 million current and former federal civilian employees, way higher than the 4 million figure initially offered by the Obama administration.
Schumach also acknowledged that a second data breach likely occurred and that investigations are ongoing. Regarding the AP's revised 14 million figure for the number of federal workers affected by the first data breach, he said: "We are in the process of assessing the scope of the information and we do not have an estimate at this time."
Here is his statement in full, which acknowledges the additional breach:
The cyber intrusion announced last week affecting personnel records for approximately 4 million current and former federal employees was discovered through enhanced monitoring and detection systems that OPM implemented as part of an aggressive effort in recent months to strengthen our cybersecurity capabilities. Upon detecting that intrusion, OPM launched an investigation in partnership with the Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT) and the FBI to determine its full scope and impact. On June 8, as the investigation proceeded, the incident response team shared with relevant agencies that there was a high degree of confidence that OPM systems containing information related to the background investigations of current, former, and prospective Federal government employees, and those for whom a federal background investigation was conducted, may have been exfiltrated.
OPM continues to work with US-CERT and the FBI to determine the type of records that may have been compromised and the population of individuals affected. OPM takes very seriously its responsibility to protect the sensitive data we manage. Once we have conclusive information about the breach, we will announce a notification plan for individuals whose information is determined to have been compromised.
OPM remains committed to improving its security capabilities and has invested significant resources in implementing tools that have not only strengthened our security barriers to outside threats, but have also enabled us to detect and thwart our constantly evolving cyber adversaries.
Fortune will continue to update this story with more information as it comes.