{"id":6071,"date":"2015-06-15T12:49:18","date_gmt":"2015-06-15T19:49:18","guid":{"rendered":"http:\/\/bone-in-the-throat.com\/Blog\/?p=6071"},"modified":"2021-08-26T18:28:28","modified_gmt":"2021-08-27T01:28:28","slug":"thrilling-thank-you-opm","status":"publish","type":"post","link":"https:\/\/bone-in-the-throat.com\/Blog\/2015\/06\/15\/thrilling-thank-you-opm\/","title":{"rendered":"Thrilling! Thank you OPM!"},"content":{"rendered":"

\"OPM\"I kept hearing about the data breach at the OPM. I thought to myself, \u201cno big deal,\u201d because I\u2019ve never been a government employee. But then one of the articles I read spoke about a particular form. The form number seemed familiar.<\/p>\n

Out of curiosity I checked my encrypted drive.<\/p>\n

AHHHH SHIT!!!!<\/p>\n

Yep, that’s a form I filled out while I was working for a government contractor.<\/p>\n

DAMN! Checking some of the other forms and sure enough! There’s a TON of information that I provided to my employer. I\u2019m sure that that information got sent at some point to the OPM, and is now in the hands of the Chinese.<\/p>\n

I\u2019m sitting here looking at my encrypted volume that contains this information thinking a couple of things.<\/p>\n

\"Cybersecurity\"First<\/strong>, I\u2019m wondering why I take the security of this information so seriously? Why is it that I\u2019ve spent the money to secure my data and theirs<\/span><\/em>\u00a0(some of the information contained in the forms I filled out for them also contains information that relates directly to THEIR<\/strong> projects<\/em>) and am mindful of what data I have \u201clive\u201d on my system and what data I keep in cold storage? Cold storage in my life is something (like a drive) that is archival, MUST be turned on or attached directly to my computer and is encrypted.<\/p>\n

Second<\/strong>, If I can secure my data with COTS (Commercial Off The Shelf) software why can\u2019t our government?<\/p>\n

Third<\/strong>, Why is the United States Government data vulnerable in the first place? We KNOW the safest computers are computers which are not connected to a network. Granted, that\u2019s impractical because the government must share data.<\/p>\n

\"Hearings\"<\/p>\n

BUT \u00a0it is possible to isolate critical subsystems. One way to do that, don\u2019t allow employees to transport any data offsite. No USB memory sticks or other media, and laptops are available only to those employees who absolutely need mobility. Employees using those laptops have VPN access to the corporate systems and for the most part those laptops when connected to the corporate VPN are Terminals<\/em><\/span><\/strong>\u00a0in the old school meaning of terminals. ie dumb as a rock.<\/p>\n

The point I\u2019m making here is that the need for computer & network security isn\u2019t new. \u00a0So why the hell hasn\u2019t our government kept up with the needs for security?<\/p>\n

Having seen the way government contracts work, I have a guess.<\/p>\n

\"redtape\"<\/p>\n

Imagine a situation where a bunch of cooks get in the soup and specify all manner of equipment down to the smallest detail. Once finished, \u00a0the specification goes from committee to\u00a0committee and after a year or two the spec is approved, money is appropriated and the funds become available.<\/p>\n

Our happy IT guys call a government approved vendor of equipment, and are told that equipment isn\u2019t available anymore. Or worse yet, the equipment or software can be purchased but now it\u2019s a custom build and will be 50% more expensive than the original product and by the way have significantly fewer capabilities than current off the shelf products costing significantly less than the originally specified equipment or software originally sold for.<\/p>\n

\"Old<\/p>\n

So in the one case the specification process starts over again. In the other case the \u201capproved equipment\u201d is less capable, \u00a0yet more expensive, than the machine a hacker in China purchased on the internet yesterday.<\/p>\n

Rather than the\u00a0committees addressing the fundamental problem in terms of appropriations and approvals they\u2019re content to keep failing. Meanwhile the security of government systems continues to fall further and further behind.<\/p><\/blockquote>\n

This isn\u2019t a partisan issue. Regardless of what the administration might say. This is an epic systemic<\/span> failure on the part of an entity that has access to all of our private data. A.K.A The United States Government.<\/p>\n

\"UNIVAC\"<\/p>\n

How do you solve this problem?<\/p>\n

The simplest way is to allow the IT people, The REAL IT<\/strong> people, not the morons that built the healthcare.gov site, say \u201cwe need a router and after figuring out which is the best unit for the money\u2026 They BUY IT!<\/p>\n

That should go for a single router or a RACK of routers.<\/p>\n

Does Dianne Freakin Feinstein have a clue about the difference between a CISCO and a Barracuda? NO!<\/p>\n

So why are people like Feinstein reviewing and voting on these appropriations bills or worse yet wasting time and money having hearings about shit they\u2019ll never understand, when they should be letting the professionals do the job? You can tell pretty darn fast if an IT dept. is pissing money away and a quarterly budget review (again by IT pros who know what\u2019s needed and what it costs<\/em>) would keep the expenditures in check and at the same time maintain security.<\/p>\n

I\u2019ve got another dose of BAD news for you dear reader\u2026<\/p>\n

\"JihadiHacker\"<\/p>\n

The longer our leaders put off fixing the government IT infrastructure, the more expensive it\u2019s going to be.<\/p>\n

Think about putting off having your brakes fixed on your car.<\/p>\n

Brake pads cost $45 a wheel, Brake ROTORS cost $1000 a wheel. Most of us average folks learn the hard lesson, it\u2019s always better to spend the $180 rather than spending the $1180. We all learn it once!<\/p>\n

We never make that mistake again unless we\u2019re wealthy, elitist, \u00a0over-educated, dumbasses.<\/p>\n

Unfortunately, most of our politicians are the latter kind of people not the former.<\/p>\n

\n

Update 2015 06 19<\/p>\n

As more comes out about this breach, I think it\u2019s clear that the government IT people are not up to the challenge.<\/p>\n

Here is a line to an ars Technica<\/em> article titled Encryption \u201cwould not have helped at OPM says DHS official\u201d<\/a><\/p>\n

Below is the article minus the video.<\/p>\n

\n

Encryption \u201cwould not have helped\u201d at OPM, says DHS official<\/h1>\n

\"archuleta-opm-640x359\"<\/a><\/p>\n

Office of Personnel Management Director Katherine Archuleta would be happy to discuss the particulars of the OPM brief with Congress\u2014in a classified briefing.<\/h3>\n

CSPAN<\/p>\n

During testimony today in a grueling two-hour hearing before the House Oversight and Government Reform Committee, Office of Personnel Management (OPM) Director Katherine Archuleta claimed that she had recognized huge problems with the agency’s computer security when she assumed her post 18 months ago. But when pressed on why systems had not been protected with encryption prior to the\u00a0recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors<\/a>, she said, “It is not feasible to implement on networks that are too old.” She added that the agency is now working to encrypt data within its networks.<\/p>\n

But even if the systems had been encrypted, it likely wouldn’t have mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked\u2014likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.<\/p>\n

House Oversight Chairman Jason Chaffetz (R-Utah) told Archuleta and OPM Chief Information Officer Donna Seymour, “You failed utterly and totally.” He referred to OPM’s own inspector general reports and hammered Seymour in particular for the 11\u00a0major systems out of 47 that had not been properly certified as secure\u2014which were not contractor systems but systems operated by OPM’s own IT department. “They were in your office, which is a horrible example to be setting,” Chaffetz told Seymour. In total, 65 percent of OPM’s data was stored on those uncertified systems.<\/p>\n

Chaffetz\u00a0pointed out in his opening statement that for the past eight years, according to OPM’s own Inspector General reports, “OPM’s data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information.”<\/p>\n

When Chaffetz asked Archuleta directly about the number of people who had been affected by the breach of OPM’s systems and whether it included contractor information as well as that of federal employees, Archuleta replied repeatedly, “I would be glad to discuss that in a classified setting.” That was Archuleta’s response to nearly all of the committee members’ questions over the course of the hearing this morning.<\/p>\n

At least we found it<\/h2>\n

Archuleta told the committee that the breach was found only because she had been pushing forward with an aggressive plan to update OPM’s security, centralizing the oversight of IT security under the chief information officer\u00a0and implementing “numerous tools and capabilities.” She claimed that it was during the process of updating tools that the breach was discovered. “But for the fact that OPM implemented new, more stringent security tools in its environment, we would have never known that malicious activity had previously existed on the network and would not have been able to share that information for the protection of the rest of the federal government,” she read from\u00a0her prepared statement<\/a>.<\/p>\n

Dr. Ozment reiterated that when the malware activity behind the breach was discovered, “we loaded that information into Einstein (DHS’ government-wide intrusion detection system) immediately. We also put it into Einstein 3 (the intrusion prevention system currently being rolled out) so that agencies protected by it would be protected from it going forward.”<\/p>\n

But nearly every question of substance about the breach\u2014which systems were affected, how many individuals’ data was exposed, what type of data was accessed, and the potential security implications of that data\u2014was deferred by Archuleta on the grounds that the information was classified. What wasn’t classified was OPM’s horrible track record on security, which dates back at least to the George W. Bush administration\u2014if not further.<\/p>\n

A history of neglect<\/h2>\n

During his opening statement, Chaffetz read verbatim from a 2009 OPM inspector general report that noted, “The continuing weakness in OPM information security program results directly from inadequate governance. Most if not all of the [information security] exceptions we noted this year result from a lack of leadership, policy, and guidance.” Similar statements were read from 2010 and 2012 reports, each more dire than the last. The OPM Office of the Inspector General\u00a0only began upgrading its assessment of the agency’s security posture in its fiscal year 2014 report\u2014filed just before news of a breach at a second OPM background investigation contractor surfaced.<\/p>\n

Rep. Will Hurd (R-Texas), a freshman member of Congress, told the OPM executives and the other witnesses\u2014DHS’ Ozment, Interior Department CIO Sylvia Burns, the new US CIO Tony Scott, and OPM Assistant Inspector General Michael Esser\u2014 that “the execution on security has been horrific. Good intentions are not good enough.” He asked Seymour pointedly about the legacy systems that had not been adequately protected or upgraded. Seymour replied that some of them were over 20 years old and written in\u00a0COBOL<\/a>, and they could not easily be upgraded or replaced. These systems would be difficult to update to include encryption or multi-factor authentication because of their aging code base, and they would require a full rewrite.<\/p>\n

\"seymour-opm-640x359\"<\/a><\/p>\n

Enlarge<\/a>\u00a0\/ OPM CIO Donna Seymour said that systems couldn’t simply have encryption added because some of them were over 20 years old and written in COBOL.<\/h3>\n

Personnel systems have often been treated with less sensitivity about security by government agencies. Even health systems have had issues, such as the Department of Veterans’ Affairs national telehealth program, which was breached in December of 2014. And there have been two previous breaches of OPM background investigation data through contractors\u2014first the\u00a0now-defunct USIS<\/a>\u00a0in August of last year, and then KeyPoint Government Solutions less than four months later. Those breaches included data about both government employees and contractors working for the government.<\/p>\n

But some of the security issues at OPM fall on Congress’ shoulders\u2014the breaches of\u00a0contractors in particular. Until recently, federal agents carried out background investigations for OPM. Then Congress cut the budget for investigations, and they were outsourced to USIS, which, as one person familiar with OPM’s investigation process told Ars, was essentially a company made up of “some OPM people who quit the agency and started up USIS on a shoestring.” When USIS was breached and most of its data (if not all of it) was stolen, the company lost its government contracts and was replaced by KeyPoint\u2014”a bunch of people on an even thinner shoestring. Now if you get investigated, it’s by a person with a personal Gmail account because the company that does the investigation literally has no IT infrastructure. And this Gmail account is not one of those where a company contracts with Google for business services. It is a personal Gmail account.”<\/p>\n

Some\u00a0of the contractors that have helped OPM with managing internal data have had security issues of their own\u2014including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People’s Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is ‘so what’s new?'”<\/p>\n

Given the scope and duration of the data breaches, it may be impossible for the US government to get a handle on the exact extent of the damage done just by the latest attack on OPM’s systems. If anything is clear, it is that the aging infrastructure of many civilian agencies in Washington magnify the problems the government faces in securing its networks, and OPM’s data breach may just be the biggest one that the government knows about to date.<\/p>\n

\n

<END><\/p>\n","protected":false},"excerpt":{"rendered":"

I kept hearing about the data breach at the OPM. I thought to myself, \u201cno big deal,\u201d because I\u2019ve never been a government employee. But then one of the articles I read spoke about a particular form. The form number seemed familiar. Out of curiosity I checked my encrypted drive. AHHHH SHIT!!!! Yep, that’s a … <\/p>\n

Continue reading “Thrilling! Thank you OPM!”<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,104,10,6,9],"tags":[174],"class_list":["post-6071","post","type-post","status-publish","format-standard","hentry","category-gop-dem","category-government","category-modern-problems","category-rants","category-technology","tag-technology"],"_links":{"self":[{"href":"https:\/\/bone-in-the-throat.com\/Blog\/wp-json\/wp\/v2\/posts\/6071","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bone-in-the-throat.com\/Blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bone-in-the-throat.com\/Blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bone-in-the-throat.com\/Blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/bone-in-the-throat.com\/Blog\/wp-json\/wp\/v2\/comments?post=6071"}],"version-history":[{"count":8,"href":"https:\/\/bone-in-the-throat.com\/Blog\/wp-json\/wp\/v2\/posts\/6071\/revisions"}],"predecessor-version":[{"id":6128,"href":"https:\/\/bone-in-the-throat.com\/Blog\/wp-json\/wp\/v2\/posts\/6071\/revisions\/6128"}],"wp:attachment":[{"href":"https:\/\/bone-in-the-throat.com\/Blog\/wp-json\/wp\/v2\/media?parent=6071"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bone-in-the-throat.com\/Blog\/wp-json\/wp\/v2\/categories?post=6071"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bone-in-the-throat.com\/Blog\/wp-json\/wp\/v2\/tags?post=6071"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}