Post by Morreion on Jun 19, 2015 20:42:04 GMT -5
Encryption “would not have helped” at OPM, says DHS official (Ars Technica)
Attackers had valid user credentials and run of network, bypassing security.
During testimony today in a grueling two-hour hearing before the House Oversight and Government Reform Committee, Office of Personnel Management (OPM) Director Katherine Archuleta claimed that she had recognized huge problems with the agency's computer security when she assumed her post 18 months ago. But when pressed on why systems had not been protected with encryption prior to the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, she said, "It is not feasible to implement on networks that are too old." She added that the agency is now working to encrypt data within its networks.
But even if the systems had been encrypted, it likely wouldn't have mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would "not have helped in this case" because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.
...Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project "was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is 'so what's new?'"
We hired contractors from mainland China to work on the US government's computer systems containing classified files, files they could browse at will? In all of the stupidity that our government engages in, this has to be the dumbest sh*t I've ever heard of. For those that don't know, China has been stealing our corporate, technological and military secrets at least since the 1990s. It boggles the mind how this country survives from day to day with this kind of idiocy. The people that allowed this to happen deserve to be thrown in a dungeon. I usually don't get this upset, but this has to be one of the dumbest moments in human history.
China's hackers got what they came for (The Hill)
The Chinese hackers who are believed to have cracked into the federal government’s networks might not be back for a while.
They got what they came for.
“I think they have 95 percent of what they want from both U.S. industry and government,” said Tom Kellermann, chief cybersecurity officer at security research firm Trend Micro.
While China’s aggressive hacking operations are certain to continue, experts say the mammoth data breach at the Office of Personnel Management is a watershed event that will allow Beijing to move from broad reconnaissance to narrowly tailored snooping.
Having already obtained private information on up to 14 million federal employees — including Social Security numbers, arrest and financial records, and details on mental illness and drug and alcohol use — China’s hacking teams can now retreat to the shadows.
“For this point in time we won’t see another massive attack like this. Instead, it will be more targeted ones,” said Tony Cole, global government chief technical officer for security firm FireEye, which has conducted extensive research on Chinese cyber campaigns.
U.S. officials are still trying to figure out the full scope of the data breach, which is believed to have affected security clearance information for the military and spy agencies.
While the United States has not publicly blamed China, investigators privately say China was behind the cyberattack.
The OPM hacks have likely helped China fill out an exhaustive database of federal workers that their teams have slowly been building for over a year.
“Knowing almost every person is incredibly helpful,” said Dmitri Alperovitch, co-founder of cybersecurity firm CrowdStrike, which monitors critical infrastructure attacks. “That type of information they presumably never had access to before.”
Because the hack went undiscovered for a year, the hackers likely had time to do an exhaustive sweep through federal networks.
“If somebody was in last year and they had that much time,” Cole said, “then the odds are that they have a huge cache and have really taken all the crown jewels in that system.”
It appears the digital infiltrators were casting a wide net, similar to the tactics used when targeting health insurers like Anthem and Premera Blue Cross.
While those attacks compromised the Social Security numbers and personal information of more than 90 million people, researchers suspect that the goal was collecting information on U.S. government officials.
With the OPM hack, they likely hit the mother lode.
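The two gaps the Ars Technica testimony describes, passwords accepted without a second factor and root-level access held by accounts nobody had vetted, are both visible in ordinary authentication logs if someone looks. The script below is an added example, not part of the forum post or of either article, and not OPM's or any vendor's tooling. It parses a constructed log format (the field names, user names, timestamps and source countries are all made up for the demo) and raises two kinds of finding: a successful login with no MFA, and a root session from an account outside an approved list. Swap the regex for whatever your identity provider or syslog actually emits.

```python
"""Flag password-only logins and unapproved root sessions in auth logs.

Added example for the OPM discussion: encryption at rest is moot once an
attacker holds a valid credential, so the things worth alerting on are
successful logins that were never challenged for a second factor, and
privileged sessions from accounts that are not on an approved roster.
Log format and every sample value below are constructed, not real data.
"""
import re
from dataclasses import dataclass

# Hypothetical log line shape, one event per line:
# <ISO ts> auth user=<name> result=<success|failure> mfa=<yes|no> priv=<root|user> src=<country>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>\S+) "
    r"mfa=(?P<mfa>yes|no) priv=(?P<priv>\S+) src=(?P<src>\S+)$"
)

# Constructed sample events (timestamps, users and countries are invented).
SAMPLE_LOG = """\
2015-06-01T08:00:00Z auth user=alice result=success mfa=yes priv=user src=US
2015-06-01T08:05:00Z auth user=dbadmin result=success mfa=no priv=root src=AR
2015-06-01T08:07:00Z auth user=contractor7 result=success mfa=no priv=root src=CN
2015-06-01T08:09:00Z auth user=bob result=failure mfa=no priv=user src=US
2015-06-01T08:10:00Z auth user=opsroot result=success mfa=yes priv=root src=US
"""

# Accounts that are allowed to hold root; everything else is a finding.
APPROVED_ROOT = {"opsroot"}


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    ts: str
    detail: str


def parse_events(text):
    """Parse log text into dicts; non-matching lines are skipped here,
    but a production job should count and report them."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def evaluate(events, approved_root=APPROVED_ROOT):
    """Apply both rules to successful logins only; failures are noise here."""
    findings = []
    for e in events:
        if e["result"] != "success":
            continue
        if e["mfa"] == "no":
            findings.append(Finding("password_only_login", e["user"], e["ts"],
                                    f"src={e['src']}"))
        if e["priv"] == "root" and e["user"] not in approved_root:
            findings.append(Finding("unapproved_root_session", e["user"], e["ts"],
                                    f"src={e['src']}"))
    return findings


def summarize(findings):
    """Count findings per rule, handy for a daily report."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    fs = evaluate(parse_events(SAMPLE_LOG))
    for f in fs:
        print(f"{f.ts} {f.rule:24s} user={f.user} {f.detail}")
    print(summarize(fs))  # {'password_only_login': 2, 'unapproved_root_session': 2}
```

Both rules fire for the two constructed root accounts logging in from abroad with a password alone, while the MFA-protected, approved root login and the ordinary user login produce nothing. The approved-root roster is the part that needs a human owner: the contractor anecdote above is essentially a case where nobody maintained that list until one consultant checked it by hand.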