6/16/15, "Encryption “would not have helped” at OPM, says DHS official," Ars Technica, Sean Gallagher
"Attackers had valid user credentials and run of network, bypassing security."
"During testimony today in a grueling two-hour hearing before the
House Oversight and Government Reform Committee, Office of Personnel
Management (OPM) Director Katherine Archuleta claimed that she had
recognized huge problems with the agency's computer security when she
assumed her post 18 months ago. But when pressed on why systems had not
been protected with encryption prior to the recent
discovery of an intrusion that gave attackers access to sensitive data
on millions of government employees and government contractors, she
said, "It is not feasible to implement on networks that are too old."
She added that the agency is now working to encrypt data within its
networks.
But even if the systems had been encrypted, it likely wouldn't have
mattered. Department of Homeland Security Assistant Secretary for
Cybersecurity Dr. Andy Ozment testified that encryption would "not have
helped in this case" because the attackers had gained valid user
credentials to the systems that they attacked—likely through social
engineering. And because of the lack of multifactor authentication on
these systems, the attackers would have been able to use those
credentials at will to access systems from within and potentially even
from outside the network.
............
House Oversight Chairman Jason Chaffetz (R-Utah) told Archuleta and
OPM Chief Information Officer Donna Seymour, "You failed utterly and
totally." He referred to OPM's own inspector general reports and
hammered Seymour in particular for the 11 major systems out of 47 that
had not been properly certified as secure—which were not contractor
systems but systems operated by OPM's own IT department. "They were in
your office, which is a horrible example to be setting," Chaffetz told
Seymour. In total, 65 percent of OPM's data was stored on those
uncertified systems.
Chaffetz pointed out in his opening statement that for the past eight
years, according to OPM's own Inspector General reports, "OPM's data
security posture was akin to leaving all your doors and windows unlocked
and hoping nobody would walk in and take the information."
When Chaffetz asked Archuleta directly about the number of people who
had been affected by the breach of OPM's systems and whether it
included contractor information as well as that of federal employees,
Archuleta replied repeatedly, "I would be glad to discuss that in a
classified setting." That was Archuleta's response to nearly all of the
committee members' questions over the course of the hearing this
morning.
Archuleta told the committee that the breach was found only because
she had been pushing forward with an aggressive plan to update OPM's
security, centralizing the oversight of IT security under the chief
information officer and implementing "numerous tools and capabilities."
She claimed that it was during the process of updating tools that the
breach was discovered."...
[Ed. note: This has been disputed per Wired.com, 6/11/15: "But the Wall Street Journal reported today that the breach was actually discovered during a sales demonstration by a security company named CyTech Services (paywall), showing the OPM its forensic product."]
(continuing): "But for the fact that OPM implemented new, more
stringent security tools in its environment, we would have never known
that malicious activity had previously existed on the network and would
not have been able to share that information for the protection of the
rest of the federal government," she read from her prepared statement.
Dr. Ozment reiterated that when the malware activity behind the breach
was discovered, "we loaded that information into Einstein (DHS'
government-wide intrusion detection system) immediately. We also put it
into Einstein 3 (the intrusion prevention system currently being rolled
out) so that agencies protected by it would be protected from it going
forward."
But nearly every question of substance about the breach—which systems
were affected, how many individuals' data was exposed, what type of
data was accessed, and the potential security implications of that
data—was deferred by Archuleta on the grounds that the information was
classified. What wasn't classified was OPM's horrible track record on
security, which dates back at least to the George W. Bush
administration—if not further.
During his opening statement, Chaffetz read verbatim from a 2009 OPM
inspector general report that noted, "The continuing weakness in OPM
information security program results directly from inadequate
governance. Most if not all of the [information security] exceptions we
noted this year result from a lack of leadership, policy, and guidance."
Similar statements were read from 2010 and 2012 reports, each more dire
than the last. The OPM Office of the Inspector General only began
upgrading its assessment of the agency's security posture in its fiscal
year 2014 report—filed just before news of a breach at a second OPM
background investigation contractor surfaced.
Rep. Will Hurd (R-Texas), a freshman member of Congress, told the OPM
executives and the other witnesses—DHS' Ozment, Interior Department CIO
Sylvia Burns, the new US CIO Tony Scott, and OPM Assistant Inspector
General Michael Esser—that "the execution on security has been
horrific. Good intentions are not good enough." He asked Seymour
pointedly about the legacy systems that had not been adequately
protected or upgraded. Seymour replied that some of them were over 20
years old and written in COBOL,
and they could not easily be upgraded or replaced. These systems would
be difficult to update to include encryption or multi-factor
authentication because of their aging code base, and they would require a
full rewrite.
Personnel systems have often been treated with less sensitivity about
security by government agencies. Even health systems have had issues,
such as the Department of Veterans' Affairs national telehealth program,
which was breached in December of 2014. And there have been two
previous breaches of OPM background investigation data through
contractors—first the now-defunct USIS
in August of last year, and then KeyPoint Government Solutions less
than four months later. Those breaches included data about both
government employees and contractors working for the government.
............
But some of the security issues at OPM fall on Congress'
shoulders—the breaches of contractors in particular. Until recently,
federal agents carried out background investigations for OPM. Then
Congress cut the budget for investigations, and they were outsourced to
USIS, which, as one person familiar with OPM's investigation process
told Ars, was essentially a company made up of "some OPM people who quit
the agency and started up USIS on a shoestring." When USIS was breached
and most of its data (if not all of it) was stolen, the company lost
its government contracts and was replaced by KeyPoint—"a bunch of people
on an even thinner shoestring. Now if you get investigated, it's by a
person with a personal Gmail account because the company that does the
investigation literally has no IT infrastructure. And this Gmail account
is not one of those where a company contracts with Google for business
services. It is a personal Gmail account." ..............
Some of the contractors that have helped OPM with managing internal
data have had security issues of their own—including potentially giving
foreign governments direct access to data long before the recent
reported breaches. A consultant who did some work with a company
contracted by OPM to manage personnel records for a number of agencies
told Ars that he found the Unix systems administrator for the project
"was in Argentina and his co-worker was physically located in the
[People's Republic of China]. Both had direct access to every row of
data in every database: they were root. Another team that worked with
these databases had at its head two team members with PRC [China] passports. I
know that because I challenged them personally and revoked their
privileges. From my perspective, OPM compromised this information more
than three years ago and my take on the current breach is 'so what's
new?'"
Given the scope and duration of the data breaches, it may be
impossible for the US government to get a handle on the exact extent of
the damage done just by the latest attack on OPM's systems. If anything
is clear, it is that the aging infrastructure of many civilian agencies
in Washington magnifies the problems the government faces in securing its
networks, and OPM's data breach may just be the biggest one that the
government knows about to date." via Richard Fernandez
=======================
=======================
6/11/15, "Why The OPM Breach Is Such a Security and Privacy Debacle," wired.com, Kim Zetter and Andy Greenberg
"What’s more, in initial media stories about the breach, the Department
of Homeland Security had touted the government’s EINSTEIN detection
program, suggesting it was responsible for uncovering the hack. Nope,
also wrong.
Although reports are conflicting about how the OPM discovered the
breach, it took investigators four months to uncover it, which means the
EINSTEIN system failed. According to a statement from the OPM, the
breach was found after administrators made upgrades to unspecified
systems. But the Wall Street Journal reported today that the breach was actually discovered during a sales demonstration by a security company named CyTech Services (paywall), showing the OPM its forensic product."...
===================
===================
NASA computers were hacked 13 times in 2011 and also weren't encrypted. Three citations follow:
3/2/12, “NASA says it was hacked 13 times last year,” Reuters
“NASA said hackers broke into its computer systems 13 times last year, stealing employee credentials and
gaining access to mission-critical projects in breaches that
could compromise U.S. national security.”…
===================
==================
"48 NASA devices were lost or stolen between 4/2009 and 4/2011." NASA still hadn't encrypted its computers in 2012 when a NASA employee's unencrypted laptop with "sensitive" information was stolen from a locked car:
11/15/12, “NASA to encrypt data after its latest laptop loss,” BBC
“US space agency Nasa has ordered that the data on all its laptops must be encrypted, after losing another one of its portable computers. Until
the process is complete, it has forbidden staff from removing
Nasa-issued laptops containing sensitive information from its
facilities.
The order follows the loss of a device containing “sensitive personally identifiable information”. There have been several similar incidents over recent years.
Nasa said the latest incident had occurred on 31 October, when a
laptop and documents were stolen from a locked vehicle of one of its
employees at Nasa headquarters in Washington DC. The machine was password protected, but the agency acknowledged that the information might still be accessible to hackers since it was not encrypted.
Encryption would have scrambled the data, requiring a
complicated code to make it understandable again. As a result, Nasa has
warned its workers to watch out for bogus messages.
“All employees should be aware of any
phone calls, emails, and other communications from individuals claiming
to be from Nasa or other official sources that ask for personal
information or verification of it,” an agency-wide email published by news site Spaceref stated.
“Because of the amount of information that must be reviewed and validated electronically and manually, it may take up to 60 days for all individuals impacted by this breach to be identified and contacted.”…
The Nasa Watch blog, which comments on affairs at the agency, had previously criticised it for a series of other data losses. It noted that the organisation had been warned in 2009 that it was not taking enough steps to sufficiently protect information and had reported the loss or theft of 48 of its mobile computing devices between April 2009 and April 2011.
This is not the first time Nasa has promised action to address the problem.
In March, Nasa administrator Charles Bolden told the House Appropriations Committee Subcommittee on Commerce that he was going to sign a directive ordering all portable devices to use encryption, after acknowledging the agency was “woefully deficient” when compared to other government departments.”
=================
====================
"NASA has a history of laptops with personally identifiable information being stolen."
11/14/12, “NASA Suffers “Large” Data Breach Affecting Employees, Contractors, and Others,” spectrum.ieee.org, R. Charette
“Yesterday, NASA sent a message to all NASA employees informing them of a data breach involving an agency stolen laptop.
According to the NASA message posted at SpaceRef.com, “On October 31, 2012, a NASA laptop and official NASA documents issued to a Headquarters employee were stolen from the employee’s locked vehicle. The laptop contained records of sensitive personally identifiable information (PII) for a large number of NASA employees, contractors, and others. Although the laptop was password protected, it did not have whole disk encryption software, which means the information on the laptop could be accessible to unauthorized individuals. We are thoroughly assessing and investigating the incident, and taking every possible action to mitigate the risk of harm or inconvenience to affected employees.”
The message goes on to state that NASA will be sending letters to affected individuals, once the agency figures out who they are, which may take up to 60 days. Those individuals receiving letters will be offered a free credit and ID monitoring service….
NASA plans to have all of its laptops running whole disk encryption software by 21 December 2012….
Why it has taken so long for NASA to finally decide to fully encrypt its laptops remains a mystery, given its long-time poor record on IT security. As noted at NASA Watch, NASA has a history of laptops with personally identifiable information being stolen, one as recently as March.
Maybe NASA decided to act this time because it involved a NASA Headquarters’ person who in all likelihood is very senior and should have known better than to possess a laptop with no data encryption.”
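Added example, not taken from any of the articles quoted above: a short Python model of the two threat models this page puts side by side. In the NASA case the thief holds the disk but not the password, so whole-disk encryption is the control that matters and a login password alone protects nothing. In the OPM case Ozment describes, the attacker holds a valid password, the server decrypts records for any authenticated session, so encryption at rest is irrelevant and only a second factor would have blocked access. The cipher is a constructed HMAC-SHA256 keystream standing in for AES (it keeps the example inside the standard library; use AES-GCM or similar in real systems), the one-time-code routine follows RFC 6238, and the account name, password, TOTP secret and record are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed sample record; not real data.
RECORD = b"name=A. Example;ssn=000-00-0000;clearance=TS (constructed)"


def derive_key(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: the disk stores only the salt, never the key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256 (stand-in for a real cipher)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh nonce per message, prepended to the ciphertext
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


# Scenario 1 (stolen laptop): the thief images the disk and never sees a login prompt.
def stolen_laptop_read(password: str, whole_disk_encryption: bool) -> bytes:
    salt = os.urandom(16)
    if whole_disk_encryption:
        return encrypt(derive_key(password, salt), RECORD)  # ciphertext is all the thief gets
    return RECORD  # "password protected" login only: the bytes on disk are plain


# Scenario 2 (stolen credentials): a server that decrypts for any authenticated session.
class RecordsServer:
    def __init__(self, password: str, totp_secret: bytes, require_mfa: bool):
        self.key = os.urandom(32)  # at-rest key lives on the server, not with the user
        self.salt = os.urandom(16)
        self.pw_hash = derive_key(password, self.salt)
        self.totp_secret = totp_secret
        self.require_mfa = require_mfa
        self.store = {"A. Example": encrypt(self.key, RECORD)}

    def _authenticate(self, password: str, code, now: int) -> bool:
        if not hmac.compare_digest(self.pw_hash, derive_key(password, self.salt)):
            return False
        if not self.require_mfa:
            return True  # password alone is a full session: the OPM situation
        return code is not None and hmac.compare_digest(totp(self.totp_secret, now), code)

    def fetch(self, name: str, password: str, code=None, now=None):
        """Plaintext record for an authenticated caller, None otherwise."""
        now = int(time.time()) if now is None else now
        if not self._authenticate(password, code, now):
            return None
        return decrypt(self.key, self.store[name])  # transparent decryption


def credential_theft_outcome(require_mfa: bool):
    """Attacker knows the (phished) password but not the TOTP secret."""
    server = RecordsServer("Spring2015!", b"12345678901234567890", require_mfa)
    return server.fetch("A. Example", "Spring2015!", code="000000", now=59)


if __name__ == "__main__":
    print("laptop, no FDE :", stolen_laptop_read("pw", False) == RECORD)   # True: readable
    print("laptop, FDE    :", stolen_laptop_read("pw", True) == RECORD)    # False: ciphertext only
    print("server, no MFA :", credential_theft_outcome(False) == RECORD)  # True: encryption moot
    print("server, MFA    :", credential_theft_outcome(True))             # None: blocked
```

The two scenarios fail in opposite directions: encrypting the laptop turns the thief's haul into ciphertext, while encrypting the server's records changes nothing for an attacker who can log in, because the server's whole job is to decrypt for valid sessions. Requiring a second factor is what turns the stolen password into a denied login, which is the gap Ozment's testimony points at.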