The OPM Hacking Scandal Just Got Worse
June 11, 2015
The other day I explained in detail how the mega-hack of the Office of Personnel Management’s internal servers looks like a genuine disaster for the U.S. Government, a setback that will have long-lasting and painful counterintelligence consequences. In particular I explained what the four million Americans whose records have been purloined may be in for:

Whoever now holds OPM’s records possesses something like the Holy Grail from a CI perspective. They can target Americans in their database for recruitment or influence. After all, they know their vices, every last one — the gambling habit, the inability to pay bills on time, the spats with former spouses, the taste for something sexual on the side (perhaps with someone of a different gender than your normal partner) — since all that is recorded in security clearance paperwork (to get an idea of how detailed this gets, you can see the form, called an SF86, here).

Do you have friends in foreign countries, perhaps lovers past and present? They know all about them. That embarrassing dispute with your neighbor over hedges that nearly got you arrested? They know about that too. Your college drug habit? Yes, that too. Even what your friends and neighbors said about you to investigators, highly personal and revealing stuff, that’s in the other side’s possession now.

The bad news keeps piling up with this story, including reports that OPM records may have appeared, for sale, on the “darknet.” Moreover, OPM seems to have initially low-balled just how serious the breach actually was. Even more disturbing, if predictable, is a new report in the New York Times that case “investigators believe that the Chinese hackers who attacked the databases of the Office of Personnel Management may have obtained the names of Chinese relatives, friends and frequent associates of American diplomats and other government officials, information that Beijing could use for blackmail or retaliation.”

We can safely replace “may” in that quote with “almost certainly did” since for Chinese intelligence that would be some of the most valuable information in any of those millions of OPM files. Armed with lists of Chinese citizens worldwide who are in “close and continuing contact” (to cite security clearance lingo) with American officials, Beijing can now seek to exploit those ties for espionage purposes.

This matters because, while many intelligence services exploit ties of ethnicity to further their espionage against the United States — Russians, Cubans, Israelis, even the Greeks — none of the major counterintelligence threats to America are as dependent on blood ties as the Chinese. Simply put, in its efforts at recruiting spies abroad, Beijing is often uncomfortable operating outside its ethnic milieu. Spies run by Beijing who are not ethnic Chinese are very much the exception. This poses less of a problem for them that it might seem, however, as there are something like fifty million “overseas Chinese” worldwide, including about four million living in the United States.

Nearly every espionage case in the United States involving Beijing comes down to the ethnic angle, somewhere. To cite only a few examples, among many, Larry Wu-Tai Chin, a CIA translator/analyst, passed highly classified information to Beijing for over thirty years. Katrina Leung managed to severely damage FBI intelligence against China for years, in a complex and messy operation that confounded the Bureau. Then there’s the messy case of Wen Ho Lee, a scientist employed at Los Alamos National Laboratory, whom U.S. counterintelligence believed passed significant amounts of classified nuclear information to Beijing. Most recently was there was the case of Xiafen “Sherry” Chen, a Federal worker who was caught having unreported meetings with a Chinese regime official.

It should be noted that all the persons mentioned in the previous paragraph were born in China (Lee was born in Taiwan) then immigrated to the United States. They seem to have been persuaded to betray their adopted country on behalf of their native land. Ms. Chen, against whom serious charges were recently dropped, has alleged ethnic bias in the FBI’s pursuit of her, as did Wen Ho Lee. Members of Congress and ethnic activists have joined that chorus too. Interestingly, Beijing has sung the same tune, with regime outlets alleging that anti-Chinese prejudice is at the root of U.S. counterintelligence efforts. However, whatever blame here lies in Beijing, not Washington, DC, since it is China that is exploiting its nationals abroad to further their espionage.

Beijing also uses its citizens abroad to facilitate espionage. An interesting recent case in Hawaii, which is something of a hotbed of Chinese spying, given the large number of U.S. military commands housed on Oahu, involved a retired U.S. Army officer and defense contractor working at U.S. Pacific Command who apparently got honey-trapped by a fetching young Chinese student (this is being a common Chinese tactic). Benjamin Bishop has been sentenced to more than seven years in jail for stealing classified information from work and passing it to a Chinese woman less than half his age, who was in the United States on a student visa.

The modus operandi of Chinese intelligence and its operations abroad are understood by the FBI and the Intelligence Community. However, the extent of the information loss in the OPM hack is so vast that all the counterintelligence awareness in the world may not be able to offset the advantage in the SpyWar that Beijing has won with this vast data theft. If you are (or have been) employed with the Federal government and have listed Chinese persons in any way on your SF86, it’s time to be vigilant.

 Frazzled wrote:
Don't worry. We've prepared an extremely unpleasant, harshly worded letter to be sent to the Chinese Embassy (but they already read it...heh heh).

Maybe the government should go back to closed networks etc.

 gunslingerpro wrote:
Apparently this also impacted anyone who has ever APPLIED for the government.

I had an application in for a few jobs before I went private sector and was notified that the vendor that does the background checks for the government was also hacked.

 streamdragon wrote:

 gunslingerpro wrote:
Apparently this also impacted anyone who has ever APPLIED for the government.

I had an application in for a few jobs before I went private sector and was notified that the vendor that does the background checks for the government was also hacked.

Was that vendor Altegrity? Please tell me that vendor was Altegrity.


Also: FTC not among the agencies whose records were stolen. *whew*

WASHINGTON (AP) — Hackers linked to China appear to have gained access to the sensitive background information submitted by intelligence and military personnel for security clearances, several U.S. officials said Friday, describing a second cyberbreach of federal records that could dramatically compound the potential damage.

The forms authorities believed to have been accessed, known as Standard Form 86, require applicants to fill out deeply personal information about mental illnesses, drug and alcohol use, past arrests and bankruptcies. They also require the listing of contacts and relatives, potentially exposing any foreign relatives of U.S. intelligence employees to coercion. Both the applicant's Social Security number and that of his or her cohabitant is required.

The officials spoke on condition of anonymity because the security clearance material is classified.

"This tells the Chinese the identities of almost everybody who has got a United States security clearance," said Joel Brenner, a former top U.S. counterintelligence official. "That makes it very hard for any of those people to function as an intelligence officer. The database also tells the Chinese an enormous amount of information about almost everyone with a security clearance. That's a gold mine. It helps you approach and recruit spies."

The Office of Personnel Management, which was the target of the hack, has not officially notified military or intelligence personnel whose security clearance data was breached, but news of the second hack was starting to circulate in both the Pentagon and the CIA.

The officials said they believe the hack into the security clearance database was separate from the breach of federal personnel data announced last week — a breach that is itself appearing far worse than first believed. It could not be learned whether the security database breach happened when an OPM contractor was hacked in 2013, an attack that was discovered last year. Members of Congress received classified briefings about that breach in September, but there was no mention of security clearance information being exposed.

The OPM had no immediate comment Friday.

Nearly all of the millions of security clearance holders, including CIA, National Security Agency and military special operations personnel, are potentially exposed in the security clearance breach, the officials said. More than 2.9 million people had been investigated for a security clearance as of October 2014, according to government records.

In the hack of standard personnel records announced last week, two people briefed on the investigation disclosed Friday that as many as 14 million current and former civilian U.S. government employees have had their information exposed to hackers, a far higher figure than the 4 million the Obama administration initially disclosed.

American officials have said that cybertheft originated in China and that they suspect espionage by the Chinese government, which has denied any involvement.

The newer estimate puts the number of compromised records between 9 million and 14 million going back to the 1980s, said one congressional official and one former U.S. official, who spoke to The Associated Press on condition of anonymity because information disclosed in the confidential briefings includes classified details of the investigation.

There are about 2.6 million executive branch civilians, so the majority of the records exposed relate to former employees. Contractor information also has been stolen, officials said. The data in the hack revealed last week include the records of most federal civilian employees, though not members of Congress and their staffs, members of the military or staff of the intelligence agencies.

On Thursday, a major union said it believes the hackers stole Social Security numbers, military records and veterans' status information, addresses, birth dates, job and pay histories; health insurance, life insurance and pension information; and age, gender and race data.

The personnel records would provide a foreign government an extraordinary roadmap to blackmail, impersonate or otherwise exploit federal employees in an effort to gain access to U.S. secrets —or entry into government computer networks.

Outside experts were pointing to the breaches as a blistering indictment of the U.S. government's ability to secure its own data two years after a National Security Agency contractor, Edward Snowden, was able to steal tens of thousands of the agency's most sensitive documents.

After the Snowden revelations about government surveillance, it became more difficult for the federal government to hire talented younger people into sensitive jobs, particularly at intelligence agencies, said Evan Lesser, managing director of ClearanceJobs.com, a website that matches security-clearance holders to available slots.

"Now, if you get a job with the government, your own personal information may not be secure," he said. "This is going to multiply the government's hiring problems many times."

The Social Security numbers were not encrypted, the American Federation of Government Employees said, calling that "an abysmal failure on the part of the agency to guard data that has been entrusted to it by the federal workforce."

"Unencrypted information of this kind this is disgraceful — it really is disgraceful," Brenner said. "We've had wakeup calls now for 20 years or more, and we keep hitting the snooze button."

Samuel Schumach, an OPM spokesman, would not address how the data was protected or specifics of the information that might have been compromised, but said, "Today's adversaries are sophisticated enough that encryption alone does not guarantee protection." OPM is nonetheless increasing its use of encryption, he said.

The Obama administration had acknowledged that up to 4.2 million current and former employees whose information resides in the Office of Personnel Management server are affected by the December cyberbreach, but it had been vague about exactly what was taken.

J. David Cox, president of the American Federation of Government Employees, said in a letter Thursday to OPM director Katherine Archuleta that based on incomplete information OPM provided to the union, "the hackers are now in possession of all personnel data for every federal employee, every federal retiree and up to 1 million former federal employees."

Another federal employee group, the National Active and Retired Federal Employees Association, said Friday that "at this point, we believe AFGE's assessment of the breach is overstated." It called on the OPM to provide more information.

Rep. Mike Rogers, the former chairman of the House Intelligence Committee, said last week that he believes China will use the recently stolen information for "the mother of all spear-phishing attacks."

Spear-phishing is a technique under which hackers send emails designed to appear legitimate so that users open them and load spyware onto their networks.

___

 Do_I_Not_Like_That wrote:

Forgive my ignorance, but what's pen and paper? Some advanced encryption software?

 whembly wrote:

Its going from bad to catastrophe...

Encryption “would not have helped” at OPM, says DHS official

Attackers had valid user credentials and run of network, bypassing security [whembly: wut?]

During testimony today in a grueling two-hour hearing before the House Oversight and Government Reform Committee, Office of Personnel Management (OPM) Director Katherine Archuleta claimed that she had recognized huge problems with the agency's computer security when she assumed her post 18 months ago. But when pressed on why systems had not been protected with encryption prior to the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, she said, "It is not feasible to implement on networks that are too old." She added that the agency is now working to encrypt data within its networks.

But even if the systems had been encrypted, it likely wouldn't have mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would "not have helped in this case" because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.

House Oversight Chairman Jason Chaffetz (R-Utah) told Archuleta and OPM Chief Information Officer Donna Seymour, "You failed utterly and totally." He referred to OPM's own inspector general reports and hammered Seymour in particular for the 11 major systems out of 47 that had not been properly certified as secure—which were not contractor systems but systems operated by OPM's own IT department. "They were in your office, which is a horrible example to be setting," Chaffetz told Seymour. In total, 65 percent of OPM's data was stored on those uncertified systems.

Chaffetz pointed out in his opening statement that for the past eight years, according to OPM's own Inspector General reports, "OPM's data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information."

When Chaffetz asked Archuleta directly about the number of people who had been affected by the breach of OPM's systems and whether it included contractor information as well as that of federal employees, Archuleta replied repeatedly, "I would be glad to discuss that in a classified setting." That was Archuleta's response to nearly all of the committee members' questions over the course of the hearing this morning.

At least we found it

Archuleta told the committee that the breach was found only because she had been pushing forward with an aggressive plan to update OPM's security, centralizing the oversight of IT security under the chief information officer and implementing "numerous tools and capabilities." She claimed that it was during the process of updating tools that the breach was discovered. "But for the fact that OPM implemented new, more stringent security tools in its environment, we would have never known that malicious activity had previously existed on the network and would not have been able to share that information for the protection of the rest of the federal government," she read from her prepared statement.

Dr. Ozment reiterated that when the malware activity behind the breach was discovered, "we loaded that information into Einstein (DHS' government-wide intrusion detection system) immediately. We also put it into Einstein 3 (the intrusion prevention system currently being rolled out) so that agencies protected by it would be protected from it going forward."
But nearly every question of substance about the breach—which systems were affected, how many individuals' data was exposed, what type of data was accessed, and the potential security implications of that data—was deferred by Archuleta on the grounds that the information was classified. What wasn't classified was OPM's horrible track record on security, which dates back at least to the George W. Bush administration—if not further.

A history of neglect

During his opening statement, Chaffetz read verbatim from a 2009 OPM inspector general report that noted, "The continuing weakness in OPM information security program results directly from inadequate governance. Most if not all of the [information security] exceptions we noted this year result from a lack of leadership, policy, and guidance." Similar statements were read from 2010 and 2012 reports, each more dire than the last. The OPM Office of the Inspector General only began upgrading its assessment of the agency's security posture in its fiscal year 2014 report—filed just before news of a breach at a second OPM background investigation contractor surfaced.

Rep. Will Hurd (R-Texas), a freshman member of Congress, told the OPM executives and the other witnesses—DHS' Ozment, Interior Department CIO Sylvia Burns, the new US CIO Tony Scott, and OPM Assistant Inspector General Michael Esser— that "the execution on security has been horrific. Good intentions are not good enough." He asked Seymour pointedly about the legacy systems that had not been adequately protected or upgraded. Seymour replied that some of them were over 20 years old and written in COBOL, and they could not easily be upgraded or replaced. These systems would be difficult to update to include encryption or multi-factor authentication because of their aging code base, and they would require a full rewrite.

Personnel systems have often been treated with less sensitivity about security by government agencies. Even health systems have had issues, such as the Department of Veterans' Affairs national telehealth program, which was breached in December of 2014. And there have been two previous breaches of OPM background investigation data through contractors—first the now-defunct USIS in August of last year, and then KeyPoint Government Solutions less than four months later. Those breaches included data about both government employees and contractors working for the government.

But some of the security issues at OPM fall on Congress' shoulders—the breaches of contractors in particular. Until recently, federal agents carried out background investigations for OPM. Then Congress cut the budget for investigations, and they were outsourced to USIS, which, as one person familiar with OPM's investigation process told Ars, was essentially a company made up of "some OPM people who quit the agency and started up USIS on a shoestring." When USIS was breached and most of its data (if not all of it) was stolen, the company lost its government contracts and was replaced by KeyPoint—"a bunch of people on an even thinner shoestring. Now if you get investigated, it's by a person with a personal Gmail account because the company that does the investigation literally has no IT infrastructure. And this Gmail account is not one of those where a company contracts with Google for business services. It is a personal Gmail account."

Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project "was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is 'so what's new?'"

Given the scope and duration of the data breaches, it may be impossible for the US government to get a handle on the exact extent of the damage done just by the latest attack on OPM's systems. If anything is clear, it is that the aging infrastructure of many civilian agencies in Washington magnify the problems the government faces in securing its networks, and OPM's data breach may just be the biggest one that the government knows about to date.

.@JonahNRO sums it up: http://t.co/2155lQUE8w pic.twitter.com/RBMtUG0yfz

— National Review (@NRO) June 17, 2015

 Co'tor Shas wrote:
And this is why you don't give vital security access to people not working for, and vetted by, the government. My god, is the entire department run by baboons? Even I could see that was a bad idea. My tech-illiterate, 87YO grandmother could probably see that was a bad idea.

 Co'tor Shas wrote:
And this is why you don't give vital security access to people not working for, and vetted by, the government. My god, is the entire department run by baboons? Even I could see that was a bad idea. My tech-illiterate, 87YO grandmother could probably see that was a bad idea.

 CptJake wrote:
The typ of security needed to prevent this incident and similar wouldn't be paid for by skipping a tank or two or even an F35.

 BobtheInquisitor wrote:

 Co'tor Shas wrote:
And this is why you don't give vital security access to people not working for, and vetted by, the government. My god, is the entire department run by baboons? Even I could see that was a bad idea. My tech-illiterate, 87YO grandmother could probably see that was a bad idea.

Exactly this kind of situation was proposed in local county government and there was a huge backlash because OF COURSE it's a bad idea to outsource your IT and security for a government position that handles million's of people's ID.SSN, Medical Records, and certain bits of financial data.

But the Federal Government somehow missed that?

 Tannhauser42 wrote:

 CptJake wrote:
The typ of security needed to prevent this incident and similar wouldn't be paid for by skipping a tank or two or even an F35.

And for focusing on a single word within my post, you missed my point entirely...
Besides, even with an inside source due to social engineering or otherwise, a good security system should have detected the wholesale theft of that much data.

 Co'tor Shas wrote:
And this is why you don't give vital security access to people not working for, and vetted by, the government. My god, is the entire department run by baboons? Even I could see that was a bad idea. My tech-illiterate, 87YO grandmother could probably see that was a bad idea.

 Bullockist wrote:

 Co'tor Shas wrote:
And this is why you don't give vital security access to people not working for, and vetted by, the government. My god, is the entire department run by baboons? Even I could see that was a bad idea. My tech-illiterate, 87YO grandmother could probably see that was a bad idea.

And the new front runner in republican pre-selection is Co'tor Shas' 87 year old tech-illiterate grandmother running on a platform of "keeping those metal boxes with the blinking lights safe from the Chinee

 NuggzTheNinja wrote:


Not to downplay things, but I look at this and think, blackmail me to who with what? My employer knows everything there is to know (and these hackers stole the information from them, so good luck threatening to sell their own information back to them), and I have nothing to hide from my family, so what's the problem exactly? I'm genuinely curious.

I'm more concerned with identity theft, to be honest. If I were of Chinese descent, I'd be worried about a Chinese spy lookalike smoking me and taking my place.

 CptJake wrote:

 NuggzTheNinja wrote:


Not to downplay things, but I look at this and think, blackmail me to who with what? My employer knows everything there is to know (and these hackers stole the information from them, so good luck threatening to sell their own information back to them), and I have nothing to hide from my family, so what's the problem exactly? I'm genuinely curious.

I'm more concerned with identity theft, to be honest. If I were of Chinese descent, I'd be worried about a Chinese spy lookalike smoking me and taking my place.

Identity theft is clearly a major issue with this breach, but there is another one which does not include blackmail.

When you take other available info (either open source or collected via other means) and apply what was gathered here a good crew of analysts with a decent set of tools (even using old hand drawn link diagrams) are going to be able to piece together info on organizations/mission sets (or capabilities) and manning, along with individual assignments and do some damned good OB work which has many uses. They will be able to diagram out quite a bit more than we wish they could. If nothing else, it will provide a means to focus/target further collection efforts.

 whembly wrote:
I need help...

How do you explain this level of ineptitude?
http://arstechnica.com/security/2015/06/encryption-would-not-have-helped-at-opm-says-dhs-official/
TL;DR: OPM IT were outsourced to foreigner contractors, with root access, working from their home country. In this case, China.