
The OPM hack explained: Bad security practices meet China's Captain America - wglb
https://www.csoonline.com/article/3318238/data-breach/the-opm-hack-explained-bad-security-practices-meet-chinas-captain-america.html
======
drewg123
_Cotton began providing software and services based on a handshake agreement.
OPM racked up more than $800,000 in bills from CyTech—but no contract was
executed and CyTech was not paid._

Wow. So I guess one lesson here is to never provide help to the government in
an emergency without something in writing. That's just sad.

[EDIT]: The linked article describes this in more detail:
[https://foreignpolicy.com/2016/09/07/how-opm-bilked-a-security-contractor-that-confirmed-a-major-hack-cytech/](https://foreignpolicy.com/2016/09/07/how-opm-bilked-a-security-contractor-that-confirmed-a-major-hack-cytech/)

~~~
starbeast
Given this bit -

>"Since this was a task more suited to Cylance Protect, they rolled out that
tool in a free trial mode, and it "lit up like a Christmas tree." At this
point, OPM began using Protect extensively in its diagnostic process, despite
not committing to license it from Cylance; they eventually agreed to do so on
June 30th, a day before the trial period was set to elapse. Cylance did not
actually receive payment for months."

- it seems that the takeaway is even more devastating. Don't start work
unless they have already paid.

~~~
badrabbit
Just a note, Cylance is infamous for false positives.

~~~
stonogo
What does that matter? The current standard is millions of false negatives.

~~~
badrabbit
Because they said it "lit up like a Christmas tree". Couldn't find the
VirusTotal stats page comparing vendors, but Cylance had ~5x higher than the
next false positive leader. It's not bad if you can filter them out and have
contextual awareness, but lighting up like a Christmas tree means little.

~~~
starbeast
On the other hand, if you know something is bad for false positives then,
unless it is so bad as to be unusable, you would expect that, on average,
getting a few results is dubious, but lighting up like a Christmas tree
probably means something is actually there.

~~~
acdha
That's really not a safe assumption — an incorrect result repeated thousands
of times does not become correct — and it definitely means that you now have a
big problem of reviewing and validating tons of noise which will delay the
time before you find whatever valid results are present.

I've seen multiple tools in this class — code scanners, IDSes, or web app
scanners — which caused security problems by training everyone to assume that
the results are always false-positives until they missed something real or
soaking up so much human time that nobody made progress on the major
improvements which would have prevented a breach.

------
caseysoftware
I wrote about this one three years ago: [https://caseysoftware.com/blog/opm-background-check-hack-a-different-angle](https://caseysoftware.com/blog/opm-background-check-hack-a-different-angle)

Basically, what if a secondary goal of the hack was to modify the data? Who
was denied or granted a security clearance after the attackers got access?

If you were a state-sponsored actor, making sure your guy got into the key
position would be easier if you could taint the competition.

------
EricE
If you haven't frozen your credit with the three credit bureaus (whether you
were part of the OPM hack or not!) you really should.

Actually, from a fraud standpoint Experian was much worse. Whoever hacked OPM
was probably a state actor and more interested in the data for other purposes.

Credit monitoring is useless. It just lets you know earlier (maybe) that you
have a mess to clean up. What should be criminal is the utter lack of real
security/identity validation from banks, financial institutions, the IRS, etc.
that causes the mess after these breaches.

~~~
toomuchtodo
> Actually from a fraud standpoint Experian was much worse.

I think you meant Equifax.

~~~
emmelaich
(not the op but) Experian was hacked too.

------
CamperBob2
Incredible how underplayed this story has been in the media. When it comes to
the US government, there is nothing that China doesn't know about everybody
who's anybody.

That seems like it ought to be a bigger deal than it is. Instead, it doesn't
seem to bother many people, and it's not as if anything could be done about it
if it did.

~~~
dx87
The lack of ability to do anything about it is probably why you don't hear
much about it, but a lot of the people who were affected by it are still
salty. One thing that you didn't mention, though, is that the info included a
ton of info about non-government people. The background investigation forms
include names, addresses, contact information, etc., for the families,
friends, co-workers, and neighbors of people who worked for the government.
The hack was a trove of information that could be used in social engineering
attacks against anyone who was within 1-2 degrees of separation of anybody
that worked with or for the government.