
Huge data breach prompts resignation of OPM director - jackgavigan
http://www.bbc.co.uk/news/world-us-canada-33481285
======
caseysoftware
I wrote about this one almost a month ago: [http://caseysoftware.com/blog/why-this-security-breach-is-wo...](http://caseysoftware.com/blog/why-this-security-breach-is-worse-than-all-the-others-combined) (spent a day on the front page here)

Every time OPM says "it was only X" it comes out a few days later that they're
lying.

My original statements have applied since day one: "Whoever took this data has
all the relevant information on anyone (and their families and their friends)
who has received a security clearance. Not some. Not parts. ALL."

and

"If someone just steals your identity, consider yourself lucky."

It was also uncovered that the so-called "hackers" had read/write access to
the system so therefore _EVERYTHING_ in it - whether good or bad - should be
considered suspicious. People who shouldn't have gotten clearances, may have.
People who should have been cleared, may have been blocked.

~~~
mokus
Another aspect worth considering, which I haven't seen mentioned yet, is that
this database clearly fits the standard criteria for Top Secret classification
(potential to cause "exceptionally grave harm" if compromised). I really think
Archuleta and Seymour should be brought up on criminal charges for mishandling
information that should have been classified Top Secret and likely also should
have been associated with a special-access program. Even if the records for an
individual person don't rise to that level, 20-ish million of them together
absolutely do.

That's 1/15 of the entire population of the nation. There just are no words
for the asininity of storing all of that data in a single database in the
first place, IMO - let alone a database that is actually accessible through
_any_ number of network pivots from the internet.

~~~
x0x0
Storing all that data live in a db almost certainly predates Archuleta, and to
be honest, I doubt she was in a position to fix this. Consider the political
capital needed to say, "This system is insecure, and insecurable by design, so
we're taking it offline until it can be secured."

Until you have a breach, essentially nobody would be willing to have that
happen.

    
    
       the "secure" Web gateway to OPM's background investigation systems is a 
       contractor-hosted website at an application service provider. That Web 
       gateway is reached through a Windows Web server running JRun 4.0, Adobe's 
       Java application server, as well as ColdFusion
       [...]
       In 2013, someone hacked into Adobe and stole the ColdFusion source code. And 
       Adobe dropped the JRun product line entirely in 2013—with extended "core" 
       support ending in December of 2014. There is no evidence that OPM or its 
       application provider had purchased expensive extended, dedicated support, 
       but JRun would hardly be the only unsupported platform still used by OPM. 
       The agency still has systems based on Windows XP (supported under a custom 
       support agreement with Microsoft), and many of the core systems run by the 
       agency are based on mainframe applications that haven't been updated since 
       their COBOL code was fixed for the Y2K bug in the late 1990s. [1]
    

A gateway running Windows, Java, and ColdFusion. Not to even mention fucking
EOL-ed versions of the aforementioned. That simply cannot be secured in any
meaningful fashion.

[1] [http://arstechnica.com/security/2015/06/epic-fail-how-opm-ha...](http://arstechnica.com/security/2015/06/epic-fail-how-opm-hackers-tapped-the-mother-lode-of-espionage-data/)

~~~
toyg
The political _and economic_ capital. Big stack updates like this cost a
pretty penny. Who's going to advocate for increased taxation to secure a bunch
of admin databases?

------
CydeWeys
Good. I last worked for the government in 2007 and all of my data was still
included in the breach. Heads rolling is the very least of what needs to
happen when a security error of this magnitude occurs.

~~~
scrapcode
I'm in the same boat. I'm not sure if you've had any kind of clearance, or
know what kind of info you have to give for the investigations (everything),
but this will be terrible for generations I presume. Instead of offering us 18
measly months of credit monitoring, they should offer lifetime/18+ years
credit monitoring for any dependents involved in the paperwork.

I suspect this will cost their ass.

~~~
engi_nerd
How do people take advantage of this 18 months of monitoring? My wife and I
are almost certainly in the impacted population (and the fact that we've had 4
separate fraudulent activities on our accounts in the past month isn't
helping...)

~~~
scrapcode
I was sent an e-mail to my .gov address with a code to sign up for the service.

~~~
engi_nerd
I'm a former fed... If what I'm hearing is true and they got access to SF86
data on EVERYONE then we are all screwed. Just from that alone the attackers
would be able to build a huge map of all sorts of programs that the government
has not acknowledged.

------
magicalist
For those that missed it, I suggest this look at how comically bad security
was (is) at OPM, to the point there were security reports saying the loss of
productivity by shutting down the database completely would be preferable to
the ridiculously vulnerable state it was in. No one listened.

[http://arstechnica.com/security/2015/06/epic-fail-how-opm-ha...](http://arstechnica.com/security/2015/06/epic-fail-how-opm-hackers-tapped-the-mother-lode-of-espionage-data/)

~~~
droopybuns
TL;DR: No 2 factor auth, yer dead?

I am having an impossible time following this story. So vague. Thanks for the
most descriptive link yet (although still totally lacking). I watched the
cspan event and all I could derive was that inadequate logging meant they
couldn't say how bad the event was. Totally unclear.

~~~
higherpurpose
If you have 4 hours to kill, this House hearing video clears many things
(about how incompetent, but also how dismissive both Archuleta and Donna
Seymour, the CIO, were - Seymour still not fired yet).

[https://www.youtube.com/watch?v=pVPPTooB80E](https://www.youtube.com/watch?v=pVPPTooB80E)

And this is part 1:

[https://www.youtube.com/watch?v=Ass73n7lH0c](https://www.youtube.com/watch?v=Ass73n7lH0c)

------
scrapcode
I hope we can use a breach of this magnitude to really start thinking about
how we authenticate in real life. The current system is broken. The whole SSN
thing is bad enough in and of itself.

Anything you can ask from me to authenticate myself: copy of a birth
certificate, copy of my driver's license, social security number, information
about where I grew up or my family... someone else has all of that now, which
means they can now easily get original copies.

------
adzicg
> usernames and passwords that background investigation applicants used

If this is correct, I guess that means passwords were stored in cleartext or
reversibly encrypted. That is either epic stupidity, or someone wanted to keep
passwords of potential employees so they could use them elsewhere.

~~~
eli
Malice is very unlikely. If I had to guess, maintaining interoperability with
legacy systems probably played a role.

~~~
r00fus
Which points to corruption and inability to control your vendors (i.e.,
regulatory capture).

Ultimately in large organizations like this that are arguably well funded, the
answer often lies in corruption (and not necessarily just the bureaucracy, but
also the legislators who earmark crazy stuff like specific vendors and
specifications that are handpicked for their favorite funders).

~~~
cordite
Sounds like the DoD asking for bids for support for a product, which can
only be legally fulfilled by the authors of the product--instead of
considering replacing the product with one where more than one vendor can actually bid for it.

~~~
icebraining
_Sounds like the DoD asking for bids for a support for a product, which can
only be legally fulfilled by the authors of the product_

Why can it only be fulfilled by the authors?

~~~
cordite
Because the authors don't have a contract licensing program for consultants

------
celticninja
If governments cannot keep data like that safe what are the chances of most
other data owners being able to do the same? The way that we need to give it
out all over the Web is a recipe for disaster as we are shown time and time
again.

~~~
magicalist
Well the good news is that they were barely putting any effort into keeping it
secure, so reasonable efforts are not in vain.

The bad news is that almost your entire government is barely putting any
effort into keeping your data secure.

------
rebootthesystem
What I want to know is if she resigned and was immediately re-hired at another
cushy high-paying government job. In other words, a transition with no
financial consequences whatsoever. The correct consequence is that this woman
ought to be kicked out on her ass, lose her pension and go out there in the
open market to find a non-government job matching her degree of incompetence.

To a large extent firings or layoffs in government amount to shuffling people
around rather than what most would conclude from such a headline.

How many additional OPMs and Healthcare.govs do we have to witness before
people revolt and demand excellence out of government?

Today we seem to be content with the idea that government operates at
precisely the opposite end of the scale, a place where a range of behaviors
from sucking at your job to lying and criminal behavior seem to be considered
virtues. And what's worse, there are no consequences for being utterly
incompetent, lying or acting criminally?

The breach wasn't the problem. The problem is how fucked government is at
nearly every level. That's what needs fixing.

------
WalterBright
Looks like they missed a basic aspect of operational security -
compartmentalization. Sensitive databases must be compartmentalized so a
breach in one is not a breach in all. No login credential, for example, should
grant access to all of the database.

------
appleflaxen
Yes; this is exactly what her psychological profile suggested she would do.

Excellent.

------
dsq
Political loyalists appointed by lawyers. No more explanation necessary.

------
deepnet
Plaintext in 2015! Inexcusable.

~~~
sp332
The attackers stole legitimate login credentials. Encryption wouldn't help
with that.

~~~
carbocation
I run a bunch of websites which store bcrypted hashes of users' passwords. If
you had my SQL login, you'd just find bcrypted hashes. It would absolutely
prevent you from discovering their actual passwords in a meaningful amount of
time.
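
An added illustration of the point above (not code from carbocation or any other commenter): it models a users table stored two ways and checks what a dump obtained with a stolen SQL login hands over. It swaps in scrypt from Python's standard library for bcrypt so it runs with no third-party package (an assumption, same idea: salted, slow, one-way); the sample accounts are constructed.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Constructed sample accounts; not data from the thread.
USERS = {"alice": "correct horse battery staple", "bob": "hunter2"}

# scrypt cost parameters for the demo (assumed; tune for production).
SCRYPT = {"n": 2 ** 14, "r": 8, "p": 1, "dklen": 32}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$<salt hex>$<digest hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)
    return "scrypt${}${}".format(salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    try:
        algo, salt_hex, digest_hex = stored.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record never verifies
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, digest)


def build_table(hashed: bool) -> Dict[str, str]:
    """The users table as it would sit in SQL: plaintext or hashed column."""
    return {u: (hash_password(p) if hashed else p) for u, p in USERS.items()}


def login_checker(hashed: bool) -> Callable[[str, str], bool]:
    """How the site itself checks a submitted password against the column."""
    if hashed:
        return lambda stored, submitted: verify_password(submitted, stored)
    return lambda stored, submitted: hmac.compare_digest(stored, submitted)


def dump_yields_working_logins(table: Dict[str, str], hashed: bool) -> bool:
    """Would using the dumped column value as the password log anyone in?
    True for a plaintext column; False when only hashes were stored."""
    check = login_checker(hashed)
    return any(check(stored, stored) for stored in table.values())
```

Hashing does nothing for the rest of the row, as technion notes below; it only keeps the password column from being reusable elsewhere.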

~~~
technion
You would, however, have plaintext copies of every piece of other sensitive
information in that database.

Who cares if passwords are harder to brute force, once an attacker has walked
away with everything in the OPM leak?

Don't get me wrong, I'm hugely in favour of hashed passwords. But with this
sort of data it's a long way from making a complete database leak a nonissue.

~~~
carbocation
I was responding to a comment about plaintext login credentials. I'm not
claiming that bcrypting passwords somehow makes a database full of exquisitely
private details somehow unimportant.

