
Attack Gave Chinese Hackers Privileged Access to U.S. Systems - chmaynard
http://www.nytimes.com/2015/06/21/us/attack-gave-chinese-hackers-privileged-access-to-us-systems.html
======
mirimir
> “This was classic espionage, just on a scale we’ve never seen before from a
> traditional adversary,” one senior administration official said. “And it’s
> not a satisfactory answer to say, ‘We found it and stopped it,’ when we
> should have seen it coming years ago.”

Doesn't the NSA operate at such scales? Or is it just that the US
doesn't expect adversaries to be as capable?

> [Ms. Archuleta's] performance in classified briefings also frustrated several
> lawmakers. “I don’t get the sense at all they understand the problem,” said
> Representative Jim Langevin, a Rhode Island Democrat, who called for Ms.
> Archuleta’s resignation. “They seem like deer in the headlights.”

They were arguably asking the wrong person. But it is a bad sign if no
security experts report to her.

> At the personnel office, a set of new intrusion tools used on the system set
> off an alarm in March, Ms. Seymour said. The F.B.I. and the United States
> Computer Emergency Response Team, which works on network intrusions, found
> evidence that the hackers had obtained the credentials used by people who
> run the computer systems.

That's standard procedure for the NSA. No surprise there.

> “They are casting a very wide net,” John Hultquist, a senior manager of
> cyberespionage threat intelligence at iSight Partners, said of the hackers
> targeting of Americans’ personal data. “We’re in a new space here and we
> don’t entirely know what they’re trying to do with it.”

They're looking for vulnerabilities. Again, no surprise.

There's also the fact that most hardware comes from China now. As they get up
to speed on firmware exploits, the fit will really be hitting the shan.

~~~
mpyne
> Doesn't the NSA operate at such scales? Or is it just that the US
> doesn't expect adversaries to be as capable?

NSA does. And the USG is well-aware that China and Russia and even Iran could
do this too.

So regarding _why_ things were left that way at OPM, your guess is as good as
mine... I mean "just don't let China hack in" is pretty unachievable (they
even got Google a few years back, after all), but at least structure your
networks to make it so that hacking one database doesn't give away the keys to
everything, move highly-sensitive material off-network completely, etc.

But these things require changes, which requires money (and brainpower), and
buy-in from dozens of other government agencies, and probably more things
besides.

None of this is to _excuse_ OPM--I would expect my government leaders to suck
resources from elsewhere if need be, accept temporary degradation to other
systems that interfaced to this personnel database, or in short to _do
whatever they had to do to pro-actively address the threat they knew was out
there_. And they didn't.

> That's standard procedure for the NSA. No surprise there.

Should be "That's standard procedure for state espionage agencies". I mean, if
you're approaching this from the perspective that China is doing this only
because NSA is out there you're already misinformed. Half of the reason NSA
_has_ been doing this is because Russia and China and friends will be doing
things like this anyways.

In China's case especially they drastically re-oriented their entire military
and geo-strategic outlook following the Third Taiwan Strait Crisis. This
incident occurred between 1995-1996, and culminated in the U.S. sending _2_
full carrier strike groups near Taiwan, one of the groups actually sailed
through the Strait of Taiwan, sending a pointed message about who had military
supremacy in the South China Sea.

The rise in Chinese military power many have spoken of effectively started
here... but they didn't limit their buildup to "hard" forms of national power.

Indeed, given the reliance of so much of the global electronics supply chain
on Chinese factories there's a lot of opportunity for appearances of SHTF...

------
guscost
I'm not a fan of the Times so take that into consideration, but this strikes
me as an attempt to play up the cyberwar angle and whitewash the astonishing
incompetence at the OPM. Namely, Ars has a source saying that sysadmin roles
were outsourced (!) to at least one person in Argentina and one other person
_in China_ :

[http://arstechnica.com/security/2015/06/encryption-would-not...](http://arstechnica.com/security/2015/06/encryption-would-not-have-helped-at-opm-says-dhs-official/)

> A consultant who did some work with a company contracted by OPM to manage
> personnel records for a number of agencies told Ars that he found the Unix
> systems administrator for the project "was in Argentina and his co-worker
> was physically located in the [People's Republic of China]. Both had direct
> access to every row of data in every database: they were root. Another team
> that worked with these databases had at its head two team members with PRC
> passports. I know that because I challenged them personally and revoked
> their privileges. From my perspective, OPM compromised this information more
> than three years ago and my take on the current breach is 'so what's new?'"

This is speculation, but I'm going to guess that the sysadmin in China either
was an intelligence agent from the beginning, or was coerced into handing over
root access to the Chinese military. Not very sophisticated at all, as is the
case for a depressing number of high-profile hacks.

~~~
DanielBMarkham
This is a good example of journalists forcing stories into the narrative most
likely to get eyeballs rather than the narrative that fits the most.

You make this a political incompetence story, you lose probably 25% of the
readership, including the writing and editorial staff at the Times. But hey,
powerful politicians of all stripes love a good cyberwar story.

Meanwhile the PRC will funnel money into both parties during the upcoming
election so that they keep influence no matter the results.

No conspiracy required, just a few big players acting in their own local best
interests.

~~~
guscost
Do me a favor, any time you are inclined to read "conspiracy" in what I'm
saying look up how Julian Assange famously used the word here:

[http://cryptome.org/0002/ja-conspiracies.pdf](http://cryptome.org/0002/ja-conspiracies.pdf)

I think you'll find we have a similar understanding.

------
Zirro
Imagine if some of the NSA's offensive budget had been used to update and
secure these old systems instead. In terms of security I believe that the
payoff would have been much greater.

------
rodgerd
Well, that certainly gives me boundless confidence in the idea of expanding
the reach of the US security apparatus to encryption backdoors. They can
clearly secure and manage all that data.

------
randomname2
Chilling testimony where the OPM director is being grilled.

Apparently this information was accessed due to mere OPM incompetence. One has
to wonder how she's not fired yet:

[http://adam.curry.com/enc/20150618193418_opmdirectorkatherin...](http://adam.curry.com/enc/20150618193418_opmdirectorkatherinearchulettacyberencryptionconsultant.mp3)

~~~
jacobolus
This audio clip doesn’t prove anything about her personal competence, and the
congressman grilling her is grandstanding.

What’s she supposed to say? If the OPM shut down their systems until
everything was rewritten from scratch up to some security auditors’ standards,
the same congressman would be flipping tables because all the agencies relying
on OPM’s systems’ operation would also grind to a halt, costing the precious
taxpayers X gajilion dollars per day.

Anyone else put in as director of the OPM would have done the same thing she
did, and high-level decisions are being made as an institution based on
internal discussion, not imposed from top down. There’s really nothing
satisfactory that someone in her position is going to be able to say after an
incident like this other than “we’re doing a thorough investigation of the
break in and we’re doing everything we can to fix this as soon as possible.”

Does the OPM undervalue security? Clearly. That’s an institutional problem
though, not the director’s personal problem. More generally, most institutions
don’t sufficiently value security, including government agencies everywhere in
the world at every level, corporations, etc. Doing security right is
expensive, and fixing up systems from the 70s and 80s without service
interruption is really really expensive.

As another commenter mentioned, it would be pretty great if we could divert
some substantial portion of the ridiculous budget the NSA has been getting to
build a massive database of everyone's nude photos and web search history
toward securing domestic computer systems instead.

------
scrapcode
I was affected and compromised by this.

In response I was given 18 months of credit monitoring, where during
registration it confirmed my identity by asking me questions like "What street
did you grow up on?" and "What city does your nearest sibling live in?"

I find that pretty ironic. I'm just grateful that I don't have children yet.

------
theklub
How long before they roll back to paper?

