
Personal data for more than 130K U.S. Navy sailors hacked - petethomas
http://reuters.com/article/newsOne/idUSKBN13J001
======
sgc
It seems like with the wholesale compromise of US Government personnel from
virtually every branch of government at this point, it is relative child's
play for the new owner(s) of this information to massively influence US policy
and action, almost to the point of control. It might take a few years to
filter through the data and find the weak links, but the damage is basically
inevitable.

Am I missing something here? A statistically relevant subset of people have
important secrets, and a statistically relevant subset of those (perhaps most)
are relatively easy to control when you know them. If the US has similar
information on other governments' personnel, we might even fall into the
caricature of the US guiding their actions while they guide those of the US,
since those controlling and those being controlled will (largely) not be the
same members of their respective governments.

The entire situation seems quite messy.

~~~
avar
If you're a state actor (Russia, China etc.) that has a sufficient funding /
motivation to take a dataset like this and systematically blackmail people in
it for information, it seems naïve to think that those states haven't had this
sort of information for decades already through traditional espionage methods.

~~~
benologist
Bulk collection and bulk processing make today's version very different.

~~~
beachstartup
nation-states had the power of bulk collection and bulk processing 30 years
ago, the difference is now you don't need a human to copy the data to a disk
and walk off with it.

------
niels_olson
As a sailor in the US Navy, let me quote from the Chairman's letter leading
the OPM breach report (1), here he is addressing all federal CIOs:

 _The effectiveness of our country's response depends on your answer to this
question: Can you as the CIO be trusted with highly personal, highly sensitive
data on millions of Americans?_

I guarantee most Federal CIOs never even saw the report, and wouldn't believe
the question actually applies to them. The folks at DDS did though (including
Matt Cutts), and I'm willing to bet they have it pinned up on the wall.

(1) [https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf](https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf)

~~~
duncan_bayne
> Can you as the CIO be trusted with highly personal, highly sensitive data on
> millions of Americans?

Perhaps a better question is: can _anyone_ be expected to properly secure data
on that scale, against well-resourced malicious actors?

~~~
jdavis703
Has Google ever suffered a breach on this scale? Having worked in IT in the
government vs. the private sector, it really seems as though government could
care less about security.

~~~
eric-hu
Does operation Aurora count by the Chinese government? It was a big enough
deal to Google that they stopped operating a search engine within China's
borders.
[https://en.m.wikipedia.org/wiki/Operation_Aurora](https://en.m.wikipedia.org/wiki/Operation_Aurora)

[https://www.washingtonpost.com/world/national-security/chinese-hackers-who-breached-google-gained-access-to-sensitive-data-us-officials-say/2013/05/20/51330428-be34-11e2-89c9-3be8095fe767_story.html](https://www.washingtonpost.com/world/national-security/chinese-hackers-who-breached-google-gained-access-to-sensitive-data-us-officials-say/2013/05/20/51330428-be34-11e2-89c9-3be8095fe767_story.html)

How about when Google's data center links were tapped by the NSA?

[https://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html](https://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html)

~~~
jdavis703
I thought it was mostly IP and a couple of accounts that were taken. Nothing
on the scale of millions of records taken? I could be wrong however.

~~~
barkingcat
It was a pretty serious breach as far as I remember. The assailing party was
looking for specific accounts, and got what they were looking for. Just
because they didn't take millions of records didn't mean that they didn't have
access to them.

Google right after the NSA reveal started doubling up on their efforts to use
encrypted links between servers within their data centers, leading me to
believe that it could have been a lot worse - just get access to some
non-critical host, and if the traffic is unencrypted, just hang out with a packet
sniffer and just record all traffic passing by.

Google is much more vigilant with their security (not that they weren't
before, just even more so) - It's better to not underestimate the extent of
breaches.

------
bigiain
'"At this stage of the investigation, there is no evidence to suggest misuse
of the information that was compromised," the Navy said.'

I somehow don't think that whoever targeted 'a laptop used by a Hewlett
Packard Enterprise Services employee working on a U.S. Navy contract' was
doing so to grab personal data for smash-n-grab identity theft or other things
that'd rapidly leave 'evidence to suggest misuse of the information'...

~~~
hourislate
I don't think the laptop was specifically targeted. People generally don't
follow the rules and walk around with too much information that isn't secure.
They're bamboozled with phishing and like to click on rar files that have
their FEDEX shipping documents for a package they never sent.

Or they have a developer image on their laptop that isn't locked down and
download Warez or Torrent and visit Porno sites.

Until there are consequences when this kind of thing happens, like people
getting fired or severe penalties, I'm afraid it will just continue. It's
either some 15 year old kid in Eastern Europe or the Chinese and Russians have
some more info to build dossiers on the American Armed Forces.

~~~
akerro
>People generally don't follow the rules and walk around with too much
information that isn't secure.

1:

>A NASA inspector general report this year determined 48 NASA laptops and
mobile computing devices were lost or stolen between April 2009 and April
2011, many containing sensitive data.

[http://www.reuters.com/article/us-space-nasa-security-idUSBRE8AE05F20121115](http://www.reuters.com/article/us-space-nasa-security-idUSBRE8AE05F20121115)

2:

Personally identifiable information of "at least" 10,000 NASA employees and
contractors remains at risk of compromise following last month's theft of an
agency laptop, a spokesman told Computerworld via email Thursday.

[http://www.computerworld.com/article/2493084/security0/nasa-breach-update--stolen-laptop-had-data-on-10-000-users.html](http://www.computerworld.com/article/2493084/security0/nasa-breach-update--stolen-laptop-had-data-on-10-000-users.html)

3:

NASA decides to encrypt all their laptops, because PEOPLE STORE SENSITIVE
INFORMATION UNENCRYPTED on laptops that they take home.

[https://oig.nasa.gov/Special-Review/SpecialReview(12-17-12).pdf](https://oig.nasa.gov/Special-Review/SpecialReview\(12-17-12\).pdf)

~~~
beowulf_cluster
Regarding 3: The encryption scheme we put into place probably isn't going to
slow down a motivated actor. We have master decryption passphrases that are
regularly disseminated among the admins and could foreseeably end up in the
wild (if nothing else, it wouldn't be difficult to social engineer).

And recently, we've started transitioning to new encryption software. Our
implementation of the software prohibits more than one encryption passphrase
per machine. So, in order to share machines between employees, organizations
have begun sharing the same passphrase across all the organization's machines.

Source: HPES employee working on NASA ACES contract

------
s_q_b
This is the reason why clearance forms ask you to disclose all of your past
transgressions: It doesn't matter as much that you have them, but it matters
if you're embarrassed by them.

They want to know that if someone attempts to blackmail you, you would rather
the information become public than betray your country.

------
aswanson
The government and its contractors...with its long RFC procurement process
and associated bullshit will always be behind the security curve and will
always be susceptible to these types of attacks as long as they favor a
culture of old veteran people over competence.

~~~
kbart
That's the problem, but on the other hand, "move fast and break things"
doesn't work very well in military. Some middle ground solution is needed
here.

~~~
rev_bird
Agreed. Unfortunately, the opposite of "move fast and break things" is "move
slow and watch them break on their own."

------
dendory
Obvious question I know.. but why were the SSNs of sailors on some HP
contractor's laptop?

~~~
michaelbuckbee
HP does government consulting, it's quite likely they were working on an
application that needed access to that data. When I was a civilian working in
Navy medicine (building apps), that was often the case.

~~~
lawnchair_larry
App developers never need access to real data. Ever.

~~~
random_rr
Haha. Okay. I would hazard a guess that you haven't worked on real world apps
then. Users will do things that you cannot predict. They will break things
like never before.

I've written plenty of code that checks out against our test environment, but
it'll choke on a weird thing in production. You NEED access to real data if
you're going to make any progress in that scenario.

~~~
enraged_camel
Yep, precisely. And it's not just the users that fuck up either. Sometimes,
other systems you have to integrate with are also poorly designed and don't
have proper control mechanisms in place. For instance, I'm working on
integrating with another system right now where the zip_code field has values
like "don't know". You're never going to be able to cover for things like that
unless you have access to the real dataset.

------
matchagaucho
I recall working with a HP Enterprise Services contractor and was amazed at
just how much data was stored on his laptop. Categorized Outlook folders for
each client, every email and contact stored locally. Orders, BOMs, price
lists, RMAs... all on his laptop.

It would not surprise me the Navy contractor had the same setup.

HP's culture is incentivized to propagate 1990's client-server architecture as
a result of their product line. Gov procurement officials and CIOs must demand
that HP move to cloud-based infrastructure with 2-factor authentication.

------
sickbeard
As far as the cyber, I agree to parts of what the NSA said. We should be
better than anybody else, and perhaps we’re not. I don’t think anybody knows
that it was Russia that broke into the Navy. They are saying Russia, Russia,
Russia—I don't, maybe it was. I mean, it could be Russia, but it could also be
China. It could also be lots of other people. It also could be somebody
sitting on their bed that weighs 400 pounds, okay?

------
nichochar
I'm very interested to see how the public reacts to this unorthodox victim
group.

~~~
rhizome
Let's set up some predictions: more or less than the OPM hack?

~~~
Armisael16
Over thanksgiving? This news is already dead.

