
The OPM Data Breach [pdf] - daveloyall
https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-the-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf
======
forrestbrazeal
One of the most frustrating things about this whole fiasco is that the OPM
breach finally became public in the summer of 2015, but I and many other
victims weren't officially notified (or offered our measly couple years of
identity protection) until December or later. At the time, I shared some of my
thoughts on the breach here (some of the info may be out of date in light of
the new report; I was piecing stuff together as best as I could):
[https://forrestbrazeal.com/2015/12/08/welp-i-was-an-opm-hack...](https://forrestbrazeal.com/2015/12/08/welp-i-was-an-opm-hack-victim/)

I was also annoyed that so much of the political posturing around the breach
centered on OPM systems' lack of encryption. I haven't read all of this
report, but it's nice to see the summary focusing on the lack of 2FA, a
security practice that would actually have helped stop an internal
infiltrator.

~~~
gk1
I still never received any notice about it. Was employed by DoD in late 00's,
so am fairly certain my info was in the batch.

~~~
brainfire
I believe Defense had their own, parallel system, so it may not be a given
that you're in the leak.

~~~
nommm-nommm
Cleared employees are in the OPM data leak.

~~~
brainfire
Not all of them. For example, the reported risk to CIA agents in US embassies
in China was that they would suspiciously _not_ be in the leaked data like
actual State dept staff would be.

Apparently the Defense investigators (DSS) merged into OPM in 2004-
[https://en.wikipedia.org/wiki/Defense_Security_Service](https://en.wikipedia.org/wiki/Defense_Security_Service)

------
danso
For folks that want an OCRed version (using ABBYY) for easier Ctrl-F'ing:

[http://data.danwin.com/pdfs/house-oversight-opm-breach-2016-...](http://data.danwin.com/pdfs/house-oversight-opm-breach-2016-09-07__OCR.pdf)

(not sure why ABBYY blew its size up to 98MB...)

And here it is in plaintext via pdftotext:

[http://data.danwin.com/pdfs/house-oversight-opm-breach-2016-...](http://data.danwin.com/pdfs/house-oversight-opm-breach-2016-09-07__OCR.txt)

------
tptacek
This isn't the "official postmortem". It's the official report of the GOP-led
House Oversight and Government Reform Committee. It's a partisan political
document.

A better title:

Republican House Oversight Report On OPM Data Breach.

~~~
caf
In some places it's typical for such legislative committees to also issue
minority/dissenting reports - does that happen in the US?

~~~
jessaustin
Yes the minority members of a committee can issue their own reports, e.g. [0].
It probably won't happen in this case because the "other" party just wants
this issue to go away. Arguing in public would only draw attention.

[0] [http://democrats-benghazi.house.gov/sites/democrats.benghazi...](http://democrats-benghazi.house.gov/sites/democrats.benghazi.house.gov/files/documents/Report_of_the_Benghazi_Select_Committee_Democratic_Members-Honoring_Courage_Improving_Security_and_Fighting_the_Exploitation_of_a_Tragedy.pdf)

~~~
meepmorp
> It probably won't happen in this case because the "other" party just wants
> this issue to go away. Arguing in public would only draw attention.

From tptacek's comment, made ~5 minutes before yours:

[http://democrats.oversight.house.gov/news/press-releases/cum...](http://democrats.oversight.house.gov/news/press-releases/cummings-releases-staff-memo-on-cyber-attacks-against-opm)

Why would they want to avoid discussing this?

~~~
jessaustin
That looks like a different thing? I.e. a "memo" prepared by "staff"?

Nevertheless I'm sorry to have made a comment that seemed partisan. The
Democrats and Republicans can both jump in a lake for all I care.

~~~
tptacek
No, it's the response of the ranking minority member of the committee that
produced the report we're all commenting on. It's right there in the title.

------
loteck
_"Additionally, fingerprint data of 5.6 million of these individuals was
stolen."_

They'll need to change their fingerprints immediately!

~~~
streptomycin
The letter they sent me claimed that there is currently no way to create fake
fingerprints, so there's nothing to be worried about; 2 years of identity
theft monitoring is good enough.

~~~
biafra
In what world are they living, where there is "no way to create fake
fingerprints"? Of course that is possible. Here is one example:
[http://dasalte.ccc.de/biometrie/fingerabdruck_kopieren.en](http://dasalte.ccc.de/biometrie/fingerabdruck_kopieren.en)

It is easily possible to create fake fingerprints that can fool any known
fingerprint scanner. If you know one that supposedly can't be tricked,
please let me know.

------
linkregister
> The Exfiltration of the Security Clearance Files Could Have Been Prevented.

TL;DR, there were two intrusion actors that were acting in concert. After
being notified by US-CERT of exfiltration activity from the OPM network, OPM
monitored the first one, who conducted the initial breach (use of contractor
login credentials) and then performed a survey of their network. They attempted
to flush out its malware but failed to account for a second actor that had
managed to leave an alternate access point into the network.

> "Notably, OPM Director of IT Security Operations, Jeff Wagner, recommended
> deploying ... preventative technology"

So the problem was identified and brought up to committee and still
ignored/tabled by the CIO, Donna Seymour. Preventive measures were only
undertaken after the exfiltration of security clearance data was complete.

~~~
jrnichols
" and still ignored/tabled by the CIO, Donna Seymour. "

Does she still have that job? If so.. ugh.

~~~
kombucha2
She retired [1]

[1] [https://oversight.house.gov/release/chaffetz-responds-to-ret...](https://oversight.house.gov/release/chaffetz-responds-to-retirement-of-opm-cio-donna-seymour/)

------
johnhess
Interesting to see the steps they took to expel the APT (physically verifying
the identity of account holders on account resets, taking services offline,
resetting networking equipment).

Even more interesting is that they had confidence they'd _actually_ expelled the
APT. Of course, they hadn't totally eliminated a related APT already in place.

This wasn't a "provision a clean box and run a build" reset... it's a massive,
heterogeneous system. I can't even imagine how many vectors a nation-state APT
could use to maintain a foothold.

------
rdtsc
If only we had an agency in charge of protecting and securing these kinds of
systems.

It seems NSA has spent all its budget on cool hacking tools and programs,
exploiting hard drive firmware and routers and other crap. Yet all the SF-86
forms (except the CIA's [+]) got stolen right under our noses. But again, nobody is
going to feel cool defending and securing stuff; everyone wants to be on the red
team.

Stolen stuff includes millions of fingerprints. Those are obviously not
hashed, so that's just the raw data, I imagine. They'll learn a lesson not to
rely on fingerprints as much. Maybe that's one good thing coming out of it.

[+] CIA could still be affected, if for example some people there started at
other agencies, or in the military (CIA likes to hire ex-Marines for example).

~~~
missed_out
After 28 years of DoD service, civilian engineer, I just called it quits. I
got tired of the retaliation for turning in security violations. The last one:
sharing of passwords on a secured network. One violator's response: Where is
it written we cannot share passwords? Why the retaliation? It portrays a bad
image. Nice!

~~~
rewrew
This kind of stupidity is why I think I can never take a gov't job. I don't
think I'd last a week. Sorry you had to put up with it.

~~~
colinbartlett
What about things like the US Digital Service or 18F? The image they present is
that those teams are different and outside the standard government
bureaucracy. I'm skeptical.

~~~
zacharycohn
Employee of 18F here, speaking unofficially. We care a lot about security -
both from the technical side and from the policy compliance side!

~~~
rdtsc
How was recruitment? Someone I know tried to get a job there, got stuck
in the queue forever. Was told to wait months. So eventually gave up and took
another job.

~~~
kevin_thibedeau
USAJobs is badly in need of an 18F overhaul.

------
j1tt3r
OPM's e-QIP site was vulnerable to heartbleed for at least a week after public
disclosure (2014).

They still claim that they were never exploited. The arrest records,
addresses, and other sensitive info I was able to view say otherwise.

I expected the EINSTEIN program would have helped to quickly defend against
heartbleed after disclosure, but apparently not. US Gov just sucks at
cybersecurity defense.

------
johnhess
sure would be nice to have something better than a raster image of pages 2-231

~~~
metaphor
Agreed, although rasterizing was likely the simplest way to ensure that
redacted information can't be (somehow) reconstructed.

------
ParadisoShlee
Is there a version of that document that is searchable?! OCR or something :(

------
johnhess
tl;dr.

Two distinct attacks, likely related and possibly coordinated, took place. The
first was observed in March 2014 and thought to be expelled in late May 2014.

Before that expulsion, a second attack began. While OPM thought it was in the
clear, the 21.5M records were exfiltrated in July 2014. As late as August
2015, that same attack vector was used to steal fingerprint information as
well.

------
marmot777
Is the headline of the report truth or hyperbole?

"The OPM Data Breach: How the Government Jeopardized Our National Security for
More than a Generation"

------
jlgaddis
I've only read up through the executive summary thus far but this looks like
it's going to be a fascinating read.

------
thanatropism
Interestingly enough, I haven't seen either an emphasis on the main
responsible directors being women, or claims that the agency was a "glass
cliff".

~~~
zaphar
What on earth would either of those have to do with this?

~~~
jrnichols
I think that was a thinly veiled attempt at saying they were "diverse-hires"
(a promotion or hire based on gender politics) instead of having a qualified
individual in the position.

I'm unaware of the qualifications of either director, so who knows.

~~~
thanatropism
No, what I'm saying is that we discuss/speculate on these things too much.

