
“EPIC” fail–how OPM hackers tapped the mother lode of espionage data - ghosh
http://arstechnica.com/security/2015/06/epic-fail-how-opm-hackers-tapped-the-mother-lode-of-espionage-data/
======
arh68
> _C, for the Central Verification System (CVS), ... contains ... Personal
> Identification Verification (PIV) credentials ... and polygraph data_

Good lord.

Yet, somehow, someone might still present the solution as needing to spend
more money sooner: _It was only when OPM was assessing systems to actually
implement the sort of continuous monitoring tools ... that OPM security
officers discovered traffic outbound from the network_. If only they'd demo'd
the software a year ago, right? /s

Is anyone getting fired? Why should anyone lift a finger during this 30-day
sprint? And what happens on Day 31?

~~~
walshemj
If this was the UK the Home Secretary would have resigned by now - why has the
Secretary of State (which I understand is the US equivalent) not done so?

~~~
jrochkind1
The secretary of state isn't the equivalent of the home secretary. The
secretary of state is mainly responsible for foreign policy, so probably more
like equivalent to the Foreign Secretary? Although definitely not a strict
equivalency.

There isn't really any U.S. equivalent to the Home Secretary, the
responsibilities are divided over several offices reporting to the president.

~~~
walshemj
Ah I see ty

------
at-fates-hands
_"Among the things the inspector general found that could have helped hackers
was that nearly a quarter of the agency's systems did not have valid
authorization procedures," she said. "The reason that's important is because
one of the departments that didn't have the correct procedures was the Federal
Investigative Services. That's the group responsible for background
investigations of federal employees. So that data's very sensitive, and as we
know now, this is one of the databases that was hacked."_

Let me get this straight. You had really sensitive data, you knew it wasn't
secure and huge portions of the systems didn't have valid authorization
procedures?

This is pretty eye-opening, even for a governmental agency. The scary thing
is, this is just the tip of the iceberg. It seems this breach was inevitable
considering how many other EPIC FAILS are mentioned in the article.

------
rodgerd
And to think the UKUSA agencies tried to cover up this clusterfuck by having
the Murdoch rags blame it on Snowden.

(JRun and Windows XP? Really?)

~~~
walshemj
That's a different thing and BTW Bruce Schneier thinks that the FSB and the
Chinese have Snowden's data by now.

Now I'd believe Bruce more than a Murdoch rag.

~~~
beagle3
If I understood Schneier's piece correctly, he believes that they had it
before Snowden did (and independently of him), which seems extremely plausible
- if Snowden could take all those files with nobody noticing, it's likely that
a well funded, well equipped and well trained espionage agency has done that
independently of him, likely all of them --

And for disinformation and source hiding, I'm sure they all (even internally
and to their own "customers") claim now that the source is Snowden. I would if
I were in their place.

~~~
walshemj
I thought his point was that they would have got it from the journalists. His
other point was more speculative: that there are other spies working for the
FSB etc. inside the wire at the NSA.

~~~
beagle3
All his points are speculative. He basically said "I think they probably have
it - either directly or from the journalists". Why do most people believe the
journalists are the easier target? They have certainly, at any point in time
when stuff was in their possession, been more paranoid and careful than the
NSA was before Snowden's reveal.

~~~
walshemj
Because 99.99% of journalists are not cyber security professionals and are a
much easier target than an ex-CIA and NSA employee.

PS: you do know who Bruce is?

~~~
beagle3
Yet, the relevant three actually (who cares about the 99.99%?) do have an
idea, if you've been following the case. 99.9999% of journalists do not, and
never had, a copy of the data. Poitras and Greenwald actually know what they
are doing.

Yes, I do know who Bruce is. Do you? Did you actually read the piece[0] we are
talking about?

Schneier himself seems to believe that the journalists are likely hacked, but
that state actors have had this info long before Snowden:

""" Which brings me to the second potential source of these documents to
foreign intelligence agencies: the US and UK governments themselves. I believe
that both China and Russia had access to all the files that Snowden took well
before Snowden took them because they've penetrated the NSA networks where
those files reside. After all, the NSA has been a prime target for decades.
"""

and

""" The point I make in the article is that those nations didn't have to wait
for Snowden. More specifically, GCHQ claims that "we have now seen our agents
and assets being targeted." One, agents and assets are not discussed in the
Snowden documents. Two, it's two years after Snowden handed those documents to
reporters. Whatever is happening, it's unlikely to be related to Snowden. """.

Oh, and when you mention [ex]CIA employees, are you including the head of the
CIA[1] or not? Cause, you know, that guy failed miserably at information
security.

[0]
[https://www.schneier.com/blog/archives/2015/06/the_secrecy_o...](https://www.schneier.com/blog/archives/2015/06/the_secrecy_of_.html)

[1]
[https://en.wikipedia.org/wiki/Petraeus_scandal](https://en.wikipedia.org/wiki/Petraeus_scandal)

~~~
walshemj
And by now is it only those 3 that have had access to the data or physical
access to the machines - hacking another GMG journalist or machine would be
one route.

And Petraeus shows that parachuting outsiders into the DCI's job isn't a good
idea, and also that if you're bonking a spook you don't behave like some 15 year
old high school student.

------
emiliobumachar
'The $20.8 million "first call" was for 3.2 million "units" of credit
monitoring and identity theft recovery services'

At seven bucks apiece, this seems very cheap, especially for a rushed
government purchase. Any thoughts? Am I missing something?

~~~
sqeaky
It will likely be one or a few larger forensic investigations. I would wager
that a team of a dozen experts or so will start one big investigation calling
in other help as needed. In one big windfall they will determine how 80% or
more of the data was taken. Then whatever is left will be handled on a case by
case basis.

Likely the "unit" thing was done to make the bureaucracy that pays for things
happy. I have worked places where 1,000 payments of $1 each were easier to make
happen than one $600 purchase.

------
Lancey
I feel like the OPM isn't doing enough about this breach. Espionage or not,
American citizens outside the IC were affected and deserve to know if they've
been compromised. More efforts need to be made to inform potential victims
before any more harm comes from this, including greater transparency with
regards to what systems have been affected and what the OPM could have done to
better secure this data. That, and an apology would be nice.

------
_Marak_
Would not be surprised if this was related to the US temporarily stopping the
issuance of visas.

[http://travel.state.gov/content/travel/english/news/technolo...](http://travel.state.gov/content/travel/english/news/technological-systems-issue.html)

------
amitparikh
Hypothetically, could U.S. persons who were affected by this breach claim any
sort of financial reprieve for future lost wages? I'd imagine those affected
would not be very desirable or even eligible any more for secure work.

~~~
logn
"The ability of consumers to sue for future harm has, in many cases, been
limited by a Supreme Court ruling that on its face had little to do with big
commercial breaches. [...] In 2013 the Supreme Court ruled 5-4 against them,
concluding that the fear of future harm from surveillance wasn’t enough for
plaintiffs to have standing to sue."

from [https://firstlook.org/theintercept/2015/06/12/data-breach-th...](https://firstlook.org/theintercept/2015/06/12/data-breach-threat-of-future-harm/)

The article also mentions a pending Supreme Court case (Spokeo v. Robins)
which could "'open up the floodgate for lawsuits, in all contexts, but
especially in data breach litigation'".

