Cotton began providing software and services based on a handshake agreement. OPM racked up more than $800,000 in bills from CyTech—but no contract was executed and CyTech was not paid.
Wow. So I guess one lesson here is to never provide help to the government in an emergency without something in writing. That's just sad.
>"Since this was a task more suited to Cylance Protect, they rolled out that tool in a free trial mode, and it "lit up like a Christmas tree." At this point, OPM began using Protect extensively in its diagnostic process, despite not committing to license it from Cylance; they eventually agreed to do so on June 30th, a day before the trial period was set to elapse. Cylance did not actually receive payment for months."
- it seems that the takeaway is even more devastating. Don't start work unless they have already paid.
Because they said it "lit up like a Christmas tree". Couldn't find the VirusTotal stats page comparing vendors, but Cylance's false positive rate was ~5x higher than the next leader's. It's not bad if you can filter them out and have contextual awareness, but lighting up like a Christmas tree means little.
On the other hand, if you know something is bad for false positives then, unless it is so bad as to be unusable, you would expect that, on average, getting a few results is dubious, but lighting up like a Christmas tree probably means something is actually there.
That's really not a safe assumption — an incorrect result repeated thousands of times does not become correct — and it definitely means that you now have a big problem of reviewing and validating tons of noise which will delay the time before you find whatever valid results are present.
I've seen multiple tools in this class — code scanners, IDSes, or web app scanners — which caused security problems by training everyone to assume that the results are always false-positives until they missed something real or soaking up so much human time that nobody made progress on the major improvements which would have prevented a breach.
If you haven't frozen your credit with the three credit bureaus (whether you were part of the OPM hack or not!) you really should.
Actually, from a fraud standpoint Experian was much worse. Whoever hacked OPM was probably a state actor and more interested in the data for other purposes.
Credit monitoring is useless. It just lets you know earlier (maybe) that you have a mess to clean up. What should be criminal is the utter lack of real security/identity validation from banks, financial institutions, the IRS, etc. that causes the mess after these breaches.
Incredible how underplayed this story has been in the media. When it comes to the US government, there is nothing that China doesn't know about everybody who's anybody.
That seems like it ought to be a bigger deal than it is. Instead, it doesn't seem to bother many people, and it's not as if anything could be done about it if it did.
The lack of ability to do anything about it is probably why you don't hear much about it, but a lot of the people who were affected by it are still salty. One thing that you didn't mention though, is that the info included a ton of info about non government people. The background investigation forms include names, addresses, contact information, etc., for the families, friends, co-workers, and neighbors, of people who worked for the government. The hack was a trove of information that could be used in social engineering attacks against anyone who was within 1-2 degrees of separation of anybody that worked with or for the government.
I think the new normal is that anything that any company or government knows about you is effectively public knowledge. Neither the government nor the private sector has shown that it has the ability to secure data over the long term.
[EDIT]: The linked article describes this in more detail: https://foreignpolicy.com/2016/09/07/how-opm-bilked-a-securi...