Thread: Chinese Espionage: Was the OPM “Hack” Not a Hack, but Treason?

Chinese Espionage: Was the OPM “Hack” Not a Hack, but Treason?

Written by Selwyn Duke

Despite its importance, there’s a story that’s not getting out to the public — at least not as quickly as data that should be secret is getting out to the Chinese. Many of you have heard about the supposed “hack” of the Office of Personnel Management (OPM), in which the Chinese were able to obtain personal information on millions of U.S. government employees. But PJ Media’s Richard Fernandez points out that the term “hack” should be used advisedly. He then quotes technology site Ars Technica:

Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked — likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.

As Fernandez explains, “social engineering” is Internet technology lingo and a euphemism for “Someone gave them the password.” And that means that “hack” here could be a euphemism for something else: Treason.

It also seems as if it probably wasn’t too hard for the Chinese to obtain the information. As Ars Technica also explains:

Some of the contractors that have helped OPM with managing internal data have had security issues of their own — including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project "was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is 'so what's new?'"

In other words, foreign theft of our government data may no longer be the exception, but the rule. Yet with the incompetence reflected in this story, it’s hard to know if a given data breach is the result of bona fide treason or a prevailing Keystone Kops mentality. Were the Chinese given the user credentials, or did they somehow steal them from an individual not qualified to safeguard the information? In the least, at issue here is something akin to criminal negligence.

And critics say it starts at the top. Katherine Archuleta, the director of OPM, says that the breach was “discovered” only when her office implemented a plan to update OPM security — almost a year and a half after she assumed her position. In other words, it appears they stumbled upon it.

But did Archuleta stumble into her job? Fernandez points out that she’s an affirmative-action appointee, with her Opm.govbiography stating she’s part of an “inclusive workforce that reflects the diversity of America.” And what does she know about computer networks or security? Apparently nothing. As her biography informs:

Director Archuleta began her career in public service as a teacher in the Denver public school system. She left teaching to work as an aide to Denver Mayor Federico Peña. When Mayor Peña became Secretary of Transportation during the Clinton Administration, Archuleta continued her public service as his Chief of Staff. Later, Peña was appointed to head the Department of Energy and Archuleta served as a Senior Policy Advisor in the Office of the Secretary.

After the Clinton Administration, she went back to local government and became a Senior Policy Advisor to Denver Mayor John Hickenlooper.

Archuleta spent the first two years of the Obama Administration serving as the Chief of Staff at the Department of Labor to Secretary Hilda Solis.

As the Director of OPM, Archuleta is committed to building an innovative and inclusive workforce that reflects the diversity of America. As a long-time public servant, she is a champion of Federal employees.

So Archuleta may be qualified to secure “diversity,” and this may include the diversity of foreign spies in American networks. And while an OPM data breach doesn’t sound as sexy as James Bond combating Goldfinger, it’s a serious matter. As Congressman Mark Meadows (R-N.C.) explained, reported the Federal Times:

Meadows said the repercussions of the hacks will last for years, if not decades, and hurt American intelligence and military efforts.

"Consider the likelihood that intelligence and military officials will be blackmailed, bribed, and intimidated with the incredibly personal information they have entrusted to the U.S. government. Individuals with Top Secret (TS/SCI) security clearances are required to provide information on arrest records, lawsuits, drug or alcohol problems, divorces, bankruptcies and more — much of which may have been compromise[d]," Meadows said.

Moreover, it should be noted that OPM is an agency that handles personnel records for all the other government agencies.
And the criticism is coming from both sides of the aisle. Congressman Stephen Lynch (D-Mass.) said at a June 16 House Oversight and Government Reform Committee hearing, “‘I think I’m going to know less coming out of this hearing than I did when I walked in because of the obfuscation and the dancing around…. I wish that you were as strenuous and hard working at keeping information out of the hands of hackers as you are at keeping information out of the hands of Congress and federal employees,’ he told Archuleta,” reports the Washington Post. And Representative Ted Lieu (D-Calif.) stated at the hearing that because more competent OPM personnel were required and a signal needed to be sent, he was "looking here today for a few good people to step forward, accept responsibility and resign for the good of the nation." Lieu said there was a “culture problem” at the OPM.

Yet this just reflects the wider culture problem in our civilization, say critics. As Fernandez summed up:

OPM is right though. Encryption wouldn’t have helped. The problem was somewhere else. Modern Western society has its own definition of “social engineering”. It apparently means putting people in charge of things not because they know anything about it, but because they possess the highest symbolic value. Race, gender, inclination or identification — especially political identification — are so much more important these days then [sic] being able to tell a difference between a hashed key and corned beef hash.

Tragically, this just reflects Marxist regimes, under which the qualified would be replaced by incompetents with the “correct ideology.”

And what of Barack Obama, the man who appointed Archuleta? He stands behind her, saying that she “is the right person for the job.” And when the job is meeting a quota, this is certainly true.
http://www.thenewamerican.com/usnews...e244-289818721

Social Engineering
by Richard Fernandez
June 17, 2015 - 4:25 pm

Ars Technica, describing how China “hacked” the OPM database, obtaining the records of millions of Federal Employees, notes that we should we should use the word “hack” advisedly. The attackers “had valid user credentials and run of network” which they obtained through “social engineering”.

Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.

“Social engineering” for those that don’t know, is an IT security term for “someone gave them the password”. It’s not hard to see how the Chinese might have wheedled out a credential.

Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is ‘so what’s new?’”

Katherine Achuleta, the director of OPM claims that at least she found the “hack” — note the use of scare quotes used to preserve the reputation of real, honest hacking. ”Archuleta told the committee that the breach was found only because she had been pushing forward with an aggressive plan to update OPM’s security, centralizing the oversight of IT security under the chief information officer and implementing ‘numerous tools and capabilities.’ She claimed that it was during the process of updating tools that the breach was discovered.”

Admiral Kimmel should have used that line at Pearl Harbor. “I noticed the base was bombed and informed Washington immediately.”

Katherine Achuleta, the person in charge of the Crown Jewels has had an interesting career path to her current position. Her biography at opm.gov reveals a person proud of her membership in an “inclusive workforce that reflects the diversity of America”. Nowhere, however does her biography indicate that she knows diddly squat about computers, computer networks or security.

On May 23, 2013, President Obama appointed Director Archuleta to lead the U.S. Office of Personnel Management (OPM), the agency responsible for attracting and retaining an innovative, diverse and talented workforce to make the Federal government a model employer for the 21st century.

On November 4th, Archuleta was sworn in to begin her tenure as the 10th Director of OPM, and the first Latina to head this federal agency.

Director Archuleta began her career in public service as a teacher in the Denver public school system. She left teaching to work as an aide to Denver Mayor Federico Peña. When Mayor Peña became Secretary of Transportation during the Clinton Administration, Archuleta continued her public service as his Chief of Staff. Later, Peña was appointed to head the Department of Energy and Archuleta served as a Senior Policy Advisor in the Office of the Secretary.

After the Clinton Administration, she went back to local government and became a Senior Policy Advisor to Denver Mayor John Hickenlooper.

Archuleta spent the first two years of the Obama Administration serving as the Chief of Staff at the Department of Labor to Secretary Hilda Solis.

As the Director of OPM, Archuleta is committed to building an innovative and inclusive workforce that reflects the diversity of America. As a long-time public servant, she is a champion of Federal employees.

But OPM is right though. Encryption wouldn’t have helped. The problem was somewhere else. Modern Western society has its own definition of “social engineering”. It apparently means putting people in charge of things not because they know anything about it, but because they possess the highest symbolic value. Race, gender, inclination or identification — especially political identification — are so much more important these days then being able to tell a difference between a hashed key and corned beef hash.

We’re in a race to the bottom. And this time, we’ll win.

http://pjmedia.com/richardfernandez/...ng/#more-43720

Encryption “would not have helped” at OPM, says DHS official

Attackers had valid user credentials and run of network, bypassing security.

by Sean Gallagher -
Jun 16, 2015 2:22pm CDT
Office of Personnel Management Director Katherine Archuleta would be happy to discuss the particulars of the OPM brief with Congress—in a classified briefing.
CSPAN

During testimony today in a grueling two-hour hearing before the House Oversight and Government Reform Committee, Office of Personnel Management (OPM) Director Katherine Archuleta claimed that she had recognized huge problems with the agency's computer security when she assumed her post 18 months ago.

But when pressed on why systems had not been protected with encryption prior to the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, she said, "It is not feasible to implement on networks that are too old." She added that the agency is now working to encrypt data within its networks.

But even if the systems had been encrypted, it likely wouldn't have mattered. Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would "not have helped in this case" because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.

House Oversight Chairman Jason Chaffetz (R-Utah) told Archuleta and OPM Chief Information Officer Donna Seymour, "You failed utterly and totally." He referred to OPM's own inspector general reports and hammered Seymour in particular for the 11 major systems out of 47 that had not been properly certified as secure—which were not contractor systems but systems operated by OPM's own IT department. "They were in your office, which is a horrible example to be setting," Chaffetz told Seymour. In total, 65 percent of OPM's data was stored on those uncertified systems.

Chaffetz pointed out in his opening statement that for the past eight years, according to OPM's own Inspector General reports, "OPM's data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information."

Rep. Jason Chaffetz's opening remarks during the OPM Data Breach hearing on June 16 at 10:00am Eastern Time.

When Chaffetz asked Archuleta directly about the number of people who had been affected by the breach of OPM's systems and whether it included contractor information as well as that of federal employees, Archuleta replied repeatedly, "I would be glad to discuss that in a classified setting." That was Archuleta's response to nearly all of the committee members' questions over the course of the hearing this morning.

At least we found it

Archuleta told the committee that the breach was found only because she had been pushing forward with an aggressive plan to update OPM's security, centralizing the oversight of IT security under the chief information officer and implementing "numerous tools and capabilities." She claimed that it was during the process of updating tools that the breach was discovered. "But for the fact that OPM implemented new, more stringent security tools in its environment, we would have never known that malicious activity had previously existed on the network and would not have been able to share that information for the protection of the rest of the federal government," she read from her prepared statement.

Dr. Ozment reiterated that when the malware activity behind the breach was discovered, "we loaded that information into Einstein (DHS' government-wide intrusion detection system) immediately. We also put it into Einstein 3 (the intrusion prevention system currently being rolled out) so that agencies protected by it would be protected from it going forward."But nearly every question of substance about the breach—which systems were affected, how many individuals' data was exposed, what type of data was accessed, and the potential security implications of that data—was deferred by Archuleta on the grounds that the information was classified. What wasn't classified was OPM's horrible track record on security, which dates back at least to the George W. Bush administration—if not further.

A history of neglect

During his opening statement, Chaffetz read verbatim from a 2009 OPM inspector general report that noted, "The continuing weakness in OPM information security program results directly from inadequate governance. Most if not all of the [information security] exceptions we noted this year result from a lack of leadership, policy, and guidance." Similar statements were read from 2010 and 2012 reports, each more dire than the last. The OPM Office of the Inspector General only began upgrading its assessment of the agency's security posture in its fiscal year 2014 report—filed just before news of a breach at a second OPM background investigation contractor surfaced.

Rep. Will Hurd (R-Texas), a freshman member of Congress, told the OPM executives and the other witnesses—DHS' Ozment, Interior Department CIO Sylvia Burns, the new US CIO Tony Scott, and OPM Assistant Inspector General Michael Esser— that "the execution on security has been horrific. Good intentions are not good enough." He asked Seymour pointedly about the legacy systems that had not been adequately protected or upgraded. Seymour replied that some of them were over 20 years old and written in COBOL, and they could not easily be upgraded or replaced. These systems would be difficult to update to include encryption or multi-factor authentication because of their aging code base, and they would require a full rewrite.



OPM CIO Donna Seymour said that systems couldn't simply have encryption added because some of them were over 20 years old and written in COBOL.

Personnel systems have often been treated with less sensitivity about security by government agencies.

Even health systems have had issues, such as the Department of Veterans' Affairs national telehealth program, which was breached in December of 2014. And there have been two previous breaches of OPM background investigation data through contractors—first the now-defunct USIS in August of last year, and then KeyPoint Government Solutions less than four months later. Those breaches included data about both government employees and contractors working for the government.

But some of the security issues at OPM fall on Congress' shoulders—the breaches of contractors in particular. Until recently, federal agents carried out background investigations for OPM. Then Congress cut the budget for investigations, and they were outsourced to USIS, which, as one person familiar with OPM's investigation process told Ars, was essentially a company made up of "some OPM people who quit the agency and started up USIS on a shoestring." When USIS was breached and most of its data (if not all of it) was stolen, the company lost its government contracts and was replaced by KeyPoint—"a bunch of people on an even thinner shoestring. Now if you get investigated, it's by a person with a personal Gmail account because the company that does the investigation literally has no IT infrastructure. And this Gmail account is not one of those where a company contracts with Google for business services. It is a personal Gmail account."

Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project "was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is 'so what's new?'"

Given the scope and duration of the data breaches, it may be impossible for the US government to get a handle on the exact extent of the damage done just by the latest attack on OPM's systems. If anything is clear, it is that the aging infrastructure of many civilian agencies in Washington magnify the problems the government faces in securing its networks, and OPM's data breach may just be the biggest one that the government knows about to date.
http://arstechnica.com/security/2015...-dhs-official/

"Social engineering" refers most often to tricking someone into revealing credentials--not convincing them to knowingly reveal them to a hostile party. The question I have about the OPM leak is why is this information on computers connected to the Internet anyway? DoD classified information is not permitted on computers connected to the Internet. There is a good reason for a small amount of this information to be on Internet connected computers because applicants for security clearances use the WWW to submit this application for clearance to the OPM. However, this information should be removed from an Internet connected computer once the clearance is granted.

A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root

Really.

First on CNN: U.S. data hack may be 4 times larger than the government originally said

By Evan Perez and Shimon Prokupecz, CNN
Updated 5:58 PM ET, Mon June 22, 2015

Story highlights

• A data hack that the U.S. government says originated in China may affect far more people than originally reported
• The U.S. Office of Personnel Management still says the hack could affect 4.2 million Americans
• The FBI director told lawmakers the actual number could be 18 million Americans

Washington (CNN)The personal data of an estimated 18 million current, former and prospective federal employees were affected by a cyber breach at the Office of Personnel Management - more than four times the 4.2 million the agency has publicly acknowledged. The number is expected to grow, according to U.S. officials briefed on the investigation.

FBI Director James Comey gave the 18 million estimate in a closed-door briefing to Senators in recent weeks, using the OPM's own internal data, according to U.S. officials briefed on the matter. Those affected could include people who applied for government jobs, but never actually ended up working for the government.

The same hackers who accessed OPM's data are believed to have last year breached an OPM contractor, KeyPoint Government Solutions, U.S. officials said. When the OPM breach was discovered in April, investigators found that KeyPoint security credentials were used to breach the OPM system.

Some investigators believe that after that intrusion last year, OPM officials should have blocked all access from KeyPoint, and that doing so could have prevented more serious damage. But a person briefed on the investigation says OPM officials don't believe such a move would have made a difference. That's because the OPM breach is believed to have pre-dated the KeyPoint breach. Hackers are also believed to have built their own backdoor access to the OPM system, armed with high-level system administrator access to the system. One official called it the "keys to the kingdom." KeyPoint did not respond to CNN's request for comment.

U.S. investigators believe the Chinese government is behind the cyber intrusion, which are considered the worst ever against the U.S. government.

OPM has so far stuck by the 4.2 million estimate, which is the number of people so far notified that their information was compromised. An agency spokesman said the investigation is ongoing and that it hasn't verified the larger number.

The actual number of people affected is expected to grow, in part because hackers accessed a database storing government forms used for security clearances, known as SF86 questionnaires, which contain the private information of multiple family members and associates for each government official affected, these officials said.

OPM officials are facing multiple congressional hearings this week on the hack and their response to it. There's growing frustration among lawmakers and government employees that the Obama administration's response has minimized the severity of breach.
OPM's internal auditors told a House Oversight and Government Affairs Committee last week that key databases housing sensitive national security data, including applications for background checks, had not met federal security standards.

"Not only was a large volume (11 out of 47 systems) of OPM's IT systems operating without a valid Authorization, but several of these systems are among the most critical and sensitive applications owned by the agency," Michael Esser, OPM's assistant inspector general for audits, wrote in testimony prepared for committee.

Katherine Archuleta, who leads OPM, is beginning to face heat for her agency's failure to protect key national security data -- highly prized by foreign intelligence agencies -- as well as for how slowly the agency has provided information.

Rep. Stephen Lynch, D-Mass., at a hearing last week told Archuleta: "I wish that you were as strenuous and hardworking at keeping information out of the hands of hacker as are at keeping information out of the hands of Congress."

http://www.cnn.com/2015/06/22/politi...ion/index.html

The US agency plundered by Chinese hackers made one of the dumbest security moves possible

• Natasha Bertrand
• Jun. 18, 2015, 10:54 AM

Read more: http://www.businessinsider.com/the-u...#ixzz3dvMI7wbf
Contractors in Argentina and China were given "direct access to every row of data in every database" when they were hired by the Office of Personnel Management (OPM) to manage the personnel records of more than 14 million federal employees, a federal consultant told ArsTechnica.

The massive breach of OPM's database — made public by the Obama administration this month — prompted speculation over why the agency hadn't encrypted its systems, which contain the sensitive security clearance and background information for intelligence and military personnel.
Encryption, however, according to Ars, would not have helped in this case because administrators responsible for managing these records had root access to the system, Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified yesterday at a two-hour hearing before the House Oversight and Government Reform Committee.
And it turns out that a systems administrator responsible for handling the agency's records "was in Argentina and his co-worker was physically located in the [People's Republic of China]," a consultant who worked with an OPM-contracted company told ArsTechnica.
"Both had direct access to every row of data in every database: they were root."
Experts and politicians are now lambasting the US government for the way agency handled IT security.

"OPM is right in general that encryption is not magic security butter," Dave Aitel, CEO of cybersecurity firm Immunity Inc., told Business Insider. "But the committee is also right in that OPM was massively negligent."

All told, 65% of OPM's data was stored on systems lacking proper security certification, Ars reports, meaning the data was vulnerable to far more people than just those with root access and valid login credentials.
"They [the unsecured systems] were in your office, which is a horrible example to be setting," House Oversight Chairman Jason Chaffetz (R-Utah) told Archuleta during the hearing.
"OPM's data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information," Chaffetz added.

The OPM IT team frequently outsources its work to foreign contractors working in their home country. Those holding Chinese passports are no exception.
"Another team that worked with these databases had at its head two team members with [People's Republic of China] passports," the consultant told Ars. "I know that because I challenged them personally and revoked their privileges."
"From my perspective, OPM compromised this information more than three years ago," he added. "And my take on the current breach is 'so what's new?'"
In fact, the breach was unprecedented in its breadth and scope: "Security-wise, this may be the worst breach of personally identifying information ever," Michael Borohovski, CEO of Tinfoil Security, told Business Insider on Friday.
REUTERS/Gary CameronAn employee of the US Office of Personnel Management departs the building during the lunch hour in Washington, June 5, 2015.

Federal employees and contractors who want government-security clearance have to disclose virtually every aspect of their lives via a 120-page SF 86 questionnaire, which is then stored on OPM's unencrypted database.
The OPM also "conducts more than 90% of all federal background investigations, including those required by the Department of Defense and 100 other federal agencies," Reuters reported last week.
Experts fear the stolen information could be used by the Chinese government to blackmail, exploit, or recruit US intelligence officers, compromising the success and safety of agents operating at home and abroad.

Read more: http://www.businessinsider.com/the-u...#ixzz3dvLmKaBI

http://www.alipac.us/f19/1998-hacker...saster-320583/