While OPM still garners most of the attention and the number of potentially compromised records continues to rise (that number could now be as high as 32 million, roughly 1 in 10 Americans), other reports show that credentials for other government users can be found on Pastebin. Part of the problem is password reuse between work accounts and personal accounts such as Facebook. Part of the problem is that many agencies still don't require anything more than a password to log in remotely (see articles here and here).
Federal Computer Weekly is reporting that credentials for employees at 47 agencies, including DHS, were found at sites like Pastebin, a toxic waste dump of all kinds of stolen stuff along with legitimate content.
FCW says that as of early 2015, 12 of those agencies did not require two-factor authentication to log in remotely, meaning that anyone holding that user ID and password was in. This includes privileged users, a horrible security faux pas.
While Congress is finally holding some hearings and beating up everyone in sight besides themselves, they still have not approved the deployment of DHS’s Einstein, while at the same time complaining to agency heads about not securing the networks.
Such is the challenge of government. Getting things done requires an Act of Congress – sometimes literally, sometimes figuratively.
Partly, this is because Congress is often driven by sound bites and the daily news cycle, so rather than dealing with dull, boring topics like cybersecurity, they vote on things that will get them 30 seconds of face time on CNN or Fox. Partly, it is because many members of Congress have their staff print out their emails for them. Only 4 members of Congress have computer science degrees (4/535 = 0.7%).
Another new item – credentials from KeyPoint Government Solutions were used by hackers to obtain access to OPM systems.
KeyPoint, one of the two contractors that OPM used to do background checks, was hacked last year. The other contractor, USIS, was also hacked; OPM decided to cancel (technically, not renew) USIS's $2+ billion contract, and USIS has filed for bankruptcy. OPM defended its decision not to fire KeyPoint as well. Because cost is the determining factor in who wins a contract, the American people lose, since security is not a consideration.
At the same time, less than half of U.S. companies do vendor security assessments, meaning that a lot of private companies may be in the same boat as OPM and not even know it.