Tag Archives: OPM

Office Of Personnel Management Breach and CISA

Congress has been trying to pass some sort of cyber security bill for 3 or 4 years now, but up until last December, was never able to pass one.  Part of the reason is that knowledgeable people understand that this information sharing will likely not help you or me at all.

Last December, Congress quietly placed what was the CISA bill (S.754) inside the federal budget bill that was passed quickly so as to avoid shutting down the government.  There was very little debate – there was no time – and the intelligence community was able to negotiate the weakening of language that required companies that share information with the government – in exchange for which they get immunity in case anyone sues them for doing that – to make sure that there is no personally identifiable information being shared,  While some people read the law as protecting privacy, others read it in the opposite manner.

The weakened privacy protections say that a company cannot share information that they KNOW to be personally identifiable and KNOW that is irrelevant to cyber security.  That seems like a pretty big loophole to share almost anything.  The good news is that many companies will try to avoid sharing any information with the government because of the negative business PR when they get outed as sharing data with the government. See Wikipedia for more information.

What we don’t know is how the government might use this law to “encourage” companies to share information if they want, say, government help or government contracts.

One note.  The law requires DHS and ODNI to provide procedures for sharing information within 60 days of enactment of the law.  If enactment, in this case, means when the President signed it, that means they the procedures must be sent to Congress this week, so stay turned.

So how does this relate to OPM?

Whether the data provided by private industry directly contains your PII or not, it is likely that the data may be sensitive to the company sharing it.  As a result, those companies are counting on the government to protect that information.

Almost a year ago the U.S. Office of Personnel Management acknowledged the fact that hackers made off with information on around 20-25 million Americans – many in positions of trust and who have access to sensitive classified information.

Based on my background, I assumed I was one of those people.

So, I waited for a letter to arrive.  By October I still had not received a letter, which I thought odd.

So I went to the OPM web site and there is a process, they say, that will tell you whether OR NOT your information was breached.  No response.

So I called the OPM call center and asked them to resubmit my request.  And, still, no letter.

Remember, in both of these cases I should have received a letter either way – whether my information was compromised or not.

So I wrote to my Senators and and asked for their help.  One did not respond to my letter;  the other talked to the OPM who said, go their web site.

So I did, again.

Finally, today, about 10 months after the breach was announced, I got a letter.  Yes, I was included.

What was taken?  Name, address, social security number, date and place of birth, where I have lived, education including dates and degrees, employment history, personal foreign travel history, immediate family members (and actually I would call that extended family – it includes brothers and sisters, their spouses and their children),  business acquaintances and personal acquaintances.

Oh yeah, also all 10 of my fingerprints. OPM says they are not sure how an attacker would misuse them, but they are pondering the question.

Based on that, here is my – and a lot of other people – thought on CISA.

If the government cannot keep information such as the list above out of the hands of hackers, how likely is it that they can keep information that I share with them regarding threats – which certainly could include enough information for another hacker to figure out how the original hacker planned to attack me or other sensitive information- including an attack vector that might still be valid – safe and secure.

Especially since once I share it with Homeland Security they can share it with a whole raft of other agencies. so not only do we have to worry if DHS is keeping the information secure, but we also have to worry about the other agencies that get that information from DHS keeping it secure.

It will be interesting to see what the procedures say when they come out – maybe this week.

Addendum:  BestVPN reported that there was a private, invitation only meeting between the government and the CIOs of the largest companies where DHS tried to convince the CIOs that they were from the government and were here to help them.  As Ronald Reagan said, those are the most terrifying words in the English language (see the clip on YouTube).

Curiously, only 58% of the CIOs in attendance think that CISA will increase corporate cooperation with the government.  Because the government, they say, is useless at cyber security.  The FBI even admitted it, the article says, after the OPM breach.

As part of the roll out, DHS and/or NSA has created at least two new systems.  TAXII, a messaging system to exchange information and STIX, a threat parsing system.

DHS says that they will start this program – maybe already done – with a few select companies.  Who might those be?  They have not said and I bet those companies are not going to tout that they are participating.

Information for this post came from BestVPN and other news.

OPM Awards Contract For ID Protection From Second Breach

There are reports in the news that Identity Theft Guard Solutions won the contract to offer identity theft protection for the 21.5 million victims of the second OPM breach.

This is 90 days after the breach was disclosed.  It is unclear how long it will be before people get letters and have the ability to sign up with this company.

If this was a private company that had been breached, people would be screaming about this.  The government usually gets a free pass because it is hard to sue the government.

The contract will cost us, the taxpayers between $133 million and $329 million over 3 years, depending on the options (power windows, maybe, the news is not reporting the details).

This is separate from the $500 million contract request posted by the GSA to prepare for future breaches.

The lack of preparation by the OPM (and many private companies) is the cause of the delay in notifying breach victims.  Any business executive watching this who does not have an incident response plan already approved might use this as a lesson,

Earlier, OPM had said that they expected the winner to start sending out letters within a week, but that it would take a couple of months to get all the letters sent out.

This means that it could be Thanksgiving or Christmas before breach victims get the official notification letter.  Merry Christmas.  If it does wind up taking 6 months after the breach was announced to just get the letters out, I suspect that may spark some interest in lawsuits.

This, of course, has nothing to do with the issue that credit monitoring will do nothing to protect you from, say, a blackmailer who has your entire criminal record or mental health history as disclosed on the forms that the government was supposed to protect.

Also, it is certainly possible that there will be a protest of the contract award  – that is fairly common in federal contract awards.

Stay tuned for the next chapter.

Information for this post came from the Washington Times.

Shorts: Neiman Marcus, UCLA Healthcare, OPM, USPS Breach, National Breach Law

The Seventh Circuit Appeals Court, normally pro-business, has reversed a lower court ruling and said that the class action lawsuit against Neiman Marcus can go forward.  Often, these suits are dismissed saying that plaintiffs haven’t experienced any harm since fraudulent credit card charges have been removed.   This decision means that businesses hopes that class action suits will get dismissed as long as they reverse customer’s fraudulent charges is an argument that is holding less weight.  One interesting point that came out was that even though Neimans discovered the breach during the Christmas shopping season, they waiting until after New Years to disclose it so as to not hurt Christmas sales.  The court did not rule on the merits of the case, so stay tuned.

Source: IAPP

 

A UCLA Healthcare patient has filed a class action lawsuit against the hospital system in light of their recently announced breach.  While this is not a surprise, they are suing under the concept of breach of contract.  Part of the reasoning is that medical ID theft, unlike credit card theft, cannot be resolved by issuing a new piece of plastic, but instead can last for decades.  On the black market, a credit card might sell for $5, while a medical file might sell for $60+ based on that theory.

Under California law, patients could be awarded  up to $1,000 in statutory damages and $3,000 in punitive dames for each violation.  If each record is a violation, 4.5 million records could generate a large invoice.

Source: Consumer Affairs

 

The Senate appropriations committee voted to fund at least 10 years of credit monitoring plus a $5 million fund for reparations for the 22 million victims of the OPM breach, but no funding of OPM itself.

This ensures that the lax security and antiquated software will continue to run the country’s largest personnel department, leaving it vulnerable to the next group of hackers.  I have no question that Congress was and continues to be responsible for the OPM breach.

Source: Rollcall

 

The Postal Service Inspector General released a report blaming the USPS breach last year on poor training (their fault), lack of accountability for risk acceptance decisions (shared fault) and continued use of antiquated, unsupported systems (Congress’ fault).

The IG said that the Postal Service cannot attract qualified cyber security personal because they offer salaries of about HALF of what industry offers.  The blame for this lies with Congress, who sets government salaries.

As a result of this and other reasons, the IG says that the Postal Service was unable to prevent, detect or respond to threats.

Until Congress decides that cyber security is important government wide and passes laws that force agencies to treat cyber security seriously, we will continue to see more government breaches.  Given that Federal, state and local governments are not treating cyber security with any urgency, they are likely to be a popular target for years.

Source: Fierce Government IT

 

Just in case you have any doubt that I totally blame Congress for this cyber security mess….

It appears that hopes for any kind of national cyber breach bill are pretty dim after Republicans watered down the bills in committee to to pointing of meaningless to attempt to get something passed, which the Democrats rebelled against.

Passing a useless bill would allow politicians to say “see how wonderful we are” while not requiring big campaign donors to do anything meaningful.  Credit card fraud is no longer the big problem as the banks, for the most part, are doing a much better job of catching it.  Unlike Congress, the banks are worried about losing their own money,  Below is an example of a text that I got from the bank the other day:

Chase

Source: Rollcall

Fallout From OPM Breach Continues

Not surprisingly, the fallout from the OPM breach continues.  Here are a few new items in the news after OPM Director Archuletta was basically fired.

  • The OPM has changed it’s privacy policy to allow investigators to probe it’s databases.  This happened after the discovery of “significant entryways” for hackers in at least 3 more databases.  The change allows external agencies, contractors and any “appropriate persons and entities” to access OPM systems.  This could be worse than the attack because I don’t have a lot of confidence that the OPM will manage this well.
  • While the OPM picked a contractor to help them manage the first breach in a day, under the table, with no bids (and took a lot of heat over it), they put out an RFI last week for this breach.  One of the potential bidders is LifeLock, although they may be low on the list due to their new problems with the FTC.  Preliminarily, they want to pick a vendor on August 14th, with notices going out starting the next week.  This points to how hard it is to get ahead of the breach steamroller if you did not plan ahead.
  • Lawmakers are asking the GAO to review how effective credit monitoring is in this situation.  Also, how adequate it is.  I have said before it is mostly useless and totally inadequate.  We will see what the GAO says.  Unfortunately, I am not aware of any product on the market that would work well in this case.  They are also asking if these services make you more vulnerable in the future (as I suggested yesterday with LifeLock).
  • Questions are being asked if the hackers might have been able to change security clearance information – either questionnaires or status.  The OPM would not say, meaning that they cannot assure us that the hackers could not do that.  If the integrity of that information is suspect, that is a BIG problem.
  • Valerie Plame, former CIA operative and now author, who herself was outed by President George Bush’s staff as retaliation for comments her husband Joe Wilson made, said that the attackers “are going to be able to exploit this information for decades.”.  Unfortunately, that is an understatement.
  • Some people have blasted the White House for not identifying the Chinese as the source.  Here is the reasoning.   The NSA does exactly the same thing.  Hopefully, they don’t get caught.  If we start indicting the Chinese for this, they will likely point out that we do it to – probably with some evidence.  We don’t want another Snowden.
  • Lastly, the OPM is telling agencies that they are going to share in the OPM’s pain.  In particular, they are going to pay for the cost of dealing with the breach.  Given this breach will likely cost the OPM hundreds of millions and the government does not buy insurance, someone has to pay for it.  The agencies are not happy, but also not surprised that they will have to write some big checks.

It’s gonna get even messier before we clean this stuff up.

 

 

 

Information for this post came from IAPP, the International Association Of Privacy Professionals.

OPM Is Not Alone – 47 Agencies Credentials May Be Compromised

While OPM still garners most of the attention and the number of potentially compromised records continues to rise – that number now could, possibly, be as high as 32 million – 1 in 10 Americans, other reports show that credentials for other government users can be found on Pastebin.  Part of the problem is password reuse between work accounts and other accounts – say Facebook.  Part of the problem is that many agencies still don’t require anything more than a password to log in remotely (see articles here and here).

Federal Computer Weekly is reporting that credentials for employees at 47 agencies, including DHS, were found at sites like Pastebin, a toxic waste dump of all kinds of stolen stuff along with legitimate content.

FCW says that as of early 2015, 12 of those agencies did not require two factor authentication to log in remotely, meaning that if you had that userid and password, you were in.  This includes privileged users – a horrible security faux pas.

While Congress is finally holding some hearings and beating up everyone in sight besides themselves, they still have not approved the deployment of DHS’s Einstein, while at the same time complaining to agency heads about not securing the networks.

Such is the challenge of government.  Getting things done requires an Act of Congress – sometimes literally, sometimes figuratively.

Partly, this is because Congress is often about sound bites and the daily news cycle, so rather than dealing with dull, boring stuff like cybersecurity, they vote on things that will get them 30 seconds of face time on CNN or Fox.  Partly, it is because many Congress people have their staff print out their emails for them.  There are 4 Congress people who have computer science degrees (4/535 = 0.7%).

Another new item – credentials from KeyPoint Government Solutions were used by hackers to obtain access to OPM systems.

KeyPoint, one of two contractors that OPM used to do background checks was hacked last year.  The other contractor, USIS, was also hacked.  OPM decided to cancel (technically, not renew) their $2+ billion contract and they have filed for bankruptcy.  OPM defended not firing KeyPoint as well.  As cost is used as the determining factor for who wins a contract, the American people lose because security is not a consideration.

At the same time, less than half of U.S. companies do vendor security assessments, meaning that a lot of private companies may be in the same boat as OPM and not even know it.

 

Office of Personnel Management Breached Again

News sources around the country are reporting that the Office Of Personnel Management was breached and it likely was breached for a long time.   The OPM provides HR services for executive branch agencies and provides services like doing security background checks for the DoD and others.  The OPM is releasing very few details at this point other than the breach is affecting a little over 4 million people.

The OPM issued a press release announcing the breach but giving very few details.  For example, they are not saying when it started or exactly what data was taken.  Hopefully, that will be released.

What they did say is that they have been working over the last year to improve their cyber security and as a result, in April 2015, they became aware of the breach.  How long the hackers were in there is unclear.

You may remember that OPM was hacked last year (see NY Times article) and there were concerns that the eQIP database, which stores very personal information on contractors and employees who have applied for security clearances was hacked.

In addition, OPM contractor Keypoint Government Solutions (see article) was hacked and hackers got away with about 48,000 records.  Keypoint is still a vendor to OPM.

Also last year, USIS, another background check vendor, was actually fired over a similar breach.  They lost contracts valued at $2.6 billion as a result of this breach (see post), forcing them to lay off 2,500 employees and coming close to bankruptcy.

The government is attributing the breach to China;  China is not exactly denying it.  China’s foreign ministry said that it is very hard to prove who is responsible for a cyber attack.  At least they hope so.  You may remember that President Obama attributed the Sony attack to China and people, including me, said how do you know.  It finally came out that we had hacked North Korea and were inside their networks for years, so we probably did know.  Is the same true for China?  No one is saying.  Yet.

What does this mean for you and me?

It means that hackers are going to go where the data is and one fallout as organizations collect more and more data, is that they become bigger targets for hackers.

I remember when I worked for a defense contractor many years ago and applied for a clearance, I filled out a form in pen and a typist typed up a final copy, which was mailed to Washington.  The only way hackers could hack the OPM then, was to break into the OPM offices in Washington.  That likely would result in the hackers being shot and killed, a less pleasing outcome.  In addition, to steal data on 4 million people would likely require a semi tractor trailer backed up to the OPM offices for hours if not days, something that would likely be noticed.

Process improvements don’t always take security into account.  For example, was the data at OPM encrypted?  If so, conceptually, was the key stored on a hook by the door.  Likely.  This means that if they got an authorized user’s credentials, the fact that the data was encrypted doesn’t help.

This will, predictably, several events –

Some Congress critters will say how terrible the President is that he allowed the Chinese in.  Of course, the buck stops here, at the Oval Office, but it is not like companies all over the world are not being attacked.  Some are Republican, some are Democratic.  This is not a political affiliation problem.

The FBI will probably say that if only they had the ability to read your secure communications that this would not have happened.  Hopefully they won’t since this did not start in the U.S.  If they said that if only they could see all Chinese communications, then they might be right.

For defense contractors, they may see more and deeper security audits.  This is no fun for defense contractors.

Ultimately, until we start taking cyber security seriously (remember that people’s top two favorite passwords are 123456 and password), nothing is likely to change.

So, as I lately have been saying – security or convenience – pick one.

Common cyber hygiene does make it harder – not impossible.  Install patches, don’t click on links in emails.  Hang up on the guy on the phone who calls and says, in a thick foreign accent, that he is from the computer support department and he is here to help you.

There is no simple answer.  Sorry.