130 comments

[ 4.8 ms ] story [ 182 ms ] thread
(comment deleted)
Ah yes, when they themselves are affected, suddenly there is a 230 page report.

Meanwhile you sure as hell can't, you know, get an actual post mortem when they bomb an Afghani hospital.

I don't know if "suddenly" is the most accurate word. This attack originated in May 2014 and was identified sometime in mid 2015. https://www.opm.gov/cybersecurity/cybersecurity-incidents/
That is light speed as far as the government is concerned.

You couldn't get an FOIA answered in that time period.

FOIA aren't exactly something the government cares about, don't think that's an apt comparison
The crazy thing to me was that the 2015 discovery was reportedly [1] due to a "product demo".

Of course, I expect that the company was entirely legitimate, but running an intrusion detection company would apparently be great cover for gaining free vulnerability scans of potential targets.

[1] http://arstechnica.com/security/2015/06/report-hack-of-gover...

"they"

> As the Committee on Oversight and Government Reform, we will work with our colleagues in the minority to exercise effective oversight over the federal government and will work proactively to investigate and expose waste, fraud, and abuse.

Have you tried asking them nicely?

"Additionally, fingerprint data of 5.6 million of these individuals was stolen."

They'll need to change their fingerprints immediately!

I'd like to see YYYY-04-01 RFC on biometrics authenticator expiration protocols.
"As an alternative, users may keep all their fingers in a fingerprint safe and secure them all with a single retina scan, which they can use to open the safe each time they need to use a finger."
Thats why fingerprint is username, not password
In keeping with industry best practice, I require staff to sandpaper off their fingerprints and regrow them every 90 days.

For "security".

A bit extreme isn't that? I just have my staff paint their fingerprints with women's ruby red fingernail paint. It dries to a smooth glass-like finish.

For "security"

The letter they sent me claimed that there is currently no way to create fake fingerprints, so there's nothing to be worried about, 2 years of identity theft monitoring is good enough.
I'm sure you're very comforted by that addition of the qualifier "currently."

Correlated letter from 2011: "Dear streptomycin, your fingerprint data is currently not stolen!"

In what world are they living, where there is "no way to create fake fingerprints"? Of course that is possible. Here is one example: http://dasalte.ccc.de/biometrie/fingerabdruck_kopieren.en

It is easily possible to create fake fingerprints that can fool any known finger print scanner. If you know one, that supposedly can't be tricked, please let me know.

They lied to you. But what else is new.
I wasn't sure if they were lying or merely incompetent when they said that. Mythbusters has an episode of them defeating fingerprint locks using a print lifted from a glass, and the technique they used was anything but sophisticated.
sure would be nice to have something better than a raster image of pages 2-231
Agreed, although rasterizing was likely the simplest way to ensure that redacted information can't be (somehow) reconstructed.
I've only read up through the executive summary thus far but this looks like it's going to be a fascinating read.
This isn't the "official postmortem". It's the official report of the GOP-led House Oversight and Government Reform Committee. It's a partisan political document.

A better title:

Republican House Oversight Report On OPM Data Breach.

Let's be fair: while the source may well be partisan, it is also a technical document. Referring to it simply as a partisan political document doesn't acknowledge its full contents or its value to a technical community.
It is not a technical document. It is a document that contains technical details. For instance: it contains a formal set of "findings", as in the "findings" of law and fact in a trial. Here's one of the first findings:

FINDING: Slow implementation of critical security requirements such as dual factor authentication is a true case of misplaced priorities.

That's not technical language. It's not even formal language.

OPM was/is a clusterfuck. I'm not disputing that. But the authors of this document had a job to do: portray administration appointees in the worst light possible.

Is there something in this document that you can point to as being inaccurate or obviously exaggerated?
I don't know. That's not a hurdle my argument needs to clear.
I disagree. If you're going to say "But the authors of this document had a job to do: portray administration appointees in the worst light possible." then you need to at least show some examples of that.

You're not making an argument. You're trying to pass an opinion as a fact. You need to back up statements like that.

I simply disagree with you.
If you're disagreeing that you "need" to provide proof as a duty, then you're correct.

If you're disagreeing that you "need" to provide proof because your claim is substantiated intrinsically, then you're being pompous and lazy.

This. HN famous != Claims need not be backed by evidence.
The document is a "Majority Staff Report". And the only listed authors are from one party. By definition it is a partisan document. That doesn't mean that it's 100% false (or 100% true), but that's the context for the report.

Regardless of whether or not anything was exaggerated, it's still a partisan, political document. The contents don't change that. This would still be the case if it was a "Minority Staff Report" too...

The past 8, if not the past 24 years, of highly partisan, political, and acrimonious relations between political parties in the U.S. is sufficient context for the observation that this is a single party's view of the incident to be salient.

That of the two major parties, the report is authored by the one with a far more adversarial relationship wwith the truth is also worth mentioning.

Not that the report mightn't contain elements of reality. But this is also likely to be as critical of the opposing part and politically beneficial to the authoring party as possible .

The fact is that this isn't a bipartisan and balanced (possibly, yes, to the point of compromise) report. That is not an opinion.

Tptacek hasn't argued the contents are specifically flawed. But the impartiality of the authors is certainly suspect on well-founded grounds.

Yes, agreed, a partisan document out of a Congressional Committee is inherently biased. I don't think anyone would dispute this as a general principle so there's no reason to think this a special case.
I won't argue with you the difference between a technical document and a document with technical details. You're welcome to that definitional win.

There are interesting technical details in this document about the exact methods, vectors, files, timelines, etc used in both offense and defense of this incident. They would be of interest and value to many in this community regardless of the partisan agenda of the committee.

It is not my argument that this is an uninteresting or uninformative document.
A technical document about a breach would explain the mechanisms for the vulnerabilities and exploits involved, and discuss how systems could be architected and written differently to avoid them.

This document walks up the abstraction chain several notches and attacks the org chart and security policy of the MS Word variety, not the way things were written or configured (except insofar as bad config stemmed from not enough teams of paper not enforced well enough). It is pitched at the kind of CIO/CTO who could just as easily be any other CxO, not at engineers.

That's ridiculous. The OPM data breach was the largest in the US government's history.

If even that, which most of the intelligence and law enforcement officials have said is a catastrophe that won't be fixed for a generation, shouldn't be portrayed in the "worst light possible", then what should?

Enough with the partisan crap. This happened on those people's watch. Regardless of which party named them as the leaders of the OPM, they should be heavily criticized for it.

In fact, I'm actually quite angry myself at the fact that the Obama administration tried to downplay this for as long as possible last year. You actually didn't see much about it in mainstream media, and only some of it in tech media. All because Obama may have not wanted to be remembered as the president on whose watch the OPM breach happened.

So what I get from this is that you're the partisan one, not the OPM report.

None of this has anything to do with my argument.
In some places its typical for such legislative committees to also issue minority/dissenting reports - does that happen in the US?
Yes the minority members of a committee can issue their own reports, e.g. [0]. It probably won't happen in this case because the "other" party just wants this issue to go away. Arguing in public would only draw attention.

[0] http://democrats-benghazi.house.gov/sites/democrats.benghazi...

> It probably won't happen in this case because the "other" party just wants this issue to go away. Arguing in public would only draw attention.

From tptacek's comment, made ~5 minutes before yours:

http://democrats.oversight.house.gov/news/press-releases/cum...

Why would they want to avoid discussing this?

That looks like a different thing? I.e. a "memo" prepared by "staff"?

Nevertheless I'm sorry to have made a comment that seemed partisan. The Democrats and Republicans can both jump in a lake for all I care.

No, it's the response of the ranking minority member of the committee that produced the report we're all commenting on. It's right there in the title.
> Nevertheless I'm sorry to have made a comment that seemed partisan.

I'm interested in figuring out what you mean by your remark. You're saying nobody wanted to talk about it, but it seems for opposite is the case. What prompted your original remark?

It's a political document in other words based on limited information and perspective?
If only we had an agency in charge of protecting and securing these kinds of systems.

It seems NSA has spent all its budget on cool hacking tools and programs, exploiting hard drive firmware and routers and other crap. Yet the all SF-86 forms (except CIA's +) got stolen right under our noses. But again, nobody is going to feel cool defending and securing stuff, everyone wants to be on red team.

Stolen stuff includes millions of fingerprints. Those are obviously not hashed, so that's just the raw data I imagine. They'll learn lesson to not rely on fingerprints as much. Maybe that's one good thing coming out of it.

[+] CIA could still be affected, if for example some people there started at other agencies, or in the military (CIA likes to hire ex-Marines for example).

(comment deleted)
One of NSA's primary missions is information assurance. I'm sure they have blue teams. But their mandate is pretty limited in regards to what they can do with civilian infrastructure.
Technically DHS should do it. I don't see DHS having the expertise and brainpower for it.
> It seems NSA has spent all its budget on cool hacking tools and programs

From the report: On March 20, 2014, US-CERT notified OPM that a third party had reported data exfiltration from the OPM's network.

I think it's likely it was NSA that made the notification. Maybe not. Either way, what further could NSA have done about it? The NSA can't make another federal agency improve its computer security. At best it can perform audits: which it appears to have done; OPM had the lowest security posture of any agency.

Should the NSA have prevented the exfiltration? How would that work? Do you want the NSA to have the authority to cut network connections occurring in the U.S. internet? Should the NSA have authority over civilian government agencies? What about hacking and wiping the intruders' endpoints? Sounds like an act of war to me, if those endpoints are on Chinese soil.

I doubt the vast majority of HN'ers want an increase in NSA's authority or scope.

> The NSA can't make another federal agency improve its computer security.

Maybe it should have the power to intervene and stop it? This is still the federal government (it is not about walking into Facebook and shutting it down). I think it is the only agency with the brainpower to do it. It should be been trying to hack it and test the system periodically to identify flaws in it. Then mandate changes.

> Do you want the NSA to have the authority to cut network connections occurring in the U.S. internet?

To the federal agencies. Cyber defence doesn't work with current bloated beaurocracy. Nobody seems to be in charge.

> I doubt the vast majority of HN'ers want an increase in NSA's authority or scope.

I don't know. I would rather them spend more time defending, wouldn't mind expanding their power and diverting more budget towards that.

> Nobody seems to be in charge.

That's indeed the problem. There was a strong push for a while to put NSA in charge of civilian infosec infrastructure. But Congress didn't really want to put a combat support agency in that role. So DHS is technically in charge of that. But we still have the majority of federal agencies stuck fending for themselves when it comes to securing their networks. Without stronger action from Congress, this may never change.

Because when I think of technical sophistication, I think of DHS.
Exactly, they simply have never had the institutional knowledge required to secure government networks.
Their hostile attitude towards computer security pay incentives practically guarantees nobody will jump ship from IOC or TAO. This problem will likely only be resolved by a big media stink.
> Without stronger action from Congress, this may never change.

You should go read the cybersecurity act passed in December of 2015, and realize that DHS is now authorized to force agencies to use it's security and offerings.

> The NSA can't make another federal agency improve its computer security.

Maybe not directly. But the NSA could play a much more positive role in information security generally by moving out of the shadows and making more of its research public. The expertise that the NSA has acquired in securing information needs to be widely disseminated to work its way into engineering curricula and praxis, and that won't happen as long as the NSA communicates by whispering.

Yes, maybe they should release a kernel security scheme for Linux that incorporates some lessons learned. Maybe they could call it SELinux.
I mentioned SELinux in a previous comment along the same vein.
(comment deleted)
After 28 years of DoD service, civilian engineer, I just called it quits. I got tired of the retaliation for turning in security violations. The last one: sharing of passwords on a secured network. One violator's response: Where is it written we cannot share passwords? Why the retaliation? It portrays a bad image. Nice!
This kind of stupidity is why I think I can never take a gov't job. I don't think I'd last a week. Sorry you had to put up with it.
Any reason why you think this is unique to government employment? My experience in both gov't and private sector work suggests it's ordinary human nature.
What about things the US Digital Service or 18F? The image they present is that those teams are different and outside the standard government bureaucracy. I'm skeptical.
Employee of 18F here, speaking unofficially. We care a lot about security - both from the technical side and from the policy compliance side!
How was recruitment?. Someone I know tried to get a got job there, got stuck in the queue forever. Was told to wait months. So eventually gave up and took another job.
USAJobs is badly in need of an 18F overhaul.
(comment deleted)
Sometimes it's a matter of being in the right place at the right time. I applied (and was rejected) for at least 50 federal positions before I was hired. My organization needed someone fast to replace a 20-year fed who was retiring. They compiled a list of all the candidates who made the cert, and in the end, a veteran was selected. Except she wasn't a veteran, not even close. She had lied on her application, and assumed that no one would follow through - and she was almost right, because OPM clearly didn't do anything. But one of my bosses is an Air Force reservist, and he caught it right away. They went back to the original list, and to make a long story short, I was hired even though I'm a non-veteran with only private sector experience. To anyone who is really determined to make it happen, I've heard Kathryn Troutman's books recommended by coworkers.
Hiring in gov't is hard. We've had to pause and refactor our hiring process several times. Long delays are just as frustrating to us, trust me. It's getting better all the time though.
> We care a lot about security

Which is doubtless why you ignore the TIC guidelines, etc

Sucks. Consider writing a book / get in touch with theintercept on a new machine from public wifi. https://theintercept.com/securedrop/

FWIW: Someone I know whom worked for DIA as a sysadmin about 10-15 years ago recalled multiple instances of TS/SCI folks being fired for surfing for porn over monitored networks... career- & clearance-ending. Maybe that's the only culturally-unacceptable sin in that community, apart from making the org/folks look bad?

(comment deleted)
Sounds like one of those situations where you're damned if you do and damned if you don't. Even the most eloquent bitchslap directed at such users, even if you disguise it as user education, can still cause strife. :/
> you're damned if you do and damned if you don't

Most of my military experience followed this maxim. For example: You witness your squadmates doing something against the rules. Do you do the Official thing and report that to your unit commander, as you required to by guidelines and the definition of "good soldier"? Because if you do, now your entire squad will ostracize you, make your life complete shit, and possibly leave you to die on the battlefield. If you don't, you had better hope they don't get caught, because if it comes out that you knew about it and didn't say anything, now you are in just as much trouble.

This happened literally every day.

Seriously? I don't think I've ever seen a security policy where it was not written that you cannot share passwords!
This was probably at State Department. They have difficulty communicating security guidelines to staff and management.
241 pages and not one mention of NIST or FIPS.
There's actual several mentions of NIST, ATOs, and FISMA, all of which implicitly cover FIPS by reference.

#acronymheatdeath

>It seems NSA has spent all its budget on cool hacking tools and programs, exploiting hard drive firmware and routers and other crap. Yet the all SF-86 forms (except CIA's +) got stolen right under our noses. But again, nobody is going to feel cool defending and securing stuff, everyone wants to be on red team.

Damn right. This is one of the aspects of the Snowden leaks that was underplayed. The NSA seems to think that the best defense is a good offense, and maybe they have good reasons for that but from the outside it seems like they're just overly affected with wanting to feel 'l33t'.

https://medium.com/@bruces/the-ecuadorian-library-a1ebd2b4a0...

Exactly this. The US government thinks about computer security as a kind of war - cyberwar - and for better or for worse it has adapted the mindset that "security by demonstrated capability to drop scary bombs with brutal precision and efficiency" is more realistic than "security by making every building bomb proof."

Geopolitics these days isn't about impenetrable borders, it's about deterrence by ability to project force. They are looking at IT security the same way.

Re-orienting the NSA's mission to focus on improving security through public research and technology transfer (like SELinux) is the most viable option for stopping the current arms race. There seem to be a shortage of people at the NSA who have the visionary power to imagine a future in which computing is secure. Which is a shame, because it is a future we can realize; the building blocks are here.
As other people touch on, a good offense is something the NSA can actually do themselves. They don't have the authority to be a good defense. They had - and have - no ability to compel OPM to get their shit together.

In terms of defense, they've got a severe case of Congress-induces toothlessness.

Here's the kicker, technically NSA can't even do offense (attack). That's what US Cybercom is for. The NSA primary missions are SIGNIT and IA as a combat support agency. So they can gather information on foreign adversaries (and defend DoD networks), but they don't have the mandate to actually perform cyberwarfare. Or for that matter defend civilian networks against attack.
NSA and USCC is a distinction without a difference. They've even got the same head honcho.
Both organizations focus on similar concepts (after all exploitation and attack are two sides of the same coin). But there is a legal distinction which is important. NSA legally cannot do all that CYBERCOM can do.
You're absolutely correct, it's legally a massive difference. In practice, they're more or less the same people groups of the same people.

So I tend to view the distinction between the two as something of a legal fiction.

NIST sets the standards (FIPS).

Most programs for security guidelines seem to be descendants and ongoing implementations of HSPD-12.

I believe the Office of the Inspector General would be in charge of auditing in some cases, but it's usually up to each individual agency.

> Yet the all SF-86 forms

Not quite all of them. OPM doesn't seem to keep track of any paper SF-86s that were phased out in favor of the first web site iteration around 2001. Those earlier records may be safe. The image PDF isn't searchable so I couldn't confirm this.

Yap, 2000 or sounds about right.
Correct me if I'm wrong, but I thought NSA is only in charge of protecting classified systems. OPM data wasn't in a classified system.
At least you can change your password. Good luck getting new fingerprints.
> If only we had an agency in charge of protecting and securing these kinds of systems.

Firstly, why do you insist in letting OPM off the hook?

Secondly, even if we stipulate that OPM isn't at fault and that someone should have stopped this, you should read about roles and responsibilities in the government before blindly blaming NSA. Start here. https://www.us-cert.gov/about-us

> why do you insist in letting OPM off the hook?

I am not. It failed massively. Letting it do what it kept doing before is not going to work. We have hard evidence of its failure. There is no point mentioning it, it is obvious.

> , you should read about roles and responsibilities in the government before blindly blaming NSA. Start here. https://www.us-cert.gov/about-us

So where was US-CERT all this time? It was active since 2003. It had more than a decade to ramp up and get up to speed.

Why where all the electronic SF-86 forms stolen? You'd think out of all the places, they would protect, that would be close to the top.

> before blindly blaming NSA

Because they are probably the only ones that have the smarts to do it? Also isn't that their mission as well. https://www.nsa.gov/what-we-do/ . Second line is "Defends vital networks". OPM files with detailed and personal details on millions of current and past government workers who have clearance is pretty vital one would think.

> The Exfiltration of the Security Clearance Files Could Have Been Prevented.

TL;DR, there were two intrusion actors that were acting in concert. After being notified by US-CERT of exfiltration activity from the OPM network, OPM monitored the first one, who conducted the initial breach (use of contractor login credentials) and then performed survey of their network. They attempted to flush out her malware but failed to account for a second actor that had managed to leave an alternate access point into the network.

> "Notably, OPM Director of IT Security Operations, Jeff Wagner, recommended deploying ... preventative technology"

So the problem was identified and brought up to committee and still ignored/tabled by the CIO, Donna Seymour. Preventive measures were only undertaken after the exfiltration of security clearance data was complete.

Interesting to see the steps they took to expel the APT (physically verifying the identity of account holders on account resets, taking services offline, resetting networking equipment).

Even more interesting is that had confidence they'd actually expelled the APT. Of course, they hadn't totally eliminated a related APT already in place.

This wasn't a "provision a clean box and run a build" reset... it's a massive, heterogeneous system. I can't even imagine how many vectors a nation-state APT could use to maintain a foothold.

(comment deleted)
tl; dr.

Two distinct attacks, likely related, possibly coordinated took place. The first was observed in March 2014 and thought to be expelled in late May 2014.

Before that expulsion, a second attack began. While OPM thought it was in the clear, the 21.5M records were exfiltrated in July 2014. As late as August 2015, that same attack vector was used to steal fingerprint information as well.

Interestingly enough, I haven't either seen either an emphasis on the main responsible directors being women; or claims that the agency was a "glass cliff".
What on earth would either of those have to do with this?
I think that was a thinly veiled attempt at saying they were "diverse-hires" (a promotion or hire based on gender politics) instead of having a qualified individual in the position.

I'm unaware of the qualifications of either director, so who knows.

No, what I'm saying is that we discuss/speculate on these things too much.
One of the most frustrating things about this whole fiasco is that the OPM breach finally became public in the summer of 2015, but I and many other victims weren't officially notified (or offered our measly couple years of identity protection) until December or later. At the time, I shared some of my thoughts on the breach here (some of the info may be out of date in light of the new report; I was piecing stuff together as best as I could): https://forrestbrazeal.com/2015/12/08/welp-i-was-an-opm-hack...

I was also annoyed that so much of the political posturing around the breach centered on OPM systems' lack of encryption. I haven't read all of this report, but it's nice to see the summary focusing on the lack of 2FA, a security practice that would actually have helped stop an internal infiltrator.

I still never received any notice about it. Was employed by DoD in late 00's, so am fairly certain my info was in the batch.
I believe Defense had their own, parallel system, so it may not be a given that you're in the leak.
Cleared employees are in the OPM data leak.
Not all of them. For example, the reported risk to CIA agents in US embassies in China was that they would suspiciously not be in the leaked data like actual State dept staff would be.

Apparently the Defense investigators (DSS) merged into OPM in 2004- https://en.wikipedia.org/wiki/Defense_Security_Service

My understanding is that if you submitted an SF-86 form in the last 10 to 15 years, you were affected.
You'd remember filling out an SF-86. But yes, I was definitely in the breach, yet I have not been notified.
I just got my postcard informing me I was affected last month. I tossed the offer of credit protection because I'm already stacking multiple "we're sorry" credit protections from other breaches.

The thing that burns me though, is that the credit protection is for a limited time. The severity of this breach and they can't give us a lifetime of protection?!?

What is "credit protection"?
In the US, most things are based on credit and not on actual money you have. If your credit is bad you can't do basic things like get a car, a house or a loan. If your identity is stolen someone else can do things in your name, and for example not pay back a loan. This causes your credit rating to sink, on top of the other problems (like people coming to your house because you didn't pay them).

If you check out http://money.visualcapitalist.com/all-of-the-worlds-money-an... you can see the derivatives and debt are a huge chunk of the not-actual-money part of the economy, which one way or the other is based on credit, credit ratings or ratings in general.

While this probably doesn't scale back to 1 person's identity, it does show that having someone mess with your credit is a whole lot worse than someone just stealing some money.

I get that credit scores are important. They are also in Germany. But what does credit protection do? Pay all the debts? Fix my score with all rating agencies?
It monitors your credit score for unusual lending to stop fraud. Normally, they also include insurance to cover any fraudulent activity associated with your identity.
They will email you if you have a new inquiry or new account on your credit report(s). They will help you remove incorrect information and sometimes provide some financial assistance getting your documents replaced. Other than that they don't do much. They can't prevent someone from opening an account (only a credit freeze does that) and they can't tell you about non-credit identity theft.
You should take it. The opm breach offers the best credit and identity theft monitoring you can get. You can actually input your emails and other information and they will notify you when it's found in online dumps, etc. They also tell you the source of the dump.
as a foreign citizen, previously living and working for the DoT through a contractor, i was never notified as well. pretty sure my data got leaked as well.
OPM's e-QIP site was vulnerable to heartbleed for at least a week after public disclosure (2014).

They still claim that they were never exploited. The arrest records, addresses, and other sensitive info I was able to view say otherwise.

I expected the EINSTEIN program would have helped to quickly defend against heartbleed after disclosure, but apparently not. US Gov just sucks at cybersecurity defense.

Is there a version of that document that is searchable?! OCR or something :(
Is the headline of the report truth or hyperbole?

"The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation"