> C, for the Central Verification System (CVS), ... contains ... Personal Identification Verification (PIV) credentials ... and polygraph data
Good lord.
Yet, somehow, someone might still present the solution as needing to spend more money sooner: It was only when OPM was assessing systems to actually implement the sort of continuous monitoring tools ... that OPM security officers discovered traffic outbound from the network. If only they'd demo'd the software a year ago, right? /s
Is anyone getting fired? Why should anyone lift a finger during this 30-day sprint? And what happens on Day 31?
This is the shit the NSA should be worrying about. Securing the US IT infrastructure against nation-state intrusion. Not dragnets of everyone's naked selfies.
I don't disagree. Unfortunately, this all falls on DoD-DISA. The NSA works with DISA to write the policy for how to secure systems (called STIGs) and also has 'Red Teams', but they aren't the arm that certifies these systems before coming online, nor are they the ones the ensure the systems stay secured as new vulnerabilities are found and patched -- that's DISA again.
You obviously know what you're talking about, but DISA can't enforce STIGs across the entire government can they? Some say that's DHS's job, or some Office within DHS (or within an Agency under DHS).
> but DISA can't enforce STIGs across the entire government can they?
No, with a small caveat: If that civilian agency (say DHS) is connected to the GIG[1], then DISA has a say-so and can threaten to disconnect them for failing security audits.
Something to keep in mind is that the STIGs are merely implementation guides to secure a system. Therefore, different agencies have different interpretations. In some cases specific secure implementations break systems and applications (mostly legacy ones), so they avoid securing those particular settings all together.
That makes sense from an org-chart level. But if that's actually the thinking inside, it represents a total lack of ownership on their part to get to the overall goal of security.
If this was the UK the home secretary would have resigned by now - why has the secretary of state (which I understand is the US equivalent) not done so.
The Secretary of State has no responsibility over the agency at question. It is an independent agency with a director appointed by the President. That is who should be resigning over this.
The secretary of state isn't the equivalent of the home secretary. The secretary of state is mainly responsible for foreign policy, so probably more like equivalent to the Foreign Secretary? Although definitely not a strict equivalency.
There isn't really any U.S. equivalent to the Home Secretary, the responsibilities are divided over several offices reporting to the president.
That is the person who is responsible for the OPM.
It operates on a fee-for-service model for 90% of its budget and isn't properly funding IT and IT security. Given she has only been there 18 months, I'm not sure how you can really blame her beyond the fact she didn't follow the "shutdown and repair" recommendation...except for the fact if she did that, she'd have to burn through the OPM's cash reserves as the only way to fund it.
Its honestly more of a flaw in the way Congress built the OPM incentive structure and the fact the director is a revolving door position that changes every 2-4 years.
The government simply just doesn't fund/prioritize IT & IT security properly outside of the intelligence services. They also build these psuedo-private-sector funding models that create the incentive to "ignore" cost centers like Security into critical infrastructure like the OPM. Its really horrific.
It's a long time since any UK politician resigned on principle or on honor. I think the late Robin Cook was the last (over the Iraq invasion which he believed was illegal).
Private Eye has an endless stream of 'highly suspect' (since any suggestion of 'corrupt' may get HN into trouble, just to be clear, I'm not saying 'corrupt'.) activities of various government ministers, none of whom resigned or even came close - despite their misdeeds being exposed. Look at how many were caught in the expenses scandal - some UK politicians even tried to hold on while being convicted of fraud and other criminal convictions (with some initial success too, https://en.wikipedia.org/wiki/Nazir_Ahmed,_Baron_Ahmed). That's never going to fly in the US.
You really need to go back to Margaret Thatcher's cabinet before you can really find many examples of resignation on the back of government screwups.
I think a resignation is more likely in the US than the UK. And it's not at all likely in the US.
I think the whole resignation of honor thing is self defeating. Corrupt and malicious people will never resign out of honor. Why should responsible people who have made a mistake do so?
The end result of honor resignation is that you have politicians who worry more about appearances than actually getting anything done. Does that sound at familiar?
If I understood Schneier's piece correctly, he believes that they had it before Snowden did (and independently of him), which seems extremely plausible - if Snowden could take all those files with nobody noticing, it's likely that a well funded, well equipped and well trained espionage agency has done that independently of him, likely all of them --
And for disinformation and source hiding, I'm sure they all (even internally and to their own "customers") claim now that the source is Snowden. I would if I were in their place.
I though his point was that they would have got it from the Journalist's - His other point was more speculative that there are other spies working for the FSB etc inside the wire at the nsa
All his points are speculative. He basically said "I think they probably have it - either directly or from the journalists". Why do most people believe the journalists are the easier target? They have certainly, at any point in time when stuff was in their possession, been more paranoid and careful than the NSA was before Snowden's reveal.
Yet, the relevant three actually (who cares about the 99.99%?) do have an idea, if you've been following the case. 99.9999% of journalists do not, and never had, a copy of the data. Poitras and Greenwald actually know what they are doing.
Yes, I do know who Bruce is. Do you? Did you actually read the piece[0] we are talking about?
Schneier himself seems to believe that the journalists are likely hacked, but that state actors have had this info long before Snowden:
""" Which brings me to the second potential source of these documents to foreign intelligence agencies: the US and UK governments themselves. I believe that both China and Russia had access to all the files that Snowden took well before Snowden took them because they've penetrated the NSA networks where those files reside. After all, the NSA has been a prime target for decades. """
and
""" The point I make in the article is that those nations didn't have to wait for Snowden. More specifically, GCHQ claims that "we have now seen our agents and assets being targeted." One, agents and assets are not discussed in the Snowden documents. Two, it's two years after Snowden handed those documents to reporters. Whatever is happening, it's unlikely to be related to Snowden. """.
Oh, and when you mention [ex]CIA employees, are you including the head of the CIA[1] or not? Cause, you know, that guy failed miserably at information security.
And by now is it only those 3 that have had access to the data or physical access to the machines - hacking another GMG journalist or machine would be one route.
And Petraeus shows that parachuting outsiders to the DCI's job isn't a good idea and also if your bonking a spook you don't behave like some 15 year old high school student.
My understanding of the Snowden docs is that, while plentiful, much of the most sensitive information is redacted and there are things referenced within them that are detailed outside of anything leaked. I could be wrong but, most people paying close attention assumed the "revelations" were going on, just nobody knew the codenames or specific details about the programs.
They are using Adobe ColdFusion which prior to version 10 was using JRUN as the JVM. Adobe doesn't even support nor let you download version 9 and below anymore.
Granted there are a couple hiccups moving from 9 to 10 but mostly (and understandably) it involved if you were calling Java directly. For the most part its pretty painless to upgrade.
It will likely be one or a few larger forensic investigations. I would wager that a team of a dozen experts or so will start one big investigation calling in other help as needed. In one big windfall they will determine how 80% or more of the data was taken. Then whatever is left will be handled on a case by case basis.
Likely the Unit thing was done to make the bureaucracy that pays for things happy. I have worked places where a 1,000 payments of $1 each was easy to make happen than one $600 purchase.
I feel like the OPM isn't doing enough about this breach. Espionage or not, American citizens outside the IC were affected and deserve to know if they've been compromised. More efforts need to be made to inform potential victims before any more harm comes from this, including greater transparency with regards to what systems have been affected and what the OPM could have done to better secure this data. That, and an apology would be nice.
"Among the things the inspector general found that could have helped hackers was that nearly a quarter of the agency's systems did not have valid authorization procedures," she said. "The reason that's important is because one of the departments that didn't have the correct procedures was the Federal Investigative Services. That's the group responsible for background investigations of federal employees. So that data's very sensitive, and as we know now, this is one of the databases that was hacked."
Let me get this straight. You had really sensitive data, you knew it wasn't secure and huge portions of the systems didn't have valid authorization procedures?
This is pretty eye opening, even for a governmental agency. The scary thing is, this is just the tip of the iceberg. It seems this breach was inevitable considering how many other EPIC FAILS are mentioned in the article.
Hypothetically, could U.S. persons who were affected by this breach claim any sort of financial reprieve for future lost wages? I'd imagine those affected would not be very desirable or even eligible any more for secure work.
In theory, yes, but in practice, that's the entire government apparatus that requires security clearance which is suddenly not eligible for getting a new job (or even keeping their current one). So nothing is going to happen there.
While it would be bad for the spies I don't think it matters much for the people who, eg analyse geospatial data, since they would only need to be vetted for access to the data.
"The ability of consumers to sue for future harm has, in many cases, been limited by a Supreme Court ruling that on its face had little to do with big commercial breaches. [...] In 2013 the Supreme Court ruled 5-4 against them, concluding that the fear of future harm from surveillance wasn’t enough for plaintiffs to have standing to sue."
The article also mentions a pending Supreme Court case (Spokeo v. Robins) which could "'open up the floodgate for lawsuits, in all contexts, but especially in data breach litigation'".
40 comments
[ 3.2 ms ] story [ 93.1 ms ] threadGood lord.
Yet, somehow, someone might still present the solution as needing to spend more money sooner: It was only when OPM was assessing systems to actually implement the sort of continuous monitoring tools ... that OPM security officers discovered traffic outbound from the network. If only they'd demo'd the software a year ago, right? /s
Is anyone getting fired? Why should anyone lift a finger during this 30-day sprint? And what happens on Day 31?
No, with a small caveat: If that civilian agency (say DHS) is connected to the GIG[1], then DISA has a say-so and can threaten to disconnect them for failing security audits.
Something to keep in mind is that the STIGs are merely implementation guides to secure a system. Therefore, different agencies have different interpretations. In some cases specific secure implementations break systems and applications (mostly legacy ones), so they avoid securing those particular settings all together.
1: https://en.wikipedia.org/wiki/Global_Information_Grid
There isn't really any U.S. equivalent to the Home Secretary, the responsibilities are divided over several offices reporting to the president.
Additionally, the Secretary of State is foreign affairs and not the equivalent of the Home Secretary.
https://en.wikipedia.org/wiki/Katherine_Archuleta
That is the person who is responsible for the OPM.
It operates on a fee-for-service model for 90% of its budget and isn't properly funding IT and IT security. Given she has only been there 18 months, I'm not sure how you can really blame her beyond the fact she didn't follow the "shutdown and repair" recommendation...except for the fact if she did that, she'd have to burn through the OPM's cash reserves as the only way to fund it.
Its honestly more of a flaw in the way Congress built the OPM incentive structure and the fact the director is a revolving door position that changes every 2-4 years.
The government simply just doesn't fund/prioritize IT & IT security properly outside of the intelligence services. They also build these psuedo-private-sector funding models that create the incentive to "ignore" cost centers like Security into critical infrastructure like the OPM. Its really horrific.
It's a long time since any UK politician resigned on principle or on honor. I think the late Robin Cook was the last (over the Iraq invasion which he believed was illegal).
Private Eye has an endless stream of 'highly suspect' (since any suggestion of 'corrupt' may get HN into trouble, just to be clear, I'm not saying 'corrupt'.) activities of various government ministers, none of whom resigned or even came close - despite their misdeeds being exposed. Look at how many were caught in the expenses scandal - some UK politicians even tried to hold on while being convicted of fraud and other criminal convictions (with some initial success too, https://en.wikipedia.org/wiki/Nazir_Ahmed,_Baron_Ahmed). That's never going to fly in the US.
You really need to go back to Margaret Thatcher's cabinet before you can really find many examples of resignation on the back of government screwups.
I think a resignation is more likely in the US than the UK. And it's not at all likely in the US.
The end result of honor resignation is that you have politicians who worry more about appearances than actually getting anything done. Does that sound at familiar?
Where I come from, CVS and PIV mean completely different things. One of them is an abomination before God, and the other is a natural act of biology.
(JRun and Windows XP? Really?)
Now id believe Bruce more than a Murdoch Rag
And for disinformation and source hiding, I'm sure they all (even internally and to their own "customers") claim now that the source is Snowden. I would if I were in their place.
ps you do know who Bruce is?
Yes, I do know who Bruce is. Do you? Did you actually read the piece[0] we are talking about?
Schneier himself seems to believe that the journalists are likely hacked, but that state actors have had this info long before Snowden:
""" Which brings me to the second potential source of these documents to foreign intelligence agencies: the US and UK governments themselves. I believe that both China and Russia had access to all the files that Snowden took well before Snowden took them because they've penetrated the NSA networks where those files reside. After all, the NSA has been a prime target for decades. """
and
""" The point I make in the article is that those nations didn't have to wait for Snowden. More specifically, GCHQ claims that "we have now seen our agents and assets being targeted." One, agents and assets are not discussed in the Snowden documents. Two, it's two years after Snowden handed those documents to reporters. Whatever is happening, it's unlikely to be related to Snowden. """.
Oh, and when you mention [ex]CIA employees, are you including the head of the CIA[1] or not? Cause, you know, that guy failed miserably at information security.
[0] https://www.schneier.com/blog/archives/2015/06/the_secrecy_o...
[1] https://en.wikipedia.org/wiki/Petraeus_scandal
And Petraeus shows that parachuting outsiders to the DCI's job isn't a good idea and also if your bonking a spook you don't behave like some 15 year old high school student.
Granted there are a couple hiccups moving from 9 to 10 but mostly (and understandably) it involved if you were calling Java directly. For the most part its pretty painless to upgrade.
At seven bucks a piece, this seems very cheap, especially for a rushed government purchase. Any thoughts? Am I missing something?
Likely the Unit thing was done to make the bureaucracy that pays for things happy. I have worked places where a 1,000 payments of $1 each was easy to make happen than one $600 purchase.
Let me get this straight. You had really sensitive data, you knew it wasn't secure and huge portions of the systems didn't have valid authorization procedures?
This is pretty eye opening, even for a governmental agency. The scary thing is, this is just the tip of the iceberg. It seems this breach was inevitable considering how many other EPIC FAILS are mentioned in the article.
from https://firstlook.org/theintercept/2015/06/12/data-breach-th...
The article also mentions a pending Supreme Court case (Spokeo v. Robins) which could "'open up the floodgate for lawsuits, in all contexts, but especially in data breach litigation'".
http://travel.state.gov/content/travel/english/news/technolo...