Major U.S. Hack by China. 4 Million Records Stolen!

JoJoCal19 Mod Posts: 2,835
U.S. Says Hackers Accessed Data of 4 Million Federal Workers | SecurityWeek.Com

"On Thursday afternoon, The U.S. Office of Personnel Management (OPM) said that it identified a “cybersecurity incident” in April 2015 that potentially exposed personnel data of upwards of 4 million current and former federal employees, including personally identifiable information (PII)."

Wow. Cyberwarfare is an area that really interests me.
Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework

Comments

    zxbane Member Posts: 740
    I just assume none of my information is safe honestly. If it isn't this, it's Target, Home Depot, Blue Cross Blue Shield etc. Comes with the times I guess.
    Deathmage Banned Posts: 2,496
    What's the point of next-generation firewalls then... or were these records stolen from unsecured networks?
    Khaos1911 Member Posts: 366
    Just got offered a Cyber IT position with a gov't contractor who wants me to do cyber work for a three letter gov't org. After reading this, my rate just went up.
    MTciscoguy Member Posts: 552
    I spent close to 30 years in the Army, was a commissioned officer that graduated from West Point, was wounded in 1991 in Iraq and refused to be retired, so I ended up in basically electronic intelligence gathering and spent 14 years in the Pentagon Cyber Warfare division. Believe me, this is going to be how wars are fought in the future, and the loss of men in Afghanistan and Iraq, although terrible, is nothing compared to what we will deal with in the future.

    If you are just starting out, start studying cyber security and cyber warfare and understand it; you will never hurt for a good paying job. This I know for a fact!
    Current Lab: 4 C2950 WS, 1 C2950G EI, 3 1841, 2 2503, Various Modules, Parts and Pieces. Dell Power Edge 1850, Dell Power Edge 1950.
    renacido Member Posts: 387
    Deathmage wrote: »
    What's the point of next-generation firewalls then... or were these records stolen from unsecured networks?

    Next-gen firewalls are great but it takes a lot more than that to make a network secure.
    TheFORCE Member Posts: 2,297
    It does not matter if you have the greatest and latest tool. Nothing is perfect and there are flaws in these tools. What IT Security needs are tools AND PEOPLE! People that make sense of the data, that can rationalize and reason. If you had a sports car, would you let an inexperienced driver race in it or would you rather have an experienced driver on your team? It is people that IT needs and we need to train them and the government needs to train them! Just like the military troops, you go in the army and they train you; it should be the same for IT. This is what China does: they go to schools and get the smartest kids and they groom them to become IT pros, hackers, programmers, DBAs, engineers, etc.
    jvrlopez Member Posts: 913
    At least I've never (to my knowledge) given any of my financial information to OPM...
    And so you touch this limit, something happens and you suddenly can go a little bit further. With your mind power, your determination, your instinct, and the experience as well, you can fly very high. ~Ayrton Senna
    nascar_paul Member Posts: 288
    jvrlopez wrote: »
    At least I've never (to my knowledge) given any of my financial information to OPM...

    I think that you've defined the real problem. Due to the growing "Internet of Things" LOTS of data about your life and history are being collected by local, state and federal agencies. Then you've got vendors (big and small). Pretty soon, you'll have to live in a cabin to not have your life history spread out among a myriad of corporate and government servers.
    That's when it becomes a big deal that we're falling behind. If it hasn't already. Well, that and when the traffic lights or water filtration goes out because our networks aren't hardened sufficiently.
    2017 Goals: 70-411 [X], 74-409 [X], 70-533 [X], VCP5-DCV [], LX0-103 [], LX0-104 []
    "I PLAN to fail!" - No One Ever
    tpatt100 Member Posts: 2,991
    Just got done uploading all of my photos to Google last night, come get me!
    kiki162 Member Posts: 635
    Most people would be surprised at the lack of security and change control in place within gov't institutions outside of DoD. Would love to see OPM in general change their hiring practices within the Federal Government so they can attract and retain some of the top IT Security Pros out there, and for gov't agencies to TRAIN their people properly, instead of slapping 8570 on them every 3 years.

    Send them to some of the SANS or other security conferences out there. Train these people like other countries are training theirs. How much do you want to bet that there are a ton of federal employees working in infosec that would love to get their hands dirty? Yet the gov't only requires IAT II or III for most positions, and there are no funds to send them to training. Same thing with the contractors out there. I've talked to so many gov't employees over the years, and pretty much all of them have said there's no motivation unless the job requires it.
    NetworkNewb Member Posts: 3,298
    tpatt100 wrote: »
    Just got done uploading all of my photos to Google last night, come get me!

    ohhh snap, the gauntlet has been thrown!!
    tpatt100 Member Posts: 2,991
    The federal government is a hodgepodge of various newer and legacy systems that need to share information. I saw a contract once for upgrading and properly integrating the systems for the Department of Labor that was for something like dozens of different systems across fifty states. It's going to take some serious time/MONEY/labor to get the government to a certain baseline. I am not sure how OPM's systems are, but I figure these legacy networks are going to be the Achilles' heel for the government.
    philz1982 Member Posts: 978
    I can't wait for my favorite Podcast to discuss this.
    TechxWizard Member Posts: 36
    I'm not surprised. 99% of our stuff is made in China.
    bermovick Member Posts: 1,135
    kiki162 wrote: »
    Most people would be surprised at the lack of security and change control in place within gov't institutions outside of DoD.

    This isn't just outside DoD. Our NIPR network here is woefully insecure. Access ports that aren't shut down or in a parking VLAN, R/W SNMPv2 communities, you name it.
    Latest Completed: CISSP

    Current goal: Dunno
    renacido Member Posts: 387
    The most likely source of the attack is APT-1, and a lot of their known methods (you can find the Mandiant reports on this easily) are phishing and other client-based attacks on vulnerable endpoints / untrained employees.

    Harden the perimeter all you want, if you see "security" as just perimeter defense and network security you're gonna get breached via an uneducated user clicking on stupid crap from an unpatched machine.

    THIS is one of the main reasons why I've become somewhat of an activist here for considering APPLICABLE SKILLS AND TRAINING based on the specific infosec role, not just doing a damned keyword search on indeed.com and getting a CISSP when you NEED to be solid at hands-on intrusion analysis or auditing or application security. Same applies to those who think OSCP covers all things security just because it's difficult.
    beads Member Posts: 1,531
    And the Russians appear to have broken into the German Government, shutting down many parts of that system. So? This is espionage. You folks have to stop once in a while and ask why these institutions are targets in the first place. What is the reward these people are seeking? Unless you're working off some bizarre model unavailable to me, you come to work, wherever that may be, for a reason, like money/salary. You don't show up because you have nothing better to do, right?

    So ask yourself what's in it for the hackers in this case? Is it money? Fraud? To embarrass the US Government? Or perhaps they were drag netting for personal information to possibly compromise US Government employees? Well, that last one is a pretty exhaustive list of potential candidates to mess with. Also happens to be very old school espionage at the beginning of a compromise of an individual.

    We need to start thinking a bit more as intelligence analysts at times and less about the individual data points.

    - b/eads
    renacido Member Posts: 387
    beads wrote: »
    And the Russians appear to have broken into the German Government, shutting down many parts of that system. So? This is espionage. You folks have to stop once in a while and ask why these institutions are targets in the first place. What is the reward these people are seeking? Unless you're working off some bizarre model unavailable to me, you come to work, wherever that may be, for a reason, like money/salary. You don't show up because you have nothing better to do, right?

    So ask yourself what's in it for the hackers in this case? Is it money? Fraud? To embarrass the US Government? Or perhaps they were drag netting for personal information to possibly compromise US Government employees? Well, that last one is a pretty exhaustive list of potential candidates to mess with. Also happens to be very old school espionage at the beginning of a compromise of an individual.

    We need to start thinking a bit more as intelligence analysts at times and less about the individual data points.

    - b/eads

    Good point, and if you are working in IT, especially in security, and not looking at the threat environment, not assessing risk on a regular basis (which means considering motive and targets from the attacker's viewpoint), then your security apparatus is just a game of whack-a-mole.

    Might start a thread for sharing links for advanced threat intelligence sources and reviews...
    LeBroke Member Posts: 490
    Next generation firewalls are especially amazing when you have barely-secured terminal servers, and a completely unsecured file share holding all kinds of documents only marginally less important than SIN numbers and credit card data.

    This is a multinational firm of 10,000 employees my friend recently started to work at.

    ...Any attempts to remediate it have been met with "but we have important data on there that we can't move," and "I don't have the time to set up NFS permissions, submit a change request to risk management, have them approve it, then create requests with Systems. Oh yeah, we will also need permission from any department such as Finance and Marketing, since they have data on there."
    renacido Member Posts: 387
    LeBroke wrote: »
    Next generation firewalls are especially amazing when you have barely-secured terminal servers, and a completely unsecured file share holding all kinds of documents only marginally less important than SIN numbers and credit card data.

    This is a multinational firm of 10,000 employees my friend recently started to work at.

    ...Any attempts to remediate it have been met with "but we have important data on there that we can't move," and "I don't have the time to set up NFS permissions, submit a change request to risk management, have them approve it, then create requests with Systems. Oh yeah, we will also need permission from any department such as Finance and Marketing, since they have data on there."

    Even better are the "we can't apply security controls to protect our biggest targets because they're too sensitive."

    - "We're exempting our C-level executives because they don't want to be hassled by security." Right, they're only the biggest targets for phishing or data theft.

    - "We're not obligated by our regulators to do that." Right, because as long as you're compliant with the law, hackers can't attack you.

    - "We CAN'T run those scans on our database servers, that's where we keep our crown jewels and the execs don't want to risk a service interruption from a scan in progress." Yeah, because the minuscule risk of a minor degradation of performance caused by our carefully planned and tested scanning policy far outweighs the risk of the catastrophic, financially ruinous, headline-producing breach due to servers left unpatched and vulnerable to known exploits.

    Welcome to infosec.
    bpenn Member Posts: 499
    kiki162 wrote: »
    Most people would be surprised at the lack of security and change control in place within gov't institutions outside of DoD. Would love to see OPM in general change their hiring practices within the Federal Government so they can attract and retain some of the top IT Security Pros out there, and for gov't agencies to TRAIN their people properly, instead of slapping 8570 on them every 3 years.

    Send them to some of the SANS or other security conferences out there. Train these people like other countries are training theirs. How much do you want to bet that there are a ton of federal employees working in infosec that would love to get their hands dirty? Yet the gov't only requires IAT II or III for most positions, and there are no funds to send them to training. Same thing with the contractors out there. I've talked to so many gov't employees over the years, and pretty much all of them have said there's no motivation unless the job requires it.

    As a government contractor, I completely agree. 8570 requirements are a joke and don't really teach us anything. The only way I stay current and with the times is studying for certs in my spare time and using FED VTE.
    "If your dreams don't scare you - they ain't big enough" - Life of Dillon
    bpenn Member Posts: 499
    bermovick wrote: »
    This isn't just outside DoD. Our NIPR network here is woefully insecure. Access ports that aren't shut down or in a parking VLAN, R/W SNMPv2 communities, you name it.

    Here at Eglin, the base has port security turned on and it is extremely difficult to get connectivity unless everything matches the entry in our network database repository. The last base I frequented didn't have port security turned on; it was chaos.
    "If your dreams don't scare you - they ain't big enough" - Life of Dillon
    Cyberscum Member Posts: 795
    Not surprised. The DoD is decades behind in IA/cyber security. Getting a system accredited in any capacity for any base is like swimming in the ocean, doing the backstroke, against the current, with a 450lb weight tied to your leg, with one arm and no fingers and 2 thumbs on the hand you have.

    It will never change in my opinion... Too many retired top level GS's that don't care and just want to get another retirement from the gov.

    ...This will be a trend that becomes more and more public.
    LeBroke Member Posts: 490
    renacido wrote: »
    Even better are the "we can't apply security controls to protect our biggest targets because they're too sensitive."

    - "We're exempting our C-level executives because they don't want to be hassled by security." Right, they're only the biggest targets for phishing or data theft.

    - "We're not obligated by our regulators to do that." Right, because as long as you're compliant with the law, hackers can't attack you.

    - "We CAN'T run those scans on our database servers, that's where we keep our crown jewels and the execs don't want to risk a service interruption from a scan in progress." Yeah, because the minuscule risk of a minor degradation of performance caused by our carefully planned and tested scanning policy far outweighs the risk of the catastrophic, financially ruinous, headline-producing breach due to servers left unpatched and vulnerable to known exploits.

    Welcome to infosec.

    Nah, once in a while you've got some good ones. I'm a Linux server admin, though I've done infosec on the side for a few years. IT manager:

    "Oh, you have a hacking background? Great, if you can break into our (old, shitty, hard to support) webapp that two customers insist on using, that'll finally give us a good reason to deprecate it."

    Meanwhile, senior admin: "yeah, I love security too. We really need to find holes in our systems so we can patch them out. Just don't run any scans on any production systems so performance doesn't suffer."
    Cyberscum Member Posts: 795
    ^^^^
    I hear ya, but patching/firewalls/defense in depth etc... is not going to fix the problem. The problem is undereducated "cyber security" experts working for the gov that ONLY use software/hardware to defend their networks. Using a GUI to "eliminate" hackers like it's a video game or something.

    It's too late in the game to train these employees to the amount of expertise needed to defend us.

    We're better off outsourcing security at this point ;)
    jvrlopez Member Posts: 913
    LeBroke wrote: »
    Nah, once in a while you've got some good ones. I'm a Linux server admin, though I've done infosec on the side for a few years. IT manager:

    "Oh, you have a hacking background? Great, if you can break into our (old, shitty, hard to support) webapp that two customers insist on using, that'll finally give us a good reason to deprecate it."

    Meanwhile, senior admin: "yeah, I love security too. We really need to find holes in our systems so we can patch them out. Just don't run any scans on any production systems so performance doesn't suffer."

    This. I've come across the "this asset is too important to interrupt so don't target it proactively" attitude so much it's hilarious. Meanwhile I'm asked to target standalone machines for vulnerabilities that aren't even remotely a concern for the box.
    And so you touch this limit, something happens and you suddenly can go a little bit further. With your mind power, your determination, your instinct, and the experience as well, you can fly very high. ~Ayrton Senna
    TheFORCE Member Posts: 2,297
    LeBroke wrote: »
    Next generation firewalls are especially amazing when you have barely-secured terminal servers, and a completely unsecured file share holding all kinds of documents only marginally less important than SIN numbers and credit card data.

    This is a multinational firm of 10,000 employees my friend recently started to work at.

    ...Any attempts to remediate it have been met with "but we have important data on there that we can't move," and "I don't have the time to set up NFS permissions, submit a change request to risk management, have them approve it, then create requests with Systems. Oh yeah, we will also need permission from any department such as Finance and Marketing, since they have data on there."

    This is happening everywhere! And it is one of the hardest things to change! People are animals of habit; cultural change is hard to bring about!
    renacido Member Posts: 387
    Cyberscum wrote: »
    ^^^^
    I hear ya, but patching/firewalls/defense in depth etc... is not going to fix the problem. The problem is undereducated "cyber security" experts working for the gov that ONLY use software/hardware to defend their networks. Using a GUI to "eliminate" hackers like it's a video game or something.

    It's too late in the game to train these employees to the amount of expertise needed to defend us.

    We're better off outsourcing security at this point ;)

    According to forensic reports and trend analysis from Mandiant (FireEye) and Verizon, the most common attack vector used in 2014 and so far in 2015 was spear phishing. Of all recipients of a phish, 23% opened the email and 11% opened an attached file. If you're not rocking a security awareness program for your users, your stats are probably even higher.

    For 99.9% of all exploited vulnerabilities, the associated CVE was published over a year prior and the patch to remediate the vulnerability was available for several months (71% had patches released >1 year prior to exploit). The most reliable indicator that a vulnerability would be successfully exploited in 2014 was that the CVE was added to Metasploit. So this shows that vulnerability scans and patching are still absolutely critical, and contrary to what some here believe, 99.9% of all exploits are not done by some genius in a loft somewhere in Russia finding, deftly evading and exploiting zero-days with Python and Bash scripts he bangs out on the fly like some James Bond villain; to the contrary, the exploit tool of choice among blackhats is the very same that they teach in that "out-dated" "script kiddie" C|EH curriculum.

    2015 Data Breach Investigations Report (DBIR) | Verizon Enterprise Solutions

    https://www.mandiant.com/resources/mandiant-reports/
    Cyberscum Member Posts: 795
    renacido wrote: »
    According to forensic reports and trend analysis from Mandiant (FireEye) and Verizon, the most common attack vector used in 2014 and so far in 2015 was spear phishing. Of all recipients of a phish, 23% opened the email and 11% opened an attached file. If you're not rocking a security awareness program for your users, your stats are probably even higher.

    For 99.9% of all exploited vulnerabilities, the associated CVE was published over a year prior and the patch to remediate the vulnerability was available for several months (71% had patches released >1 year prior to exploit). The most reliable indicator that a vulnerability would be successfully exploited in 2014 was that the CVE was added to Metasploit. So this shows that vulnerability scans and patching are still absolutely critical, and contrary to what some here believe, 99.9% of all exploits are not done by some genius in a loft somewhere in Russia finding, deftly evading and exploiting zero-days with Python and Bash scripts he bangs out on the fly like some James Bond villain; to the contrary, the exploit tool of choice among blackhats is the very same that they teach in that "out-dated" "script kiddie" C|EH curriculum.

    2015 Data Breach Investigations Report (DBIR) | Verizon Enterprise Solutions

    https://www.mandiant.com/resources/mandiant-reports/

    I'm only referring to DoD secure nets, good info though.