Major U.S. Hack by China. 4 Million Records Stolen!

renacido

Cyberscum wrote: »

Im only refering to DoD secure nets, good info though

You get no argument from me that the govt including DoD is behind the curve.

In supersecret cyberwar game, civilian-sector techies pummel active-duty cyberwarriors | Air Force Times | airforcetimes.com

MTciscoguy

Cyberscum wrote: »

^^^^
I hear ya, but patching/firewalls/defense in depth etc... is not going to fix the problem. The problem is undereducated "cyber security" experts working for the gov that ONLY use software/hardware to defend their networks. Using a GUI to "eliminate" hackers like its a video game or something.

Its too late in the game to train these employees to the amount of expertise needed to defend us.

Were better off outsourcing security at this point

Do you now, or have you worked for the DOD? I am just wondering, I spent 30 years in the Army and many of those years were in the Pentagon, working in Cyber Security, Cyber Warfare and Intelligence Gathering.

I can tell you for a fact, things are getting tougher in the DOD and newer employees are being trained to stop intrusions by criminals and foreign governments. It is not an overnight process when dealing with an entity that is the largest employer in the country. There are many things that have been and are being implemented to stop this crap.

Cyberscum

^^^^
Yes and yes. I completely disagree.

bermovick

As do I. I see it on a near-daily basis.

Cyberscum

@Ciscoguy
I will say that the Army seems to have a better understanding of RMF implementation than other branches...
Thats not saying much though

cynicbeard

Deathmage wrote: »

what's the point of next-generation firewalls then....or where these records stolen from unsecured networks?

That's only the network perimeter and you would also be relying on the NGFW to detect the breach. Insider threat, APT? There are many more layers. I am curious to see the anatomy of the breach.

MTciscoguy

If you want to see some big strides in security, we need to start taking our youngest and brightest gamers and put them into state sponsored schools, like the Chinese do at the ages of 5 and 6 and start teaching the techniques and methods for large scale cyber warfare. That is how the spies of the cold war were trained and that is how it is done in the day of electronics, of course the public would not stand for their children being snatched away and immersed in government programs to infiltrate other countries inner systems.

I to would be very interested in seeing the anatomy of this last breach, I have worked with some of my past friends when breaches have happened and they were simple screw ups on our side.

MTciscoguy

Cyberscum,

I would be interested in your clearance level. Are you working directly for the DOD, or are you working for a DOD contractor? Just curious?

cynicbeard

Wow... I just read that the data dates back to 1985.

philz1982

@zxbane.

I like the Defensive Security Podcast. Good, stuff.

philz1982

MTciscoguy wrote: »

Do you now, or have you worked for the DOD? I am just wondering, I spent 30 years in the Army and many of those years were in the Pentagon, working in Cyber Security, Cyber Warfare and Intelligence Gathering.

I can tell you for a fact, things are getting tougher in the DOD and newer employees are being trained to stop intrusions by criminals and foreign governments. It is not an overnight process when dealing with an entity that is the largest employer in the country. There are many things that have been and are being implemented to stop this crap.

I consult for Large private, public, and government agencies. I will tell you there are so many back-end systems and un-tested integration links out there. There are systems publicly exposed using HTTP with all the code on the client side if you know where to look.

Additionally, there is a big problem with social engineering. I watched an e-mail with a file titled finances float around an undisclosed companies email server, and you could tell who opened the email because all the sudden their email account was sending out the email. It was interesting to watch this in real-time. The scary thing is the people who opened the e-mail considered themselves "computer experts"....

MTciscoguy

philz1982 wrote: »

I consult for Large private, public, and government agencies. I will tell you there are so many back-end systems and un-tested integration links out there. There are systems publicly exposed using HTTP with all the code on the client side if you know where to look.

Additionally, there is a big problem with social engineering. I watched an e-mail with a file titled finances float around an undisclosed companies email server, and you could tell who opened the email because all the sudden their email account was sending out the email. It was interesting to watch this in real-time. The scary thing is the people who opened the e-mail considered themselves "computer experts"....

I am not disagreeing at all with you Phil, there are lots of little things that are done wrong that add up to big things going wrong, but I know there are things that are being done to help combat some of this stuff. Despite the fact, I worked for the government for close to 30 years, I am no government cheer leader in any way shape or form.

Where I get a bit irritated is when people keep bashing and saying they are not doing anything to prevent things, especially those who do not have the higher clearances that I hold. Many would be surprised, during my time there were certain breaches we knew were coming and actually allowed to happen so we could up our knowledge level of how they were doing it. There are a lot of big chiefs in the government and all of them think they know what is best, with that attitude prevalent, you find a lot of different dept's fighting between themselves, so much so, they forget what their purpose really is!

With so many competing interests in the government, I don't know that it will ever be completely fixed.

Cyberscum

MTciscoguy wrote: »

Cyberscum,

I would be interested in your clearance level. Are you working directly for the DOD, or are you working for a DOD contractor? Just curious?

Your funny

renacido

There is a ton of open source reporting from the top forensics and incident response consultants where they give (non-attributable) data and statistics on thousands upon thousands of reported breaches. There is also tons of advanced threat intelligence information out there, some free some available by paid subscription. If you aren't looking at this stuff you're fighting while blindfolded.

Phishing, credential theft, unpatched vulnerable systems, uninspected SSL, unsecured remote access, and weak VPN security - THIS is how the bad guys are hitting us.

We simply cannot do our jobs anymore without looking at this stuff:

Are we giving all our users security awareness training so they can spot a phish and they know what's at stake if they abuse the security policy?

Are we still using single-factor authentication to allow remote access?

Are we filtering HTTP traffic but letting them get to whatever via HTTPS?

Are we scanning, testing, auditing, and patching ALL of our systems? Especially the critical ones that they don't want you to scan for "performance" reasons?

Are your sys admins not patching for old CVEs because they think those don't matter now because they're old?

Is your application whitelisting software deployed to your critical systems, or does your boss not allow that because those are delicate little flowers?

Are you scanning and auditing your headquarters and datacenters but ignoring the remote offices?

Do you have adequate security controls for provisioning your client VPN certificate?

Buying the newest shiny security tool is not enough. Compliance with NIST, HIPAA, GLBC, PCI-DSS, etc is NOT ENOUGH. Securing the perimeter and not worrying about the rest because you were a network engineer and that's your comfort zone is NOT gonna get it done.

We need full spectrum security based on a solid understanding and analysis of the threat environment and risk. The threat intelligence is out there and easily accessible.

renacido

MTciscoguy wrote: »

Cyberscum,

I would be interested in your clearance level. Are you working directly for the DOD, or are you working for a DOD contractor? Just curious?

Let's not ask each other to reveal what security clearances we have. For all I know you could be a member of APT1 asking questions from an office in Beijing. Or someone like that could be lurking on this thread. Capiche?

MTciscoguy

Cyberscum wrote: »

Your funny

Why is that funny, I said I would be interested in knowing. I didn't expect you to disclose anything It seems you and I have different opinions on things, so what, does not mean either of us are bad guys, just stuck up IT geeks!

MTciscoguy

renacido wrote: »

Let's not ask each other to reveal what security clearances we have. For all I know you could be a member of APT1 asking questions from an office in Beijing. Or someone like that could be lurking on this thread. Capiche?

Well you can rest assured I am not that, and I didn't expect him to disclose, it was a rhetorical statement, I would not disclose my clearances either.

And there is no need to "Capiche"

renacido

MTciscoguy wrote: »

Where I get a bit irritated is when people keep bashing and saying they are not doing anything to prevent things, especially those who do not have the higher clearances that I hold.

Those who don't have clearances you have obviously have not worked on networks cleared to that level so assume that their commentary is not germaine to the security provisions of those classified networks.

MTciscoguy wrote: »

Many would be surprised, during my time there were certain breaches we knew were coming and actually allowed to happen so we could up our knowledge level of how they were doing it.

I really hope you were doing this on a honeynet, not on an operational DoD network.

MTciscoguy wrote: »

There are a lot of big chiefs in the government and all of them think they know what is best, with that attitude prevalent, you find a lot of different dept's fighting between themselves, so much so, they forget what their purpose really is!

With so many competing interests in the government, I don't know that it will ever be completely fixed.

100% agree.

renacido

MTciscoguy wrote: »

And there is no need to "Capiche"

My bad. I didn't mean any disrespect but that does come across as smug.

MTciscoguy

renacido wrote: »

My bad. I didn't mean any disrespect but that does come across as smug.

No big deal, I am just throwing wood on the fire at this point, everybody has their opinions and all of our levels of knowledge is different, we are just a bunch of computer/network people sitting around having beers and "discussing" things.

renacido

I do love that we are talking about this and sharing our views, if we as security pros did this a lot more there would be fewer breaches.

Desire Inspires

What are the hackers going to do with all of this data?

MTciscoguy

Desire Inspires wrote: »

What are the hackers going to do with all of this data?

Does it really matter, all it takes is one and then it will be a successful hack, what they do with it, really does not matter.

As this was a Chinese Sponsored Hack, I am sure they were not looking for financial information, they were probing to see what they could find.

bermovick

It might be nice to contract working on a network that took security seriously for once.

The beginning of this year I set up wifi for G6. They installed a dot1x authenticator and had the wifi controller redirect users to a webpage requiring a name, phone number and email ..... none of which was verified. No firewall is installed. No filters or site blockers. NAT is the sole layer of security.

renacido

MTciscoguy wrote: »

Does it really matter, all it takes is one and then it will be a successful hack, what they do with it, really does not matter.

As this was a Chinese Sponsored Hack, I am sure they were not looking for financial information, they were probing to see what they could find.

Actually matters a lot. They stole PII and information regarding personnel and security clearances. Which I assume means they got everything submitted to adjudicate SSBIs. That is very valuable intel. Remember all the info you put in your SF86 for your clearance? That and the DIA's investigation record is in Chinese hands now.

Chinese hackers have been caught red-handed in industrial espionage as well, and this has been well documented by Mandiant and others. They DO go after financial info, intellectual property, proprietary info, PII, all of it. Much of Chinese industry is nationally-owned. Cyberwarfare to China is total warfare - military, political, economic.

MTciscoguy

renacido wrote: »

Actually matters a lot. They stole PII and information regarding personnel and security clearances. Which I assume means they got everything submitted to adjudicate SSBIs. That is very valuable intel. Remember all the info you put in your SF86 for your clearance? That and the DIA's investigation record is in Chinese hands now.

Chinese hackers have been caught red-handed in industrial espionage as well, and this has been well documented by Mandiant and others. They DO go after financial info, intellectual property, proprietary info, PII, all of it. Much of Chinese industry is nationally-owned. Cyberwarfare to China is total warfare - military, political, economic.

Again, you and I have a difference of opinion on this issue.

renacido

MTciscoguy wrote: »

Again, you and I have a difference of opinion on this issue.

http://intelreport.mandiant.com/

MTciscoguy

renacido wrote: »

http://intelreport.mandiant.com/

OK, that works for me

LeBroke

Comrades, I am really liking ze direkshen zis topik is taking. I vud really like some more information everyvan is toking about to show to Tovarisch Putin.

MTciscoguy

I just read an intelligence article by a buddy of mine who still works in the Pentagon and I will revise my opinion on the implications of this hack.