Major U.S. Hack by China. 4 Million Records Stolen!

U.S. Says Hackers Accessed Data of 4 Million Federal Workers | SecurityWeek.Com

"On Thursday afternoon, The U.S. Office of Personnel Management (OPM) said that it identified a “cybersecurity incident” in April 2015 that potentially exposed personnel data of upwards of 4 million current and former federal employees, including personally identifiable information (PII)."

Wow. Cyberwarfare is an area that really interests me.

Find more posts tagged with

Comments

Chinook

Truth is the bulk of hacking starts with social engineering of some sort. You probably didn't see the movie Blackhat but Hathaway (the hacker) is standing in this data-center that has been compromised. It's extensively firewalled and Hathway basically taps his finger on his access card on the guys shirt. (meaning it was a form of social engineer).

Like the movie or not, there is a great deal of truth to that. You can spend a lifetime attacking the perimeter of a network, but it's way easier to walk in with a USB drive, drop it in the bathroom stall & put a folder "hot girl pics" on it with a couple of PDF's with DNS redirectors, etc embedded in them. Why put in the effort of learning rare exploits and risk being caught?

IT security is too often seen as a technical only thing. It's not. As someone mentioned above, this is espionage & it includes all the players you'd find in a James Bond movie. The enemy has a Red Team. Each person is a specialist and some of those specialists are people with those USB keys or applying for a job with a fake resume with the goal of getting a tour.

World War 3 HAS already started. It's happening now. Take a look at Norse - IPViking Live and you can see the live action. Then there is the rise of cyber crime as a part of plain old run of the mill crime. Police are just catching on the but the criminals are 2 steps ahead. It won't be long until police forces have an extensive cyber crime division. Some forces can't even analyze a wiped smart phone (rookie level stuff).

And compounding the problem is that those with the hacker mindset often have a hat on that has anti-government streak. The government and military will have to understand that. In a place like the military you're going to have to recruit potential hackers who may not make boot camp let alone the fitness test.

MTciscoguy

In my buddies report/article, he simply stated, Arnold(Terminator) is not going to win this war, it is going to be somebody like the guys that stared in the Movie "Revenge of the Nerds", ladies and gentlemen, it is a whole new world.

JoJoCal19

I feel the US is going to end up on the losing end of the cyberwar. It seems like we are too busy being politically correct while other countries have no problem flaunting (even if they deny it on the front end) their state sponsored hacking groups. And someone mentioned it earlier in this thread, countries like China, North Korea, Russia, etc, they are taking these young kids who show promise in computer science and training them up. Meanwhile our gov is more concerned with making criminal examples out of the smart folks here.

LeBroke

MTciscoguy wrote: »

In my buddies report/article, he simply stated, Arnold(Terminator) is not going to win this war, it is going to be somebody like the guys that stared in the Movie "Revenge of the Nerds", ladies and gentlemen, it is a whole new world.

Played by Ryan Reynolds in glasses (cause he's a nerd!), obviously.

tpatt100

LeBroke wrote: »

Played by Ryan Reynolds in glasses (cause he's a nerd!), obviously.

Well Thor played a hacker recently.....

tpatt100

US Army website defaced by Syrian Electronic Army | Ars Technica

Early today, the official website of the US Army (www.army.mil) was defaced by attackers claiming to be with the Syrian Electronic Army. In addition to a message on the page claiming attribution, the attackers also included a pop-up message to anyone visiting: "Your commanders admit they are training the people they have sent you to die fighting.

renacido

JoJoCal19 wrote: »

I feel the US is going to end up on the losing end of the cyberwar. It seems like we are too busy being politically correct while other countries have no problem flaunting (even if they deny it on the front end) their state sponsored hacking groups. And someone mentioned it earlier in this thread, countries like China, North Korea, Russia, etc, they are taking these young kids who show promise in computer science and training them up. Meanwhile our gov is more concerned with making criminal examples out of the smart folks here.

The US offensive cyber capabilities are highly secretive, certainly within classified programs. And NSA cherry picks its share of geniuses from MIT and Stanford to fill it's needs.

The USA is widely considered by security researchers to be the only global cyber superpower. If you consider the capabilities reported in the Snowden link you have no reason to doubt that.

kurosaki00

I dont know about the US Goverment, but private entities need to step up the InfoSec infrastructure. I still stumble around with managers and Admins that give security no thought at all and consider stuff like this science fiction.

MTciscoguy

tpatt100 wrote: »

US Army website defaced by Syrian Electronic Army | Ars Technica

There is virtually nothing that they can do on that website, it has no real connection to the secure databases, it is simply an annoyance. I can hack virtually any regular website in the world and post annoying messages, we used to have that stuff happen almost daily when we first started the Iraq war and the Afghanistan war. Hacking the US Army propaganda website is not going to allow you access to anything really important.

tpatt100

MTciscoguy wrote: »

There is virtually nothing that they can do on that website, it has no real connection to the secure databases, it is simply an annoyance. I can hack virtually any regular website in the world and post annoying messages, we used to have that stuff happen almost daily when we first started the Iraq war and the Afghanistan war. Hacking the US Army propaganda website is not going to allow you access to anything really important.

They really don't have to get information from defacing a website, the point is to embarrass/make the news. The public doesn't know what they can or cannot get, all that matters is if the site is tied to something important even if it is by name only.

MTciscoguy

No Message

cyberguypr

More insight into this: Why the “biggest government hack ever” got past the feds

This sums it up pretty well: "Inertia, a lack of internal expertise, and a decade of neglect at OPM led to breach".

On one end you have the people who developed Stuxnet. On the other end you have agencies like OPM caught with their pants down missing basic controls. The gap between red and blue is gigantic and needs to be closed ASAP. I don't know you but I don't count on this happening any time soon.

N2IT

JoJo it really is exciting.

Throw up a road map on how to get there.

Cyberscum

cyberguypr wrote: »

More insight into this: Why the

This sums it up pretty well: "Inertia, a lack of internal expertise, and a decade of neglect at OPM led to breach".

On one end you have the people who developed Stuxnet. On the other end you have agencies like OPM caught with their pants down missing basic controls. The gap between red and blue is gigantic and needs to be closed ASAP. I don't know you but I don't count on this happening any time soon.

All doom and gloom. Im glad we share a lack of optimism about the situation.

Mitechniq

renacido wrote: »

You get no argument from me that the govt including DoD is behind the curve.

In supersecret cyberwar game, civilian-sector techies pummel active-duty cyberwarriors | Air Force Times | airforcetimes.com

I am little late in the game on this thread, so pardon me for maybe mentioning something that was already stated in the last 3 pages. I will start with the article mentioned by Renacido, understand this was not pure civilians as the title would like to allude but guard and reservist which also work on the civilian side in companies such as Oracle, Microsoft, RSA and Symantec to name a few. I can only speak for the Air Force but I would like to place a positive spin on DOD in Cyber Warfare.

The DOD is currently looking at creating Cyber Centers in highly IT concentrated cities such as Austin, San Fransisco and Seattle.
There is a Presidential Directive to create Cyber Protection Teams from Guardsmen, which can work within the State unlike it's active duty brethren based on US Title Code (10 vs 32). Currently in the state of Texas, we are currently working with Industrial Companies, Oil and the State Department to layout how we can create synergy amongst a diverse group of entities and requirements.
There is currently a program for AF Cyber Officer's to spend a year in Civilian Company SOC's around the US.
We currently send Air Force recruiters to Black Hat and other Hacking Conventions, these recruiters do not have a booth or where a uniform. You will not know they are recruiters unless they want you to join.

I was told a while back that we don't let any airmen off the street fly a F-16 yet we let them on the very Network we are trying to defend. Most, if not all public breaches have come from an internal user. This is the 'vampire effect', the vampire cannot come into your network unless you have given him permission (clicking on a link, inserting a media device, or opening an email).

Unlike other domains of war 'Land, Sea and Air', rest assure Cyber is one you will never know how good we actually are unless you have a 'NEED TO KNOW.'

Cyberscum

^^^
Understand that I agree that the DoD is taking cyber threats more serious. They are making attempts to resolve the situation as well. There is a lot of training available to our troops and DoD employees, but in my experience it seems to be a lack of motivation. Only on rare occasions do I see INFOSEC personnel that truly enjoy what they do. They are usually overtasked, burnt out or doing it only for money. They get sent to RMF, Net Sec, Pen Sec classes and come back with some cool drinking stories at most. There have been many that initially loved security, but have been beat down by the bureaucracy of the gov. I want to add that this problem is not just IT, many other career fields have similar complaints about their respective jobs.

Just my 2 cents.

Mitechniq

Cyberscum,

I think there is 2 realms that are very different in scope when it comes to DOD Cyber, your point of view is more in-line with Information Assurance (not quite sure why they changed the name to Cyber Security, I guess they didn't want to be left behind.) I would agree with your analysis and their mind set currently. Dealing with policies, scanning and telling people what not to do on the Network can be very cumbersome and most don't even have a technical background.. My point of view is Cyber Operations, Defense and Intel.. what I like to say the 'kids on the keyboard'. Our techniques, tactics in this realm is far superior then any other country.

Cyberscum

Mitechniq wrote: »

Cyberscum,

I think there is 2 realms that are very different in scope when it comes to DOD Cyber, your point of view is more in-line with Information Assurance (not quite sure why they changed the name to Cyber Security, I guess they didn't want to be left behind.) I would agree with your analysis and their mind set currently. Dealing with policies, scanning and telling people what not to do on the Network can be very cumbersome and most don't even have a technical background.. My point of view is Cyber Operations, Defense and Intel.. what I like to say the 'kids on the keyboard'. Our techniques, tactics in this realm is far superior then any other country.

I feel that the DoD needs to figure out a way to combine the two fields more appropriately. having techs with no policy exp or IAM's with no tech exp is a recipe for disaster. Many times I have seen one trying to circumvent the other.

I do agree Intel is tip of the spear.

renacido

Mitechniq wrote: »

Cyberscum,

I think there is 2 realms that are very different in scope when it comes to DOD Cyber, your point of view is more in-line with Information Assurance (not quite sure why they changed the name to Cyber Security, I guess they didn't want to be left behind.) I would agree with your analysis and their mind set currently. Dealing with policies, scanning and telling people what not to do on the Network can be very cumbersome and most don't even have a technical background.. My point of view is Cyber Operations, Defense and Intel.. what I like to say the 'kids on the keyboard'. Our techniques, tactics in this realm is far superior then any other country.

I'm retired AF, had a role in the manpower study that led to the creation of the 1B4 Cyber Ops AFSC, and worked with the AF Center for Cyber Research (though I wasn't assigned to them). I know the AF is working hard to develop and modernize it's cyber warfare capabilities. What the article I posted demonstrates and the point I wanted to make was the gap that exists in expertise between the private sector and defense sector, particularly in blue team/network defense. I was an ISSM/ISSO/IAM and I know first-hand. Too often the focus was on compliance. And IT operations always pushes back on security for the sake of usability. Too often the goal was complying with a somewhat arbitrary set of security controls, just enough to pass an external audit by the IG or AFCA or the MAJCOM IAM or whomever, and meeting the minimum necessary level of vulnerability remediation to keep critical systems from being quarantined or preventing a major incident that could be embarrassing to leadership.

Not nearly enough effort was put into assessing the threats and risks, or doing real internal security testing, auditing, assessing. Requirements were mandated from on high without the supporting training, expertise, guidance, etc., and so people did the best they could do to get their Approval To Operate and not fail their inspections. Compliance does not equal security.

People were put into security roles with little to no experience based on a job series, AFSC, MOS, and even 8570 was looked at more as guidance than strict policy (that I was an enclave ISSM/IAM-II for years and I'm JUST NOW submitting my CISSP endorsement application to ISC2 should tell you something). Even with 8570 the minimum training was provided to gain the minimum cert, additional training/certification was scorned as "resume fodder".

Hopefully in the 2+ years since I took off my uniform for the last time things have greatly improved. Hopefully there is way more interaction between the Red Team and the Blue Team than a silly pentest every once in a blue moon by some dudes from Lackland who drop an afiter-action report on the commander's desk and bounce without even talking to the Security team about their findings.

Cyberscum

And now it gets real.

Records from government data breach surface on 'darknet,' says expert | Fox News

Matt2

Keeps getting worse, sadly not surprised. Even the best efforts won't prevent breeches, but they should at least notice them a lot sooner!