Lord of Laziness
Registered: May 2001
Location: Over there
Top 10 List: < click >
| That Federal Employee data breach wasn't a hack...We gave the Chinese direct access willingly
The US agency plundered by Chinese hackers made one of the dumbest security moves possible
Jun. 18, 2015, 3:54 PM
Office of Personnel Management (OPM) Director Katherine ArchuletaAPOffice of Personnel Management director Katherine Archuleta testifies on Capitol Hill in Washington, June 16, 2015.
Contractors in Argentina and China were given "direct access to every row of data in every database" when they were hired by the Office of Personnel Management (OPM) to manage the personnel records of more than 14 million federal employees, a federal consultant told ArsTechnica.
The massive breach of OPM's database — made public by the Obama administration this month — prompted speculation over why the agency hadn't encrypted its systems, which contain the sensitive security clearance and background information for intelligence and military personnel.
Encryption, however, according to Ars, would not have helped in this case because administrators responsible for managing these records had root access to the system, Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified yesterday at a two-hour hearing before the House Oversight and Government Reform Committee.
And it turns out that a systems administrator responsible for handling the agency's records "was in Argentina and his co-worker was physically located in the [People's Republic of China]," a consultant who worked with an OPM-contracted company told ArsTechnica.
"Both had direct access to every row of data in every database: they were root."
Experts and politicians are now lambasting the US government for the way agency handled IT security.
"OPM is right in general that encryption is not magic security butter," Dave Aitel, CEO of cybersecurity firm Immunity Inc., told Business Insider. "But the committee is also right in that OPM was massively negligent."
All told, 65% of OPM's data was stored on systems lacking proper security certification, Ars reports, meaning the data was vulnerable to far more people than just those with root access and valid login credentials.
"They [the unsecured systems] were in your office, which is a horrible example to be setting," House Oversight Chairman Jason Chaffetz (R-Utah) told Archuleta during the hearing.
"OPM's data security posture was akin to leaving all your doors and windows unlocked and hoping nobody would walk in and take the information," Chaffetz added.
Office of Personnel Management
The OPM IT team frequently outsources its work to foreign contractors working in their home country. Those holding Chinese passports are no exception.
"Another team that worked with these databases had at its head two team members with [People's Republic of China] passports," the consultant told Ars. "I know that because I challenged them personally and revoked their privileges."
"From my perspective, OPM compromised this information more than three years ago," he added. "And my take on the current breach is 'so what's new?'"
In fact, the breach was unprecedented in its breadth and scope: "Security-wise, this may be the worst breach of personally identifying information ever," Michael Borohovski, CEO of Tinfoil Security, told Business Insider on Friday.
Federal employees and contractors who want government-security clearance have to disclose virtually every aspect of their lives via a 120-page SF 86 questionnaire, which is then stored on OPM's unencrypted database.
The OPM also "conducts more than 90% of all federal background investigations, including those required by the Department of Defense and 100 other federal agencies," Reuters reported last week.
Experts fear the stolen information could be used by the Chinese government to blackmail, exploit, or recruit US intelligence officers, compromising the success and safety of agents operating at home and abroad.
Let me get this straight, no one in the government thought it would be a bad idea to give Chinese nationals direct access to our entire federal employee database? Why do we even contract stuff like this to foreign nationals? There should be a law requiring that only US citizens can work on government projects. It's bad enough we outsource private sector jobs overseas. Of course now it's probably too late for that cause the Chinese government can blackmail any of them will all of their personal data.
"Tresor never sleeps"
Report this post to a moderator | IP: Logged