ALERT U.S. data hack may be 4 times larger than the government originally said

Housecarl

On TB every waking moment
For links see article source.....
Posted for fair use.....
http://www.cnn.com/2015/06/22/politics/opm-hack-18-milliion/index.html

First on CNN: U.S. data hack may be 4 times larger than the government originally said

By Evan Perez and Shimon Prokupecz, CNN
Updated 1:37 AM ET, Tue June 23, 2015

Washington (CNN) The personal data of an estimated 18 million current, former and prospective federal employees were affected by a cyber breach at the Office of Personnel Management - more than four times the 4.2 million the agency has publicly acknowledged. The number is expected to grow, according to U.S. officials briefed on the investigation.

FBI Director James Comey gave the 18 million estimate in a closed-door briefing to Senators in recent weeks, using the OPM's own internal data, according to U.S. officials briefed on the matter. Those affected could include people who applied for government jobs, but never actually ended up working for the government.

The same hackers who accessed OPM's data are believed to have last year breached an OPM contractor, KeyPoint Government Solutions, U.S. officials said. When the OPM breach was discovered in April, investigators found that KeyPoint security credentials were used to breach the OPM system.

Some investigators believe that after that intrusion last year, OPM officials should have blocked all access from KeyPoint, and that doing so could have prevented more serious damage. But a person briefed on the investigation says OPM officials don't believe such a move would have made a difference. That's because the OPM breach is believed to have pre-dated the KeyPoint breach. Hackers are also believed to have built their own backdoor access to the OPM system, armed with high-level system administrator access to the system. One official called it the "keys to the kingdom." KeyPoint did not respond to CNN's request for comment.

U.S. investigators believe the Chinese government is behind the cyber intrusion, which is considered the worst ever against the U.S. government.

OPM has so far stuck by the 4.2 million estimate, which is the number of people so far notified that their information was compromised. An agency spokesman said the investigation is ongoing and that it hasn't verified the larger number.

The actual number of people affected is expected to grow, in part because hackers accessed a database storing government forms used for security clearances, known as SF86 questionnaires, which contain the private information of multiple family members and associates for each government official affected, these officials said.

OPM officials are facing multiple congressional hearings this week on the hack and their response to it. There's growing frustration among lawmakers and government employees that the Obama administration's response has minimized the severity of the breach.

OPM's internal auditors told a House Oversight and Government Affairs Committee last week that key databases housing sensitive national security data, including applications for background checks, had not met federal security standards.

"Not only was a large volume (11 out of 47 systems) of OPM's IT systems operating without a valid Authorization, but several of these systems are among the most critical and sensitive applications owned by the agency," Michael Esser, OPM's assistant inspector general for audits, wrote in testimony prepared for the committee.

Katherine Archuleta, who leads OPM, is beginning to face heat for her agency's failure to protect key national security data -- highly prized by foreign intelligence agencies -- as well as for how slowly the agency has provided information.

Rep. Stephen Lynch, D-Mass., at a hearing last week told Archuleta: "I wish that you were as strenuous and hardworking at keeping information out of the hands of hackers as you are at keeping information out of the hands of Congress."

_____

Officials: SECOND hack exposed Military and Intel data
Started by Possible Impact, 06-12-2015 02:23 PM
http://www.timebomb2000.com/vb/show...s-SECOND-hack-exposed-Military-and-Intel-data

The chinks hacked the US Office of Personnel Management
Started by mzkitty, 06-04-2015 02:40 PM
http://www.timebomb2000.com/vb/show...d-the-US-Office-of-Personnel-Management/page3

Chinese Hackers Prepare Battlespace for War with America
Started by Safecastle, 06-09-2015 08:34 AM
http://www.timebomb2000.com/vb/show...kers-Prepare-Battlespace-for-War-with-America

How the U.S. thinks Russians hacked the White House
Started by TerriHaute, 04-07-2015 02:24 PM
http://www.timebomb2000.com/vb/show...e-U.S.-thinks-Russians-hacked-the-White-House
 

Publius

TB Fanatic
It's possible to set a trap if it's the Chinese gov doing the hack, and they would need to enlist the help of Bill Gates.
 

Sacajawea

Has No Life - Lives on TB
Don't forget the IRS hack.

Honestly, I don't think it's the Russians or the Chinese. The "motive" just isn't there, IMO.
 

Melodi

Disaster Cat
Cool, wonder if they got mine.
Very likely, be ready to change all your passwords and watch your credit cards and bank accounts like a hawk. It doesn't matter if you didn't even take the job or if the investigation was in 1980; it is pretty easy once someone has your Social Security number (not supposed to be used as ID but is) to find most modern records; then move on to everyone you listed as a contact, reference or relative.

As I mentioned in the bomb shelter thread and can repeat here (we have a check-in thread for those affected who have bomb shelter access) - when I was helping people fill out that blasted SF 86 form, part of my job was calling references. Because our office had lawyers, law clerks and other professionals, sometimes this meant I had (from the forms, mind you) the personal contact number of Justices of the Supreme Court, Governors of US States, Senators and Representatives, Mayors and other worthies. I never actually had to do a reference call for a sitting US President, but I contacted just about everyone else (and some other clerks DID talk to current and former Presidents if someone had been an aide, clerk, intern etc).

Of course when I was doing this work, we kept everything on paper and in a locked safe; very little of it except credit reports (which we also had to look up) were on the PROMIS software (yeah that stuff, the same stolen by Iraq to run their military and so insecure when I moved on to another job one sleepy morning I put in the old codes by accident and presto was back in my old agency files - I reported this accidental breach but talk about NO security).

I wonder just how the US government is really going to get out of this one; the potentials for personal damage are just appalling and my hunch is they will quietly pass a bill at 3am (a rider of course) limiting responsibility or payouts to very few people and in relatively small amounts; the number of people potentially affected is just staggering.

And that's just the personal stuff, I didn't even go into all the REAL national security issues, compromised agents and the like.
 

Dozdoats

On TB every waking moment
Oh well.

That just means there is one more backup out there for all my stuff besides the NSA. Now I can ask the Chinese too.
 

Broken Arrow

Heathen Pagan Witch
Very likely, be ready to change all your passwords and watch your credit cards and bank accounts like a hawk. It doesn't matter if you didn't even take the job or if the investigation was in 1980; it is pretty easy once someone has your Social Security number (not supposed to be used as ID but is) to find most modern records; then move on to everyone you listed as a contact, reference or relative.

I guess top secret isn't so secret anymore :)
 

mistaken1

Has No Life - Lives on TB
OPM officials are facing multiple congressional hearings this week on the hack and their response to it. There's growing frustration among lawmakers and government employees that the Obama administration's response has minimized the severity of the breach.

I am holding my breath waiting for accountability ...... from a group who believe all of their problems are someone else's fault.
 

Possible Impact

TB Fanatic
They had full root access credentials to the entire Department Of the Interior (DOI),
which manages the shared service data center that houses OPM's servers.


United States Department of the Interior (DOI)
https://en.wikipedia.org/wiki/United_States_Department_of_the_Interior
Operating units




The hierarchy of the U.S. Department of the Interior.



  • Assistant Secretary for Policy, Management, and Budget
    • Deputy Assistant Secretary for Policy and International Affairs
      • Office of Environmental Policy and Compliance
      • Office of International Affairs
      • Office of Native Hawaiian Relations
      • Office of Restoration and Damage Assessment
      • Office of Policy Analysis
    • Deputy Assistant Secretary for Budget, Finance, Performance and Acquisition
      • Office of Budget
      • Office of Financial Management
      • Office of Planning and Performance Management
      • FBMS Program Management Office
      • Office of Acquisition and Property Management
      • Office of Small and Disadvantaged Business Utilization
    • Deputy Assistant Secretary for Human Capital & Diversity
      • Office of Human Resources
      • Office of Occupational Safety and Health
      • Office of Strategic Employee and Organizational Development
      • Office of Youth, Partnerships and Service
      • Office of Civil Rights
    • Deputy Assistant Secretary for Technology, Information and Business Services
      • Office of Collaborative Action and Dispute Resolution
      • Office of Valuation Services
      • Interior Business Center
      • Office of Hearings and Appeals
      • Office of Facilities and Administrative Services
      • Office of the Chief Information Officer
    • Deputy Assistant Secretary for Public Safety, Resource Protection and Emergency Services (DAS-PRE)
      • Office of Emergency Management (OEM)
      • Office of Law Enforcement and Security (OLES)
      • Office of Wildland Fire
      • Office of Aviation Services (OAS)
      • Interagency Borderland Coordinator
    • Deputy Assistant Secretary for Natural Resources Revenue Management
      • Office of Natural Resources Revenue
  • Assistant Secretary for Fish, Wildlife, and Parks
  • Assistant Secretary for Indian Affairs
    • Deputy Assistant Secretary for Management
      • Office of the Chief Financial Officer (OCFO)
      • Office of the Chief Information Officer (OCIO)
      • Office of Human Capital Management (OHCM)
      • Office of Planning and Policy Analysis (OPPA)
      • Office of Facilities, Environmental and Cultural Resources (OFECR)
    • Deputy Assistant Secretary for Policy and Economic Development
      • Office of Indian Energy and Economic Development (IEED)
      • Office of Indian Gaming (OIG)
      • Office of Self-Governance (OSG)
    • Bureau of Indian Affairs (BIA)
      • Office of Indian Services (OIS)
      • Office of Field Operations (OFO)
      • Office of Justice Services (OJS)
      • Office of Trust Services (OTS)
    • Bureau of Indian Education (BIE)
    • Office of External Affairs
      • Office of Congressional and Legislative Affairs (OCLA)
      • Office of Public Affairs (OPA)
    • Office of Federal Acknowledgment (OFA)
    • Office of Regulatory Management (ORM)
  • Assistant Secretary for Land and Minerals Management
  • Assistant Secretary for Water and Science
  • Assistant Secretary for Insular Affairs
  • Solicitor
    • Office of the Solicitor (SOL)
  • Office of the Inspector General (OIG)
    • Office of General Counsel
    • Assistant Inspector General for Investigations
      • Office of Investigations
    • Assistant Inspector General for Audits, Inspections, and Evaluations
      • Office of Audits, Inspections, and Evaluations
    • Assistant Inspector General for Management
      • Office of Management
    • Associate Inspector General for External Affairs
    • Associate Inspector General for Whistleblower Protection
    • Strategy Management Office
    • Associate Inspector General for Communications
  • Chief Information Officer
  • Special Trustee for American Indians

 

Sacajawea

Has No Life - Lives on TB
PI, sounds like they grabbed a whole bunch of stuff... just to hide the bits they were really after, in a huge stack of other stuff.
 

Melodi

Disaster Cat
PI, sounds like they grabbed a whole bunch of stuff... just to hide the bits they were really after, in a huge stack of other stuff.
Well and they can (and reportedly are) make money selling the basic information on Joe and Jane employee for 10 to 25 cents a page on the "Dark Net" for spammers and hackers...so even that is useful if not really needed.
 

Wilbur

Senior Member
Some investigators believe that after that intrusion last year, OPM officials should have blocked all access from KeyPoint, and that doing so could have prevented more serious damage. But a person briefed on the investigation says OPM officials don't believe such a move would have made a difference. That's because the OPM breach is believed to have pre-dated the KeyPoint breach. Hackers are also believed to have built their own backdoor access to the OPM system, armed with high-level system administrator access to the system. One official called it the "keys to the kingdom." KeyPoint did not respond to CNN's request for comment.

Throw enough money at CONgress and they will be willing to overlook anything. I am sure KeyPoint wrote some large checks after the initial data breach.
 

Carl2

Pass it forward...
Article from a few days ago at arstechnica:

http://arstechnica.com/security/2015/06/encryption-would-not-have-helped-at-opm-says-dhs-official/


Encryption “would not have helped” at OPM, says DHS official

Attackers had valid user credentials and run of network, bypassing security.

by Sean Gallagher - Jun 16, 2015 1:22pm MDT

' ' ' "Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project "was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is 'so what's new?'"
 

Sacajawea

Has No Life - Lives on TB
Yep; I know that. And while I can't possibly imagine all that this could mean... I've got enough of a picture.
 

Melodi

Disaster Cat
I still can't tell yet if this was the unintended consequences of the unending push to "out source" work that then goes to the "lowest bidder" even when dealing with top secret and confidential information; or if this was an intentional "hit" by China or another State/Private entity that saw a perfect opportunity and ran with it.

It could even be a case of both. Americans, especially those in the intelligence and military fields I've noticed, often have a personal bias where they can only see US Citizens or their friends as Patriotic. The idea that someone from China, Russia, Poland or even Iran might be Patriotic to their own country is often beyond them. Sometimes they do understand it in Russians but not always even then; so there is a tendency to think that people will "turn traitor" or "respect" the US in place of their home country, and that simply isn't always true.

I mean I can imagine the struggle of a Chinese programmer living outside of China that discovers the Americans are insane and just gave him the root codes to their entire security systems for confidential information.

Now speculate that the person either is a good Chinese citizen and/or his elderly parents, sister and nephew still live in China and he gets a call from the Chinese embassy along the lines of "we hear you have an interesting new job, we take the safety of all our citizens very seriously; we understand your parents' home may be in the way of some demolition to re-build a New China and that your nephew's exam results are under consideration...would you like to tell us about your new job?"....
 