Office of Personnel Management Data Hack

I don't have much to say about the recent hack of the US Office of Personnel Management, which has been attributed to China (and seems to be getting worse all the time). We know that government networks aren't any more secure than corporate networks, and might even be less secure.

I agree with Ben Wittes here (although not the imaginary double standard he talks about in the rest of the essay):

For the record, I have no problem with the Chinese going after this kind of data. Espionage is a rough business and the Chinese owe as little to the privacy rights of our citizens as our intelligence services do to the employees of the Chinese government. It's our government's job to protect this material, knowing it could be used to compromise, threaten, or injure its people -- not the job of the People's Liberation Army to forbear collection of material that may have real utility.

Former NSA Director Michael Hayden says much the same thing:

If Hayden had had the ability to get the equivalent Chinese records when running CIA or NSA, he says, "I would not have thought twice. I would not have asked permission. I'd have launched the star fleet. And we'd have brought those suckers home at the speed of light." The episode, he says, "is not shame on China. This is shame on us for not protecting that kind of information." The episode is "a tremendously big deal, and my deepest emotion is embarrassment."

My question is this: Has anyone thought about the possibility of the attackers manipulating data in the database? What are the potential attacks that could stem from adding, deleting, and changing data? I don't think they can add a person with a security clearance, but I'd like someone who knows more than I do to understand the risks.

Posted on July 1, 2015 at 6:32 AM • 53 Comments

Comments

Mitch • July 1, 2015 6:47 AM

People seem to forget about Data Integrity and just the confidentiality. Imagine if they manipulated everyone's security clearance level to the lowest or put in bogus findings that seemed real... The clean-up process would take years and millions of dollars.

evan • July 1, 2015 7:05 AM

This, to me, is a perfect illustration of how problematic the relationship between the NSA and the rest of national security community (not to mention the country) has become. Ensuring the security of US government information resources is an integral part of the agency's remit, but their mission to collect data on regular people in case it might become useful for them in the future confounds that. Even apologists for the NSA's grey (at best) ops insist that it keeps Americans safe. Well, here's an example of the NSA failing miserably at its job to protect America. If the NSA's contempt for your rights isn't enough to make you demand real change, then surely their incompetence is.

As the man predicted, we gave up our liberty in the name of security and we now have neither.

Rob • July 1, 2015 7:22 AM

"I don't think they can add a person with a security clearance"

Do you have any inside info on the hack that implies this? Seems like the secure thing to do is to assume that they could, unless proven otherwise. Such an ability would be very, very useful to an attacker, and I can't see someone with the access not doing that.

Martin • July 1, 2015 7:42 AM

If they can have somebody apply for a clearance, get declined, and then go into the database and change their score from "failed" to "no concerns at all, this person is eligible for the highest possible clearance" that would be effectively the same as being able to add new entries into the database from scratch.

Erik • July 1, 2015 7:44 AM

I can easily see a scenario where China knows they're not the only ones with this access, so they add/delete/change records they want the other intruders to find.

For instance if they're having trouble with a particular Russian person and they know Russia is also reading our personnel files, just add the Russian to the American payroll....

laughing man • July 1, 2015 8:21 AM

"I don't have much to say about the recent hack of the US Office of Personnel Management..." but I'm going to write a blog post about it. LOLOL.

Bruce, if you don't have anything to add, then don't blog.

PS You closing sentence should either end with "those risks" or "that risk", but certainly not "that risks."

paul • July 1, 2015 8:45 AM

What everybody else said: with so many millions of people in the database, being able to raise or lower clearance levels is as close to adding as makes no difference. Especially because the lowest levels are pretty much "hasn't lied about where they came from or been convicted of a really serious crime". Also, depending on how the database is managed, all-access hacking might include reviving dead people or renewing clearances that had been revoked.

What I'm wondering now is whether individual agencies maintain their own databases for compartmentalized clearances, because if not that would be a much more juicy target.

Geoff • July 1, 2015 8:46 AM

But with GCHQ able to spoof anything on the internet it could equally be the UK breaking in :-)

ramriot • July 1, 2015 8:52 AM

"My question is this: Has anyone thought about the possibility of the attackers manipulating data in the database?"

Aannnd, we have the question for next year's Security Theatre Competition!

In the same way recent DDOS attacks have been used to slow down access and divert human resources while the real attack happens elsewhere, the detection of a 'simple' data breach, indicating that an outside party may have copies of sensitive information, should, I think, render ALL the original information suspect where such information has no integrity checks or trustworthy outside confirmation of validity.

So if you are getting or have a newly security cleared person on site, please turn them away and send them back to the OPM for re-clearance; it is only prudent.

CallMeLateForSupper • July 1, 2015 8:52 AM

"laughing man" fancies him/herself the Spelling & Grammar Police. And falls on his/her sword:
"You closing sentence..." (Your closing sentence...")
"...either end with [x] or [y]..." ("...end with either [x] or [y]...")

I think a child got left behind.

AT • July 1, 2015 8:58 AM

Surely OPM has off-site backups that can be used to detect manipulation. Maybe security is not a real concern for them, but the issue of data loss has been around for a while.

Christopher • July 1, 2015 9:00 AM

Why else attack this system? Seriously, how long were they in there and how recently did they find out?

They could have been in there for years, slightly modifying and shaping security clearance, interview notes, etc.

If they were able to get in, it is highly unlikely they have any type of alerting or notification system for when records get "changed". Do you know of any company with that many records that would have a notification system in place for individual records being modified?

Look at Snowden! With his access he was able to get a treasure chest full of information. How long was it before they knew what he took and how he took it? I mean to this day, do they have any idea of ALL the material he was able to take?

Who's to say the NSA hasn't hacked into OPM so that they could easily place some agents in key positions around Washington, DC....


Sam • July 1, 2015 10:12 AM

@AT
> Surely OPM has off-site backups
It may be too much to assume that basic steps have been taken, given what we're reading. When did they last test restoring the backups, for example?

The linked article says: "Likely included in the hackers’ haul: information about workers’ sexual partners, drug and alcohol abuse, debts, gambling compulsions, marital troubles, and any criminal activity."

Even before considering data alterations - within the context of a wider scope of attacks including social engineering aspects, that's a horrific pile of leverage they just dug up.

albert • July 1, 2015 11:17 AM

Without details, who knows anything? Did the OPM hack even happen?

Leave the speculation to the TV fiction writers; they do a better job.

Then I wonder why this sort of thing is publicized. The 'first' hack was in 2013*. Now we got a big one*, just in time for the US/China talks. Just coincidence, I'm sure:)


First it was DPRK (OMG, Sony Media!) (https://twitter.com/DPRK_News), now it's China (USOPM). Will Russia be next? India? Brazil? Some other China-aligned SE Asian country? Place your bets. The US State Dept dweebs are hard at work, feeding the Propaganda Machine. Soon the entire Eurasian region will be demonized.

They, much to the chagrin of the USDoS, will never be marginalized.

Have a nice day,

.............................
*according to govt officials.

William J. Casey [former CIA head]: "We'll know our disinformation program is complete when everything the American public believes is false." from the 80's, how far have we fallen?

bob • July 1, 2015 11:31 AM

@laughing man

Ah, the irony of trolls:

Moans about having nothing to add - misses the last sentence.
Moans about having nothing to add - ignores that it's relevant to the subject of the blog.
Moans about having nothing to add - but can't not comment, even though it has nothing to add.
Moans about grammar - can barely string a sentence together.

Spaceman Spiff • July 1, 2015 11:36 AM

Manipulating data in the OPM databases? What a wonderful (sic) thought! Yes, this individual (who is one of our agents) has been fully vetted and able to take a sensitive position in the government!

Sorry folks (in the US OPM), but you need to wipe your databases completely, rebuild them to current security standards, and require ALL in the database to resubmit their personal data and bona fides ON PAPER! Nothing of this should be exposed to the internet. Everyone should have their background checks redone (my wife's cousin did this as a US Federal agent for years), and re-qualified.

I still remember the scandals of USSR infiltration of the UK govt. in the 1960s - Handy Mandy (Mandy Rice-Davies), Christine Keeler, et al during the Profumo affair.

Nick P • July 1, 2015 12:13 PM

@ Spaceman Spiff

That creates nearly as much risk as the computers. If it could even be done. Remember that those checking clearances were so underfunded there was a constant backlog. That's with a steady, manageable stream to check. Your proposal to input and check them all combined with that organization's rep means it could never happen. I agree they should keep it off the Internet, though. This is the kind of thing that should be on leased lines with line encryptors and several types of highly assured guards doing accountability if not attack prevention.

d33t • July 1, 2015 12:32 PM

From Benjamin Wittes' article:
"To put the matter simply, there's a huge double-standard at play here. In the wake of this spate of revelations, I'd like to hear some privacy advocate explain why I should continue to regard the world's great threat to privacy as NSA."

There is no double standard for me with regard to the OPM database theft, but a mix of standards exists in terms of thinking like a privacy advocate when thinking about this act. I don't think that the government employees who have now had their personal docs stolen by an unknown thief deserved to be doxed. I do think that a multitude of double standards exist within the US government, which of course is made up of government employees. I think that many other privacy advocates or people who are just interested in getting what we have promised ourselves on paper and supposedly fought for the last few hundred years probably see some irony in the theft. I doubt anyone in the media wants to say "I told you so" when it is still obviously too soon and many innocent people have been robbed due to gross negligence that will go completely unpunished.

A list of things come to mind when thinking about this breach of security:

1) Secretly undermined, weakened security standards are hard to cry about when the people responsible for weakening the security at the US Office of Personnel Management are likely in the database that was stolen. At least some or a lot of them. (If this is not true please somebody explicitly correct my statement)

2) NSA is responsible for eroding the security of database software and the crypto that sometimes comes with it; because of this, NSA is definitely, largely responsible for the breach.

3) If the people in the database sue the US Government (themselves) for damages maybe we will end up on the same side after all (doubtful).

4) In terms of advocating for the privacy of the people in the OPM database, if it was in fact China who stole the data (I doubt there is any real evidence) they are not bound by a contract with the American people, but the NSA is (still kind of). Breaching the Constitution by way of secret interpretations of law and making up your own laws does not let you off the hook for breaking the original laws billions and billions of times. (understatement)

5) This data can be used or sold many times over forever. Even the offspring of these people can be extorted or worse using this data. Maybe it will get sold back to NSA for use against their own people without oversight?

6) Quoting Hayden in an article about double standards and privacy advocates being bad guys for not advocating loudly enough is comic relief.

7) Privacy advocates have already attempted (and failed for now) to bring reason and order back to the US Government from a long, rancid bout of lawlessness and high crime conveniently excused by 9/11 or the threat of another (second hand smoke should be a greater fear). OPM victims are also slated for any benefits to come in the future if privacy advocates win.

8) If NSA is doing their "job", make an agreement with China not to use the information. Think "nuclear arms treaties".

9) If you want to hear from privacy advocates on your article or website, use something besides "Facebook" as the tracking / login wares.

10) There is more, but this list is getting boorish.

In terms of data being manipulated in the database itself, the attacker would have to manipulate all other past copies of the data as well in order for it to be a serious coup in that way. I don't see this as a real threat. I do see a deeply owned system as a threat, because future data could be tampered with invisibly. If this is not true, then I have lost some respect for Chinese government sanctioned hacking. After a breach of this magnitude (as well as others), I would assume all is lost in terms of security with regard to US government data. There is no money for politicians in protecting their own people based on results. Was this database really on the Internet?

You know I think it is really too bad that the US government has continued to vilify hackers in the US. They might be able to help build systems that are better than the snake oil garbage that the big corps are selling the American people. Real hackers don't tend to work for governments (especially governments that barely exist) though, so I guess snake oil it is.

I guess it's time to get ready for that great big IRS/Obamacare/Medicare et al data breach coming right up huh? Maybe it will happen while the two crime families and the other guys and gals are campaigning for President.

Duane • July 1, 2015 12:35 PM

It is an interesting question, but I doubt it for three reasons:

1) The primary aim would be to download a copy of the data. Learning the data structures and injecting a credible change would take more time.
2) I can't think of very many good strategic reasons to do it. If a foreign government had a mole they might want them to have increased access but it would be a risk that somehow they would slip up or the data would be compared against backups and the changes would be detected.
3) People with security clearance work with other people. It would seem unusual and likely noticed if a clerk suddenly found they had access to a wide amount of electronic records or their key cards opened many more doors.

rgaff • July 1, 2015 1:36 PM

Welcome to the party, NSA... you purposefully secretly weaken all computers and electronics and standards worldwide so you (and everyone!) can snoop more easily, yet we have the most computers and electronics in the world in this very country, making us the most vulnerable to your shenanigans... What you (NSA) have done to us (and to yourself!) should be considered criminal, and you all belong in prison! That's all I have to say about the OPM hack.

joe • July 1, 2015 1:53 PM

@Duane: "It is an interesting question, but I doubt it for three reasons"

4th reason (a corollary to Reason 1): Rather than change records to sneak a mole in, the foreign government now has access to the personal secrets of thousands of potential moles that they could turn.

FreeSpeech • July 1, 2015 1:53 PM

Let's beat down this frequent false equivalence between the actions of criminal governments and the actions of democratic governments. Governments that don't allow their subjects a reasonable approximation of freedom of speech are far over on the criminal side of the spectrum of decent to criminal governments. Those criminal governments don't have a right to hack any democratic government, they have a right to go to prison.

And don't let it confuse the issue that every government commits some crimes and commits some infringement of freedom of speech. That doesn't make all governments the same or even close. People can have reasonable disagreement about exactly how much freedom of speech should be allowed and exactly what is a crime or legitimate government activity. But governments that disallow freedom of political speech are easy to separate out from the gray area, way over into clearly illegitimate criminal governments.

Omri • July 1, 2015 4:18 PM

If I found someone in that database that I wanted to blackmail, and wanted to get away with it as long as possible, the first thing I'd do is sanitize his security clearance file. Let Uncle Sam forget about Mr. DoD Employee's embarrassing incident that night at ComicCon, while I discreetly remind him of it in order to procure what I want.

Bruce Schneier • July 1, 2015 5:18 PM

"Bruce, if you don't have anything to add, then don't blog."

I think that occasionally, but if I did it I wouldn't post 3/4 of what I post. So I've decided that posting things I find interesting is a positive thing, even if I don't have anything to add.

In this case, though, I did have something to add to the debate: the last paragraph.

"PS You closing sentence should either end with 'those risks' or 'that risk', but certainly not 'that risks.'"

Fixed. Thank you.

tyr • July 1, 2015 5:24 PM

After reading Zuboff's paper I'm wondering if this breach was by a non state actor. It was a treasure trove of information available to anyone with a bit of technical competence. So far there is no indicator of ethical behavior in the corporate surveillance sector.

I know this flies in the face of the hysterical desires for a simple answer to every question but it might be worth a look.

rgaff • July 1, 2015 6:16 PM

@FreeSpeech

So a government and top country ruler that orders indiscriminate killing of medical workers... is that a "decent" or "criminal" government? Or does it sound more like something that should be put on trial for war crimes? Here: http://www.bbc.com/news/world-us-canada-24557333

And a government that directly goes against its own constitution and bill of rights and the international human rights declaration that it's a signee on, I suppose that's the very definition of "decent" behavior... right? You're so full of it.

Justin • July 1, 2015 6:28 PM

@ Bruce Schneier

My question is this: Has anyone thought about the possibility of the attackers manipulating data in the database? What are the potential attacks that could stem from adding, deleting, and changing data? I don't think they can add a person with a security clearance, but I'd like someone who knows more than I do to understand the risks.

Do you really think that someone who is familiar with the issues, understands the risks, and knows more than you do, is going to post it on your blog? We already discussed this in the comment section on one of your other posts, and I certainly gave my opinion. People could go through a lot of hassle or unnecessary extra investigation, or even be fired if they end up with incorrect information on their forms SF-86. I don't know any more than you do, and nobody who does is likely to post here. There is only so much to say on the topic.

@ rgaff

Now what government are you representing here?

Larry Edelstein • July 1, 2015 7:13 PM

But Bruce - why don't you have anything to add? Or at least, why so little to say? This is the worst breach of security in my lifetime. I'm finding it hard to maintain my composure, because I see the ramifications as disastrous. Is this quote - "This is not the end of American human intelligence, but it’s a significant blow" - inaccurate? If not, why are you not trumpeting this issue? Who gives a crap about anything else?

@Ladlestein

rgaff • July 1, 2015 8:25 PM

@ Justin

Are you asking me of what country I am a citizen? I live in and am a citizen of the good ol' US of A! I am ashamed of it. I have lived in other countries for a number of years though, if you search my history of postings here and do some analysis you might be able to guess which ones and when.

Anyone who thinks we don't need no stinkin' Constitution and Bill of Rights and wants to just trash it all to get "better security" needs to move to one of those other countries that has no such freedom and see what it's like first!

JonKnowsNothing • July 1, 2015 8:30 PM

re: Bruce's opening line:
I don't have much to say about the recent hack of the US Office of Personnel Management

I would think that anyone who's read anything about the current state of the internet would be able to "read the tea leaves" here. 18,000,000+ records and details on every Federal employee doesn't require a lot of commentary. (per Reuters and the FBI)

re: closing request

My question is this: Has anyone thought about the possibility of the attackers manipulating data in the database?

I would have thought by now, anyone with even a smidgen of tech-NO-how-NO-way would have understood that the manipulation of data is On Going and as Pervasive as the surveillance itself. Data presented to courts can be and is falsified at any point along the routes of transmission. We no longer have "paper archives" or "clay tablets"; we have 101010101010. Flip a bit, and fry someone. There is no truth left to be found inside any digital database. Any admin or person with access can alter the contents and those who tunnel under the floorboards are there to do exactly that.

A forum spammer used to post "Real Fake Passports for Sale!". Now, they can omit the "Fake" part.

Why anyone with the technical expertise of people reading this forum would even consider that anything on the internet or held in the cloud or even air-gasping-at-straws would be "un altered" would sure put to the question: "Who ARE they working for?"

The Intercept has a timely piece: How Photography Can Destroy Reality
Even professional photographers cannot hold back from manipulating the 10101010101010s

How Photography Can Destroy Reality https://firstlook.org/theintercept/2015/07/01/how-photography-can-destroy-reality/ (url fractured to prevent auto-run. remove the space from the header) (/blockquote)

JonKnowsNothing • July 1, 2015 8:35 PM

Hmmmm Anyone able to twiddle the 1010101 of my post to fix the URL issue? Maybe remove the syntax error while you're in there...

Thanks NSA! You guys are THE BEST!

NSA • July 1, 2015 8:52 PM

@ JonKnowsNothing

Glad to help. We're only here to improve reality as you know it. :)

PeterH • July 1, 2015 10:43 PM

@ Bruce S

"My question is this: Has anyone thought about the possibility of the attackers manipulating data in the database?"

I'm not in the "know" but your question has a logical answer. It doesn't matter. Just like people can lie and then try to beat lie detectors, the authenticity of data in db could be manipulated at rest, upon entry, or given. If there's a bit to be flipped to show whether s/he passed a lie detector, then it could be manipulated right in the db post investigation, but I doubt it's that easy. It simply shouldn't work that way, otherwise we'd have lost both world wars.

65535 • July 1, 2015 11:59 PM

“Has anyone thought about the possibility of the attackers manipulating data in the database? What are the potential attacks that could stem from adding, deleting, and changing data? I don't think they can add a person with a security clearance…” –Bruce S.

If there is a flurry of “unnamed sources” in the NYT or other top media outlets that say, “No. That's impossible,” then you can assume it has probably been done.

There are other tests, such as keeping a check on those with Security Clearances and seeing if they have to “re-submit” or take polygraph tests on a wide basis [there are bound to be leaks]. There are probably other tests which experts can easily think up. Got any ideas Clive R?

Mic • July 2, 2015 1:04 AM

Why don't they simply import a database dump which restores the database to its status right before the attack was carried out?

I'm fully aware that it isn't that easy, but for data as sensitive as this, special precautions should have been taken.

Just my 0.02€

Mic

name.withheld.for.obvious.reasons • July 2, 2015 4:57 AM

@ Bruce Schneier

So I've decided that posting things I find interesting is a positive thing, even if I don't have anything to add.

A week ago I posted a supposition: the DoD has recently completed the first phase of its "Continuous Evaluation" program, a hybrid of the NSA system tied to clearance holders. This means that individuals, 100,000 of them, were being monitored in real-time for compliance respecting one of the individual's clearances. In short, real-time and bulk data convolved with other records of a security clearance holder...it's not clear if triggering modifies the status of the holder automatically...

My suspicion is it works like this, a server-based application constantly tracks inputs for clearance holders across a series of intel databases--the reference database, the start of the first tuple, is more than likely coming from OPM. I don't know if there is bi-directional access (in/out) and MAC level access (move, add, change).

The CE program is only described in summary but appears in current reports regarding the DoJ and ODNI. The CE program is nearing full operation; the thing I found most interesting about the program is that SA-1, SA-2 level personnel are exempt from scrutiny under the CE program. This should make lower level personnel very happy to be working for their boss under a different, better than you, umbrella.

Clive Robinson • July 2, 2015 7:04 AM

@ Mic,

Why don't they simply import a database dump which restores the database to its status right before the attack was carried out?

Prob 1 - when did the attack start, and how do you know?

Prob 2 - do you know the backup system has not been got at?

Thus going back to a point before the attack, is almost impossible to judge. Then there are other issues to consider,

Prob 3 - in that time how many records have been added, modified, updated or deleted officially?

It quickly becomes clear that a total start from scratch from paper records etc is required, which brings up the next set of issues,

Prob 4 - do non electronic records exist?

Prob 5 - are the paper records complete?

Prob 6 - are the paper records in a usable format?

But to address Bruce's modification issue, if the paper records are incomplete or unavailable what do you do?

The sensible thing is to ask everybody to fill them in again from scratch. But what do you do when the new forms differ from the current electronic records?

Whilst there are "issues" there are not of necessity "solutions" for those issues, and worse, many solutions will throw up more issues.

Are things resolvable with what they currently have on paper or untainted electronic records --if such exist--? The simple answer is not easily, if at all.

Thus the final solution they come up with will almost certainly be an unreliable fudge, even if they do start again from scratch...
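The integrity question raised by Mitch at the top of the thread, and the "surely there are backups" / "has the backup been got at?" exchange between AT, Mic and Clive, both come down to the same mechanism: a trustworthy baseline to compare against. The following added example (my own illustration, not code from the post, the commenters or OPM) shows one way to build that baseline with per-record HMAC tags, seal the baseline itself so that a tampered backup is rejected rather than trusted, and classify records as changed, added or deleted. The record layout, the field names, the key and every sample row are constructed for the demo and are not any real schema.

```python
"""
Added example, not code from the original post or any commenter: detecting
added, deleted and changed records by comparing the live table against an
integrity baseline of per-record HMAC tags, and sealing the baseline itself
so an attacker who also rewrites the backup is still caught.
Record layout, field names, key and all sample rows are constructed.
"""
import hashlib
import hmac
import json

# Constructed demo key. In practice it lives on a host that neither the
# database nor its administrators can reach; whoever can read it can re-tag
# anything they change, and the check is then blind.
INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed toy data: the baseline snapshot taken before the incident
# window, and the current state of the same table after an intrusion.
BASELINE_ROWS = [
    {"id": 1001, "name": "A. Example", "clearance": "SECRET", "adjudication": "favorable"},
    {"id": 1002, "name": "B. Example", "clearance": "NONE", "adjudication": "denied"},
    {"id": 1003, "name": "C. Example", "clearance": "TOP SECRET", "adjudication": "favorable"},
]
CURRENT_ROWS = [
    {"id": 1001, "name": "A. Example", "clearance": "SECRET", "adjudication": "favorable"},
    # 1002: adjudication quietly flipped from "denied" to "favorable"
    {"id": 1002, "name": "B. Example", "clearance": "TOP SECRET", "adjudication": "favorable"},
    # 1003 is gone; 1004 never existed in the baseline
    {"id": 1004, "name": "D. Example", "clearance": "SECRET", "adjudication": "favorable"},
]


def canonical(row):
    """Deterministic serialization: equal content must give equal bytes."""
    return json.dumps(row, sort_keys=True, separators=(",", ":")).encode()


def record_tag(row, key):
    """Keyed tag over one record; only a holder of `key` can produce a valid one."""
    return hmac.new(key, canonical(row), hashlib.sha256).hexdigest()


def build_baseline(rows, key):
    """id -> tag for every record; this is what the off-site copy stores."""
    return {row["id"]: record_tag(row, key) for row in rows}


def seal_baseline(baseline, key):
    """One tag over the whole id->tag map, so edits to the baseline are detectable."""
    manifest = json.dumps(sorted(baseline.items())).encode()
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()


def baseline_intact(baseline, seal, key):
    """Clive's Prob 2: decide whether the backup itself can be trusted."""
    return hmac.compare_digest(seal, seal_baseline(baseline, key))


def diff_against_baseline(baseline, rows, key):
    """Classify ids as changed, added or deleted relative to the baseline."""
    current = {row["id"]: row for row in rows}
    changed = sorted(
        i for i in baseline
        if i in current and not hmac.compare_digest(baseline[i], record_tag(current[i], key))
    )
    added = sorted(i for i in current if i not in baseline)
    deleted = sorted(i for i in baseline if i not in current)
    return {"changed": changed, "added": added, "deleted": deleted}


def audit(baseline, seal, rows, key):
    """Refuse to report a diff from a baseline that fails its own seal."""
    if not baseline_intact(baseline, seal, key):
        raise ValueError("baseline seal mismatch: backup itself may have been altered")
    return diff_against_baseline(baseline, rows, key)


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_ROWS, INTEGRITY_KEY)
    seal = seal_baseline(baseline, INTEGRITY_KEY)
    print(audit(baseline, seal, CURRENT_ROWS, INTEGRITY_KEY))
```

Two design points matter more than the code. First, the tags only answer "did this record change since the snapshot?"; a record that was already wrong when the snapshot was taken (Clive's Prob 1) passes unchanged, so the baseline is only as good as the date it was taken. Second, the seal is what turns a backup into evidence: without it, an intruder who can write to both the live table and the backup simply re-tags the altered rows and the diff reports nothing, which is why the key has to be held somewhere the compromised systems cannot read.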

Curious • July 2, 2015 8:23 AM

Some thoughts from someone who isn't particularly knowledgeable about OPM:

I am wondering if maybe some of the records at OPM contain intentionally faked information, perhaps offering plausible deniability or a fake persona for people that perhaps work as spies and whatnot. Using the same photo for lots of individual records would stand out (as if there were multiple files for multiple identities of any one individual).

I don't know if the following is even relevant, but I guess it might be bad if someone like OPM had records on 100% of government personnel, for which people doing clandestine stuff simply were omitted from being recorded at all, which might perhaps have them stand out like a sore thumb so to speak, if the entire record was compromised and if such people were observed in some capacity that would have them tagged as working together with say military or other personnel in security/clandestine services.

Having said that, it is unclear to me if something like OPM has records on 100% of people working for the government in non trivial positions.

LessThanObvious • July 2, 2015 1:35 PM

The OPM breach in addition to all the other scary possibilities serves as a reminder to me how inadequate our current means of identifying people has become. We use social security numbers often in combination with other "things you know" which generally are data points like DOB, mother's maiden name and a collection of other odd questions that anyone willing to spend some research time could often find out somewhat easily.

It's time to start treating the social security number as nothing more than an account number for your social security benefits and not as an item with any value for secure identification. Anything shared with multiple other humans and written on multiple forms has very little value for positive ID.

I've had thoughts like adding an electronic tokenization system to government issued IDs, but I'm curious what others in the security community think would be practical with regard to implementation expense, usability and security capability.

Hah • July 2, 2015 2:21 PM

Well perhaps people will now properly consider that *anyone* possessing such detailed information on them is a risk, and therefore be disinclined to work for the government. What a win that would be!

moz • July 2, 2015 5:09 PM

The way I would manipulate the database is to make sure that people who were serious about security and protecting the American people had something small but damning added to their profile and reduce or remove their clearance. At the same time, if people looked like irresponsible hackers and peeping toms then I would delete bad signs from their profile and give them an extra level or two of clearance.

Of course this would never work, but if it did you would be able to tell. You would end up with an insecure NSA that was very good at breaking into things and full of people, especially at senior level, who believed in spying on people even at the cost of the security of their own country. I'd then use their incompetence to syphon data off "secure" US networks and into my own databases.

Bit far-fetched though, don't you think?

chris lJuly 2, 2015 7:58 PM

@LessThanObvious
Gov't IDs already have a tokenization system in them-- the DOD CAC and the HSPD-12 PIV-II cards are basically the same thing, and store the user information, some biometrics (fingerprint points, and I think your picture, too), and a certificate that has to be renewed periodically. In principle they're used as part of a secure login system for gov't computers, but many systems don't support it, and there are circumstances that it doesn't deal well with. It's not uncommon for one person to be operating multiple computers at once, each of which may or may not need network access, and may or may not be on the same network.

I think SSN has been dead for a while as "ID" - a lot of systems still demand it because it hasn't been coded out, but there's starting to be recognition that it's useless as a secret number or password.

As far as what you can do with improving identification-- the most you can ever do with an ID is verify that the person using it is the person you gave it to, and even that's iffy for most forms of ID. The problem that many organizations, including the US gov't, have is confusing identity with intentions or suitability. Identity doesn't tell you much, and as has been repeatedly pointed out with respect to aircraft security, if everybody and their bags get thoroughly inspected before getting on, it really doesn't matter who or how evil they are-- they don't have the resources to do much badness.

@moz
You were supposed to save that for the next movie plot contest!

fajensenJuly 3, 2015 3:41 AM

If one can change the personnel records, one can do either a serious DoS attack or a really insidious one:

If, say, 10-25% of the employees and contractors suddenly lose their clearance due to fake records, that would be bad - but wasteful.

One could also do something else entirely, look up the few(!) people who are competent and who perform outstandingly, then arrange only for those people to lose their clearance. Using bureaucracy to cleanse the enemy government of competence and skill, without killing anyone - that would be brilliant, and very effective*.

As a casual observer of recent US foreign policy .... I have formed the opinion that rebuilding the entire staff-roster from scratch would be the only way to be sure.

chris lJuly 3, 2015 12:05 PM

I work at a place where essentially everyone is a contractor who has been investigated by OPM (at least SF85) and there's a fairly large population of cleared people (SF86) who are likely to have had their PII lifted in the OPM attacks. I just today finally got a warning email that there have been spearphishing attacks masquerading as both OPM and CSID (the company contracted by OPM to do credit protection).

This does bring up a significant issue of authentication-- the agency I work for (and presumably most others) contracts out a lot of services where it's critical that one be able to authenticate the source of a message. The credit protection contract is one, and our emergency contact system is another-- they periodically do tests and send out bunches of emails and voicemails from what appears to be a strange source. It's been pointed out at least a few times that this is a potential source of confusion and spoofability, but there's no indication of any plans to change it or add some way to authenticate.

William PayneJuly 3, 2015 1:50 PM

In terms of the risks associated with the covert manipulation of data by hostile actors, both in terms of likelihood and potential for damage caused, I think we need to look beyond state-on-state aggression:

For example, I would have thought that fund managers and traders of currency and national debt related financial instruments would be prime targets for the attentions of state signals intelligence agencies.

If they were careful, and went about things systematically, small manipulations of the figures stored in a handful of Excel spreadsheets over extended periods of time could plausibly have enormous long term repercussions on the fiscal position and economic security of various states.

Of course, this is purely speculative, but still well within the bounds of plausibility given the capabilities that states (and other non-state actors) all around the world have at their disposal.

Jesse ConroyJuly 3, 2015 4:54 PM

Go to the Big Window in Vegas. Put every dollar you can lay hands on that the key hack is an inside job. Sure, the Chinese have pressed against these walls for a long time, but the door was opened from inside the palace. It's an inside job. 100%

JustinJuly 3, 2015 7:37 PM

@Jesse Conroy

See, Bruce? Somebody who might know what he's talking about...

fajensenJuly 6, 2015 1:57 AM

@William Payne
Of course, this is purely speculative,
No, it is not. Systematic fraud and money-laundering in the financial industry is well documented and numerous settlements have been made - even up to single-digit percentages of the loot when the authorities got really "tough".

Loretta Lynch, who is now the Attorney General(!), forced the HSBC execs to postpone bonuses as "penalty" for HSBC's money-laundering for Mexican cartels running into billions of USD.

As they say in Japan: The fish rots from the head!

LessThanObviousJuly 6, 2015 5:51 PM

@chris l

Do you think that the technology used by smartcards or DOD CAC and the HSPD-12 PIV-II cards would be a practical means of identity verification for every U.S. citizen for stopping identity theft and other such crimes?
