Evan Harper • October 26, 2016 1:57 PM

.rar files are used to store compressed data and are often employed by hackers to shrink files for efficient exfiltration

whoa if true

ramriot • October 26, 2016 2:09 PM

One worrying point is that the article says no use has been detected for the information exfiltrated.

Couple that with the admission that much of their data did not have solid integrity assertions and you come to the worrying potential that perhaps the 'theft' was not the overall game plan.

Perhaps the long term goal here is to introduce or alter information in OPM's database to allow or hide real world espionage actions.

Ross Snider • October 26, 2016 2:30 PM

In the Stone, Iron, and Bronze Age, Stone, Iron and Bronze became critical components of weaponry.

In the Information Age laymen somehow think information isn't - and won't be - a critical part of weaponry.

From the new insidious kinds of propaganda to the collection and disruption of information flows necessary to make national security decisions, information is already a critical aspect of warfighting in our century.

mchackman • October 26, 2016 2:30 PM

My data was leaked in the OPM hack. Around the same time the government was notifying veterans of the breach, I had my bank account hacked/drained. Thieves drained my account via numerous $100 transactions through a gas station over 1,000 miles away from me. My bank covered the costs. Not saying the two incidents are connected, but they might be.

Will • October 26, 2016 4:45 PM

> OPM’s cybersecurity staff had been peeling back SSL’s camouflage to get a clearer view of the data sloshing in and out of the agency’s systems.

> The OPM brain trust received no credit for implementing the SSL decryption program that had led to the attack’s discovery,

How were they "peeling back" and "decrypting" the SSL? Was this OPM's cybersecurity staff doing a MitM by pushing their own certs, or something else? Anyone have any ideas?

Bob • October 26, 2016 5:33 PM

@Ross Snider

Basing a justification for tearing apart and weaponizing various Internet communities and subcultures on a colloquialism isn't a compelling argument.

Ross Snider • October 26, 2016 6:09 PM

I in no way intend to justify information warfare.

I merely state it as a fact of life.

Regarding "colloquialism": Periodization uses the technologies that define power relations in society to organize humanity into 'ages'. In referring to the information age within the context of periodization I've merely invoked the fact that information technology is a defining force in modern power relations. The only thing I've done to this is rounded down 'power' (ability to decide favorable outcomes) to 'military' (the application of kinetic force to decide favorable outcomes).

Not at all dishonest and not at all a justification.

I apologize if it reads like justification. I reread it and it doesn't seem like that to me, still. It was not written to intend that it is a good thing.

Bob • October 26, 2016 7:07 PM

@Ross Snider

Why is this not the Electric Age or The Automation Age? Why, of all the defining power-relationship mechanisms, do you specifically say this is the Information Age?

Clive Robinson • October 26, 2016 10:10 PM

@Bob,

> Why is this not the Electric Age or The Automation Age?

Have a look at what historians use to define WWII and WWI.

I think you will find they did just that with wireless/radar and mechanisation for tanks/armoured cars/aircraft.

milkshaken • October 26, 2016 11:00 PM

Government creating these centralized databases on every USGov employee, including their background checks and level of clearance - this is far more valuable than some stupid health insurance patient stuff. What did they expect? Also, the assertion that the compromised information has not been misused yet - how will they ever know? If the Chinese did it, and were methodical the way it is described, they will likely use it to fill in background in carefully selected cases - i.e. a former US government official now working for a bank that is active in Asia. In that case we are not likely to find out.

Drone • October 26, 2016 11:08 PM

Amazing (if not outright criminal) big government incompetence...

And think of it, depending on who you vote for on Nov. 8th, they may end up running the entire U.S. health care system!

Larry • October 27, 2016 4:39 AM

@Drone(& others),
You're not really "amazed" are you? Big government has always been incompetent & criminal!!

albert • October 27, 2016 1:25 PM

@Larry, et al,

Way back in the late 90's, I was researching a VB problem, and ended up talking to a (very competent) IT guy from the VA, in DC*. They were still using DOS (with a network kludge) on their PCs. Spoiled by my position in a really big multinational corporation, I asked why. He said they just can't get funding for upgrades. Even though our vets are better treated today, they are still a lower priority than they deserve. Wonder if the VA is still a lower-priority entity.

Spending money on security seems anathema within and without the gov't. Also, there are too many private companies involved in gov't IT security. Who keeps track of them?

About 10 years ago, I once (and only once) used a debit card for a deposit on a rental at a big chain home improvement store. (They wouldn't take cash.) A week later, I had a $300 charge for a vacuum cleaner purchase in Dallas (>1000 miles away). The charge was canceled, but guess where the chain's headquarters is? I called them anyway. Coincidence? Who knows? That was the first time I used a debit card on that account, and the last. I don't even activate 'em now.

I wonder if the purchase happened in one of their stores? :)
* :)
. .. . .. --- ....

Bob • October 28, 2016 11:46 AM

Can't speak firsthand for OPM, but Bluecoat sells proxies that will let you create your own certificates to intercept SSL traffic. Then you can publish the certs through group policy to your organization.

kevinm • October 30, 2016 8:51 AM

All they had to do was run some log analysis, parse the proxy logs to see what CONNECT sessions beacon at regular intervals or send traffic outside office hours. No decryption is necessary for that and anyway if the RAR files were encrypted then SSL decryption would tell them little.
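
One way to do the triage kevinm describes, as an added example that is not code from the article or from any commenter: a small Python script that groups proxy CONNECT records by client and destination, measures how regular the gaps between connections are, and counts connections outside office hours. Nothing in it needs the TLS payload; the destination is just the CONNECT host. The log format, the host names and the sample lines are constructed for the illustration, and the 08:00-18:00 weekday office window and the thresholds are assumptions to tune per site.

```python
"""Proxy-log triage for beaconing and off-hours CONNECT sessions (added example).

Hypothetical log format, one line per CONNECT:
    <ISO-8601 timestamp> <client ip> CONNECT <host:port> <status> <bytes>
The sample lines below are constructed for illustration, not real OPM data.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_LOG = """\
2016-10-26T01:00:02 10.0.0.7 CONNECT cdn-sync.example.net:443 200 612
2016-10-26T01:30:01 10.0.0.7 CONNECT cdn-sync.example.net:443 200 608
2016-10-26T02:00:03 10.0.0.7 CONNECT cdn-sync.example.net:443 200 615
2016-10-26T02:30:02 10.0.0.7 CONNECT cdn-sync.example.net:443 200 610
2016-10-26T03:00:01 10.0.0.7 CONNECT cdn-sync.example.net:443 200 4194304
2016-10-26T03:30:03 10.0.0.7 CONNECT cdn-sync.example.net:443 200 611
2016-10-26T04:00:02 10.0.0.7 CONNECT cdn-sync.example.net:443 200 609
2016-10-26T04:30:01 10.0.0.7 CONNECT cdn-sync.example.net:443 200 613
2016-10-26T09:00:00 10.0.0.5 CONNECT www.example.com:443 200 51200
2016-10-26T09:02:17 10.0.0.5 CONNECT www.example.com:443 200 2048
2016-10-26T09:47:31 10.0.0.5 CONNECT www.example.com:443 200 8192
2016-10-26T11:15:02 10.0.0.5 CONNECT www.example.com:443 200 1024
2016-10-26T13:20:44 10.0.0.5 CONNECT www.example.com:443 200 77824
2016-10-26T09:15:00 10.0.0.9 CONNECT update.example.org:443 200 9000
2016-10-26T12:15:00 10.0.0.9 CONNECT update.example.org:443 200 9100
"""


def parse_line(line):
    """Return (timestamp, client, host, bytes) for a CONNECT line, else None."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "CONNECT":
        return None
    return datetime.fromisoformat(parts[0]), parts[1], parts[3], int(parts[5])


def group_sessions(log_text):
    """Group CONNECT timestamps by (client, host), sorted in time order."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, client, host, _ = rec
            sessions[(client, host)].append(ts)
    return {key: sorted(times) for key, times in sessions.items()}


def interval_regularity(times):
    """Mean gap in seconds and its coefficient of variation. A near-zero CV
    means a fixed-period beacon; jittered implants push the CV up."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def off_hours_fraction(times, start_hour=8, end_hour=18):
    """Share of connections outside weekday office hours (assumed 08:00-18:00 local)."""
    off = [t for t in times if t.weekday() >= 5 or not start_hour <= t.hour < end_hour]
    return len(off) / len(times)


def find_suspicious(log_text, min_events=5, max_cv=0.1, min_off_hours=0.5):
    """Flag (client, host) pairs that beacon on a fixed period or mostly off hours."""
    findings = []
    for (client, host), times in group_sessions(log_text).items():
        if len(times) < min_events:
            continue  # too few samples to say anything about periodicity
        mean_gap, cv = interval_regularity(times)
        off = off_hours_fraction(times)
        reasons = []
        if cv <= max_cv:
            reasons.append(f"fixed period ~{mean_gap:.0f}s")
        if off >= min_off_hours:
            reasons.append(f"{off:.0%} off hours")
        if reasons:
            findings.append({"client": client, "host": host, "events": len(times),
                             "cv": cv, "off_hours_fraction": off, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}: {f['events']} sessions; " + "; ".join(f["reasons"]))
```

On the sample data only the 10.0.0.7 host is reported: eight connections half an hour apart, all between 01:00 and 04:30 on a weekday. The irregular daytime browsing from 10.0.0.5 passes both tests, and 10.0.0.9 has too few events to judge. A real implant with randomised sleep widens the interval spread, so `max_cv` is loosened or replaced with a histogram test in practice.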

kevinm • October 30, 2016 8:55 AM

@Evan Harper

RAR files are always suspicious: the algorithm is open for unpacking, but the compression algorithm requires a license, so it is not implemented in the standard WinZIP, 7-zip et al. Therefore it is more commonly used by people who have little respect for license compliance. Exfiltration of large encrypted RAR archives (or ZIP, 7z etc.) is always suspicious.
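
Following on from kevinm's rule of thumb, an added example (not code from the thread) in Python that identifies RAR, ZIP and 7z payloads by their signatures and, for RAR4, RAR5 and ZIP, reads the header flags that say whether the archive is password-protected. Those flags sit in the clear even when the contents do not, which is what makes "large encrypted archive leaving the network" cheap to detect. The block type and flag constants are the ones used by the published unrar sources; the sample blobs are hand-built with placeholder file names and zero CRCs (they are not valid archives for unrar), and the 50 MiB size threshold is an assumption.

```python
"""Spot archives in an outbound payload and whether they are password-protected
(added example; the sample blobs are hand-built for illustration, not real captures)."""
import struct

RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
ZIP_SIG = b"PK\x03\x04"
SEVENZ_SIG = b"7z\xbc\xaf\x27\x1c"

# RAR 4.x block types and header flags (values from the published unrar sources)
RAR4_MAIN_HEAD, RAR4_FILE_HEAD, RAR4_ENDARC_HEAD = 0x73, 0x74, 0x7B
MHD_PASSWORD = 0x0080      # main header: the block headers themselves are encrypted
LHD_PASSWORD = 0x0004      # file header: this file's data is encrypted
RAR5_ENCRYPTION_HEAD = 4   # RAR5 header type that announces encrypted headers


def _rar5_vint(buf, off):
    """Decode a RAR5 little-endian 7-bit variable-length integer."""
    value, shift = 0, 0
    while off < len(buf):
        b, off = buf[off], off + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7
    raise ValueError("truncated vint")


def _classify_rar4(blob):
    """Walk RAR4 block headers; stop early if the headers are encrypted."""
    off, names, encrypted = len(RAR4_SIG), [], False
    while off + 7 <= len(blob):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", blob, off)
        if hsize < 7:
            break  # corrupt size field; refuse to loop forever
        if htype == RAR4_MAIN_HEAD and flags & MHD_PASSWORD:
            return {"format": "rar4", "encrypted": True, "detail": "encrypted headers"}
        if htype == RAR4_ENDARC_HEAD:
            break
        if htype == RAR4_FILE_HEAD and off + 32 <= len(blob):
            # PACK_SIZE, UNP_SIZE, HOST_OS, FILE_CRC, FTIME, UNP_VER, METHOD, NAME_SIZE; then ATTR
            pack_size, _u, _os, _c, _t, _v, _m, name_len = struct.unpack_from("<IIBIIBBH", blob, off + 7)
            names.append(blob[off + 32:off + 32 + name_len].decode("latin-1", "replace"))
            encrypted |= bool(flags & LHD_PASSWORD)
            off += pack_size  # skip the packed data (64-bit sizes, flag 0x100, not handled here)
        off += hsize
    return {"format": "rar4", "encrypted": encrypted, "detail": "files: " + ", ".join(names)}


def _classify_rar5(blob):
    try:
        _size, off = _rar5_vint(blob, len(RAR5_SIG) + 4)  # skip the header CRC32
        htype, _ = _rar5_vint(blob, off)
    except ValueError:
        return {"format": "rar5", "encrypted": None, "detail": "truncated"}
    if htype == RAR5_ENCRYPTION_HEAD:
        return {"format": "rar5", "encrypted": True, "detail": "encrypted headers"}
    return {"format": "rar5", "encrypted": False, "detail": "readable headers (per-file records not parsed)"}


def classify_archive(blob):
    """Identify the container and, where the format says so up front, whether it is
    encrypted. 'encrypted' is None when the cheap header check cannot tell."""
    if blob.startswith(RAR5_SIG):
        return _classify_rar5(blob)
    if blob.startswith(RAR4_SIG):
        return _classify_rar4(blob)
    if blob.startswith(ZIP_SIG) and len(blob) >= 8:
        flags = struct.unpack_from("<H", blob, 6)[0]  # general-purpose bit 0 = encrypted
        return {"format": "zip", "encrypted": bool(flags & 1), "detail": "first local file header"}
    if blob.startswith(SEVENZ_SIG):
        return {"format": "7z", "encrypted": None, "detail": "encryption lives in the compressed headers"}
    return {"format": None, "encrypted": None, "detail": "no archive signature"}


def is_suspicious_upload(blob, size_threshold=50 * 1024 * 1024):
    """kevinm's rule of thumb: an encrypted archive, or a large archive of unknown status."""
    info = classify_archive(blob)
    return info["format"] is not None and (info["encrypted"] is True or len(blob) >= size_threshold)


# --- constructed samples (header CRCs left zero; not openable by unrar) ------------
def _rar4_block(htype, flags, body):
    return struct.pack("<HBHH", 0, htype, flags, 7 + len(body)) + body


def _rar4_file(name, flags, data):
    body = struct.pack("<IIBIIBBH", len(data), len(data), 2, 0, 0, 29, 0x30, len(name))
    body += struct.pack("<I", 0x20) + name
    return _rar4_block(RAR4_FILE_HEAD, flags | 0x8000, body) + data


RAR4_MAIN = _rar4_block(RAR4_MAIN_HEAD, 0, struct.pack("<HI", 0, 0))
RAR4_END = _rar4_block(RAR4_ENDARC_HEAD, 0x4000, b"")
SAMPLES = {
    "rar4_plain": RAR4_SIG + RAR4_MAIN + _rar4_file(b"notes.txt", 0, b"hello") + RAR4_END,
    "rar4_pwfile": RAR4_SIG + RAR4_MAIN + _rar4_file(b"payroll.db", LHD_PASSWORD, b"\x00" * 16) + RAR4_END,
    "rar4_pwhdr": RAR4_SIG + _rar4_block(RAR4_MAIN_HEAD, MHD_PASSWORD, struct.pack("<HI", 0, 0)) + b"\xaa" * 32,
    "rar5_enc": RAR5_SIG + b"\x00" * 4 + bytes([0x15, RAR5_ENCRYPTION_HEAD]) + b"\x00" * 20,
    "rar5_plain": RAR5_SIG + b"\x00" * 4 + bytes([0x03, 0x01, 0x00, 0x00]),
    "zip_enc": ZIP_SIG + struct.pack("<HH", 20, 1) + b"\x00" * 22 + b"a.txt",
    "html": b"<html><body>nothing to see</body></html>",
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:12} {classify_archive(blob)}  suspicious={is_suspicious_upload(blob)}")
```

The check is deliberately shallow: it reads only the first few headers, so it runs on the first kilobyte of an upload before the proxy has buffered the rest, and it never needs the password. A RAR4 archive with encrypted headers is caught at the main header, a RAR4 file with per-file passwords at the first file header, a RAR5 archive at its type-4 encryption header, and a ZIP at the general-purpose flag of its first entry.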


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.