Andrea Shalal and Matt Spetalnick report:
Data stolen from U.S. government computers by suspected Chinese hackers included security clearance information and background checks dating back three decades, U.S. officials said on Friday, underlining the scope of one of the largest known cyber attacks on federal networks.
Of the four million federal employees whose data were caught up in the breach, 2.1 million are reportedly current government employees, and the fear is that their information could be used for spear-phishing and to obtain even more sensitive information.
Read more on Reuters.
Ellen Nakashima of the Washington Post reports that according to unnamed agency officials, the information obtained in the hack included employees’ Social Security numbers, job assignments, performance ratings and training information but
OPM officials declined to comment on whether payroll data was exposed other than to say that no direct-deposit information was compromised. They could not say for certain what data was taken, only what the hackers gained access to.
And of course, the finger-pointing has begun. As the New York Times reports, an audit of the government’s computer security had as recently as November pointed out the serious security shortcomings.
But watch out for those who attempt to use this hack to support irrelevant or harmful legislation. Any legislation proposed should seriously consider the opinions of actual infosecurity and technology experts. So far, the government’s ridiculous claims that we can have strong encryption but the government should be able to break it make many of us wonder what color the sky is in Washington these days.
The NSA typically approves most of the types of encryption standards we use. I don’t see this going away. It should be a standard that everyone uses. But, as in the past, I am sure the NSA has asked for an encryption strength to be lowered in order for it to be cracked.
Look, encryption is only as good as the storage of the private key(s). An insider, or hacker – if they know the location and obtain these keys, no matter the strength of the encryption, it's a sad day.
The battle starts at the front door of any establishment. One needs to shore up different technologies and ensure that the outer perimeter is solid as a rock. Old legacy technology needs to be patched and current or tossed and replaced. Unnecessary services need to be shut off and permissions for people need to be at the minimum required to complete assigned work. Extra privileges need to be documented and set to expire and should be removed immediately after.
Port 80 is a wide open port right to most desktops. I highly suggest that any organization have a VM style website pool which is connected only to the internet. These web servers should be the only thing the public should see. All other communication from the network should be whitelisted. The bad thing about most networks is that surfing is usually a free-for-all, and that's how most get in trouble. Most organizations should embrace a white-and-black list for surfing and emails. Any type of email scanning software should be set up to its lowest settings to trigger a spam alert on the most vague email content.
Encryption itself does not cure the breaches. There are plenty of other issues on networks. The crooks like “dirty news”, for the fame and sometimes fortune. It's more for “ego-testical” bragging rights. In the event a high profile organization gets hacked, it gives them clout amongst other hacking groups, and sometimes instills others to get the ball rolling and see if they can top the latest hack.
In my opinion, if people work for the government, I think they should do just that. They should be given the tools to do their job, and eliminate most web surfing to any .com sites. It would cut down the amount of security incidents, and work productivity would shoot through the roof.