They were referring to Windows (the OS), in addition to the standard backdoors it comes with.
Hacked US OPM boss: We'll fix our IT security – just give us $21 million
The boss of the US government's thoroughly ransacked Office of Personnel Management has – rightly – come in for a rough ride from members of the House Committee on Oversight and Government Reform. Politicians on both sides of the trenches tore strips off the lamentable state of security in the agency, which was raided by …
COMMENTS
-
Wednesday 17th June 2015 01:38 GMT Mark 85
@Graham Marsden - Re: Of course...
Actually, this comment by her is very telling. She said: "Cybersecurity problems are decades in the making and the whole of government is responsible."
Congress has been slashing budgets on routine things like computer security for a long time. Hopefully, this will come back to bite Congress in the butt, except of course, they'll blame those who are no longer in Congress.
-
Wednesday 17th June 2015 13:26 GMT Anonymous Coward
Re: @Graham Marsden - Of course...
That's a very peculiar definition of "slashed budgets" you're using. There isn't an agency in the country that has had a reduced budget for anything.
What I do see a lot of is cogs in the system building fiefdoms and fighting other cogs over turf. That includes not implementing mandated requirements like two-factor authentication (which was issued way back in 2004 and was to be implemented no later than 2009). And I've seen System Owners claiming the risks posed to operations by patching were too great and therefore the systems needed to be exempted from patching requirements. I also see a fair bit of hiding the damage from discovered hacks. One of the sister groups at my agency determined data was being exfiltrated to China. What got reported was that the system was down for maintenance for a few days. The adviser overseeing the repairs said it's better than it was, but if he'd been the one making the call instead of overseeing the work, far more changes would have been made.
-
Tuesday 16th June 2015 23:58 GMT Anonymous Coward
We can comment all we like but
Heed the lesson of others. OK (dear reader) you are unlikely to be hauled up in front of a govt committee but learn their lesson and start making changes. Little and often and keep going until you are happy (which should be never).
To achieve a reasonable level of security should not cost a fortune but it will take a lot of thought and time and a burning ambition to get it done. If you lack the last then you are fucked.
-
Wednesday 17th June 2015 11:10 GMT Sir Runcible Spoon
Re: We can comment all we like but
"a burning ambition to get it done. If you lack the last then you are fucked."
Even (especially?) in high risk environments there are those who are more concerned about cost of deployment than the cost of breach (both material and reputation).
These people just consider what they do a 'job' and you could no more extract passion from them than you could the money for a round of beers for the tech team that saves their nuts on a weekly basis for no real benefit.
However, it is possible to inject passion into a project - but it's a draining process and can go off the rails with one well placed internal political manoeuvre from someone looking to make departmental gains.
Sad, but that's the world we live in :(
-
Wednesday 17th June 2015 02:00 GMT Mark 85
Given the way this works...
Even though she rightly refused to answer sensitive questions in front of the press and good CongressCritters got to go into "full outrage" mode for the cameras, we'll soon know exactly what was taken and how bad it really is. Because as sure as I'm sitting here, some Critter up for re-election will come out of the closed-door session and vent his indignation all over the press with a full disclosure.
Meantime, someone will have the bright idea that it's now the auditors' fault because their report wasn't super-duper-top-secret-read-it-and-I-will-kill-you, which allowed the bad guys to see all the problems and know exactly where to attack. This will cause some poor paperpusher to lose his/her job because they didn't mark it as "super-duper...etc".
Once that's done, Congress will go back to their normal power plays, insulting each other's party and generally making more of a mess of the US.
Got me coat, I'm going for a long walk and try to not get pissed that there's really nowhere in the world not run by idiots.
-
Wednesday 17th June 2015 06:50 GMT bazza
Re: Given the way this works...
Got me coat, I'm going for a long walk and try to not get pissed that there's really nowhere in the world not run by idiots.
Well, we've got our own brand of idiots over here in the UK, but overall it's pretty good. Why don't you come and give it a go?
The beer is a lot better for a start, despite the impressive advances of the US micro breweries.
-
Wednesday 17th June 2015 05:52 GMT Anonymous Coward
Authentication is not the answer
That's something proper security professionals learned 20+ years ago. Authentication is for controlling your own employees. Hackers rarely (if ever) authenticate during a hack. They leverage holes in the system.
Nothing out of what is being proposed is relevant to the type of hack being executed here. Someone lifted their entire database bypassing any authentication put in there in the first place. The defence against this is to shovel the "total information awareness" up the a*** of the next person proposing it and create rate limited and controlled query mechanisms to the database so that no attacker can dump the whole thing in one go and disappear with the spoils.
-
Wednesday 17th June 2015 07:10 GMT Anonymous Coward
Re: Authentication is not the answer
You're wrong. In many attacks, some systems left vulnerable are used to obtain the credentials of some privileged users accessing them. The "hole" in this case could be simply a lazy sysadmin using the same - maybe weak - credentials across different systems. Or the same local administrator password used everywhere. Two-factor authentication helps a lot to counter this kind of "wetware vulnerabilities". Very few attacks are performed wholly using only software vulnerabilities - they would require a far bigger effort and systems in a really miserable state.
That said, stronger authentication is just one layer of protection, others are needed, including knowing how many and what systems you're running, and protecting them adequately - your proposal won't work because do you believe they lifted all those data with a SQL injection (hint: it was said SSNs were not encrypted, usually a query returns data already unencrypted...)? Maybe they stole the database files directly or a backup; how would your "controlled query" mechanism work in such a situation?
There are application firewalls and other database security features that could help to spot and block dangerous queries, but again, if you've got the DBA credentials, there's a good chance you can bypass them. And if you've got access to unencrypted files, you don't need to query at all.
-
Friday 19th June 2015 19:51 GMT Trevor_Pott
Re: " they would require a far bigger effort and systems in a really miserable state"
"Too old to be secured ? What kind of cop-out is that ? You can always add a firewall in front of it, no ?"
Yeah, but you can't add two-factor authentication or various other features. "Secured" may have a meaning here based in legislation or regulation that means something different to you and me.
-
Wednesday 17th June 2015 07:14 GMT Anonymous Coward
Re: I know where we can get the $21 million....
The risk is that those $21m are then mostly spent to buy new iPhones and iPads.... and not to actually secure systems. I would really like to see the annual OPM budget, and where the money was spent.
Not that the private sector is often better - I've seen enough companies more worried about "upgrading" the managers' cars, laptops, tablets, phones than securing their systems - after all you can't show off with a secure datacenter...
-
Wednesday 17th June 2015 07:59 GMT Anonymous Coward
Easy to fix
- Audit your entire network and maintain a config database of all assets found - repeat regularly
- Patch all devices found, both o/s and apps and hardware - desktops, servers, firewalls, switches et al - repeat and audit
- Run automated vulnerability scans - and fix what they find
- Restrict use of root/admin everywhere
- Get intrusion detection systems and act on alerts
- Get anti-virus installed and updated and monitor malware found
- Have a no-access policy to deny new hardware being added to the network unless authorised
- Since you've been compromised already, you will also need to rebuild some of it from scratch
- Get the best pen testers you can find and challenge them to get in
The above is doable with a competent IT team - we have all of this in place and more at our firm. It doesn't make you infallible, since even a chink in the armour will let a knife through, but it does raise the bar and improve your odds.
-
Wednesday 17th June 2015 08:19 GMT Pascal Monett
You contradict yourself
You say it's easy to fix, then you list a bunch of items and state that it "is doable with a competent IT team" - meaning you acknowledge that all that is decidedly not easy and requires expertise.
If it was easy to do, every company would have it included in whatever OS they use and it would happen automatically - like connecting to the network via Ethernet or WiFi.
But it is not easy at all, which is why most companies, even sizeable ones, do not have an intrusion detection system, do not run vulnerability scans (automated or not), nor do they have the luxury of restricting root access because most of them use IT as they use Word - as long as it works, forget about it. Hell, we can be happy if most of them have any kind of anti-virus installed.
Not that I approve that behavior, but that's what they do.
-
Wednesday 17th June 2015 08:44 GMT Small Furry Animal
Re: You contradict yourself
"Not that I approve that behavior, but that's what they do."
... and thank $DEITY that they do. When the brown stuff hits the fan, they have to call me or one of my fellow professionals. Hacked company is panicking. I name a figure off the top of my head and they agree instantly.
Mind you, it sometimes takes them an age to pay the invoice.
-
Wednesday 17th June 2015 13:37 GMT Anonymous Coward
Re: Easy to fix
By policy every one of those is in effect. But they've been hacked. Bad.
Because somewhere in the system there's always some critical app that requires a waiver for one of those rules. Frequently there are many such somethings, which turn the whole thing into swiss cheese/cheese cloth.
-
Wednesday 17th June 2015 13:40 GMT Anonymous Coward
Re: Easy to fix
Government and businesses work in much the same way... they say they care about security UNTIL it costs money or makes a system "harder" to use. Then it's like: hey, just give John admin access. Oh wait, you mean the IDS might make a false match and block something valid... nah, just don't let it block anything. Oh, the vulnerability scan found xx? You can only fix xx by upgrading because that version is no longer supported, and that will cost x millions to fix, sooooo we just won't fix it. I have literally heard every one of those, as I am sure most of us have, and you can argue till you're blue in the face, but then something happens. You know you tried to warn them, but somehow it still ends up being your fault... it's a no-win situation.
-
Wednesday 17th June 2015 21:54 GMT Speltier
Re: Coercion
Which brings up an interesting point. Suppose a person filed an SF86 and admitted to illegal drug distribution (really. Go look at SF86. Pretend the person is really honest, and believes that an honest answer won't be used for prosecution, as stated on the form). OPM or USIS (kinda close to "ISIS"...) promptly boots the candidate from consideration, but what happens to the SF86 data, now stolen? Said person is now VP of some company selling super secret doodads to the Fed, and the purloiner of data now knows that that person has dirtier than most dirty laundry....
Not to speak of the assessments of the SF86, likely stored with the SF86. You know, all that data collected by the shoe leather brigade supposedly checking the background for a security clearance.
And if the person lies on the form, he'd better practice passing the lie detector test.
-