Hacked US OPM boss: We'll fix our IT security – just give us $21 million

The boss of the US government's thoroughly ransacked Office of Personnel Management has – rightly – come in for a rough ride from members of the House Committee on Oversight and Government Reform. Politicians on both sides of the trenches tore strips off the lamentable state of security in the agency, which was raided by …

  1. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      They were referring to Windows (the OS), in addition to the standard backdoors it comes with.

  2. psychonaut

    "oh, we've got both kinds... country and western"

    extra firewalls.....mcafee AND norton?

    love, Jake and Elwood.

  3. Anonymous Coward
    Anonymous Coward

    If there is a problem with "older systems" then why are they connected directly to the Internet ?

  4. Graham Marsden
    Stop

    Of course...

    ... what the grandstanding politicians with their accusations and speeches (more for the media than for information) were really thinking was "Thank fuck it wasn't anything that *I* am responsible for!"

    1. Anonymous Coward
      Thumb Up

      Re: Of course...

      Actually it was, in a way. They made the laws, they set the budgets and policies... watering down crypto so NSA can spy on everyone more conveniently, and treating hacking as a law enforcement matter instead of a preventive security measure.

      1. Graham Marsden

        Re: Of course...

        Yeah, but there was nothing that could be pinned on them, so they were quite happy to crap on someone else...

        1. Mark 85

          @Graham Marsden - Re: Of course...

          Actually, this comment by her is very telling: she said, "Cybersecurity problems are decades in the making and the whole of government is responsible."

          Congress has been slashing budgets on routine things like computer security for a long time. Hopefully, this will come back to bite Congress in the butt, except of course, they'll blame those who are no longer in Congress.

          1. Anonymous Coward
            Anonymous Coward

            Re: @Graham Marsden - Of course...

            That's a very peculiar definition of "slashed budgets" you're using. There isn't an agency in the country that has had a reduced budget for anything.

            What I do see a lot of is cogs in the system building fiefdoms and fighting other cogs over turf. That includes not implementing mandated requirements like two-factor authentication (which was issued way back in 2004 and was to be implemented no later than 2009). And I've seen System Owners claiming the risks posed to operations by patching were too great and therefore the systems needed to be exempted from patching requirements. I also see a fair bit of hiding the damage from discovered hacks. One of the sister groups at my agency determined data was being exfiltrated to China. What got reported was that the system was down for maintenance for a few days. The adviser overseeing the repairs said it's better than it was, but if he'd been the one making the call instead of overseeing the work, far more changes would have been made.

      2. Anonymous Coward
        Anonymous Coward

        Re: Of course...

        Well, not to worry. They're offering CIA case officers 18 months credit protection. That ought to take care of everything.

  5. Anonymous Coward
    Anonymous Coward

    We can comment all we like but

    Heed the lesson of others. OK (dear reader) you are unlikely to be hauled up in front of a govt committee but learn their lesson and start making changes. Little and often and keep going until you are happy (which should be never).

    To achieve a reasonable level of security should not cost a fortune but it will take a lot of thought and time and a burning ambition to get it done. If you lack the last then you are fucked.

    1. Sir Runcible Spoon

      Re: We can comment all we like but

      "a burning ambition to get it done. If you lack the last then you are fucked."

      Even (especially?) in high risk environments there are those who are more concerned about cost of deployment than the cost of breach (both material and reputation).

      These people just consider what they do a 'job' and you could no more extract passion from them than you could the money for the cost of a round of beers for the tech team that save their nuts on a weekly basis for no real benefit.

      However, it is possible to inject passion into a project - but it's a draining process and can go off the rails with one well placed internal political manoeuvre from someone looking to make departmental gains.

      Sad, but that's the world we live in :(

  6. Mark 85
    Coat

    Given the way this works...

    Even though she rightly refused to answer sensitive questions in front of the press, the good CongressCritters got to go into "full outrage" mode for the cameras. We'll soon know exactly what was taken and how bad it really is, because as sure as I'm sitting here, some Critter up for re-election will come out of the closed-door session and vent his indignation all over the press with a full disclosure.

    Meantime, someone will have the bright idea that it's now the auditors fault because their report wasn't super-duper-top-secret-read-it-and-I-will-kill-you which allowed the bad guys to see all the problems and know exactly where to attack. This will cause some poor paperpusher to lose his/her job because they didn't mark as "super-duper...etc".

    Once that's done, Congress will go back to their normal power plays, insulting each other's party and generally making more of a mess of the US.

    Got me coat, I'm going for a long walk and try to not get pissed that there's really nowhere in the world not run by idiots.

    1. bazza Silver badge

      Re: Given the way this works...

      Got me coat, I'm going for a long walk and try to not get pissed that there's really nowhere in the world not run by idiots.

      Well, we've got our own brand of idiots over here in the UK, but overall it's pretty good. Why don't you come and give it a go?

      The beer is a lot better for a start, despite the impressive advances of the US micro breweries.

      1. Mark 85
        Happy

        Re: Given the way this works...

        Well.. that settles it. I'll trade one group of idiots running things for another and for better beer. Might be worth it. Now to sort out if I'm on a "no-fly" list because of posts to El Reg.

  7. Anonymous Coward
    Anonymous Coward

    Authentication is not the answer

    That's something proper security professionals learned 20+ years ago. Authentication is for controlling your own employees. Hackers rarely (if ever) authenticate during a hack. They leverage holes in the system.

    Nothing out of what is being proposed is relevant to the type of hack being executed here. Someone lifted their entire database bypassing any authentication put in there in the first place. The defence against this is to shovel the "total information awareness" up the a*** of the next person proposing it and create rate limited and controlled query mechanisms to the database so that no attacker can dump the whole thing in one go and disappear with the spoils.

    1. Anonymous Coward
      Anonymous Coward

      Re: Authentication is not the answer

      You're wrong. In many attacks, some systems left vulnerable are used to obtain the credentials of some privileged users accessing them. The "hole" in this case could be simply a lazy sysadmin using the same - maybe weak - credentials across different systems. Or the same local administrator password used everywhere. Two-factor authentication helps a lot to counter this kind of "wetware vulnerability". Very few attacks are performed wholly using only software vulnerabilities - they would require a far bigger effort and systems in a really miserable state.

      That said, stronger authentication is just one layer of protection; others are needed, including knowing how many and what systems you're running, and protecting them adequately. Your proposal won't work, because do you believe they lifted all those data with a SQL injection (hint: it was said SSNs were not encrypted; usually a query returns data already unencrypted...)? Maybe they stole the database files directly, or a backup. How would your "controlled query" mechanism work in such a situation?

      There are application firewalls and other database security features that could help to spot and block dangerous queries, but again, if you've got the DBA credentials, there's a good chance you can bypass them. And if you've got access to unencrypted files, you don't need to query at all.

      1. Pascal Monett Silver badge

        Re: " they would require a far bigger effort and systems in a really miserable state"

        If I got the gist of the article correctly, the systems are in a really miserable state.

        Too old to be secured ? What kind of cop-out is that ? You can always add a firewall in front of it, no ?

        1. Trevor_Pott Gold badge

          Re: " they would require a far bigger effort and systems in a really miserable state"

          "Too old to be secured ? What kind of cop-out is that ? You can always add a firewall in front of it, no ?"

          Yeah, but you can't add two-factor authentication or various other features. "Secured" may have a meaning here based in legislation or regulation that means something different to you and me.

  8. Anonymous Coward
    Holmes

    I know where we can get the $21 million....

    The NSA has what-is-it, a $10 billion budget? $12 billion? I forget what the leaked black budget found in the Snowden papers said.

    Fort Meade won't miss $21 million, especially if it is spent on actual cybersecurity.

    1. Anonymous Coward
      Anonymous Coward

      Re: I know where we can get the $21 million....

      The risk is that that $21m is then mostly spent to buy new iPhones and iPads... and not to actually secure systems. I would really like to see the annual OPM budget, and where the money was spent.

      Not that the private sector is often better - I've seen enough companies more worried about "upgrading" the managers' cars, laptops, tablets, phones than securing their systems - after all you can't show off with a secure datacenter...

  9. nsld

    Apparently

    It's all Edward Snowden's fault.

    Will be the standard excuse trotted out in 5,4,3.......

    1. Anonymous Coward
      Anonymous Coward

      Re: Apparently

      Sunday Times beat you to it. It's all over the news right now, complete with a sort-of retraction where they said they just print what 10 Downing St tells them.

  10. Anonymous Coward
    Anonymous Coward

    Easy to fix

    -Audit your entire network and maintain a config database of all assets found - repeat regularly

    -Patch all devices found, both o/s and apps and hardware - desktops, servers, firewalls, switches et al - repeat and audit

    -Run automated vulnerability scans - and fix what it finds

    -Restrict use of root/admin everywhere

    -Get intrusion detection systems and act on alerts

    -Get anti-virus installed and updated and monitor malware found

    -Have a no-access policy to deny new hardware being added to the network unless authorised

    -Since you've been compromised already, you will also need to rebuild some of it from scratch

    -Get the best pen testers you can find and challenge them to get in

    The above is doable with a competent IT team - we have all of this in place and more at our firm. It doesn't make you infallible, since even a chink in the armour will let a knife through, but it does raise the bar and improve your odds.
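    The first items on the list above (inventory the network, keep a configuration database of what you find, patch it, and refuse hardware that was never authorised) can be checked mechanically. The following is an added example, not code from the original comment or from any real tool: it reconciles a scan result against a baseline CMDB and a minimum-patch-level table, reporting devices absent from the baseline, baseline assets that did not answer, hosts whose name no longer matches the record, and software below the required version. The hostnames, MAC addresses, product names and version strings are constructed sample data; the version comparison is a simple numeric-tuple ordering that suits the illustration but not every vendor's versioning scheme.

```python
"""Asset inventory reconciliation: scan result vs. baseline CMDB vs. patch floor.

Added example, not from the original page. All hosts, MACs, products and
versions below are constructed sample data.
"""
import re

# Constructed sample data: what a network scan returned this run.
SCAN = [
    {"ip": "10.0.1.10", "mac": "00:11:22:33:44:01", "host": "hr-db-01",
     "product": "openssh", "version": "6.6p1"},
    {"ip": "10.0.1.1", "mac": "00:11:22:33:44:02", "host": "fw-edge-01",
     "product": "firmware", "version": "9.1.4"},
    {"ip": "10.0.2.77", "mac": "de:ad:be:ef:00:01", "host": "unknown-laptop",
     "product": "openssh", "version": "7.9p1"},
]

# Constructed baseline: the configuration database of authorised assets, keyed by MAC.
CMDB = {
    "00:11:22:33:44:01": {"host": "hr-db-01", "owner": "hr-apps"},
    "00:11:22:33:44:02": {"host": "fw-edge-01", "owner": "netops"},
    "00:11:22:33:44:03": {"host": "ws-0412", "owner": "desktop"},
}

# Constructed patch floor: lowest acceptable version per product (hypothetical values).
MIN_VERSIONS = {"openssh": "7.4p1", "firmware": "9.1.4"}


def version_key(version):
    """Order versions by their numeric components: '7.4p1' -> (7, 4, 1).

    Adequate for dotted numeric schemes; vendor-specific formats need their own parser.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def reconcile(scan, cmdb, min_versions):
    """Compare one scan against the baseline and the patch floor.

    Returns a report with four finding classes, each a list of tuples:
      unknown_devices: (ip, mac, host) seen on the wire but not in the CMDB
      missing_assets:  (mac, host, owner) in the CMDB but not seen this run
      host_drift:      (mac, cmdb_host, scanned_host) for renamed/re-imaged kit
      unpatched:       (host, product, version, minimum) below the patch floor
    """
    seen = set()
    report = {"unknown_devices": [], "missing_assets": [],
              "host_drift": [], "unpatched": []}
    for dev in scan:
        seen.add(dev["mac"])
        baseline = cmdb.get(dev["mac"])
        if baseline is None:
            # Unauthorised hardware: the "no access unless authorised" rule fires here.
            report["unknown_devices"].append((dev["ip"], dev["mac"], dev["host"]))
        elif baseline["host"] != dev["host"]:
            report["host_drift"].append((dev["mac"], baseline["host"], dev["host"]))
        minimum = min_versions.get(dev["product"])
        if minimum is not None and version_key(dev["version"]) < version_key(minimum):
            report["unpatched"].append((dev["host"], dev["product"],
                                        dev["version"], minimum))
    for mac, asset in cmdb.items():
        if mac not in seen:
            # Asset went quiet: decommissioned without a CMDB update, or moved.
            report["missing_assets"].append((mac, asset["host"], asset["owner"]))
    return report


def audit_summary(report):
    """Counts per finding class, the shape you would put in a daily ticket."""
    return {name: len(findings) for name, findings in report.items()}


if __name__ == "__main__":
    findings = reconcile(SCAN, CMDB, MIN_VERSIONS)
    for name, items in findings.items():
        for item in items:
            print(f"{name}: {item}")
    print(audit_summary(findings))
```

    Run repeatedly (the comment's "repeat and audit"), the interesting output is the difference between runs: a device that appears in `unknown_devices` and is still there the next day is either a gap in the CMDB or something that should not be on the network, and either way it needs an owner.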

    1. Pascal Monett Silver badge

      You contradict yourself

      You say it's easy to fix, then you list a bunch of items and state that it "is doable with a competent IT team" - meaning you acknowledge that all that is decidedly not easy and requires expertise.

      If it was easy to do, every company would have it included in whatever OS they use and it would happen automatically - like connecting to the network via Ethernet or WiFi.

      But it is not easy at all, which is why most companies, even sizeable ones, do not have an intrusion detection system, do not run vulnerability scans (automated or not), nor do they have the luxury of restricting root access because most of them use IT as they use Word - as long as it works, forget about it. Hell, we can be happy if most of them have any kind of anti-virus installed.

      Not that I approve that behavior, but that's what they do.

      1. Small Furry Animal

        Re: You contradict yourself

        "Not that I approve that behavior, but that's what they do."

        ... and thank $DEITY that they do. When the brown stuff hits the fan, they have to call me or one of my fellow professionals. Hacked company is panicking. I name a figure off the top of my head and they agree instantly.

        Mind you, it sometimes takes them an age to pay the invoice.

    2. Anonymous Coward
      Anonymous Coward

      Re: Easy to fix

      By policy every one of those is in effect. But they've been hacked. Bad.

      Because somewhere in the system there's always some critical app that requires a waiver for one of those rules. Frequently many such somethings which turn the whole thing into swiss cheese/cheese cloth.

    3. Anonymous Coward
      Anonymous Coward

      Re: Easy to fix

      Government and businesses work in much the same way... they say they care about security UNTIL it costs money or makes a system "harder" to use. Then it's like, hey, just give John admin access; oh wait, you mean the IDS might make a false match and block something valid... nah, just don't let it block anything. Oh, the vulnerability scan found xx; you can only fix xx by upgrading because that version is no longer supported and it will cost x millions to fix, sooooo we just won't fix it. I have literally heard every one of those, as I am sure most of us have, and you can argue till you're blue in the face, but then something happens; you know you tried to warn them, but somehow it still ends up being your fault... it's a no-win situation.

  11. Anonymous Coward
    Anonymous Coward

    Coercion

    The whole point of declaring your dirty laundry on a clearance application form is so the vetters know everything and can make an assessment on the risk... in theory.

    Nothing on that form should be useful for coercion.

    1. Speltier

      Re: Coercion

      Which brings up an interesting point. Suppose a person filed an SF86 and admitted to illegal drug distribution (really. Go look at SF86. Pretend the person is really honest, and believes that an honest answer won't be used for prosecution, as stated on the form). OPM or USIS (kinda close to "ISIS"...) promptly boots the candidate from consideration, but what happens to the SF86 data, now stolen? Said person is now VP of some company selling super secret doodads to the Fed, and the purloiner of data now knows that that person has dirtier than most dirty laundry....

      Not to speak of the assessments of the SF86, likely stored with the SF86. You know, all that data collected by the shoe leather brigade supposedly checking the background for a security clearance.

      And if the person lies on the form, he'd better practice passing the lie detector test.

  12. Anonymous Coward
    Anonymous Coward

    Yeah, I agree the point of putting it on the form is so your dirty laundry is out in the open. In reality I think it has little to do with someone's trust level. But on the grander scale there is everything and more in that database to steal all 4 million people's identities easily.

  13. John Smith 19 Gold badge
    Unhappy

    They can fix this for $21m

    Bargain.

    If I believed you could fix it for $21m.
