The “Real” OPM Data Breach

A lot has been made and should be made of the theft of over 21 million federal employees’ sensitive personnel records and security clearances. 



Everyone rightly, although somewhat selfishly, is worried about identity theft and the compromised privacy of their information.



The government is worried about hostile nation states using the pilfered information to bribe or coerce military, intelligence, high-level political, and other personnel to turn and work for them, or otherwise using it against them.



But what is grossly missing in this discussion is not what information presumably the Chinese stole and how they will use it against us, but rather what information they inserted, altered, or otherwise compromised in the OPM personnel and security databases when they got root access to them.



Imagine for a moment what hostile nations or terrorists could do to this crown jewel database of personnel and security information:



– They could insert phony records for spies, moles, or other dangerous persons into the database–voila, these people are now “federal employees” and perhaps with stellar performance records and high level security clearances able to penetrate the depths of the federal government with impunity or even as superstars!



– They could alter personnel or security records, taking prominent or good government employees and sabotaging them to have questionable histories, contacts, or financial, drug, or criminal problems, and thereby frame or take down key government figures, or divert attention from the real bad guys out there and tie our homeland security and law enforcement establishment in knots chasing after phony leads and false wrongdoers and villains.



Given that the timeline of the hack of OPM goes back to March and December 2014, this was more than enough time for our adversary to not only do to our data what they want, but also for the backup tapes to be affected by the corrupt data entering the system. 



The damage done to U.S. national security is unimaginable. As is typically the case with these things, “An ounce of prevention is worth a pound of cure.” Instead of investing in security, now we can invest in “credit monitoring and identity theft protection” for a very sparse three years, while federal employees will go a lifetime in information jeopardy, and the federal government will be literally chasing its tail on personnel security for decades to come. 



With the price so low to our adversaries in attacking our systems, it truly is like stealing and much more. 😉



(Source Photo: Andy Blumenthal)

18 Million–Change The SSNs


So, maybe one of the most detrimental heists of information from the Federal government in history.


Now involving over 18 million current and former federal employees, including military and intelligence personnel. 


No getting around it, but we are major screwed here–this is a treasure trove of personal and privacy information ready to use for identity theft, blackmail, assassination/decapitation attacks at home and work addresses, kidnapping of family members, and literally attacking our national security apparatus from the very inside out–its people.


Imagine, if at the time of its choosing, an adversary attacks our nation, but preempts this with sophisticated and coordinated attacks on our critical government personnel–generals, spy masters, political kingpins, and other key decision makers–thereby distracting them from their duties of safeguarding our nation. 


This is our new Achilles Heel and overall a security disaster bar none!


Well, we can’t go back and put the genie back in the bottle–although wouldn’t it be nice if such critical information (if not encrypted–already unforgivable) would have a self-destruct mechanism on it so that we could at least zap it dead.


But for the people whose personal identities are at risk–whose social security numbers (SSNs) and dates of birth (DOBs) have been compromised, what can we do?


While we can’t very well change people’s DOBs, why not at least issue them new SSNs to help thwart the adversaries peddling in this information in the black markets?


If we can put a man on the moon, surely we can issue some 18 million new SSNs and mandate government and financial institutions to make the necessary updates to the records. 


This is not rocket science, and certainly we owe this much to our people to help protect them.


Will our government be there for its own employees and patriots? 😉


(Source Photo: here with attribution to Donkey Hotey)

People Are Our Greatest Asset, Goodbye!


The Chinese are smart and talented, and there is a cyberwar going on. 


They are suspected of having just stolen the personnel information of 4 million federal government workers.


And there are 4.2 million active, including 1.5 million military personnel. 


So if as they are apt to say, “people are our greatest asset”…


…then we just sort of lost the CROWN JEWELS in terms of highly personal, sensitive, and critical information on the people that handle everything from defense and diplomacy to the economy, energy, the environment, justice, and health and wellbeing. 


Oops!


This is getting scary folks. 


When the adversary through cyber (and other) espionage can know our people, our technology, our communications, virtually everything…then we got some big vulnerabilities!


If we can’t defend ourselves adequately (at least for now), I hope at least we are doing okay on the offense! 😉


(Source Photo: Andy Blumenthal)

Dire Warnings On Cybersecurity

This week Adm. Michael Rogers, the Director of the National Security Agency and head of U.S. Cyber Command, issued a stark warning to the nation about the state of cybersecurity:



With our cybersecurity over the next decade, “It’s only a matter of the ‘when,’ not the ‘if,’ that we are going to see something dramatic.”



The Wall Street Journal reports that he gave “a candid acknowledgement that the U.S. ISN’T yet prepared to manage the threat!”



China and “one or two others” [i.e. Russia etc.] are infiltrating our SCADA networks that manage our industrial control systems, including our power turbines and transmission systems.



The cyber spies from the nation states are “leaving behind computer code that could be used to disable the networks in the future.”



Can you imagine…you must imagine, you must prepare–not if, but when. 



(Source Photo: Andy Blumenthal)

Remodulate The Shields For Cyber Security

I really like the concept for Cyber Security by Shape Security.

They have an appliance called a ShapeShifter that uses polymorphism to constantly change a website’s code in order to prevent scripted botnet attacks–even as the web pages themselves maintain their look and feel.

In essence they make the site a moving target, rather than a sitting duck.
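The moving-target idea in its simplest form, as an added example (not Shape Security's code and not part of the original post): form field names are re-derived from a fresh key for every rendering, so the page looks the same to a person while a submission using hard-coded or stale field names is rejected. The field list, function names and key handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed example: logical fields of a login form and their input types.
LOGICAL_FIELDS = {"username": "text", "password": "password"}


def new_rendering_key() -> bytes:
    """Fresh random key, generated per page rendering and kept server-side."""
    return secrets.token_bytes(32)


def alias_for(field: str, key: bytes) -> str:
    """Name that a logical field carries in one rendering of the page."""
    return "f_" + hmac.new(key, field.encode(), hashlib.sha256).hexdigest()[:16]


def render_form(key: bytes) -> str:
    """Same visible form every time; only the field names in the markup change."""
    rows = [
        f'<label>{name.title()} <input type="{kind}" name="{alias_for(name, key)}"></label>'
        for name, kind in LOGICAL_FIELDS.items()
    ]
    return '<form method="post">\n' + "\n".join(rows) + "\n</form>"


def decode_submission(posted: dict, key: bytes) -> dict:
    """Map posted aliases back to logical names; refuse any other field set."""
    reverse = {alias_for(name, key): name for name in LOGICAL_FIELDS}
    if set(posted) != set(reverse):
        raise ValueError("field names do not match this rendering")
    return {reverse[alias]: value for alias, value in posted.items()}


def accepts(posted: dict, key: bytes) -> bool:
    """True if the posted field names belong to the rendering made with key."""
    try:
        decode_submission(posted, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = new_rendering_key()
    print(render_form(key))
    browser = {alias_for(n, key): "x" for n in LOGICAL_FIELDS}
    print("rendered form accepted:", accepts(browser, key))
    print("hard-coded names accepted:", accepts({"username": "x", "password": "x"}, key))
    print("stale aliases accepted:", accepts(browser, new_rendering_key()))
```

Renaming alone only raises the cost of automation, so it belongs alongside rate limiting and login-abuse detection rather than in place of them.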

This is like Star Trek’s modulating shield frequencies that would prevent enemies from obtaining the frequency of the shield emitters so they could then modify their weapons to bypass the shield and get in a deadly attack.

In real life, as hackers readily change their malware, attack vectors, and social engineering tactics, we need to be agile and adapt faster than the enemy to thwart them.

Changing defense tactics has also been used by agencies like Homeland Security to alter screening methods and throw potential terrorists off from a routine that could be more easily overcome.

I think the future of IT Security really lies in the shapeshifter strategy, where the enemy can’t easily penetrate our defenses, because we’re moving so fast that they can’t even find our vulnerabilities and design an effective attack before we change it and up our game again.

And hence, the evil Borg will be vanquished… 😉

Government Shutdown – Starbucks


So today is Day #2 of the Federal Government Shutdown.

This is a picture from the local Starbucks that is typically billowing at lunch time–as you can see it’s basically a morgue.

Unfortunately, hard-working Federal employees, contractors, and local businesses are feeling the impact!

Even from those that are still working, there is word of “survivor’s guilt”–like with a plane crash or other calamity, when those who survive the catastrophe question why they were so fortunate when the others weren’t so lucky and perished.

With both the budget shutdown and the impending debt ceiling showdown–we are facing the perfect storm, with real negotiation and compromise yet to emerge.

With this all, our significant national problems aren’t going away–to the contrary, Iran and North Korea are still global nuclear threats, Syria still has chemical weapons, the economy remains on shaky ground (in the paper today, the once high-flying pharmaceutical company Merck is planning to lay off 20%!), the national debt continues to spiral out of control (albeit at a “slower pace”), cybersecurity remains a major national security risk (although Cyber Command continues to stand up its new headquarters and firepower), and so much more.

Bubble stocks rose again yesterday after an almost 20% one-year return. Not only that, but the safety of gold took a beating again after an almost 40% one-year decline (full disclosure, I am a recent investor in the latter). One has to wonder how long it will take for sanity to prevail once again.

(Source Photo: Andy Blumenthal)

Raising The Bar On Cybersecurity

Good video by The Washington Post (2 June 2012) on the importance and challenges of cybersecurity.

There are 12 billion devices on the Internet today and this is projected to soar to 50 billion in the next decade.

Cybersecurity is paramount to protecting the vast amounts of critical infrastructure connected to the Internet.

There is a lot riding over the Internet–power, transportation, finance, commerce, defense, and more–and the vulnerabilities inherent in this are huge!

Some notable quotes from the video:

– “Spying, intrusions, and attacks on government and corporate networks occur every hour of every day.”

– “Some sort of cyberwar is generally considered an inevitability.”

– “Cyberwar although a scary term–I think it is as scary as it sounds.”

– “Right now the bar is so low, it doesn’t take a government, it doesn’t take organized crime to exploit this stuff–that’s what’s dangerous!”

We all have to do our part to raise the bar on cybersecurity–and let’s do it–now, now, now.

(Source Photo: here with attribution to University of Maryland Press Releases)