Sunday, June 7, 2015

Some Thoughts on the OPM Breach

**Updates**

What’s In a Background Investigation, Anyway?

Dissecting the OPM Breach: Ex-DHS Cybersecurity Leader Mark Weatherford Analyzes Hack, by Eric Chabrow, June 5, 2015.

Main Article

On June 4th, the same day the New York Times and ProPublica reported on Snowden documents showing that "the Obama administration has expanded the National Security Agency’s warrantless surveillance of Americans’ international Internet traffic to search for evidence of malicious computer hacking" and also that "the NSA sought permission to target hackers even when it could not establish any links to foreign powers," the government disclosed another data breach of government computers, this time at the US Office of Personnel Management (OPM), the agency that, among other tasks related to government employees and employment, also conducts background investigations for prospective employees and security clearances across government, with hundreds of thousands of cases each year.
There have been lots of responses to these revelations. Amie Stepanovich linked the data breach to the NSA revelation, suggesting that the NSA would be the one doing the investigation. My uneducated guess is that in addition to hunting overseas hackers, NSA is also doing insider threat hunting. Since the breach happened sometime last year and OPM discovered it in April, some asked why reveal it now?

One answer to "why now" is to remember that Snowden's revelations came right before a US-China meeting where Obama was going to complain about Chinese theft of US intellectual property. Disclosing last year's breach now could turn the tables back to the US doing the criticizing.

Disclosure of the latest computer breach comes ahead of the annual U.S.-China Strategic and Economic Dialogue scheduled for June 22-24 in Washington, D.C. Cyber security was already expected to be high on the agenda.
Marcy wrote about the irony of the hack in the bulk collection debate:
The same report notes that the hack may be linked to the hack of similar scope of Anthem earlier this year.
This is, as a lot of the current and former government employees I follow on Twitter are realizing this morning, a devastating hack, one which will have repercussions both in the private lives of those whose data has been hacked as well as generally for America’s national security, because the data in the OPM servers offers a road map for further espionage targeting.
It is also something the US does all the time — and not just against official government employees of adversary nations, but also against civilian or quasi civilian telecom targets, as well as employees of corporations of interest.
The US Intelligence Community let us have a debate over a mere fraction of the bulk data being collected by the NSA — that collected domestically to target Americans. But for the stuff targeting foreigners on a far greater scale, President Obama proclaimed we would continue collecting in bulk but limit its use to all the major purposes we were already using it for before we ever got around to debating the Section 215 dragnet.
(1) espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests;
(2) threats to the United States and its interests from terrorism;
(3) threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction;
(4) cybersecurity threats;
(5) threats to U.S. or allied Armed Forces or other U.S or allied personnel;
(6) transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named in this section.
That scope goes well beyond the scope of those affected in this OPM hack.
Whistleblower attorney Brad Moss used the OPM breach to criticize Snowden.

Marcy gives one answer to Brad, writing:
Once the government does whatever it can to protect the millions compromised by this hack, I hope it will provide an opportunity to do two things: focus on actual cyber-defense, rather than an offensive approach that itself entails and therefore legitimates precisely this kind of bulk collection, and reflect on whether the world we’ve built, in which millions of innocent people get swept up in spying because it’s easy to do so, is really one we want to pursue. Ideally, such reflection might lead to some norm-setting that sharply limits the kinds of targets who can be bulk collected (though OPM would solidly fit in any imaginable such limits).
The other answer for Brad is that Snowden would be criticizing the zero-day exploits that the Washington Post (and ZDNet) say were used in this attack. As Snowden describes, the offensive tools used by the NSA are the same tools used by our adversaries. Brad does make one good comment though, but I don't know what the implications are yet.

However, one problem I have with the article is its explanation of a zero-day, described as:
“zero-day” — a previously unknown cyber-tool — to take advantage of a vulnerability that allowed the intruders to gain access into the system.
"Previously unknown tool" makes it sound like a new hacking tool. A zero-day is a previously unknown vulnerability, or entry point, not a new tool, so "new vulnerability" would be the clearer description.

Tim Shorrock tweeted an article reporting that USIS was still doing security for OPM after doing background checks for Snowden and Navy Yard shooter Aaron Alexis, and after suffering its own cyber attack, disclosed last year.

Robert Caruso has a series of tweets listing categories of people who are affected by the OPM breach, from many national security journalists to almost anyone who flies, and, in replying to Adam Goldstein, explains that USIS was doing OPM's job for it.

OPM announced in response to the breach that:
OPM has partnered with the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) and the Federal Bureau of Investigation (FBI) to determine the full impact to Federal personnel.
Here is a problem with relying on CERT.

One difference with this hack of a government system (and not a good one) compared with other recent high profile breaches is:
Researchers note that in contrast to the hacks of Home Depot and Target, personal data that might have been stolen from OPM, Anthem and the other companies has not shown up on the black market, where it can be sold to identity thieves. That is another sign, they said, that the intrusions are not being made for commercial purposes.
Back to the new Snowden revelations, however: my thoughts right now are that the "hacker hunter" program is really an insider threat program as well. See here and here.
