Vulnerabilities / Threats //

Advanced Threats

6/12/2015
03:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

OPM Breach Scope Widens, Employee Group Blasts Agency For Not Encrypting Data

Lack of encryption 'indefensible' and 'outrageous,' American Federation of Government Employees says.

Concerns that up to 14 million records may have been exposed in the recently disclosed data breach at the U.S. Office (OPM) Personnel Management were compounded by reports Thursday that a lot of the data in those records may have been unencrypted.

In a letter to OPM director Katherine Archuleta, the American Federation of Government Employees (AFGE) lamented the sketchy information that has been released on the breach so far and insisted the scope was much broader than let on. AFGE national president David Cox said he has reason to believe that the hackers behind the OPM intrusion accessed personnel records on every single federal employee, federal retiree, and up to one million former federal workers.

Based on the information that OPM has released, the hackers appear to have targeted the agency’s Central Personnel Data File database, Cox said. That would mean the hackers have every employee’s Social Security Number, military records, veteran's status information, address, birth date, pay, life insurance, age, race, and other information.

“Worst, we believe Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous,” Cox wrote.

The Associated Press, quoting unnamed government sources, said the records in question date back to 1980 and belong predominantly to former federal employees.

The OPM itself has not disclosed what systems were affected and said it believes the intrusion occurred in December 2014. The agency has also been somewhat vague on the specifics of how the breach was discovered, merely noting that it became aware of the intrusion when implementing new security measures.

However, ABC News reported that unnamed sources had told it the initial intrusion had actually happened more than a year ago and remained undetected since then. The hackers then worked their way through four different segments of OPM systems, ABC said, describing what appears to have been lateral movement by the attackers across the network. And according to the Wall Street Journal, the breach was actually discovered in mid-April during a product demonstration by security vendor CyTech.

CyTech did not immediately respond to a Dark Reading request for comment.

The breach, especially given its widening scope, is sure to focus attention on the use—or lack of use—of encryption to protect sensitive data by government agencies.

According to the OPM, it manages sensitive data on more than 30 million people. The prospect that all, or a lot of the data is unencrypted has already sparked outrage from AFGE and it's almost certain that the agency will get a lot more grief on the issue in coming months.

“Let’s be clear here, the excuses the government uses to not have encrypted all of that sensitive data are wholly unacceptable," said Richard Blech, CEO and co-founder of Secure Channels in a statement. “There is no viable reason for sensitive government data to be left in a database that was cleartext and unencrypted, unless the goal was to have it stolen.”

What’s not immediately clear is how useful encryption would have been in this situation, especially if the hackers accessed the Central Personnel File database using valid login credentials. In that case, the hackers would likely have had the same access to the data and the encryption keys as the legitimate owner of the account.

And also, while encryption might be a best practice, it's not entirely surprising that OPM did not encrypt it, adds Rich Stiennon, chief research analyst at IT-Harvest.

“Encryption is the last line of defense for sensitive data at-rest,” Stiennon says. “But it is still hard for many organizations to pull off, because with encryption comes the headache of key management. Encrypted data, especially in an active database such as that kept by OPM, has to be decrypted on-the-fly when it is accessed,” he said.

An attacker can either attempt to steal the encryption keys along with the database, or simply gain authorized access and suck the data out, he said. “Encryption alone is not enough against a determined hacker. The recent IRS hack is an example of how just using a web front end can be manipulated into giving access to decrypted data.”

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Gallavin
100%
0%
Gallavin,
User Rank: Apprentice
6/19/2015 | 11:05:14 AM
Re: Encryption is NOT a panacea
Your firewalls don't matter if you allow "root" access to people. Encryption doesn't matter , nothing matters. Privielged access controls were totally absent here...which given the nature of the information and the fact it was thrid partied out to a NON US firm , is frankly, mindboggling. 

I find it distrurbing the amount of data breaches lately and the lack of understanding on HOW the real damage is caused.

Here is a fact to chew on...

100% of all advanced attacks exploit privileged credentials. In this case however, they didn't even have to exploit them because they were given full authorization to access anything they wanted from the get go.

Hello!?!?!? Anyone over at the OPM ever hear of "least privlieged" access policies! Geez.

Scarier yet , even though most in the business would say it's ill advised to offer such carte blanc access to any administrator in the private sector, giving root access to admin's is still quite common in all industries , from small businesses to large mulkti national corporations. 

Ask Sony Pictures, Athem, Premera, and Target. 
RayM227
100%
0%
RayM227,
User Rank: Apprentice
6/16/2015 | 11:31:32 PM
Re: Encryption is NOT a panacea
I'd like to know what route the attackers took into the OPM network(s), if firewall rules were in place that should have prevented or slowed their access, and how the account and password information was obtained. Was it an administrative direct database access, or access to a front end application? I think it's important for other IT professionals to know this.
aws0513
100%
0%
aws0513,
User Rank: Ninja
6/15/2015 | 2:44:27 PM
Encryption is NOT a panacea
This compromise was not caused by lack of data encryption practices.  Even if true, data encryption would not have stopped this.

This compromise was conducted using resource accesses that had the necessary credentials and keys to view encrypted data.

The people yelling about encryption shortfalls may have legitimate claims about data-at-rest (DAR) issues, but are coming across as clueless to the real causes for breaches of this magnatude: compromise of data using accesses that have been provided by the system.

I agree, especially on notebook and mobile device platforms, that encryption of data is a good practice if done correctly.  But data encryption is not and will never be a protection against the compromised user account (with access rights) scenario.
Game Change: Meet the Mach37 Fall Startups
Ericka Chickowski, Contributing Writer, Dark Reading,  10/18/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.