Vulnerabilities / Threats // Advanced Threats

6/12/2015 03:20 PM

OPM Breach Scope Widens, Employee Group Blasts Agency For Not Encrypting Data

Lack of encryption 'indefensible' and 'outrageous,' American Federation of Government Employees says.

Concerns that up to 14 million records may have been exposed in the recently disclosed data breach at the U.S. Office of Personnel Management (OPM) were compounded by reports Thursday that much of the data in those records may have been unencrypted.

In a letter to OPM director Katherine Archuleta, the American Federation of Government Employees (AFGE) lamented the sketchy information that has been released on the breach so far and insisted the scope was much broader than let on. AFGE national president David Cox said he has reason to believe that the hackers behind the OPM intrusion accessed personnel records on every single federal employee, federal retiree, and up to one million former federal workers.

Based on the information that OPM has released, the hackers appear to have targeted the agency’s Central Personnel Data File database, Cox said. That would mean the hackers have every employee’s Social Security Number, military records, veteran status information, address, birth date, pay, life insurance, age, race, and other information.

“Worst, we believe Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous,” Cox wrote.

The Associated Press, quoting unnamed government sources, said the records in question date back to 1980 and belong predominantly to former federal employees.

The OPM itself has not disclosed what systems were affected and said it believes the intrusion occurred in December 2014. The agency has also been somewhat vague on the specifics of how the breach was discovered, merely noting that it became aware of the intrusion when implementing new security measures.

However, ABC News reported that unnamed sources had told it the initial intrusion had actually happened more than a year ago and remained undetected since then. The hackers then worked their way through four different segments of OPM systems, ABC said, describing what appears to have been lateral movement by the attackers across the network. And according to the Wall Street Journal, the breach was actually discovered in mid-April during a product demonstration by security vendor CyTech.

CyTech did not immediately respond to a Dark Reading request for comment.

The breach, especially given its widening scope, is sure to focus attention on the use—or lack of use—of encryption to protect sensitive data by government agencies.

According to the OPM, it manages sensitive data on more than 30 million people. The prospect that all, or a large share, of that data is unencrypted has already sparked outrage from AFGE, and it is almost certain that the agency will get a lot more grief on the issue in coming months.

“Let’s be clear here, the excuses the government uses to not have encrypted all of that sensitive data are wholly unacceptable," said Richard Blech, CEO and co-founder of Secure Channels in a statement. “There is no viable reason for sensitive government data to be left in a database that was cleartext and unencrypted, unless the goal was to have it stolen.”

What’s not immediately clear is how useful encryption would have been in this situation, especially if the hackers accessed the Central Personnel File database using valid login credentials. In that case, the hackers would likely have had the same access to the data and the encryption keys as the legitimate owner of the account.

And while encryption might be a best practice, it is not entirely surprising that OPM did not encrypt the data, adds Rich Stiennon, chief research analyst at IT-Harvest.

“Encryption is the last line of defense for sensitive data at rest,” Stiennon says. “But it is still hard for many organizations to pull off, because with encryption comes the headache of key management. Encrypted data, especially in an active database such as that kept by OPM, has to be decrypted on the fly when it is accessed.”

An attacker can either attempt to steal the encryption keys along with the database, or simply gain authorized access and suck the data out, he said. “Encryption alone is not enough against a determined hacker. The recent IRS hack is an example of how just using a web front end can be manipulated into giving access to decrypted data.”
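Stiennon's point above, illustrated with an added example that is not from the article or from any organization named in it: a toy encrypted-at-rest personnel store in Python with constructed sample records. A copy of the table alone yields ciphertext; a valid account gets plaintext because the application must decrypt on the fly; and the one signal a defender still has is the decryption audit trail, here turned into a bulk-read alert. The HMAC-SHA256 counter-mode keystream is a stand-in so the example runs on the standard library alone, not a recommendation (a real system would use an AEAD such as AES-GCM from a vetted library).

```python
import hmac, hashlib, os

def _keystream(key, nonce, n):
    """Toy keystream: HMAC-SHA256 in counter mode, stdlib-only. Real systems use AES-GCM."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(data, key, nonce):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

class EncryptedPersonnelStore:
    """Rows hold (nonce, ciphertext); the key lives with the application, not the table."""
    def __init__(self, key):
        self._key, self._rows, self.audit = key, {}, []  # audit: (account, record_id) per decrypt
    def put(self, rid, plaintext):
        nonce = os.urandom(12)
        self._rows[rid] = (nonce, _xor(plaintext, self._key, nonce))
    def dump_raw(self):
        """Storage-layer theft without the key yields only ciphertext."""
        return dict(self._rows)
    def read(self, account, rid):
        """A valid account gets plaintext: the application decrypts on the fly and logs it."""
        nonce, ct = self._rows[rid]
        self.audit.append((account, rid))
        return _xor(ct, self._key, nonce)

def bulk_read_alerts(audit, threshold):
    """Accounts that decrypted more than `threshold` distinct records: the detectable signal."""
    per_account = {}
    for account, rid in audit:
        per_account.setdefault(account, set()).add(rid)
    return sorted(a for a, rids in per_account.items() if len(rids) > threshold)

def demo():
    store = EncryptedPersonnelStore(os.urandom(32))
    for i in range(50):                      # constructed sample records, not real data
        store.put(i, f"SSN-{i:09d}".encode())
    stolen = store.dump_raw()                # scenario 1: database copied, key not included
    store.read("hr_clerk", 3)                # scenario 2a: normal single-record lookup
    for i in range(50):                      # scenario 2b: valid account drains the table
        store.read("contractor_admin", i)
    return stolen, store, bulk_read_alerts(store.audit, threshold=10)
```

Scenario 1 is what encryption at rest defends against; scenario 2b is the case the article describes, where only the decrypt audit trail distinguishes the abuse from ordinary use.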

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
Gallavin,
User Rank: Apprentice
6/19/2015 | 11:05:14 AM
Re: Encryption is NOT a panacea
Your firewalls don't matter if you allow "root" access to people. Encryption doesn't matter, nothing matters. Privileged access controls were totally absent here... which, given the nature of the information and the fact it was third-partied out to a NON US firm, is frankly mind-boggling.

I find it disturbing the amount of data breaches lately and the lack of understanding on HOW the real damage is caused.

Here is a fact to chew on...

100% of all advanced attacks exploit privileged credentials. In this case however, they didn't even have to exploit them because they were given full authorization to access anything they wanted from the get go.

Hello!?!?!? Anyone over at the OPM ever hear of "least privileged" access policies! Geez.

Scarier yet, even though most in the business would say it's ill advised to offer such carte blanche access to any administrator in the private sector, giving root access to admins is still quite common in all industries, from small businesses to large multinational corporations.

Ask Sony Pictures, Anthem, Premera, and Target.
RayM227,
User Rank: Apprentice
6/16/2015 | 11:31:32 PM
Re: Encryption is NOT a panacea
I'd like to know what route the attackers took into the OPM network(s), if firewall rules were in place that should have prevented or slowed their access, and how the account and password information was obtained. Was it an administrative direct database access, or access to a front end application? I think it's important for other IT professionals to know this.
aws0513,
User Rank: Ninja
6/15/2015 | 2:44:27 PM
Encryption is NOT a panacea
This compromise was not caused by lack of data encryption practices. Even if true, data encryption would not have stopped this.

This compromise was conducted using resource accesses that had the necessary credentials and keys to view encrypted data.

The people yelling about encryption shortfalls may have legitimate claims about data-at-rest (DAR) issues, but are coming across as clueless to the real causes for breaches of this magnitude: compromise of data using accesses that have been provided by the system.

I agree, especially on notebook and mobile device platforms, that encryption of data is a good practice if done correctly. But data encryption is not and will never be a protection against the compromised user account (with access rights) scenario.