Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

6/12/2015
03:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

OPM Breach Scope Widens, Employee Group Blasts Agency For Not Encrypting Data

Lack of encryption 'indefensible' and 'outrageous,' American Federation of Government Employees says.

Concerns that up to 14 million records may have been exposed in the recently disclosed data breach at the U.S. Office (OPM) Personnel Management were compounded by reports Thursday that a lot of the data in those records may have been unencrypted.

In a letter to OPM director Katherine Archuleta, the American Federation of Government Employees (AFGE) lamented the sketchy information that has been released on the breach so far and insisted the scope was much broader than let on. AFGE national president David Cox said he has reason to believe that the hackers behind the OPM intrusion accessed personnel records on every single federal employee, federal retiree, and up to one million former federal workers.

Based on the information that OPM has released, the hackers appear to have targeted the agency’s Central Personnel Data File database, Cox said. That would mean the hackers have every employee’s Social Security Number, military records, veteran's status information, address, birth date, pay, life insurance, age, race, and other information.

“Worst, we believe Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous,” Cox wrote.

The Associated Press, quoting unnamed government sources, said the records in question date back to 1980 and belong predominantly to former federal employees.

The OPM itself has not disclosed what systems were affected and said it believes the intrusion occurred in December 2014. The agency has also been somewhat vague on the specifics of how the breach was discovered, merely noting that it became aware of the intrusion when implementing new security measures.

However, ABC News reported that unnamed sources had told it the initial intrusion had actually happened more than a year ago and remained undetected since then. The hackers then worked their way through four different segments of OPM systems, ABC said, describing what appears to have been lateral movement by the attackers across the network. And according to the Wall Street Journal, the breach was actually discovered in mid-April during a product demonstration by security vendor CyTech.

CyTech did not immediately respond to a Dark Reading request for comment.

The breach, especially given its widening scope, is sure to focus attention on the use—or lack of use—of encryption to protect sensitive data by government agencies.

According to the OPM, it manages sensitive data on more than 30 million people. The prospect that all, or a lot of the data is unencrypted has already sparked outrage from AFGE and it's almost certain that the agency will get a lot more grief on the issue in coming months.

“Let’s be clear here, the excuses the government uses to not have encrypted all of that sensitive data are wholly unacceptable," said Richard Blech, CEO and co-founder of Secure Channels in a statement. “There is no viable reason for sensitive government data to be left in a database that was cleartext and unencrypted, unless the goal was to have it stolen.”

What’s not immediately clear is how useful encryption would have been in this situation, especially if the hackers accessed the Central Personnel File database using valid login credentials. In that case, the hackers would likely have had the same access to the data and the encryption keys as the legitimate owner of the account.

And also, while encryption might be a best practice, it's not entirely surprising that OPM did not encrypt it, adds Rich Stiennon, chief research analyst at IT-Harvest.

“Encryption is the last line of defense for sensitive data at-rest,” Stiennon says. “But it is still hard for many organizations to pull off, because with encryption comes the headache of key management. Encrypted data, especially in an active database such as that kept by OPM, has to be decrypted on-the-fly when it is accessed,” he said.

An attacker can either attempt to steal the encryption keys along with the database, or simply gain authorized access and suck the data out, he said. “Encryption alone is not enough against a determined hacker. The recent IRS hack is an example of how just using a web front end can be manipulated into giving access to decrypted data.”

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Gallavin
100%
0%
Gallavin,
User Rank: Apprentice
6/19/2015 | 11:05:14 AM
Re: Encryption is NOT a panacea
Your firewalls don't matter if you allow "root" access to people. Encryption doesn't matter , nothing matters. Privielged access controls were totally absent here...which given the nature of the information and the fact it was thrid partied out to a NON US firm , is frankly, mindboggling. 

I find it distrurbing the amount of data breaches lately and the lack of understanding on HOW the real damage is caused.

Here is a fact to chew on...

100% of all advanced attacks exploit privileged credentials. In this case however, they didn't even have to exploit them because they were given full authorization to access anything they wanted from the get go.

Hello!?!?!? Anyone over at the OPM ever hear of "least privlieged" access policies! Geez.

Scarier yet , even though most in the business would say it's ill advised to offer such carte blanc access to any administrator in the private sector, giving root access to admin's is still quite common in all industries , from small businesses to large mulkti national corporations. 

Ask Sony Pictures, Athem, Premera, and Target. 
RayM227
100%
0%
RayM227,
User Rank: Apprentice
6/16/2015 | 11:31:32 PM
Re: Encryption is NOT a panacea
I'd like to know what route the attackers took into the OPM network(s), if firewall rules were in place that should have prevented or slowed their access, and how the account and password information was obtained. Was it an administrative direct database access, or access to a front end application? I think it's important for other IT professionals to know this.
aws0513
100%
0%
aws0513,
User Rank: Ninja
6/15/2015 | 2:44:27 PM
Encryption is NOT a panacea
This compromise was not caused by lack of data encryption practices.  Even if true, data encryption would not have stopped this.

This compromise was conducted using resource accesses that had the necessary credentials and keys to view encrypted data.

The people yelling about encryption shortfalls may have legitimate claims about data-at-rest (DAR) issues, but are coming across as clueless to the real causes for breaches of this magnatude: compromise of data using accesses that have been provided by the system.

I agree, especially on notebook and mobile device platforms, that encryption of data is a good practice if done correctly.  But data encryption is not and will never be a protection against the compromised user account (with access rights) scenario.
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Cognitive Bias Can Hamper Security Decisions
Kelly Sheridan, Staff Editor, Dark Reading,  6/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12855
PUBLISHED: 2019-06-16
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
CVE-2013-7472
PUBLISHED: 2019-06-15
The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter.
CVE-2019-12839
PUBLISHED: 2019-06-15
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
CVE-2019-12840
PUBLISHED: 2019-06-15
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
CVE-2019-12835
PUBLISHED: 2019-06-15
formats/xml.cpp in Leanify 0.4.3 allows for a controlled out-of-bounds write in xml_memory_writer::write via characters that require escaping.