Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
OPM: Personal Info On 21.5 Million People Exposed In Hack
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Jon M. Kelley
50%
50%
Jon M. Kelley,
User Rank: Moderator
7/24/2015 | 9:22:42 PM
Re: Worriesome and astonishing: OPM can't count
Per OPM press release 19.7 milloin security applications were copied, but those applicants only had 1.8 million dependents. Even if OPM is only counting dependents that were required to list SSNs (e.g. spouses, ex-spouses, cohabitants, et cetera), that means that significantly less than 9% of the applicants were EVER married!  Since the clearance is refreshed every ~5 years, and ex's are never dropped from the form it becomes clear that people with clearances don't breed.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/17/2015 | 9:08:06 AM
Re: Attacker
Absolutely, @xmarksthespot. This is an intelligence nightmare with so many potential ramifications. 
xmarksthespot
50%
50%
xmarksthespot,
User Rank: Strategist
7/17/2015 | 12:11:07 AM
Re: Attacker
I was thinking, another way this information can be used: easier infiltration.  Simply verifying the identification of a person is a primary purpose of the background check.  They want to be certain that person is who they say they are.   If someone was to reapply for a security clearance and they provide information about their history that is even slightly different, big red flags go up.   This database, if acquired by another country, can be used to develop an exact duplicate of a person's assumed legitimate history to submit during application for a national security position, and they could build it out from there.

 
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/14/2015 | 4:58:03 PM
Re: Attacker
Well, security researchers and others are pointing at China. This is pure intel hacking, and devastating in its scope and exposure. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/14/2015 | 3:48:59 PM
Re: There should be a solution.
Better make storage online secure. All we need to focus on confidentiality, integrity and availability and apply that to different layers. Why would anybody be able to acce4ss this much information at any given time? There is no real reason.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/14/2015 | 3:46:37 PM
Re: Lost war
I would say lost. Why wouldn't I? this amount of information with this sensitivity should have not been compromised. Not from US. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/14/2015 | 3:44:26 PM
Re: Lost war
Americans lost. US Government may still be getting what they need to get, we just do not hear it, and obviously they are not protecting the data well enough.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
7/14/2015 | 3:42:15 PM
Lawsuits
Should we expect any lawsuit against government anytime soon? If this was happening to a private company the government will be all over it. Very surprising that this much sensitive information could be compromised at a given time.
StepAheadPR
50%
50%
StepAheadPR,
User Rank: Strategist
7/14/2015 | 3:06:33 PM
Worriesome and astonishing

The extent of the records stolen is astonishing and worrisome. Over 21 million people exposed, or around 7-8% of the U.S. population, have had personally identifiable information compromised in the attacks.

Although usernames and passwords can be changed, and compromised cards replaced, victims of a breach need to understand that every bit of information exposed is important. Fraudsters are learning that information coupled from various breaches can create more comprehensive 'identity bundles' which sell for a higher value to hackers.

With more complete information, more fraud can take place. As an example, if I'm a hacker and gain access to geographical data on John Smith from breach one, and bank account information from breach two, I can fill out a loan application or apply for a new credit card as John regularly would. 

Fortunately, user behavior analytics can provide victims of this and other breaches with an extra layer of protection even after the hack has occurred. Online fraud detection solutions can stop fraudsters in their tracks by identifying suspicious activity, in a completely passive and unintrusive way. This is accomplished by understanding how a legitimate user truly behaves in contrast to a potential fraudster with legitimate information.

Without even interrupting a user's experience, fraud can be predicted and prevented from occurring.

HAnatomi
50%
50%
HAnatomi,
User Rank: Apprentice
7/11/2015 | 4:35:09 AM
There should be a solution.
Hopefully someone will soon come up with a solution that enables us to stores the biometric data offline and use them online but does not force us to carry around the device that stores the sensitive data.
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises Are Assessing Cybersecurity Risk in Today's Environment
The adoption of cloud services spurred by the COVID-19 pandemic has resulted in pressure on cyber-risk professionals to focus on vulnerabilities and new exposures that stem from pandemic-driven changes. Many cybersecurity pros expect fundamental, long-term changes to their organization's computing and data security due to the shift to more remote work and accelerated cloud adoption. Download this report from Dark Reading to learn more about their challenges and concerns.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4875
PUBLISHED: 2022-01-21
IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 190838.
CVE-2020-4876
PUBLISHED: 2022-01-21
IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 190839.
CVE-2020-4877
PUBLISHED: 2022-01-21
IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 could be vulnerable to unauthorized modifications by using public fields in public classes. IBM X-Force ID: 190843.
CVE-2020-4879
PUBLISHED: 2022-01-21
IBM Cognos Controller 10.4.0, 10.4.1, and 10.4.2 could allow a remote attacker to bypass security restrictions, caused by improper validation of authentication cookies. IBM X-Force ID: 190847.
CVE-2021-4016
PUBLISHED: 2022-01-21
Rapid7 Insight Agent, versions prior to 3.1.3, suffer from an improper access control vulnerability whereby, the user has access to the snapshot directory. An attacker can access, read and copy any of the files in this directory e.g. asset_info.json or file_info.json, leading to a loss of confident...