Friday, June 19, 2015

OPM "Hacking": was it the result of incompetence or treason? - Richard Fernandez

by Richard Fernandez

The attackers “had valid user credentials and run of network” which they obtained through “social engineering”.

Ars Technica, describing how China “hacked” the OPM database, obtaining the records of millions of Federal Employees, notes that we should we should use the word “hack” advisedly.  The attackers “had valid user credentials and run of network” which they obtained through “social engineering”.
Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would “not have helped in this case” because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.
“Social engineering” for those that don’t know, is an IT security term for “someone gave them the password”. It’s not hard to see how the Chinese might have wheedled out a credential.
Some of the contractors that have helped OPM with managing internal data have had security issues of their own—including potentially giving foreign governments direct access to data long before the recent reported breaches. A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project “was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is ‘so what’s new?’”
Katherine Achuleta, the director of OPM claims that at least she found the “hack” — note the use of scare quotes used to preserve the reputation of real, honest hacking.  ”Archuleta told the committee that the breach was found only because she had been pushing forward with an aggressive plan to update OPM’s security, centralizing the oversight of IT security under the chief information officer and implementing ‘numerous tools and capabilities.’ She claimed that it was during the process of updating tools that the breach was discovered.”

Admiral Kimmel should have used that line at Pearl Harbor. “I noticed the base was bombed and informed Washington immediately.”

Katherine Achuleta, the person in charge of the Crown Jewels has had an interesting career path to her current position. Her biography at reveals a person proud of her membership in an “inclusive workforce that reflects the diversity of America”. Nowhere, however does her biography indicate that she knows diddly squat about computers, computer networks or security.
On May 23, 2013, President Obama appointed Director Archuleta to lead the U.S. Office of Personnel Management (OPM), the agency responsible for attracting and retaining an innovative, diverse and talented workforce to make the Federal government a model employer for the 21st century.
On November 4th, Archuleta was sworn in to begin her tenure as the 10th Director of OPM, and the first Latina to head this federal agency.
Director Archuleta began her career in public service as a teacher in the Denver public school system. She left teaching to work as an aide to Denver Mayor Federico Peña. When Mayor Peña became Secretary of Transportation during the Clinton Administration, Archuleta continued her public service as his Chief of Staff. Later, Peña was appointed to head the Department of Energy and Archuleta served as a Senior Policy Advisor in the Office of the Secretary.
After the Clinton Administration, she went back to local government and became a Senior Policy Advisor to Denver Mayor John Hickenlooper.
Archuleta spent the first two years of the Obama Administration serving as the Chief of Staff at the Department of Labor to Secretary Hilda Solis.
As the Director of OPM, Archuleta is committed to building an innovative and inclusive workforce that reflects the diversity of America. As a long-time public servant, she is a champion of Federal employees.
But OPM is right though. Encryption wouldn’t have helped.  The problem was somewhere else. Modern Western society has its own definition of “social engineering”.  It apparently means putting people in charge of things not because they know anything about it, but because they possess the highest symbolic value.  Race, gender, inclination or identification — especially political identification — are so much more important these days then being able to tell a difference between a hashed key and corned beef hash.

We’re in a race to the bottom.  And this time, we’ll win.

Watch a video of Jason Chaffetz interviewing Katherine Achuleta (scroll down to video)

Richard Fernandez


Copyright - Original materials copyright (c) by the authors.

No comments:

Post a Comment