Federal Employees' SSNs and Data Hacked

Discussion in 'Politics, Religion, Social Issues' started by rhett7660, Jun 11, 2015.

  1. rhett7660 macrumors G4

    rhett7660

    Joined:
    Jan 9, 2008
    Location:
    Sunny, Southern California
    #1
    From the sound of it and from what reports are saying, hackers may have gotten all the personal data of some four million Federal Employees, including social security numbers!

    http://finance.yahoo.com/news/union...very-federal-employee-195138422--finance.html

    Other sites are reporting the same thing, but most are linking back to this article....

    This is great, since I have members of my family working for the Feds... UGH
     
  2. aaronvan Suspended

    aaronvan

    Joined:
    Dec 21, 2011
    Location:
    República Cascadia
    #2
    I read that this data wasn't protected by weak encryption; it had zero encryption. This should result in mass firings, beginning with Katherine Archuleta. It won't, however. Like the TSA scandal, the guilty will be "reassigned" and continue to receive their SES paychecks.
     
  3. phrehdd macrumors 68040

    phrehdd

    Joined:
    Oct 25, 2008
    #3
    ...and now we are supposed to entrust the IRS with our "obamacare" sensitive data. Truly pathetic. I'll skip over the idiocy scam about NSA leaving data with phone companies etc. instead of their super data store. I absolutely feel so much safer with data stored 1.5 years with a phone company.
     
  4. rhett7660 thread starter macrumors G4

    rhett7660

    Joined:
    Jan 9, 2008
    Location:
    Sunny, Southern California
    #4
    Yeah, there should be some heads rolling on this if it is true...
     
  5. ucfgrad93 macrumors P6

    ucfgrad93

    Joined:
    Aug 17, 2007
    Location:
    Colorado
    #5
    Agreed, no one will be held accountable which is par for the course in government.
     
  6. bradl, Jun 12, 2015
    Last edited: Jun 12, 2015

    bradl macrumors 68040

    bradl

    Joined:
    Jun 16, 2008
    #6
    In the FBI's defense, I will say that SSNs do not need to be encrypted.

    Putting on my sysadmin hat (which I do for a living), and dealing with the sensitive data that I do, there is a difference here between PII and PCI data. PII (Personal Identifiable Information) data is data that can be used to positively identify someone. This could be anything from name, address, SSN, etc. This does not have any sort of encryption requirement, though companies that deal with it have the ability to encrypt it or obscure it. The only exception to this is HIPAA, where PHI (Personal Health Information) has its own provisions, because it is protected by another law and set of regulations on its own.

    PCI (Payment Card Industry) data, on the other hand, requires encryption, because you are dealing with the transfer of funds from one bank to another. The standard has provisions that would require all digits except the first 6 and last 4 to be obscured, though the files containing that data are highly encrypted. There are also standards for what that level of encryption needs to be, just to conform with the standard; that says nothing about any other requirements a bank would have.

    Having worked with all three of these types of sensitive data, I can say that in the government's defense there isn't any requirement for the data to be encrypted, though that doesn't excuse them from being paranoid and vigilant (something a sysadmin needs to be, as we don't know what the next hack or attack will be, what data they would be looking for, when it would happen, nor the attack vector).

    So yes, they erred on not protecting their data, but they aren't required to encrypt PII.

    BL.
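
A defender-side illustration of the two handling rules bradl describes (PCI: show only the first 6 and last 4 digits of a card number; PII such as an SSN may be obscured), written as an added example and not code from this post or from any real system: it redacts constructed log lines before they are retained. The Luhn check used to avoid masking other long numbers, and the "keep last 4" SSN format, are my assumptions, not anything the post states.

```python
import re

# Constructed sample log lines for the example; the numbers are not real identifiers.
SAMPLE_LOG = [
    "2015-06-11 10:02:13 app=enroll ssn=123-45-6789 status=ok",
    "2015-06-11 10:02:14 app=payments card=4111111111111111 amount=12.50",
    "2015-06-11 10:02:15 app=payments card=4111 1111 1111 1111 amount=3.00",
    "2015-06-11 10:02:16 app=lookup ticket=2015061199999 note=not a card",
]

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes, as PANs are usually typed.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test (an assumed extra filter so other long numbers are left alone)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(candidate: str) -> str:
    """Keep the first 6 and last 4 digits (the PCI rule from the post), obscure the rest."""
    digits = re.sub(r"[ -]", "", candidate)
    if not luhn_ok(digits):
        return candidate        # fails the check digit: not a card number, leave it unchanged
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_ssn(candidate: str) -> str:
    """Assumed PII handling: keep only the last 4 digits of an SSN."""
    return "***-**-" + candidate[-4:]


def redact_line(line: str) -> str:
    """Apply the SSN rule first, then the PAN rule, to one log line."""
    line = SSN_RE.sub(lambda m: mask_ssn(m.group(0)), line)
    return PAN_RE.sub(lambda m: mask_pan(m.group(0)), line)


def redact_log(lines):
    return [redact_line(line) for line in lines]


if __name__ == "__main__":
    for out in redact_log(SAMPLE_LOG):
        print(out)
```

The 13-digit ticket number on the last sample line matches the PAN pattern but fails the Luhn check, so it is left untouched while both card formats are masked the same way.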
     
  7. lowendlinux Contributor

    lowendlinux

    Joined:
    Sep 24, 2014
    Location:
    North Country (way upstate NY)
    #7
    Regulations in my little part of Fed gov require PII to be encrypted.
     
  8. bradl macrumors 68040

    bradl

    Joined:
    Jun 16, 2008
    #8
    Which part may that be? Curious, as regulations may vary from branch to branch.

    BL.
     
  9. lowendlinux Contributor

    lowendlinux

    Joined:
    Sep 24, 2014
    Location:
    North Country (way upstate NY)
    #9
    I work for the Army. The disheartening thing about this hack is I heard about it two weeks ago but I didn't get the email from OPM stating that it happened until Tuesday. What's worse is that OPM does all security clearance investigations so they have a lot of data on a lot of people.
     
  10. bradl macrumors 68040

    bradl

    Joined:
    Jun 16, 2008
    #10
    And the military is definitely one of those exceptions that does require PII to be encrypted (and justifiably so). When I worked for the DoD, there were a hell of a lot of requirements for encryption there as well. Hell, they (the DoD) created one of the strongest standards for encryption.

    Again, this takes nothing away from the FBI. They definitely are negligent on this, and if they did have regs that state that PII must be encrypted, they are in for a world of hurt.

    BL.
     
  11. phrehdd macrumors 68040

    phrehdd

    Joined:
    Oct 25, 2008
    #11
    I appreciate your desire to clarify matters but there are a couple of problems here ...

    I never mentioned the FBI but rather, IRS and NSA and phone companies.

    For those unaware, HIPAA was intended to protect sensitive customer data as related to health and medical. Consider it a set of rules of compliance that businesses and agencies in this venue must comply with. However, merely having it in place is no guarantee. As an example, some hospitals and doctors use transcription. Under HIPAA, they can send the data out to have this exercise done. When I say "out," that means all the way to another country such as India. Even with a full disclosure agreement in place, there is no way to control/police properly the handling of the data and it is left to "trust" (should be a four letter word). Similar can be said for programming done outside the USA where under HIPAA (and SOX for that matter) there isn't any provision to prove that the software is safe (as in no back doors, as another example).

    IRS - This is an entity with two strikes against them with respect to USA citizens - past breaches and misuse of information from within (Lerner). These are the people who now have all your* data with respect to Obamacare. You can see where this is going so I won't go on further.

    The gathering of Federal data may be far more than name and SSN. In fact, those are the two items most commonly associated with identity theft. Then again, while not as widely acknowledged, items like blackmail have gone on and will continue.

    During Y2K days I had my first brush with HIPAA and later, in another company, SOX (Sarbanes-Oxley), and was happy to see some sort of regulation until it became clear there were gaping holes, loopholes and more. We are not protected as much as we, the general population, should be. When your privacy is compromised for the sake of dollars, we have a problem.

    I'll skip over all the kinds of security measures that must be in place to have a good start, as it remains a rather tedious exercise, but SSN encryption is just a small subset in dealing with security as a part of risk management.
     
  12. aaronvan Suspended

    aaronvan

    Joined:
    Dec 21, 2011
    Location:
    República Cascadia
    #12
    I'm pretty sure all federal PII data has to be encrypted. If it isn't, then that's yet another failure of the incompetent Obama administration that was all over net neutrality but permitted Chinese hackers to steal gigabytes of unencrypted sensitive information on U.S. citizens.
     
  13. NT1440 macrumors G4

    NT1440

    Joined:
    May 18, 2008
    Location:
    Hartford, CT
    #13
    ...you gonna fire the 2+ decades of System Admins that created this system?

    It's no secret that the US Government, aside from SIGINT, has archaic systems that take literally years to update, and an overhaul will take a decade at the least.

    Just look at the FAA air traffic control systems, literally the same system put in during the 80's.

    Our government IT systems are just another part of the rapidly decaying infrastructure in this country. I'm not surprised this has happened at all because, as usual, the USA refuses to invest in not literally falling apart, at its own peril.
     
  14. bradl macrumors 68040

    bradl

    Joined:
    Jun 16, 2008
    #14
    I just linked the standard which stated that the data doesn't have to be encrypted. Besides, all of the Federal laws coming into effect for PII were proposed and/or passed in (wait for it.....) 2005. No encryption requirements were included in those laws when they were proposed or passed into law.

    In short, you're blaming the wrong POTUS.

    Fair disclaimer: as a Linux Sysadmin, I have worked for the following entities dealing with sensitive data:

    DoD
    Medi-Cal (California's Medicare/Medicaid programs)
    California DMV

    My current job is a sysadmin at a company that provisions credit card swiping terminals as well as credit card fraud analysis. So for the past 15 years, I've been dealing with PII, HIPAA, and PCI data.

    Other examples of PII data: address, phone number, IP address, VIN number, passport number, login name, userID, and driver's license.

    None of those require encryption per any standard for PII. If the Feds internally have their own standard for encrypting PII data, that's on them, but everywhere I have worked, there has been no requirement for PII encryption.

    Again, that says nothing about protecting the data (read: disk retention, safeguards in place to prevent access to the data). The breach is the crux of the issue, not the encryption.

    BL.
     
  15. aaronvan Suspended

    aaronvan

    Joined:
    Dec 21, 2011
    Location:
    República Cascadia
    #15
    That is true. Were the servers even behind a firewall? Who was responsible for their NSM? Was anyone?
     
  16. phrehdd macrumors 68040

    phrehdd

    Joined:
    Oct 25, 2008
    #16
    There are, as I stated before, several facets of risk management. It is naive to say that it would take a decade to make it work. For some it might be a top-down structure of highest risk or yield (what is the most damaging data if acquired) and start to put more security in place - even if it's a temporary "fix."

    If the government can expect large businesses to do it, they can do it as well. The issue, as pointed out, isn't simply encrypting data. There is far more to it and the real answer is yes, it can be done, yes it should be done and the sooner the better.

    Btw, "SysAdmin" is a catch all term and while some may indeed do some truly excellent work with respect to information security and risk management, it is not the title normally associated with decisions and types of security to include in infrastructure. We were fortunate enough that bradl is one of those that does deal with it.

    The government most likely would have (or at least we would hope) a department for Information Security that either stands separate of IT or is a part of IT within their various divisions, offices and departments. There really isn't any excuse for what went on other than it exposed just how vulnerable and antiquated the measures we have in place are today.

    People may have an opinion on this matter and some are a bit more drawn from experience or education but even those that are not familiar with the details are right in demanding more and finding this situation quite unsettling.
     
  17. bradl, Jun 13, 2015
    Last edited: Jun 13, 2015

    bradl macrumors 68040

    bradl

    Joined:
    Jun 16, 2008
    #17
    Good question. If it wasn't, you're right in asking why it wasn't. IMHO, they should have been:
    • encrypted on disk with a retention policy in place,
    • in a database on an isolated network with very limited access,
    • firewalled,
    • with only required applications accessing the database,
    • firewalled (campus firewall/DMZ),
    • applications served by a web server,
    • Web Application Firewall,
    • perimeter firewall.

    But that's just me. You'd think that federal IT should have more in place than what they did. Now, this raises the question of how long it wasn't encrypted; that is where initial blame goes.

    Well said. My company has its ISO completely separated from my group (IT). Because not only are they responsible for security at my job, they are also responsible for auditing the work that IT does. That way, we can correct it before our client's auditors catch it, so we can remain in compliance with PCI, SAS70, and other ISO standards.

    We've had SSL encryption since the mid 1990s (1995 at least), so why it took them so long to identify this as sensitive data (8 years at least) is a problem.

    BL.
     
  18. zioxide macrumors 603

    zioxide

    Joined:
    Dec 11, 2006
    #18
    Unfortunately the government agencies who are supposed to be working to secure these computer systems are too busy trying to spy on Americans and put backdoors in encryption to "FIGHT TER'RISTS!" instead of actually trying to secure our nation's computer systems.
     
  19. Happybunny macrumors 68000

    Joined:
    Sep 9, 2010
    #19
    I find this indignation about this hack to be both hypocritical and naive. After the crap that the NSA pulled around the world, did you really think that the USA was going to be immune from hacking?
     
  20. phrehdd macrumors 68040

    phrehdd

    Joined:
    Oct 25, 2008
    #20
    I am unsure what you mean by hypocritical and naive. Could you elucidate, please?
     
  21. bradl macrumors 68040

    bradl

    Joined:
    Jun 16, 2008
    #21
    Makes you wonder if that is why they have been pushing for us to have weak encryption, so they could have something to crack if someone comes across their watch as suspicious.

    After PRISM and everything else the NSA has done, you would think that they'd have their yard in order so they could fend off anything done to them in retaliation. They didn't.

    All in all, this comes down to being a great example of why "do as I say, not as I do" is absolute bollocks.

    BL.
     
  22. lowendlinux Contributor

    lowendlinux

    Joined:
    Sep 24, 2014
    Location:
    North Country (way upstate NY)
    #22
    And it looks like I was part of the crew that got stolen:(
     
  23. VulchR macrumors 68020

    VulchR

    Joined:
    Jun 8, 2009
    Location:
    Scotland
    #23
    Agreed. Live by the sword, die by the sword. I once worked for the US government and my details might have been compromised. Suffice it to say I am not amused. I have the same concerns about US hacking as I do about the use of drones. Do policy makers in the US really believe that drones will be used only by US forces and not terrorists?
     
  24. aaronvan Suspended

    aaronvan

    Joined:
    Dec 21, 2011
    Location:
    República Cascadia
    #24
    I doubt anyone is hacking into the NSA's servers. However, OPM certainly doesn't have the same skill set, nor do they--I suspect--have an esprit de corps that would make them care. I can't imagine (probably unfairly) such a plodding bureaucracy being populated by anyone but clock-watchers and political hacks. And it's not like the USGOV has a single authority overseeing its sprawling IT infrastructure.
     
  25. bradl macrumors 68040

    bradl

    Joined:
    Jun 16, 2008
    #25
    I doubt they'd hit the NSA as well... they even came up with their own security-enhanced version of Linux, and have that implemented throughout their network.

    But what I was meaning by yard was their entire yard. WH, all Departments, all branches, Congress, the entire lot. But when you think about it, out of all of the places they could attempt to hit, they chose what to the common person would be considered the weakest: Human Resources. Now they are coming to the realization that HR is one of the most sensitive places within any organization, let alone the federal government.

    But then again, they (the government) have been running in reactive mode since 2001, and not in proactive mode. Internal audits and penetration tests could and would have easily indicated this hole.

    Furthermore, there were some hearings on this in Congress over the past few days. It came to light that some of the servers that were hit were at least 10 years old, running software and OS from that time, meaning Windows Server 2003, Windows XP, and possibly Windows NT. They are in a world of hurt, and don't know what to do about the patches they have to apply that would break the legacy software they are using... and are mandated to have this fixed within 30 days.

    Sounds like a great opportunity for an IT gig! or not... :confused:

    BL.
     
