Hackers stole security check info on at least 25,000 DHS employees
- Thread starter JournalBot
- Start date
Just another example of the truly non existent "digital security". It really seems as if there is a whole industry that calls themselves "security professionals" that turn out the be anything but. If companies like these can't secure their networks, who the hell can?
Upvote
29
(30
/
-1)
I'm trying to think of the next big thing I can claim to do for money but can't and people will still pay me anyway.
Nice work if you can get it.
But on a more serious note. It will only get worse.
Nice work if you can get it.
But on a more serious note. It will only get worse.
Upvote
13
(13
/
0)
As bad as it is that those employees' financial records have been exposed, there is a bigger issue here: how much damage could be done using the stolen information as authentication credentials?
Upvote
20
(20
/
0)
[url=http://meincmagazine.com/civis/viewtopic.php?p=27492255#p27492255:k91hvo94 said:
Think blackmail of people who provide security...
Upvote
36
(36
/
0)
Wow the Feds need to get their act together, seen better "security" at my local bar than what they seem to have in Washington
Upvote
8
(10
/
-2)
Well, it's not like China needs to impersonate someone to get a credit card or something. This was probably to identify the security folks and get any supplemental info they could (connections in other countries, languages spoken, assignments, etc.). This is the kind of background-noise espionage we expect from foreign countries.[url=http://meincmagazine.com/civis/viewtopic.php?p=27492259#p27492259:2e88hp9s said:
During the Cold War, the list of students taking any particular military linguist course was classified, mainly for OPSEC so that a soldier's travel wouldn't raise any red flags with the Soviets.
Every single time a class of Russian linguists graduated, they'd get cards from the Soviet embassy congratulating them on mastering such a difficult language.
Upvote
35
(35
/
0)
Imagine the NSA would use all its vast knowledge and resources to actually help secure IT infrastructure and communications instead of constantly undermining everything...
Upvote
36
(36
/
0)
Skullsnstuff
Wise, Aged Ars Veteran
[url=http://meincmagazine.com/civis/viewtopic.php?p=27492307#p27492307:2qbze3ws said:
That would undermine their abilities to spy on their own bosses in Congress and fellow security agencies. Wait, what was their mission again? I forgot and so did they.
Upvote
33
(33
/
0)
[url=http://meincmagazine.com/civis/viewtopic.php?p=27492307#p27492307:25cb7ivt said:
They already do that. There are two parts to the NSA, and all evidence seems to indicate they don't seem to care about each other. There is the part that is into breaking into things and all the nonsense people are up in arms about, and then there is the part that provides input to securing things.
Interesting things can happen when the part that secures things alerts a third party that they have a problem, it gets fixed, then the side that wants to break into things gets angry cause the loophole has been closed.
Don't paint things with a broad brush. Stuff like SElinux is directly because of the NSA.
Upvote
19
(19
/
0)
USIS isn't the only company doing this kind of work, or the only one that loses applicant information. At one, just one US military installation, a new maintenance contractor used the services of Xerox to digitize paper documents submitted by employees of a previous contractor, with the digitized information going to First Advantage (Lexus Nexus) for processing in the employee vetting process.
The paper documents included copies and originals of birth records, certificates, high school diplomas and GED documents, tax filings, marriage documents, medical records, military records, every form of government and corporate documentation it takes to live a person's life.
All of the documents, ALL of them, were subsequently lost, misplaced, gone forever. The contractor ended up requiring every employee submit all records and documents a second time. Not an easy feat when many contract employees are in their late 50s and early 60s, and have no access to old high school records or original birth documents (think Obama), when states and school systems have lost records over the years, schools and hospitals no longer exist. It was a huge cluster jerk.
In the end, no investigation was ever done into the disappearance of the thousands of paper documents, none of the companies admitted wrong doing or accepted responsibility for the lost records and personal information. And it all happened on a government contract at a US DOD installation. So, for anyone considering a career in contract government work, be forewarned.
The paper documents included copies and originals of birth records, certificates, high school diplomas and GED documents, tax filings, marriage documents, medical records, military records, every form of government and corporate documentation it takes to live a person's life.
All of the documents, ALL of them, were subsequently lost, misplaced, gone forever. The contractor ended up requiring every employee submit all records and documents a second time. Not an easy feat when many contract employees are in their late 50s and early 60s, and have no access to old high school records or original birth documents (think Obama), when states and school systems have lost records over the years, schools and hospitals no longer exist. It was a huge cluster jerk.
In the end, no investigation was ever done into the disappearance of the thousands of paper documents, none of the companies admitted wrong doing or accepted responsibility for the lost records and personal information. And it all happened on a government contract at a US DOD installation. So, for anyone considering a career in contract government work, be forewarned.
Upvote
15
(16
/
-1)
Remember when Microsoft had to drop everything in the early 2000s to address their security problems (thus delaying Longhorn/Vista in the process)? Remember when the entire software industry had to drop everything to address the Y2K problem?
That's the level of attention that we need for our various databases and accounts. Right now.
Anything less at this point is gross negligence, and there should be jail time for anyone who behaves otherwise. I don't think people are taking the stakes seriously anymore.
There are no more excuses, right on up to the CEO and Presidential level.
That's the level of attention that we need for our various databases and accounts. Right now.
Anything less at this point is gross negligence, and there should be jail time for anyone who behaves otherwise. I don't think people are taking the stakes seriously anymore.
There are no more excuses, right on up to the CEO and Presidential level.
Upvote
27
(27
/
0)
I still don't understand why networks like these are connected to "the internet"
Upvote
14
(15
/
-1)
[url=http://meincmagazine.com/civis/viewtopic.php?p=27492259#p27492259:27h8kqqe said:
DHS and the other TLAs do a lot to reduce the chance of blackmail -- or they're supposed to. Background checks exist largely to investigate whether there's something that could be used to blackmail you. If they find something, they make an assessment whether they think it's serious enough for you to actually risk effing jail time to not have it revealed. Usually the answer is no, but if the answer is yes, you aren't cleared.
But you have to be willing to put up with them looking under your fingernails. It's a high price, but if you pay it you know the government isn't worried about the stuff they found there, and they're usually right about whether what they know could be used against you in a serious way.
Upvote
-2
(4
/
-6)
[url=http://meincmagazine.com/civis/viewtopic.php?p=27492317#p27492317:877edrpt said:
No, it's the CIA that spies on Congress.
http://www.nytimes.com/2014/08/01/world ... .html?_r=0
Now I just need a FOIA request to find out what they found out that Congress doesn't want us to know.
Upvote
11
(11
/
0)
I emailed Sean about this story last night, so go me... he may have already had it in the hopper though.
Here's the thing that's not in the media though -- USIS is shut down. Pretty much completely. A coworker's husband worked for them, and on Aug 4 he was told that due to the hack all their systems (email, phones, everything) was shut down and they would not be allowed in the office. A couple weeks ago he was told that the investigation was ongoing.
This past Tuesday he filed for unemployment -- he was an hourly employee (not a contractor), and while he apparently didn't like the job, it was at least a paycheck, and at 60+ finding another job is... difficult. Particularly since his preferred line of work (manufacturing) pretty much doesn't exist in this country any more.
OPM (Office of Personnel Management) and DHS have pulled their contracts. He's been told that the company will not reopen for business until at least October. And even then it's questionable. I haven't seen any of this in news stories, but given that he had to file for unemployment, I think I'll believe his wife.
I don't know of any other hack that has led to a company being shutdown for a month... much less 2-3. It helps to remember that there are people who really do get hurt by this kind of shit.
Here's the thing that's not in the media though -- USIS is shut down. Pretty much completely. A coworker's husband worked for them, and on Aug 4 he was told that due to the hack all their systems (email, phones, everything) was shut down and they would not be allowed in the office. A couple weeks ago he was told that the investigation was ongoing.
This past Tuesday he filed for unemployment -- he was an hourly employee (not a contractor), and while he apparently didn't like the job, it was at least a paycheck, and at 60+ finding another job is... difficult. Particularly since his preferred line of work (manufacturing) pretty much doesn't exist in this country any more.
OPM (Office of Personnel Management) and DHS have pulled their contracts. He's been told that the company will not reopen for business until at least October. And even then it's questionable. I haven't seen any of this in news stories, but given that he had to file for unemployment, I think I'll believe his wife.
I don't know of any other hack that has led to a company being shutdown for a month... much less 2-3. It helps to remember that there are people who really do get hurt by this kind of shit.
Upvote
23
(23
/
0)
This is why homosexuals couldn't get security clearances for a long time. Even if you were out of the closet, they assumed your lover or future lover might not be. There was some arduous process to get an exception, but it was probably easier to hide your orientation from the government than it was to get the exception.[url=http://meincmagazine.com/civis/viewtopic.php?p=27492429#p27492429:3cudngb8 said:
The policy did change at some point, but it was due to changing social acceptance of gays, not because the FBI investigators suddenly realized they were discriminating.
Upvote
10
(12
/
-2)
[url=http://meincmagazine.com/civis/viewtopic.php?p=27492601#p27492601:1dc4p5kd said:
... and because getting that government job required hiding that fact, it thus become something that could be used against you through blackmail, anyone noticing a self-fulfilling prophecy here?
Upvote
16
(17
/
-1)
I've had to give date of birth and SSN a number of time for base pass clearance. (A bare minimum background check.) I always assumed the data wasn't secure, but such data is easily obtained by hackers anyway.
But I always thought it was weird that the government didn't know this data anyway. Perhaps it was to insure they investigated the right person.
But I always thought it was weird that the government didn't know this data anyway. Perhaps it was to insure they investigated the right person.
Upvote
4
(4
/
0)
[url=http://meincmagazine.com/civis/viewtopic.php?p=27492321#p27492321:j9qmohnj said:
Well, I think they used to do that. Like back when the NSA secretly strengthened IBM's DES algorithm with "better" S-boxes making the encryption standard resistant to an attack vector that apparently was discovered by the NSA before anyone else. They no longer seem to see that as something desirable.
Upvote
4
(5
/
-1)
Is it just me, or is the north american intelligence network turning into an episode of Archer?
Upvote
4
(4
/
0)
[url=http://meincmagazine.com/civis/viewtopic.php?p=27492255#p27492255:3w38mi1b said:
The background check data includes their SSN, all their recent addresses, a financial background check, and pretty much any relationship data they have ,depending on what level clearance they were cleared for. At least, that is, if they do it right.
Upvote
6
(6
/
0)
[url=http://meincmagazine.com/civis/viewtopic.php?p=27492461#p27492461:zeoqfvf7 said:
Probably not the hack but the evidence of sloppiness and deception that were revealed along with the hack were what got their contracts pulled. Your friend should consider contacting a lawyer, as the JD may go after the company and he wants to be a witness and not a defendant. It can be difficult to know which the JD considers you.
Upvote
1
(1
/
0)
[url=http://meincmagazine.com/civis/viewtopic.php?p=27492695#p27492695:ctlykzf1 said:
That's exactly the reason. I have a relatively unusual name and I still get several dozen matches in America on a Google search. But there's only one person that has my SSN.
Upvote
1
(1
/
0)
There are at least two structural problems with the government security apparatus, on both the investigation side (the people who actually conduct the investigations) and the management side (the functionaries who "manage" the process):
One, a lot of the investigators are former military or law enforcement, and aren't qualified for other kinds of jobs. So you get a bunch of investigators that, to put it politely, have a chip on their shoulders and are used to being obeyed by civilians, but don't get a lot of respect in their job - they don't make any decisions, they just go gather information. Kind of a clerical position - not that there's anything wrong with that :-/, but not what they are used to. So,the quality of their work isn't necessarily the best.
Two, many of the manager types are intent on moving up, so they are focused on brown nosing their bosses for good recommendations and are constantly looking for other jobs in the organization, neither of which is conducive to quality work. They pay just enough attention to their current gig to do just good enough to get that transfer into a sexier part of the org.
None of this is conducive to quality work product.
One, a lot of the investigators are former military or law enforcement, and aren't qualified for other kinds of jobs. So you get a bunch of investigators that, to put it politely, have a chip on their shoulders and are used to being obeyed by civilians, but don't get a lot of respect in their job - they don't make any decisions, they just go gather information. Kind of a clerical position - not that there's anything wrong with that :-/, but not what they are used to. So,the quality of their work isn't necessarily the best.
Two, many of the manager types are intent on moving up, so they are focused on brown nosing their bosses for good recommendations and are constantly looking for other jobs in the organization, neither of which is conducive to quality work. They pay just enough attention to their current gig to do just good enough to get that transfer into a sexier part of the org.
None of this is conducive to quality work product.
Upvote
5
(5
/
0)
Huh. When I worked a shitty job at the bottom of the DHS totem pole (TSA), they lost my SF-85 (the fifteen page background check form). Along with a few thousand others. After two years of employment, they told us we all had to fill the thing out again because they weren't sure if anyone's background check was actually done. Or who, if anyone, actually had all that paperwork.
Of course, they couldn't blame Chinese hackers for disappearing paperwork. But at least they paid the same worthless contractor to gather the same information again.
Good to see they're just as careful with the information now that it's on a computer. Incompetent, but faster!
Of course, they couldn't blame Chinese hackers for disappearing paperwork. But at least they paid the same worthless contractor to gather the same information again.
Good to see they're just as careful with the information now that it's on a computer. Incompetent, but faster!
Upvote
10
(10
/
0)
[url=http://meincmagazine.com/civis/viewtopic.php?p=27493497#p27493497:xmpwvf67 said:
At least your data was handled with blue gloves!
I used to wonder why these database companies grow like the Borg, especially Oracle. Unless you know what you are doing, it is best to have one company manage all your data. Otherwise stuff slips through the cracks.
Companies are like people, i.e. pack rats. They generally don't toss data, but they often can't locate it either. You can rest assured your private data is in some storage locker and will appear on a bad reality TV show some day.
Upvote
2
(2
/
0)
One million mistakes per second
eduardopozo56
Ars Centurion
[url=http://meincmagazine.com/civis/viewtopic.php?p=27492247#p27492247:16iy07cz said:
They CAN secure their networks. But that costs money, time and resources.
Upvote
3
(3
/
0)
[url=http://meincmagazine.com/civis/viewtopic.php?p=27494043#p27494043:2m9me24j said:
And no CEO can possibly live on any less than 80% of the income of the company, so why pay for security?
They aren't accountable in the end, so it can be someone elses problem.
When is the last time you saw anyone connected with stupidity this grand face anything more than harsh words and having to wait 6 months for the company to rebrand and go right back to being as incompetent as before?
Upvote
5
(6
/
-1)
[url=http://meincmagazine.com/civis/viewtopic.php?p=27492471#p27492471:mk6acwo1 said:
For the upper management, asset forefiture followed by execution. For the grunts, no criminal charges except for the odd case.
Upvote
-2
(0
/
-2)
I am actually surprised that background checks for security clearance are delegated to contractors. This is wrong on several levels.
First, security clearance exists to preserve state secrets, this is not something that should be delegated to any kind of non-governmental institution, it is a state privilege and duty to provide this function. Should we also delegate police functions to outside contractors while we are at it? We know how well this worked in Irak.
Second, this is technically problematic as the theft of these documents prove. No amount of paperwork will guarantee that contractors abide by proper security measures and verifying it on-site likely would cost as much than for the government the data by itself in the first place. Outsourcing this task is a false saving and whoever decided it was a good idea (probably during-or-after the Reagan era I guess? The article should have provided this information for context.) must now measure how much damage this great idea has allowed China to wield upon the US.
Third, as has been said, why is this information on a network connected to the Internet? As much as I hate state secrets because they are so often used to conceal information which should be visible to citizens, this information should be in a fully air-gapped network. There is so much actionable information which can be obtained via the list of people with a clearance that the first priority of anyone handling that list, regardless of any other functional imperative should be to "keep it out of harm's way".
Finally, it is regrettable the article does not try to evaluate how much damage this might cost. As others have mentioned this list essentially gives foreign powers a list of easy targets to hack into and/or blackmail. Knowing two or three people with security clearances doesn't help you much but when you get a whole population of them, you are bound to find something you can blackmail them with and likely as many entry points into all kind of classified data.
It's pretty clear that the government security establishment must be feeling the heat pretty hard now:
they now have 25000 entry points into classified data to monitor and secure, that's quite daunting if possible at all.
edit: typos, style.
First, security clearance exists to preserve state secrets, this is not something that should be delegated to any kind of non-governmental institution, it is a state privilege and duty to provide this function. Should we also delegate police functions to outside contractors while we are at it? We know how well this worked in Irak.
Second, this is technically problematic as the theft of these documents prove. No amount of paperwork will guarantee that contractors abide by proper security measures and verifying it on-site likely would cost as much than for the government the data by itself in the first place. Outsourcing this task is a false saving and whoever decided it was a good idea (probably during-or-after the Reagan era I guess? The article should have provided this information for context.) must now measure how much damage this great idea has allowed China to wield upon the US.
Third, as has been said, why is this information on a network connected to the Internet? As much as I hate state secrets because they are so often used to conceal information which should be visible to citizens, this information should be in a fully air-gapped network. There is so much actionable information which can be obtained via the list of people with a clearance that the first priority of anyone handling that list, regardless of any other functional imperative should be to "keep it out of harm's way".
Finally, it is regrettable the article does not try to evaluate how much damage this might cost. As others have mentioned this list essentially gives foreign powers a list of easy targets to hack into and/or blackmail. Knowing two or three people with security clearances doesn't help you much but when you get a whole population of them, you are bound to find something you can blackmail them with and likely as many entry points into all kind of classified data.
It's pretty clear that the government security establishment must be feeling the heat pretty hard now:
they now have 25000 entry points into classified data to monitor and secure, that's quite daunting if possible at all.
edit: typos, style.
Upvote
3
(3
/
0)
[url=http://meincmagazine.com/civis/viewtopic.php?p=27492253#p27492253:4zb63pnp said:
Since it has been observed by many who "fly signs", or hold signs scrawled out on pieces of cardboard by the side of the road, that such solicitation of donations can be more profitable than any of the usual ways of obtsining income, one might expect an increase in white collar solicitors who used to work for government contractors.
Upvote
1
(1
/
0)
I understand that there are few, if any, fans of the DHS and NSA who post at Ars. But what purpose does it serve to blame the victim(s)? "Americans" and America-haters are so quick to level accusations of stupidity, incompetence or evil at the NSA, CIA, DoD, Congress, the President, ad nauseam. But why not focus the blame at the source of the attacks, and, most importantly, its sponsors?
Maybe Ars has been overrun by state-sponsored (im-)posters?
Maybe Ars has been overrun by state-sponsored (im-)posters?
Upvote
-2
(1
/
-3)
- Status