US OPM, DoJ and DHS Hacked
After the OPM (US Office of Personnel Management) was hacked and at least 5.6 million people’s personal details including fingerprints were stolen, three US government agencies refused to attend and testify at a Congressional briefing. The OPM, DHS (US Department of Homeland Security) and OMB (US Office of Management and Budget) all refused to attend and testify because the briefing would be ‘on the record’.
I can’t say I blame them. Governments’ ability to keep secret information secret seems rather poor.
So now we have news that the DHS and the DoJ (US Department of Justice) have been ‘hacked’ and some of their personnel data stolen; DHS: 9,000 employees, DoJ: 20,000 employees.
Some commentators have focussed on the apparent stupidity of the IT service desk people who apparently received a call from the hacker and gave him access, bypassing the password and OTP (one-time password) or ID card controls. Well yes, it does seem a bit daft, but I’ll bet the service desk worked from a script or checklist to determine whether or not to grant access and that the hacker was able to supply enough information (no doubt acquired from other sources, perhaps even the OPM hack) to satisfy the procedure.
IT services always have authentication bypass procedures to accommodate people who forget passwords, lose tokens or freeze their access by mistyping their details too often. The trick is to get the balance right between getting people back to work and the security of the systems. My guess is that the people who run the IT services for DoJ and DHS (not the service desk call handlers) failed to review their bypass procedures adequately after the OPM hack. Once certain personal data is in the public domain it must not be possible to use it as identification information for another service.
However, I don’t think that granting access was the main security failing in this case. Having been granted access, the hacker was then able to access thousands of personnel records. What sort of system user needs direct access to that sort of information? Were there no internal controls limiting what could be accessed or downloaded? To work with 9,000 or 20,000 personnel records, you don’t need a listing, you need summaries: salary range, distribution and limits, age, ethnicity, sex. Why on earth was an apparently legitimate system user allowed access to the underlying data? That’s the main security weakness in this case. If we allow unrestricted access to the underlying data for some system users then sooner or later we will find we’ve given the data to a Private Manning or an Edward Snowden - and we know what happens then.
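As an added example that is not part of the original post, here is one way to put that point into code: a Python access layer that answers ordinary users with aggregate summaries only, restricts row-level reads to a named role, and counts those reads per user so a bulk pull stands out for whoever is watching. The roles, threshold, field names and records are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample personnel records (placeholder values, not real data).
RECORDS = [
    {"id": 1, "name": "A", "salary": 42000, "age": 29, "dept": "IT"},
    {"id": 2, "name": "B", "salary": 61000, "age": 41, "dept": "HR"},
    {"id": 3, "name": "C", "salary": 98000, "age": 52, "dept": "IT"},
    {"id": 4, "name": "D", "salary": 55000, "age": 36, "dept": "Legal"},
]

# Salary bands for the summary view (assumed, for illustration).
SALARY_BANDS = ((0, 50000, "<50k"), (50000, 80000, "50-80k"), (80000, 10**9, ">=80k"))

# Roles permitted to see individual rows; everyone else gets summaries only.
ROW_LEVEL_ROLES = {"records-officer"}
# Row-level reads per user before an alert flag is raised (assumed value).
BULK_THRESHOLD = 3
_row_access = defaultdict(int)


def _band(salary):
    return next(label for lo, hi, label in SALARY_BANDS if lo <= salary < hi)


def summarise(records):
    """Aggregate view: headcount, salary band counts, departments, age range."""
    ages = [r["age"] for r in records]
    return {
        "headcount": len(records),
        "salary_bands": dict(Counter(_band(r["salary"]) for r in records)),
        "departments": dict(Counter(r["dept"] for r in records)),
        "age_range": (min(ages), max(ages)) if ages else None,
    }


def personnel_query(user, role, record_id=None):
    """Summaries for any role; a single record only for row-level roles,
    with a per-user counter so repeated record reads are flagged."""
    if record_id is None:
        return {"ok": True, "summary": summarise(RECORDS)}
    if role not in ROW_LEVEL_ROLES:
        return {"ok": False, "reason": "row-level access not permitted for role"}
    _row_access[user] += 1
    rec = next((r for r in RECORDS if r["id"] == record_id), None)
    return {"ok": rec is not None, "record": rec,
            "bulk_alert": _row_access[user] > BULK_THRESHOLD}
```

The `bulk_alert` flag is the hook for detection: in practice it would feed an audit log or SIEM rather than being returned to the caller.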