
Dear OPM – Thanks for exposing my data!…”Clean up your own backyard!” (Elvis) October 20, 2015

Posted by Chris Mark in Uncategorized.

Let me start with Elvis’ “Clean up your own Backyard”

“Back porch preacher preaching at me
Acting like he wrote the golden rules
Shaking his fist and speeching at me
Shouting from his soap box like a fool
Come Sunday morning he’s lying in bed
With his eye all red, with the wine in his head
Wishing he was dead when he oughta be
Heading for Sunday school

Clean up your own backyard
Oh don’t you hand me none of your lines
Clean up your own backyard
You tend to your business, I’ll tend to mine”

Today I received a letter from the United States Office of Personnel Management, or OPM, informing me that my personal data had been stolen in a data breach. As a quick reminder, the OPM was the victim of a major data breach in which over 22.4 million current and former federal workers and military members’ personal information was stolen by the Chinese Government, although the Obama administration did not formally accuse Beijing.

The breach was finally disclosed by the OPM in June 2015 but started in March 2014. So what was stolen? According to the report I received today…it included (ready for this)…1) Social Security Number, 2) Full Name, 3) Address, 4) Education History, 5) Employment History, 6) Information on my dependents and close family, and 7) my SF86 from when I applied for my security clearance…among other data. For those who are unaware, the SF86 is a 127-page document titled “Questionnaire for National Security Positions” that asks questions about every aspect of a person’s life, to include 1) Friends’ names, 2) Emotional and Psychological health, 3) use of alcohol and drugs, 4) financial issues, 5) affiliations with groups, and more! This information is much more personal and sensitive than just a Social Security number.

I find it amusing that, within 2 days of Target disclosing that they had been victimized by criminals who stole millions of credit card numbers, the “Honorable” Senator Menendez (D-NJ), a sitting US Senator (and “back porch preacher” who is now under criminal indictment), would deride Target and ask whether the “…FTC has the teeth to hold retailers who failed to protect consumers’ information accountable.” He then continued: “if a company doesn’t invest in security to ensure customer data can’t be stolen, then you have to question why a company would not do that.” The Target CFO would be forced to APOLOGIZE to the US Congress for security ‘failures’, yet when the OPM is breached the US Government distances itself from any liability. This is sine qua non for any action in which the Federal Government fails…they simply deny that they failed. According to OPM spokesperson Samuel Shumach: “The intrusions into OPM’s systems were criminal acts committed by unknown adversaries for criminal purposes. As a result, we have done and continue to do everything possible to protect the security of OPM systems and the records contained in those systems. We will also continue to contact those who may have been affected, and to offer credit monitoring.” The OPM, in their letter, graciously offered (read closely): “These services are offered as a convenience to you,” “However, nothing in this letter should be construed as OPM or the U.S. Government accepting liability for any of the matters covered by this letter or for any other purpose.” Our government officials simply hold corporations which have credit card data stolen to a different standard.

In November, 2014 the OPM was subject to an audit against the Federal Information Management Systems Act (FISMA).  Here are some of the more relevant findings:

  • OPM does not maintain a comprehensive inventory of servers, databases, and network devices. In addition, we are unable to independently attest that OPM has a mature vulnerability scanning program.
  • Eleven major OPM systems are operating without a valid Authorization. This represents a Material weakness in the internal control structure of OPM’s IT Security Program.
  • Program offices are not adequately incorporating known weaknesses into Plans of Action and Milestones (POA&Ms) and the majority of systems contain POA&Ms that are over 120 days old.
  • Multi-factor authentication is not required to access OPM systems in accordance with OPM memorandum M-11-11.

For those in the infosec world these findings should both anger and horrify you. A government organization that handles the most sensitive of personal data cannot even be bothered to implement two-factor authentication? For those of us who have served either in the military or the government this incompetence is neither surprising nor unexpected. The absolute lack of accountability the US Government takes with regard to its own failings is troubling yet, again, not unexpected.

Couple this with the fact that it was discovered that the sitting US Secretary of State was using a ‘personal server’ for official business and that the server was found to have contained classified information. This server, it was disclosed, used Microsoft’s Remote Desktop Protocol (RDP) for management directly from the Internet. This, as any amateur infosec professional knows, is a serious security violation. More recently, the director of the CIA, John Brennan, and the Director of Homeland Security, Jeh Johnson, had their personal email accounts hacked by a Palestinian sympathizer and, according to the hacker, those systems also contained data that appears to have been classified. Let’s not forget that the White House and Department of State (among others) were also breached in 2014.

With these lunatics running the asylum it is little wonder that the OPM has been breached by the Chinese. Maybe a more accurate description would be monkeys running the zoo or even clowns running the circus. Either way, until the US Government can clean up its own backyard, that “back porch preacher” should “Tend to its own business and I’ll tend to mine.”


