Wednesday, June 24, 2015

Everything is coming up OPM - What I am reading 6/24/2015

The Register - Login creds for US agencies found scrawled on the web's toilet walls -

A threat intelligence report into the availability of login credentials for US government agencies has identified 47 agencies across 89 unique domains may be compromised.
...
The report comes after the February 2015 Office of Management and Budget (OMB) report [PDF] to Congress, which highlighted 12 agencies which did not require their most privileged users to log in with any form of two-factor authentication.
All 12 of these agencies, (including the Departments of State and Energy) had possibly valid login credentials available on the open web, according to the new report by Recorded Future, a web intelligence company.
Jesus.  At this point why even bother?  Between Manning, Snowden, and the Chinese (and our own crappy infosec practices) every secret the U.S. Government could possibly want to protect is out there.  And if it isn't they are busily manufacturing documents to make it look like it is - which I firmly believe to be the case in most of the Snowden revelations.

Washington Post - Cyberattack on USIS may have hit even more government agencies -

The massive cyberattack last year on the federal contractor that conducted background investigations for security clearances may have been even more widespread than previously known, affecting the police force that protects Congress and an intelligence agency that helped track down Osama bin Laden. 
...
“Based on this new information, the data breach at USIS appears much more damaging than previously known, affecting our intelligence community, our immigration agencies, and even our police officers here on Capitol Hill,” he said. “It is unclear why USIS withheld this information from Congress for so long, especially since I raised this question more than seven months ago.”

One of the concerns is that the hackers who hit OPM got their login credentials from this previous attack.  Given that, it's disturbing that these companies are still not being fully forthcoming with the extent of the hit they took.

Washington Post - Computer system that detected massive government data breach could itself be at ‘high risk,’ audit finds -

OPM “has initiated this project without a complete understanding of the scope of OPM’s existing technical infrastructure or the scale and costs of the effort required to migrate it to the new environment . . . In our opinion, the project management approach for this major infrastructure overhaul is entirely inadequate, and introduces a very high risk of project failure,” it says.
...

The upgrade project includes a full overhaul of the agency’s technical infrastructure and then migrating the entire infrastructure into a completely new environment.
“While we agree in principle that this is an ideal future goal for the agency’s IT environment, we have serious concerns regarding OPM’s management of this Project. The Project is already underway and the agency has committed substantial funding, but it has not yet addressed several critical project management requirements,” the alert says.

So basically they are just throwing money at the problem without a real plan and hoping things get better.  It's almost a guarantee they won't.


