Monday, June 22, 2015

Hacking . . . or something

When is hacking not hacking?  When it's subcontracting.

Do you remember the news story of a couple of weeks ago wherein it was revealed that the government database giving the details of everyone who is or ever was a government employee or contractor had been hacked? It seems it wasn't hacked.

Department of Homeland Security Assistant Secretary for Cybersecurity Dr. Andy Ozment testified that encryption would "not have helped in this case" because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering. And because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network.

Lots more interesting -- not to say appalling -- stuff at Ars Technica here. Including this in the penultimate paragraph:

A consultant who did some work with a company contracted by OPM to manage personnel records for a number of agencies told Ars that he found the Unix systems administrator for the project "was in Argentina and his co-worker was physically located in the [People's Republic of China]. Both had direct access to every row of data in every database: they were root. Another team that worked with these databases had at its head two team members with PRC passports. I know that because I challenged them personally and revoked their privileges. From my perspective, OPM compromised this information more than three years ago and my take on the current breach is 'so what's new?'"

And what other security issues have been subcontracted to the People's Republic of China?

[Originally pointed to this article by Jerry Pournelle's excellent site. Alas, I don't see how to link to the precise paragraph in question. So here's the page. Start scrolling.]