Responding to Chinese hack, feds violated basic security procedures
Reacting to Chinese hack, the government may not have
followed its own cybersecurity rules
By Lisa Rein June 18 at 6:00 AM
In responding to China’s massive hack of federal
personnel data, the government may have run afoul of computer security again.
Over the last nine days, the Office of Personnel
Management has sent e-mail notices to hundreds of thousands of federal employees
to notify them of the breach and recommend that they click on a link to a
private contractor’s Web site to sign up for credit monitoring and other
protections.
But those e-mails have been met with increasing alarm by
employees — along with retirees and former employees with personal data at risk
— who worry that the communications may be a form of “spear phishing” used by
adversaries to penetrate sensitive government computer systems.
After the Defense Department raised a red flag about the
e-mails its 750,000 civilian employees were starting to receive, OPM officials
said late Wednesday that the government had suspended its electronic
notifications this week.
“We’ve seen such distrust and concerns about phishing,”
OPM spokesman Sam Schumach acknowledged, describing the feedback from many of
the 4.2 million current and former employees who are being notified that
personnel files containing their Social Security numbers, addresses and other
personal information may have been stolen.
Computer experts said the personnel agency — already
under fire from lawmakers from both parties for failing to protect sensitive
databases from hackers — could be putting federal systems in jeopardy again by
asking employees to click on links in the e-mails.
“There’s a risk that you desensitize people by telling
them that occasionally, there’s going to be a very important email you have to
click on,” said Joseph Lorenzo Hall, chief technologist at the Center for
Democracy & Technology.
He called OPM’s first round of e-mail transmissions the
equivalent of “sending a postcard to people saying gee, you just got hacked, go
to this website. The hackers could wise up and send their own set of fake
identity protection e-mails and get into your computers all over again.”
That’s precisely what worried top Defense officials
before the chief information officer of the government’s largest agency told
OPM last week to suspend the notifications because they disregarded basic
cybersecurity training that’s crucial to ensuring the safety of military
networks: Never click on unfamiliar links, attachments or e-mail addresses
because they expose employees to spear phishing attacks.
Defense offices across the country posted a bulletin in
their internal communication networks from CIO Terry Halvorsen that said OPM
was “suspending notification to DoD personnel that their [Personal Identifying
Information] may have been breached until an improved, more secure notification
and response process can be put in place.”
The notice continued:
“Recognizing that DOD personnel are trained not to open
links embedded in emails not digitally signed and/or sent from unknown senders,
DoD officials are working closely with other federal partners to establish
notification procedures that will allow DoD personnel to reliably and
confidently receive these notifications, and register for the benefits to which
they are entitled.”
Employees across the government and their unions have
raised concerns that the e-mails refer them to the Web site of a private
company with a .com address instead of coming from a government domain. Even
though they are given a PIN code, many people say they’re wary of giving a
contractor their Social Security numbers, addresses and other information they
need to provide to qualify for identity theft insurance and credit monitoring.
The contractor, CSID, resumed the e-mail notifications
late Wednesday with a change designed to give employees more confidence that
the communications are legitimate and the company’s Web site secure, Schumach
said. They still have the option to click directly on a link to enroll in
credit protection services, but now they can copy and paste the Web site
address, https://www.csid.com/opm/ themselves, a more secure strategy.
“To alleviate the concerns of phishing, OPM and [the
contractor] have made changes to email notifications by adding additional
options for those who want to enroll in the [contractor’s] services directly
from the email,” Schumach said. “Now, affected individuals will be able to not
only click on the ‘Enroll Now’ button, but will also have the option to copy a
non-hyperlink address so they know exactly what website they will be visiting.”
Despite the fixes, OPM’s credibility may still suffer.
Director Katherine Archuleta was berated by Democrats and Republicans on
Capitol Hill this week for what they called her serious negligence in failing
to take long-recommended steps to secure the computer systems containing
federal personnel records. Two top Republicans have called on her to resign.
“Even when they try to clean it up, they’re getting it
wrong,” Christopher Soghoian, principal technologist for the American Civil
Liberties Union, said of OPM’s response
to the data breach. “A policy saying don’t
send clickable links to employees is not rocket science. It’s cybersecurity
101.”
Officials are preparing to send a second round of
notifications to millions of employees and contractors that the hackers also
got access to their detailed personal histories.
Most federal agencies give their employees regular
cybersecurity training. But with their computer systems an obvious target for
cyber criminals, DOD civilians and active duty military get extensive
instruction in how to store their information securely, create strong passwords
and avoid exposing their networks to intruders. Some of the basic no-nos are
opening links or attachments from senders they don’t know.
The danger in clicking unfamiliar links is that an
employee will fall for a spear phishing scam, following bogus links that download
malicious programs and infect the organization’s information-technology servers.
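The two points above, the lure of a clickable link whose target is not what it appears to be and the mitigation of a plain, copyable address, can be checked mechanically. This is an added example, not code from the article, OPM, DoD or CSID; it assumes the expected host is www.csid.com (the address quoted above), and both sample notices are constructed.

```python
"""Flag the link problems a breach-notification e-mail can carry (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the notice is allowed to send people to (assumption based on the quoted address).
EXPECTED_HOSTS = {"www.csid.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_notice(html):
    """Return a list of findings; an empty list means the notice passes every check."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        if url.scheme != "https":
            findings.append(f"non-HTTPS link: {href}")
        if url.hostname not in EXPECTED_HOSTS:
            findings.append(f"link to unexpected host: {href}")
        # Visible text that looks like a URL but points elsewhere is the classic phishing lure.
        if "://" in text and urlparse(text).hostname != url.hostname:
            findings.append(f"display text {text!r} does not match target {href}")
    # The copy-and-paste address must appear as plain text, outside any anchor.
    body = re.sub(r"<[^>]+>", " ", re.sub(r"<a\b[^>]*>.*?</a>", " ", html, flags=re.S))
    if not any(urlparse(u).hostname in EXPECTED_HOSTS for u in re.findall(r"https://\S+", body)):
        findings.append("no plain-text address on an expected host to copy and paste")
    return findings


# Constructed samples: a notice shaped like the revised OPM e-mail, and a lookalike lure.
GOOD_NOTICE = ('<p><a href="https://www.csid.com/opm/">Enroll Now</a></p>'
               '<p>Or copy this address into your browser: https://www.csid.com/opm/</p>')
LOOKALIKE_NOTICE = '<p><a href="http://enroll.example/">https://www.csid.com/opm/</a></p>'
```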
J. David Cox Sr., president of the American Federation of
Government Employees, the largest federal union, said in a statement,
“Employees throughout the government need to be very cautious of opening any
email that comes from unknown sources, since the hacking of OPM’s databases has
made employees extra vulnerable to phishing schemes.”