OPM Just Tip of the Iceberg: Hacking Expected to ‘Dramatically Accelerate’
by Bill Straub June 26, 2015 - 3:40 pm
Senate chairman says Obama administration not “devoting enough attention to this reality.”
WASHINGTON – The director of the Office of Management and Budget maintains that her agency has taken “significant steps” to protect sensitive cyber data but recent security breaches clearly establish that efforts to guard against future hacking attempts must “dramatically accelerate.”
Katherine Archuleta, who assumed her post 18 months ago, told members of the Senate Homeland Security & Governmental Affairs Committee that her office is under “constant attack by evolving and advanced persistent threats and criminal actors” who are “sophisticated, well-funded and focused.” Given that, steps must be taken not only on behalf of those individuals whose personal information has been accessed “but also as a matter of national security.”
These cyberattacks, she told the panel, “will not stop. If anything, they will increase.”
OPM announced early in June that over the past year hackers stole personnel records of about 4.2 million federal employees. Subsequently, it was revealed that the attack was actually far greater and involved some of the most sensitive data the federal government maintains on its employees, and likely, many more records, perhaps as many as 18 million.
The massive data theft is considered one of the largest – if not the largest – security breach within the federal government to date. One internal OPM assessment, disclosed to Congress by the FBI, said the hacking likely was conducted by a Chinese intelligence-gathering operation.
Some lawmakers, including Rep. Jason Chaffetz (R-Utah), chairman of the House Oversight and Government Reform Committee, have called for Archuleta’s resignation because of the security failure.
“It is hard to overstate the seriousness of this breach,” said Sen. Ron Johnson (R-Wis.), the committee chairman. “It has put people’s lives and our nation at risk.”
OPM has been hacked five times in the past three years and the agency “still has not responded to effectively secure its network,” Johnson said, asserting that cybersecurity “must be a top priority.”
“Cybersecurity on federal agency networks has proved to be grossly inadequate,” Johnson said. “Foreign actors, cyber criminals and hacktivists are accessing our networks with ease and impunity. While our defenses are antiquated, our adversaries are by comparison proving to be highly sophisticated. Meanwhile, agencies are concentrating their resources trying to dictate cybersecurity requirements for private companies, which in many cases are implementing cybersecurity better and more cheaply.”
Archuleta said she became aware of OPM’s security vulnerabilities within what she characterized as “the agency’s aging legacy systems” when she assumed office and made the modernization and security of the network and its systems a priority.
Regardless, Archuleta said two kinds of data found in two different systems — personnel records and background investigations — were affected in two recent incidents. While the agency has placed the number of records involved in the personnel data breach at 4.2 million, it continues to analyze the background investigation data to determine what was compromised.
“We are not at a point where we are able to provide a more definitive report on this issue,” she said.
Regarding reports that as many as 18 million records may have been compromised, Archuleta said the figure refers to a “preliminary, unverified and approximate number of unique social security numbers in the background investigations data. It is not a number that I feel comfortable, at this time, represents the total number of affected individuals. The Social Security number portion of the analysis is still under active review and we do not have a more definitive number.”
Archuleta told lawmakers she intends to address the ongoing problems by hiring a new cybersecurity adviser who will report directly to the director. She also cited OPM’s Strategic Information Technology Plan aimed at modernizing and securing the agency’s aging legacy system.
“Many of the improvements have been to address critical immediate needs, such as the security vulnerabilities in our network,” she said. “These upgrades include: the installation of additional firewalls; restriction of remote access without two-factor authentication; continuous monitoring of all connections to ensure that only legitimate connections have access; and deploying anti-malware software across the environment to protect and prevent the deployment or execution of cyber-crime tools that could compromise our networks.”
It was those upgrades, she said, that led to the discovery of “malicious activity,” enabling OPM to immediately share the information so that other agencies could protect their networks.
“OPM thwarts millions of intrusion attempts on its networks in an average month,” Archuleta said. “We are working around the clock to identify and mitigate security weaknesses. The reality is that integrating comprehensive security technologies into large, complex outdated IT systems is a lengthy and resource-intensive effort. It is a challenging reality, but one that we are determined to address.”
Archuleta said OPM uses encryption where possible, but the age of some of its legacy systems often makes encrypting the data impossible. She added that encryption would not have prevented this theft in any case because “the malicious actors were able to steal privileged user credentials and could decrypt the data.”
For those approximately 4 million current and former federal civilian employees who were potentially affected by the incident announced on June 4 regarding personnel information, OPM is offering credit monitoring services and identity theft insurance with CSID, a company that specializes in identity theft protection and fraud resolution. This comprehensive, 18-month membership includes credit report access, credit monitoring, identity theft insurance, and recovery services and is available immediately at no cost to affected individuals identified by OPM.
Patrick McFarland, OPM’s inspector general, also testified, telling lawmakers that, despite Archuleta’s emphasis on legacy systems, some of the systems involved in the data breaches “run on modern operating and database management systems.”
“Consequently, modern security technology such as encryption or data loss prevention could have been implemented on these specific systems,” he said. “Also, OPM has stated that because the agency’s IT environment is based on legacy technology, it is necessary to complete a full overhaul of the existing technical infrastructure in order to address the immediate security concerns. While we agree in principle that this is an ideal future goal for the agency’s IT environment, there are steps that OPM can take — or has already taken — to secure its current IT environment.”
McFarland said he supports OPM’s efforts to modernize its IT environment but expressed concern that “there is a high risk that its efforts will ultimately be unsuccessful.” The agency could wind up with half of its systems in different environments. Neither, he said, would be fully secure and OPM would be in a position where it is forced to pay indefinitely for the overhead costs of both infrastructures.
“System development projects by their very nature are complex and prone to failure,” he said. “Even with the application of strict project management techniques, many projects either fail entirely or are only partially successful. Even so, there is a chance that this effort will ultimately succeed given time, leadership and strong project management.”
Archuleta also told the committee that OPM is offering credit monitoring services and identity theft insurance to the 4.2 million workers who could be affected by the breach.
Johnson said it doesn’t appear that the Obama administration “is devoting enough attention to this reality.”
“We need leadership to develop and implement an effective plan to stop future cyberattacks,” he said. “Without effective cybersecurity, our nation will not be safe and secure.”
Please see link below from one of our partners for an example of video analytic software tools automatically identifying and tracking an airborne UAV using four different modes of analysis.
These tools have been used in many military contracts and are now being incorporated in commercial systems for police, fire, and emergency medical first responders. We have seen other demonstrations where the software can identify drunk or reckless drivers.
The video analytics can issue and send alarms, alerts, reports, and actions to signal police and others, or to cause our drones to launch, fly, record and monitor adversary behavior.
We demonstrated video analytic software issuing Promia Raven alert events to our monitoring screens in the DoD JIFX exercises a year ago in Camp Roberts.
We are upgrading our video analytic lab and team and we are moving forward. We plan to produce many new rules and video examples that can be coordinated with video streams from military cameras and drones from Vision Technologies and others.
The tools have runtimes on Raspberry Pi, Arduino and embedded Ubuntu as well as other platforms, so we can embed the analytic functions locally where the cameras reside, as we discussed.
This configuration supports a distributed system of thousands of camera sources to potentially coordinate together. The Promia Raven system already manages global distribution of rules to detect emerging cyber attacks. We plan to extend the Raven to manage large scale distribution of new video analytic rules as needed to detect visual events in a city or a country and respond appropriately.
US takes out gang that used Zeus malware to steal millions
Zeus malware used to attack Bank of America, First National Bank of Omaha and others
By Layer 8 on Fri, 04/11/14 - 1:08pm.
The US Department of Justice today charged nine members of a group that used Zeus malware to infect thousands of business computers and illegally siphon off millions of dollars into overseas bank accounts.
The DoJ said an indictment was unsealed in connection with the arraignment this week at the federal courthouse in Lincoln, Neb., of two Ukrainian nationals, Yuriy Konovalenko, 31, and Yevhen Kulibaba, 36. Konovalenko and Kulibaba were recently extradited from the United Kingdom. All of the defendants had been charged by a federal grand jury in August 2012 with conspiracy to participate in racketeering activity, conspiracy to commit computer fraud and identity theft, aggravated identity theft, and multiple counts of bank fraud.
According to the indictment, the defendants participated in an enterprise and scheme that installed, without authorization, malicious software known as Zeus or "Zbot" on victims' computers associated with Bank of America, First National Bank of Omaha, Nebraska, the Franciscan Sisters of Chicago and Key Bank.
The defendants are charged with using that malicious software to capture bank account numbers, passwords, personal identification numbers, RSA SecurID token codes and similar information necessary to log into online banking accounts. The indictment alleges that the defendants falsely represented to banks that they were employees of the victims and authorized to make transfers of funds from the victims' bank accounts, causing the banks to make unauthorized transfers of funds from the victims' accounts, the DoJ stated.
As part of the enterprise and scheme, the defendants allegedly used US residents as "money mules" who received funds transferred over the Automated Clearing House network or through other interstate wire systems from victims' bank accounts into the money mules' own bank accounts. These money mules then allegedly withdrew some of those funds and wired the money overseas to conspirators, the DoJ stated.
According to court documents unsealed today, Kulibaba allegedly operated the conspirators' money laundering network in the United Kingdom by providing money mules and their associated banking credentials to launder the money withdrawn from U.S.-based victim accounts. Konovalenko allegedly provided money mules' and victims' banking credentials to Kulibaba and facilitated the collection of victims' data from other conspirators.
The DoJ noted that four identified defendants remain at large:
- Vyacheslav Igorevich Penchukov, 32, of Ukraine, who allegedly coordinated the exchange of stolen banking credentials and money mules and received alerts once a bank account had been compromised.
- Ivan Viktorvich Klepikov, 30, of Ukraine, the alleged systems administrator who handled the technical aspects of the criminal scheme and also received alerts once a bank account had been compromised.
- Alexey Dmitrievich Bron, 26, of Ukraine, the alleged financial manager of the criminal operations who managed the transfer of money through an online money system known as Webmoney.
- Alexey Tikonov, of Russia, an alleged coder or developer who assisted the criminal enterprise by developing new code to compromise banking systems.
The indictment also charges three other individuals as John Doe #1, John Doe #2 and John Doe #3.
From a recent Network World story: Zeus is the top banking Trojan, according to Dell SecureWorks, which made major discoveries about criminally-operated botnets based on the malware that date back to 2007. Zeus is often described as sophisticated banking Trojan malware that can execute an array of financially-oriented attacks, such as grabbing online credentials and siphoning off funds in payment systems.
According to the SecureWorks report, "Top Banking Botnets of 2013," Zeus banking Trojan variants accounted for about half of all banking malware seen in 2013. SecureWorks points out that Zeus is now being used not just to attack financial institutions but also stock trading, social-networking and e-mail services, plus portals for entertainment or dating, for example.
Follow Michael Cooney on Twitter: nwwlayer8 and on Facebook