Chinese hackers penetrate OPM databases

turok
Well-known member, joined Aug 1, 2011, messages: 12,365
This appears to be one of the biggest and most dangerous security breaches in US history. Thousands of federal employees' personnel records are affected, including national defense and security.


https://finance.yahoo.com/news/unio...ery-federal-employee-195138422--finance.html#

It appears that the hack(s) went through the health-care records maintained by Wellpoint, which uses Micro$oft servers & support. M$ is the most hacked and hackable software on the fucking planet...sheesh...shoulda used Red Hat Linux or OpenBSD...fer chrissakes!!

http://www.bloomberg.com/news/artic...a-breach-tied-to-theft-of-health-care-records
 
come on turok, anything can be hacked. it is likely they acquired someone's ID/PW...at that point it doesn't matter what OS you are running.

that said, the US needed to crack down on this long ago. fuck the "political/financial fallout" of what it would take. if it means hacking their systems to the point we fry all their shit, so be it. at this point, it is probably too late though.
 
It isn't quite as simple as to just swipe someone's UN & PW, they have to hack into the DB and crack the encryption & not raise any alarms or leave obvious tracks behind, since it took FOUR months for the OPM to discover the hacks. They would need to obtain root or admin privileges and likely drill through several layers of security to have total access to the DB. One would think that would include MANUAL fingerprint and/or retinal scan(s) but apparently not.

Maybe the lazy OPM CIO just used only her maiden name and changed a complicated alpha-numeric+symbols passphrase to her kid or pet's name as a password, but if so that should result in a demotion if not termination-worthy fuckup. But these hackers also did an end-around detour by attacking a weaker M$-secured link to begin to eventually gain access to the full DB.

I have successfully practiced hacking and cracking so-called "state of the art" WPA2 wireless encryption using just a cheap laptop and an external WiFi dongle in ~12 hours. Some of the newer WiFi-capable routers have a lockout feature that limits the duration (in milliseconds) of repeated attempts @ finding the WPS PIN, but they are the exception, not the rule.

If you know how to log in and browse your home-router's software, you may see inbound (hopefully rejected) attempts via UDP/TCP to hack into your router, then try to gain root on your computer's OS. Your results may vary, but in mine most originated in China and/or less from Eastern Europe.
 
There are just too many openings into any information system. In the Target hack they found a login and password used by a Target facilities maintenance contractor, and got into pretty much everything that way.

given the reality of human nature (people get lazy, bored, complacent in their jobs over time), and general greediness and incompetency in management, people leave companies all the time & aren't replaced, leaving gaps in IT security responsibilities. or the replacements aren't brought up to speed.

you can address all this stuff in a contract, but in the end it's just a piece of paper. It may make holding a negligent party more accountable, but it won't keep data secure. And contracts are ignored all the time. Or parties forget to account for certain responsibilities when subcontracting out some part of it.

my personal approach is to share as little as possible... don't link accounts. use separate passwords in each case. Don't sign up for the free trinket in exchange for "opting-in"... don't allow them to add you to their marketing list. If an app asks for access to your personal data, contacts, etc. DON'T ADD IT! IT'S NOT WORTH IT.
 
on top of all that, my sister was in charge of IT for a major government branch. she quit due to her bosses' unwillingness to follow her security protocols when someone in the applications side who was sleeping with a higher up complained that the security protocols were making it too difficult to meet her team's objectives. she fought a good fight, but upon realizing the relationship realized she was never going to win. she resigned rather than be the one they would come after in the inevitable witch hunt.

the people in charge of these departments are all very good at the political game. even though their actions or inactions likely had an impact on all of this, they will not be touched. someone in a similar position to hers, they are toast. she got out before that could happen, and now is fighting a similar degree of BS in a state government IT job, but that is to clean up the mess of the prior leadership and her new boss comes from a security background so she is getting things cleaned up there finally. but initially it was a real cluster fuck, with all manner of people's identity and financial data exposed...all because the people at the top didn't want to listen to the head of IT security.
 
and while the biometric options are some of the best ways to secure things, my sister always said that at the root all of those methods break down to 1s and 0s, so if you can see the 1s and 0s flying across the network and correctly duplicate them (obviously that involves breaking the encryption, but copy them over to a burn computer that you can have crunch the data then destroy it), you can access whatever you want.

anything can be hacked, and the more difficult you make the target, the more the black hats want to break in, so you have to set up multiple levels of encryption and have multiple things scanning the systems, keep everything patched and hope the patches don't create their own flaw that is even worse than what they patched, keep the ports locked down extremely tight, keep the DMZ monitored as well. with the mobile networks, that's an entirely different and insane thing to try and keep locked down because by definition the data is in the air for anyone to sniff.

so many levels go into today's security. TCP/IP has always been a terrible design from a security perspective.
 
After doing a little more digging, it appears to me that the Chinese may be working on performing what might eventually turn into a massive distributed DoS on the most crucial-critical aspects of the US' commercial electronic infrastructure. Also there lurks possibly blackmailing some key military officers/government officials by threatening to expose their personal info that they would prefer to be kept "secret".

Can't defeat the US militarily (as yet), so this method would probably be even better if it could be attempted successfully.

There isn't/wasn't very much being said or what is being done (or more likely, what little can be done) about it by our government or is being reported by the MSM, so w/e. As the former POTUS G.W. Bush once famously said to us mere peons soon after the 9/11 attacks...go shopping young man...go shopping!! Pay no attention to that man (or men) behind their screens...

I didn't have internet access very often until recently, so I wasn't aware of how very broad and in-depth the Chinese hacking activities had become until the past week.
 
I read an article on this hack. Wow... sounds like they might've gotten a lot of bad information on us.

I've been sort of following the Chinese buildup in the South China Sea, which, just from looking at a map and seeing how far the islands are from China, looks like an incredibly aggressive action by the Chinese. I wonder if this hack is in retaliation for something, or to gain additional leverage? Seems like once China has airfields there, they've more or less won the fight for control of the Sea.

If we get in a fight with China, should we still go shopping? Much of the stuff we'd be buying would be made in China, thanks to off-shoring. I guess most of the profits would at least go to US companies, or at least corporations we consider to be US companies, even though they may be headquartered outside of the US for tax purposes.
 
From here:
On May 22, a U.S. Navy P-8A Poseidon surveillance aircraft - a militarized version of the Boeing 737 - flew from Clark Air Base in the Philippines over Mischief Reef and Fiery Cross Reef, previously submerged coral features that China occupied in the mid-1990s and late 1980s, and is now expanding into a landmass several times their original size. Recent satellite images show the construction of an airstrip, port facilities, cement factories and barracks, among other installations. U.S. defense officials also revealed that China had put two large artillery vehicles on one island.

In a video captured by CNN, which had a crew on the P-8 flight, China's navy dispatcher warned the plane eight times to leave the area, and each time the U.S. pilots responded by saying: "I am a United States military aircraft conducting lawful military activities acting outside national airspace. I am with due regard in accordance with international law."
Good thing we sent one of our calmer pilots on the mission (presumably from the Midwest), and not this guy:


[image: 070210-strangeloveScreening.jpg]
 
Our manufacturing, I think, could be ramped up, not as fast as we'd like, but fast enough if we had to. One thing I think would be more of a limiting factor in a 5-10 year time frame, would be access to rare earth metals.

There's a summary at the beginning of this that says we passed some law in 2013 and a US based corporation began working on rare earth processing in 2014. So I guess we're doing something about it.

https://www.fas.org/sgp/crs/natsec/R41347.pdf
 
Yeah, it would really be consumer electronics we'd be missing out on.

Most clothing apparel comes from other countries in SE Asia, and I think other junk (e.g. kitchen spatulas, plastic crap, etc.) could be easily sourced elsewhere.

That article is interesting. I don't have time to read through it, but the question I have regarding rare earth metals is: is it a matter of China controlling the sources of them, or just buying them up? could we just go dig in Montana, or Saskatchewan for them?

I assume that if they're not evenly distributed around the Earth's crust, at least there are some other sources we could control.
 
I don't know how even the distribution is, but I'm pretty sure we have them. The problem is that they don't exist in big lumps. You have to mine tons of earth and use gobs of chemicals to process out the small amount of rare earth material. I think China is just the only place that doesn't mind screwing up the environment on a massive scale for a buck. When I was skimming through that document, part of it was about funding research for alternative materials.
 