June 13, 2015

"Hackers have breached a database containing a wealth of sensitive information from federal employees’ security background checks..."

"... the Obama administration said Friday — news that experts say could deal a devastating blow to U.S. intelligence gathering.... The hackers are believed to have obtained data from a security intake form known as a Standard Form-86, which includes details such as financial trouble, past convictions, drug use and close relationships with citizens of other countries. The form is used for background checks of current, former and prospective federal employees...."

ADDED: Here's the PDF of Standard Form-86. Excerpt:

In the last seven (7) years, have you consulted with a health care professional regarding an emotional or mental health condition or were you hospitalized for such a condition? Answer 'No' if the counseling was for any of the following reasons and was not court-ordered:

- strictly marital, family, grief not related to violence by you; or
- strictly related to adjustments from service in a military combat environment

Please respond to this question with the following additional instruction: Victims of sexual assault who have consulted with the health care professional regarding an emotional or mental health condition during this period strictly in relation to the sexual assault are instructed to answer No.

50 comments:

mccullough said...

Obama's college transcripts are still secure

T J Sawyer said...

It is difficult to believe that any organization would place information they don't want distributed indiscriminately in front of an Internet connection.

traditionalguy said...

With a government like we have now in place under Obama in DC there had better be a God who blesses us because only a supernatural actor can protect us from the near intentional fifth columnist betrayals of our citizens to every enemy on the planet. But after the next unexpected round of attacks and deaths, what difference will it make to Clinton, Inc.

Because Global Warming.

rhhardin said...

That ought to make refusal to fill out any federal form exempt on grounds of self-incrimination.

The IRS's pledge not to use tax information in any other way was how it got past the self-incrimination challenge. That no longer seems to be operative.

rhhardin said...

Here is your new 4096 digit social security number. Don't write it down and change it every month. Do not use your birthday.

I use ROT13 for everything. Let them find a backdoor into that if they can.

Megaera said...

Am I the only person left in the world who remembers that Obama appointed a Cybersecurity Czar (and, it should go without saying, the obligatory high-priced and metastasizing supporting staff) who was supposed to deal with just these issues? And wonders where that Czar has been these last several months? Obama issued some very specific Executive Orders back in 2013 about agency cybersecurity ... why do we now learn that OPM didn't actually even have a tech security staff until LAST BLOODY YEAR? Is anyone in the MSM going to ask, in the wake of these fresh and burgeoning disasters, what the Administration has been doing for the last 6-plus years? This is just a repeat of the Ebola mess, where government will demand the funds to appoint a whole new plague administrator -- without ever admitting that it already HAD a plague administrator who had been sitting on her expensive thumbs for years and accomplished NOTHING while effectively embezzling millions. Except, of course, we didn't actually have a full-scale disaster in that case, whereas in this case we indisputably do.

rhhardin said...

RSA used to have number factoring challenges, with prizes up to $10,000 I think. They cancelled the contest.

Etienne said...

rhhardin said...I use ROT13 for everything. Let them find a backdoor into that if they can.

Ha! Funny! I'm starting to think that's what the US government uses to protect national security data.

Scott M said...

And these are the people that wanted the IRS to handle all of your private medical data. Stunning.

rhhardin said...

You can buy a little time by doing the day and then the month in your birthday. The Chinese expect it the other way.

Reversing your first and last name is an old Chinese trick so they're on to that one.

hombre said...

The President is safe, since it appears he has never had a background check. Unfortunately, some of these lesser lights may be susceptible to blackmail.

Oh well, asi es la visa in Obamaworld.

Etienne said...

I haven't heard of anyone getting fired yet above the grade of GS-5.

Anonymous said...

Also on Friday, the White House announced a “30-day Cybersecurity Sprint” in which the administration is instructing agencies to take actions such as changing their passwords from "password" to "123123".

Anonymous said...

The actual WH statement is worse than the Politico article.

In a statement, the White House said that on June 8, investigators concluded there was "a high degree of confidence that ... systems containing information related to the background investigations of current, former and prospective federal government employees, and those for whom a federal background investigation was conducted, may have been exfiltrated."

Like I said earlier. That means it's not only Civilian Feds, but also Military and Contractors. All of them. Millions more. 10-20 million...

hombre said...

11:28: "... asi es la vida."

Damned predictive text.

Paco Wové said...

White House cybersecurity czar "sees his lack of technical expertise in IT security as an asset in his job"

Anonymous said...

One of the things the breach is doing is keeping the government from issuing visas. So maybe autocomplete is on to something.

Anonymous said...

Coupe said...
The sad thing is, you need a CAC Card to login and file your SF-86 data.

Where? The e-qip portal I used weeks ago needs no CAC?

http://www.opm.gov/e-QIP/browser-check.asp

TerriW said...

rhhardin said...I use ROT13 for everything. Let them find a backdoor into that if they can.

The government uses ROT26, of course. That's twice as good as ROT13!

rcocean said...

What's laughable is that according to the OPM website Federal employees are required to take classes on Cyber Security every year and sternly warned that failure to protect private information can result in fines and jail time.

I guess no one at OPM has to take them.

traditionalguy said...

Can you imagine that the Federal Agencies that have been gathering the internet data info on all living creatures for 20 years have ACCIDENTALLY let the entire Federal Government's personnel data sit unprotected?

This does not compute as an accident.

Etienne said...

Users have to take an online test every year, or your account is deleted. The test is pretty common computer stuff, like spam, and phishing, etc. Real low level stuff. If you have administrator privileges, then you also need a Security+ cert as a minimum, which your employer pays for.

But the kind of security lapses we are talking about here are made by computer programmers, in making mistakes on how the data is stored, and back-doors to the data. The Apps are defective.

Basically they just crippled the US government. Users and Administrators can just raise their hands - it wasn't me!

exhelodrvr1 said...

At least the Democrats are taking responsibility for this.

Big Mike said...

@Megaera, first of all, that's the Obama administration in a nutshell: throw out some regulations and appoint a "czar," then walk away with zero point zero zero follow-up.

Secondly, in my experience government folks at the GS-12 and -13 and -14 levels typically get it with respect to cybersecurity. Perhaps that's the annual training in effect. It's at the Schedule C and SES and political appointment ranks that they have no clue. Case in point being a recent Secretary of State who stupidly put all of her Emails, official and personal, on a poorly-secured Email server. What are the odds that government-sponsored hackers from adversarial nations and NGOs were reading her Emails before she was? The word "certainty" comes to mind. Some apologists pointed out that the Department's own servers were using out of date certificates too. That line of defense seems to have been dropped when somebody pointed out that the Secretary of State is ultimately responsible for what goes on in the Department she represents.

Jim said...

Yes, this is good for a chuckle. Hillery is the main supporter of Hillery, a somewhat similar situation to Jeb Bush.

Michael K said...

"Obama's college transcripts are still secure"

Well, there are some things too important to lose.

Krumhorn said...

While I'm sure that our gracious hostess and her fellow don't-be-mean-don't-be-harsh moderates would regard it as strident partisan paranoia, the possibility of all this being intentionally allowed to happen cannot be summarily dismissed from the list of possibilities. And I mean from the top. It is clear that the prevailing ethos in the west wing from the very start is that America has needed to be brought down several notches.

Mission accomplished.

- Krumhorn

rcocean said...

The question needs to be asked. Why was the SF-86 database not stored offline? How many people need to have access to that kind of private information? No one seems to have thought much about the risks vs. rewards of having this in a centralized online databank.

Anonymous said...

rcocean said...
The question needs to be asked. Why was the SF-86 database not stored offline? How many people need to have access to that kind of private information? No one seems to have thought much about the risks vs. rewards of having this in a centralized online databank.

Because 20-30% of the forms need to be updated every year. The form must be updated every 5 years by everybody.

They used to be done in hard copy. A real pain.


jimbino said...

I made the mistake of filling out one of those long forms for a secret security clearance I needed for a 9-month contract job I had at TI to design an anti-tank rocket. Because I had worked as a tour guide on a "9-countries in-12-days" bus, there was a huge delay while they checked on where I was when in Europe, necessitating that TI put me on a non-security-clearance job until the approval came through.

As a result, I got my security clearance on the very day that my 9-month contract expired. I was told that the security check would have cost some $30,000. Your tax dollars at work.

Anonymous said...

jimbino said...
I made the mistake of filling out one of those long forms for a secret security clearance

The lesson from a guy who's had a TS for 45 years now is:

1. Always keep a copy.
2. Always tell the same story.
3. The first thing they do is look at changes from your last form.

Note, I said a lesson. Note the 3 bullets are all the same lesson :)

Richard Dolan said...

Someone noted up thread that our gov't has focused on the offensive end of things -- getting access to Merkel's cell phone data, to say nothing of all domestic and int'l telephone metadata, etc., plus mastering such fun stuff as Stuxnet malware. But, evidently, there was no glory, certainly no incentive, to play defense. And so we didn't.

Partly it's the fault of the clueless occupant of the WH and the presidential appointees running the various agencies. Yet, in these stories of massive break-ins and data theft, we aren't seeing the same thing being written about the Defense Dept or the CIA. Presumably some parts of the gov't know how to protect what needs protecting from prying cyber-eyes.

It's not a big step from these hacking incidents to an attack on the financial system, or the electric grid, or almost any other aspect of the nationalized economy, that brings it all down. Those risks have been written about endlessly over the last decade, as the risk has grown exponentially. Any bets on whether our fearless leaders have put in place effective defensive mechanisms? Didn't think so.

jimbino said...

Richard Dolan,

Presumably some parts of the gov't know how to protect what needs protecting from prying cyber-eyes.

No, it seems that no parts of the gummint know how to do what needs to be done. It appears to be a qualification for POTUS, COTUS and SCOTUS that you be uneducated and unskilled in STEM. In addition, for appointment to SCOTUS, you have to be Roman Catholic or Jewish and a college humanities major.

How many of the current POTUS candidates have any STEM sophistication? Rand Paul and Ben Carson, at least, had to take and pass the MCAT, which involves some baby math and baby science. Is it too much to require that our leaders have taken a calculus or other advanced math class? That one of them have studied math, chemistry, engineering or economics at the graduate level?

Larry J said...

"Blogger mccullough said...
Obama's college transcripts are still secure"

That's HIS personal information, so of course it's protected. And I eagerly await for Hillary! To explain that she used private email servers because she just knew that government systems weren't secure enough for her official business.

Anonymous said...

Jimbino.

Carly Fiorina?

She received a Bachelor of Arts in philosophy and medieval history from Stanford University in 1976. During her summers, she worked as a secretary for Kelly Services. She attended the UCLA School of Law in 1976 but dropped out after one semester and worked as a receptionist for six months at a real estate firm, Marcus & Millichap, moving up to a broker position before leaving for Italy, where she taught English.

Fiorina received a Master of Business Administration in marketing from the Robert H. Smith School of Business at the University of Maryland, College Park in 1980. She also obtained a Master of Science in management from the MIT Sloan School of Management under the Sloan Fellows program in 1989.

Michael K said...

"That one of them have studied math, chemistry, engineering or economics at the graduate level?"

That's sexist. You should be ashamed. Don't talk about Hillary that way !

jimbino said...

Drill Sgt:

Carly Fiorina?

Though I like Carly Fiorina a lot, as far as STEM education goes, she's a lightweight like most of the others, though not as bad as Hillary. Don't let the "master of science in management" fool you. It certainly doesn't carry the heavy-duty math requirements of an MS in economics, not to mention an MS in math, MS in physics, MS in computer science, or MS in engineering.

You have to be very bright, of course, to get into Stanford or MIT, but hell, Nobelist Obama graduated from Harvard and Harvard did its usual job: GIGO.

Why not someday have a choice of a polymath inventor like Jefferson, Franklin or Hedy Lamarr?

Anonymous said...

She was the best I could do.

PS: I just have a BA in Econ, 'cause the Vietnam war got in the way of my ChemE. But The Army paid for the MBA and I specialized in Operations Research, so some MBAs or MS in Mgt could have serious math involved.

C R Krieger said...

OPM Director Katherine Archuleta should show some honor and resign.

Regards — Cliff

holdfast said...

I use RememberTianamenSquare as my password. No Chinese hacker would have the guts to type that.

MaoSuksAzz would work too.

jimbino said...

Katherine Archuleta--another STEM-challenged appointee:

With her breadth of experience as an educator, public administrator, and community leader, Katherine Archuleta possesses an abundance of skills to bring talented people together with different ideas and fresh perspectives to strengthen our federal workforce. As Katherine said, “[t]he complex and important work of government requires a diverse and inclusive workforce that is representative of the many important perspectives, talents, and backgrounds of our great Nation. I am committed to building a diverse and inclusive workforce to serve the American people.”
