This OPM data breach is bad, real BAD!!!

paperfist · Jul 10, 2015

steppinthrax said:
It's not.

But I suspect the vector is online. Back in 2007 the Gov switched the SF-86 to a online site called eqip.

https://www.opm.gov/investigations/e-qip-application/

As you can see the site is down for security enhancements!!!!!

My suspicion is some sort of hack traversal through this system to the repository!!!

lol down for security enhancements!

I guess my point is why does it need to be attainable online in some shape or form? I can see why you'd want law enforcement data like that, but to house employee data is just asking for it.

ImpulsE69 · Jul 10, 2015

Thanks for the heads up.

Kwatt · Jul 11, 2015

steppinthrax said:
It's not.

But I suspect the vector is online. Back in 2007 the Gov switched the SF-86 to a online site called eqip.

https://www.opm.gov/investigations/e-qip-application/

As you can see the site is down for security enhancements!!!!!

My suspicion is some sort of hack traversal through this system to the repository!!!

The horse has fled the barn! Let's lock the door!

My fraud protection for the SC breach has expired. So 3 more years for free!...Hip hip hooray

.

lxskllr · Jul 11, 2015

Instead of trying to break my encryption, maybe they should more effort into encrypting their shit.

Sabrewings · Jul 11, 2015

paperfist said:
lol down for security enhancements!

I guess my point is why does it need to be attainable online in some shape or form? I can see why you'd want law enforcement data like that, but to house employee data is just asking for it.

It's for the investigators. They don't send someone from the OPM central offices to you for an interview. They have a network of local investigators and they all use that system. It's also for submissions and revisions by the applying member.

Unfortunately for me, the Chinese now know everything about me all the way back to 2003.

destrekor · Jul 11, 2015

Are military clearances involved with this? I've heard that they could be, but the OPM doesn't acknowledge that at all.

Sabrewings · Jul 11, 2015

With this latest release, yes, military is affected. We already got word at my unit. Pretty much every SF86 ever submitted to eQIP has been stolen.

destrekor · Jul 11, 2015

Sabrewings said:
With this latest release, yes, military is affected. We already got word at my unit. Pretty much every SF86 ever submitted to eQIP has been stolen.

oh joy

Sabrewings · Jul 11, 2015

destrekor said:
oh joy

Mmmmhmmm.

MarkXIX · Jul 11, 2015

repoman0 said:
https://www.opm.gov/cybersecurity/

The answer is "highly likely" yes, it does affect you. It appears to go all the way back to 2000.

So according to that site, OPM will be providing ID theft services to 20 million people, who will all apparently be notified with details in the mail in the next few weeks ....

Here's what is counter-intuitive about the ID theft services though. It requires you to submit all the same information basically that just got stolen, which is a bit unnerving.

So, I just had all my private info stolen (dates of birth for all of my family members, financial accounts, etc.) and in order to protect myself I'm expected to give all that same information to someone else in order to protect myself.

Kwatt · Jul 12, 2015

MarkXIX said:
Here's what is counter-intuitive about the ID theft services though. It requires you to submit all the same information basically that just got stolen, which is a bit unnerving.

So, I just had all my private info stolen (dates of birth for all of my family members, financial accounts, etc.) and in order to protect myself I'm expected to give all that same information to someone else in order to protect myself.

Yep we could not keep it secure the first time so please give it to us again.

"We take security very seriously"

...

steppinthrax · Jul 13, 2015

paperfist said:
lol down for security enhancements!

I guess my point is why does it need to be attainable online in some shape or form? I can see why you'd want law enforcement data like that, but to house employee data is just asking for it.

When you obtain employment within the fed gov or cleared contractor and they require a security clearance. They will direct you to this OPM website. This site pretty much allows you to fill out the SF-86 online and submit it. Honestly the interface is quite good. It branches quite well and authenticates the SF-86 quite well.

As a developer I know that no matter how strong you make a system, if there is a way to get in there will always be a way to get in!!!

kranky · Jul 13, 2015

I don't think this info will be used for fraud or identity theft. If it was the Chinese who got the data, it will be used for espionage, to try to get people to spy for them.

"Look, we aren't asking you to be a traitor. We're just asking for a little help so we don't have to tell your family or your wife about the incident. We can get the same information from the papers eventually and all we're asking is for you to give it to us directly. It's the same information they will release anyway, there's no harm in that. And you don't want your wife to find out about what happened before you met her, do you? Imagine how your kids will feel when it's all over the local papers and their friends find out."

destrekor · Jul 13, 2015

kranky said:
I don't think this info will be used for fraud or identity theft. If it was the Chinese who got the data, it will be used for espionage, to try to get people to spy for them.

"Look, we aren't asking you to be a traitor. We're just asking for a little help so we don't have to tell your family or your wife about the incident. We can get the same information from the papers eventually and all we're asking is for you to give it to us directly. It's the same information they will release anyway, there's no harm in that. And you don't want your wife to find out about what happened before you met her, do you? Imagine how your kids will feel when it's all over the local papers and their friends find out."

This is one time I am hoping this was government-backed, as it would be as you say: a lesser likelihood that this information is sold on the black markets to be used for identity theft.

Gillbot · Jul 13, 2015

Is there a way aside from sitting back and waiting to find out if your info has been compromised?

JSt0rm · Jul 13, 2015

wang dong will fuck you

Red Squirrel · Jul 13, 2015

Don't worry, I'm sure the government agencies or whoever was responsible for this breach has plenty of liability insurance. It's business as usual for them and they don't care.

This does sound pretty bad though. This is only in the US right? I guess I don't have to worry, for now... But so many companies and agencies have our info now days, and they really don't care about security, so it's pretty much a ticking time bomb at all times.

cabri · Jul 13, 2015

Gillbot said:
Is there a way aside from sitting back and waiting to find out if your info has been compromised?

In theory, you can go to a gov website to find out.

But that was prior to the last revelation.

Best to figure that if you had anything to do with clearances and/or Fed gov employment after 2000, you have been compromised.

JSt0rm · Jul 13, 2015

i got compromised with the sony hack. Its no big deal until it is.

WackyDan · Jul 13, 2015

steppinthrax said:
This is pretty crazy.

If anyone has Security Clearance (like me) they would know the process and the "full compliance" of information you have to provide on the SF-86 to obtain clearance.

Just imagine this get's released onto some dark website somewhere. People will see some very very very very private information about these individuals.

Far beyond on who has a clearance or not!!!!

Yeah.... I've been parsing the Homeland Security bulletin and IOCs within with all the suspect files and md5 hashes. I've been helping customers automate the discovery of those files with my endpoint management agent.

MD5? Really? Sha1 and Sha256 are so much better for this than MD5 as MD5 will have false positives.

Federal gov't IT needs to get with the times.

ImpulsE69 · Jul 13, 2015

Is it wrong that I'm not as worried about this data breach as I am about all that DNA they took from us years ago for "studies"?

CZroe · Jul 14, 2015

I think the CIA is just trying to demonstrate how much they know about the source of PLA hacks.

reallyscrued · Jul 14, 2015

Remember when you got asked "Could this information ever be used against you as blackmail?"

Time to put your money where your mouth is.

mikeford · Jul 14, 2015

Amazing,Obama's campaign worker with no IT experience was an epic fail, and the cover up didn't work. Nothing new.

BrunoPuntzJones · Jul 14, 2015

kranky said:
I don't think this info will be used for fraud or identity theft. If it was the Chinese who got the data, it will be used for espionage, to try to get people to spy for them.

"Look, we aren't asking you to be a traitor. We're just asking for a little help so we don't have to tell your family or your wife about the incident. We can get the same information from the papers eventually and all we're asking is for you to give it to us directly. It's the same information they will release anyway, there's no harm in that. And you don't want your wife to find out about what happened before you met her, do you? Imagine how your kids will feel when it's all over the local papers and their friends find out."

I agree. Go through the SF86s and figure out who was a gambling addict, a kiddy toucher, etc. Then use as blackmail for nefarious deeds.

This OPM data breach is bad, real BAD!!!

Diamond Member

Lifer

Golden Member

No Lifer

Golden Member

Lifer

Golden Member

Lifer

Golden Member

Platinum Member

Golden Member

Diamond Member

Elite Member

Lifer

Lifer

Lifer

No Lifer

Diamond Member

Lifer

Diamond Member

Lifer

Lifer

Platinum Member

Diamond Member

Lifer