Personal data for more than 130K U.S. Navy sailors hacked (reuters.com)
238 points by petethomas on Nov 24, 2016 | 65 comments


It seems like with the wholesale compromise of US Government personnel from virtually every branch of government at this point, it is relative child's play for the new owner(s) of this information to massively influence US policy and action, almost to the point of control. It might take a few years to filter through the data and find the weak links, but the damage is basically inevitable.

Am I missing something here? A statistically relevant subset of people have important secrets, and a statistically relevant subset of those (perhaps most) are relatively easy to control when you know them. If the US has similar information on other governments' personnel, we might even fall into the caricature of the US guiding their actions while they guide those of the US, since those controlling and those being controlled will (largely) not be the same members of their respective governments.

The entire situation seems quite messy.


If you're a state actor (Russia, China etc.) that has sufficient funding / motivation to take a dataset like this and systematically blackmail people in it for information, it seems naïve to think that those states haven't had this sort of information for decades already through traditional espionage methods.


Bulk collection and bulk processing make today's version very different.


Nation-states had the power of bulk collection and bulk processing 30 years ago; the difference is that now you don't need a human to copy the data to a disk and walk off with it.


I hypothesize this is not so much about influencing US policy and action directly, or even about spying on assets, but more about mutually assured destruction for when a cyber war breaks out.

The state actors responsible for this want the US to know that they have these records. That they can attack/disturb/flood the personal computers, social networks, and family of these soldiers / military assets.

Also note the apparent warning in the Shadow Brokers auction:

> You see what cryptolockers and stuxnet can do. You see free files we give for free. You see attacks on banks and SWIFT in news. Maybe there is Equation Group version of cryptolocker+stuxnet for banks and financial systems? If Equation Group lose control of cyber weapons, who else lose or find cyber weapons? If electronic data go bye bye where leave Wealthy Elites? Maybe with dumb cattle?


I don't think that MAD doctrine applies here - with nuclear weapons, you know when someone is using them right away. With this data though, usage is covert, so each side will be thinking that the other has already started using it.


You can't hand a nuclear weapon to Assange and have him fire it for you and then deny knowing anything about it :)


'Sovereign Individual'[0] makes a good case of how all the hacks and leaks across the board will eventually drive the adoption of encryption, which in turn will lead to the gradual transition of power away from nation states (mostly in the economic sense).

[0] https://www.amazon.com/Sovereign-Individual-Mastering-Transi...


What a relevant book that is. It also predicted cryptocurrencies (in the mid 90s) and national independence movements gaining ground.


You have just described the spy-vs-spy-vs-counter-spy-vs-??? intelligence and counterintelligence dance that has been happening for at least 100 years. The situation is the same, just the modus operandi has changed.


I think there's a fair argument to say that the level of scale possible here makes this a different situation.


Our government doesn't give a shit because we "hack" foreign nationals/governments so regularly that 130k accts doesn't register as an issue.

It really is child's play.


As a sailor in the US Navy, let me quote from the Chairman's letter leading the OPM breach report (1), where he is addressing all federal CIOs:

The effectiveness of our country's response depends on your answer to this question: Can you as the CIO be trusted with highly personal, highly sensitive data on millions of Americans?

I guarantee most Federal CIOs never even saw the report, and wouldn't believe the question actually applies to them. The folks at DDS did though (including Matt Cutts), and I'm willing to bet they have it pinned up on the wall.

(1) https://oversight.house.gov/wp-content/uploads/2016/09/The-O...


> Can you as the CIO be trusted with highly personal, highly sensitive data on millions of Americans?

Perhaps a better question is: can anyone be expected to properly secure data on that scale, against well-resourced malicious actors?


Has Google ever suffered a breach on this scale? Having worked in IT in the government vs. the private sector, it really seems as though government could care less about security.


Does Operation Aurora by the Chinese government count? It was a big enough deal to Google that they stopped operating a search engine within China's borders. https://en.m.wikipedia.org/wiki/Operation_Aurora

https://www.washingtonpost.com/world/national-security/chine...

How about when Google's data center links were tapped by the NSA?

https://www.washingtonpost.com/world/national-security/nsa-i...


I thought it was mostly IP and a couple of accounts that were taken. Nothing on the scale of millions of records taken? I could be wrong however.


It was a pretty serious breach as far as I remember. The assailing party was looking for specific accounts, and got what they were looking for. Just because they didn't take millions of records didn't mean that they didn't have access to them.

Google right after the NSA reveal started doubling up on their efforts to use encrypted links between servers within their data centers, leading me to believe that it could have been a lot worse - just get access to some non-critical host, and if the traffic is unencrypted, just hang out with a packet sniffer and just record all traffic passing by.

Google is much more vigilant with their security (not that they weren't before, just even more so) - It's better to not underestimate the extent of breaches.


When I search my email on haveibeenpwned.com, one of my results is the following:

Bitcoin Security Forum Gmail Dump: In September 2014, a large dump of nearly 5M usernames and passwords was posted to a Russian Bitcoin forum. Whilst commonly reported as 5M "Gmail passwords", the dump also contained 123k yandex.ru addresses. Whilst the origin of the breach remains unclear, the breached credentials were confirmed by multiple sources as correct, albeit a number of years old.

Compromised data: Email addresses, Passwords


Most US companies have security breaches all the time. However, unless a social security number, health information or credit card is accessed there are no real reporting rules. Most companies do not disclose attempted/successful cyberattacks on their networks.

Therefore, if Google isn't storing large numbers of credit cards, social security numbers or health records, they probably will never tell you whether or not they had their servers breached.



I bet quite a big number of those federal CIOs got their "education" from:

"Center of Information Assurance and Cybersecurity at the University of Washington, designated by the NSA/DHS as a Center for Academic Excellence in Information Assurance Education and Research"

http://www.washington.edu/research/centers/126

http://www.uwb.edu/ciac

https://www.pce.uw.edu/certificates/information-security-and...

Taught by a ~70 year old woman with a lit major, MBA, fake IT PhD and zero real IT knowledge https://www.coursera.org/instructor/~115

I took three classes wasting my time listening to >50 year old industry veterans (LAX airport CISO boasting how he doesn't know _anything_ about computers etc) tell me the CIO role is to get a piece of paper stating you delegated responsibility and obey all the federal/industry pat-on-the-back standards (PCI, HIPAA, SOX).


Take the violated trust in the CIO top of the Navy releasing this news on the day before Thanksgiving.


'"At this stage of the investigation, there is no evidence to suggest misuse of the information that was compromised," the Navy said.'

I somehow don't think that whoever targeted a 'a laptop used by a Hewlett Packard Enterprise Services employee working on a U.S. Navy contract' was doing so to grab personal data for smash-n-grab identity theft or other things that'd rapidly leave 'evidence to suggest misuse of the information'...


I don't think the laptop was specifically targeted. People generally don't follow the rules and walk around with too much information that isn't secure. They're bamboozled with phishing and like to click on rar files that have their FEDEX shipping documents for a package they never sent.

Or they have a developer image on their laptop that isn't locked down and download Warez or Torrent and visit Porno sites.

Until there are consequences when this kind of thing happens, like people getting fired or severe penalties, I'm afraid it will just continue. It's either some 15 year old kid in Eastern Europe or the Chinese and Russians have some more info to build dossiers on the American Armed Forces.


>People generally don't follow the rules and walk around with too much information that isn't secure.

1:

>A NASA inspector general report this year determined 48 NASA laptops and mobile computing devices were lost or stolen between April 2009 and April 2011, many containing sensitive data.

http://www.reuters.com/article/us-space-nasa-security-idUSBR...

2:

Personally identifiable information of "at least" 10,000 NASA employees and contractors remains at risk of compromise following last month's theft of an agency laptop, a spokesman told Computerworld via email Thursday.

http://www.computerworld.com/article/2493084/security0/nasa-...

3:

NASA decides to encrypt all their laptops, because PEOPLE STORE SENSITIVE INFORMATION UNENCRYPTED on laptops that they take home.

https://oig.nasa.gov/Special-Review/SpecialReview(12-17-12)....


Regarding 3: The encryption scheme we put into place probably isn't going to slow down a motivated actor. We have master decryption passphrases that are regularly disseminated among the admins and could foreseeably end up in the wild (if nothing else, it wouldn't be difficult to social engineer).

And recently, we've started transitioning to new encryption software. Our implementation of the software prohibits more than one encryption passphrase per machine. So, in order to share machines between employees, organizations have begun sharing the same passphrase across all the organization's machines.

Source: HPES employee working on NASA ACES contract


Windows 10 "the most secure OS in history" still hides file extensions by default, so that virus.pdf.exe appears as virus.pdf!


If you're running defaults then you're already negligent. Not because defaults are necessarily bad (secure defaults ftw). But because you can always do better by tailoring your systems to your specific situation.


My point is rather that I am vigilant enough to check the actual extension of the file when I know it comes from a dodgy source (and to distrust the defaults in the first place). But what about a non-technical user, to whom, if the OS says it's a PDF and it has the icon of a PDF, then it must be a PDF?
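The hidden-extension problem these comments describe can be checked mechanically before a file reaches a non-technical user. The following is an added example, not code from any poster: it approximates what Explorer shows with "Hide extensions for known file types" on and flags names whose displayed form looks like a document while the real extension is executable. It also covers the right-to-left-override variant of the same trick, which goes beyond the comment; the extension lists and sample names are assumptions constructed for the example.

```python
import os

# Extensions Windows treats as runnable on double-click (representative
# subset assumed for this example; not an exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".pif", ".ps1", ".lnk"}
# Extensions a user would read at a glance as "just a document".
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".txt", ".rtf", ".jpg", ".jpeg", ".png", ".zip"}
RTLO = "\u202e"  # Unicode right-to-left override mark


def displayed_name(filename: str) -> str:
    """Approximate the name Explorer renders with 'Hide extensions for known
    file types' enabled: the last extension is dropped (assumes every
    extension above is a registered type), and text after an RTLO mark is
    rendered visually reversed."""
    if RTLO in filename:
        head, _, tail = filename.partition(RTLO)
        return head + tail[::-1]
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def analyze(filename: str) -> dict:
    """Flag a name whose displayed form ends in a document extension while
    the real extension (what the shell actually executes) is a program."""
    actual_ext = os.path.splitext(filename)[1].lower()
    shown = displayed_name(filename)
    # rstrip() defeats the "virus.pdf        .exe" padding variant
    shown_ext = os.path.splitext(shown.rstrip())[1].lower()
    reason = None
    if actual_ext in EXECUTABLE_EXTS and shown_ext in DOCUMENT_EXTS:
        reason = "rtlo" if RTLO in filename else "double-extension"
    return {"file": filename, "shown": shown, "actual_ext": actual_ext,
            "deceptive": reason is not None, "reason": reason}


def scan(filenames):
    """Return the analysis record for every deceptive name in the input."""
    return [r for r in (analyze(n) for n in filenames) if r["deceptive"]]


# Constructed sample names; not taken from any real incident.
SAMPLE_NAMES = [
    "shipping_label.pdf",          # benign document
    "shipping_label.pdf.exe",      # classic double extension
    "invoice.pdf        .scr",     # padded so the real extension scrolls off
    "report" + RTLO + "fdp.exe",   # RTLO: renders as "reportexe.pdf"
    "setup.exe",                   # executable that does not pretend otherwise
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_NAMES):
        print(f"{rec['shown']!r} is really {rec['actual_ext']} ({rec['reason']})")
```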


Agreed, how long is the investigation? It's only been a month. Isn't saying it hasn't been used at this stage kind of absurd?

Why even mention that part at all, just makes them sound dumber. Should have just said "there's an active investigation, we will release the full scope in a report later"


Except they probably don't want to promise that...


So you think that laptop is sitting on cinderblocks somewhere or what?


This is the reason why clearance forms ask you to disclose all of your past transgressions: It doesn't matter as much that you have them, but it matters if you're embarrassed by them.

They want to know that if someone attempts to blackmail you, you would rather the information become public than betray your country.


The government and it's contractors...with it's long RFC procurement process and associated bullshit will always be behind the security curve and will always be susceptible to these types of attacks as long as they favor a culture of old veteran people over competence.


Because private industry clearly has managed to avoid any security breaches?

For the last ~5 years the only credit card that hasn't been reissued before the expiration date because of some large corporate data breach is the one I never use.


That's the problem, but on the other hand, "move fast and break things" doesn't work very well in the military. Some middle ground solution is needed here.


Agreed. Unfortunately, the opposite of "move fast and break things" is "move slow and watch them break on their own."


Hard-wired terminals in secure rooms, airgapped from the internet and no external/portable devices allowed, enforced by there being no sockets, and if that fails, by Marines with rifles. It really is not difficult to make a system 100x securer than that one...


"its contractors", "its long"


The answer is don't outsource things like this to Booze Muhkidney


Obvious question I know.. but why were the SSNs of sailors on some HP contractor's laptop?


You probably have no idea the degree to which the IT people in and around the military maximize their belief that those simpleton sailors not in the IT circle of trust are sheeple, and that they, the IT gods are, each and every one, the grand saviors of the Republic.

That sort of arrogance begets an unprecedented sense of entitlement. Coupled with a severe dependence on Microsoft Tuesday updates, and a general inability to recognize an SQL query (not making that up), and you have a real problem.

I would not doubt, for a second, that 134k SSNs were on some contractor's laptop.


>You probably have no idea the degree to which the IT people in and around the military maximize their belief that those simpleton sailors not in the IT circle of trust are sheeple, and that they, the IT gods are, each and every one, the grand saviors of the Republic.

You're posting on HN. I'd wager that a lot of us are or have been guilty of a bias like that.


Which provides additional insurance they are unaware...


I can imagine this happening very easily. Let's say a contractor is helping add a module to some web application...

"It worked on test, but not in production. It's supposed to be live already, what's the holdup? Fine, I'm not supposed to do this but I'll give him access to the live-server, read only, of course, since you have security clearance anyway. Plus, the data is in the DB, not on the application server. Ok, so now you have the whole /deploy folder, find the issue..."

"What do you mean you lost your laptop on the metro this morning? Fuck! Ok, well you only had access to the /deploy folder, but now I'm required to audit your laptop's backup to see if you had anything important, what a pain in the ass. Wait, what's this? There are all these XML files with personnel data in them in /deploy/api/xml/!!!!! Those files are supposed to be processed and removed from the web server, not stored! Shit!"
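The leftover personnel XML in this scenario is exactly what a scan of the deploy tree, run before a release or before a machine leaves the building, is meant to surface. The following is an added example, not code from any poster or from the contractor in the article: a Python scanner that walks a deploy directory, counts SSN-shaped values and PII-named elements per file, and reports counts without copying any matched value into its output. The directory layout, regexes and sample records are constructed assumptions for the example.

```python
import os
import re
import tempfile

# Loose SSN shape (AAA-GG-SSSS), skipping groups that are never issued.
# Assumption for this example, not a complete SSN validator.
SSN_RE = re.compile(r"\b(?!000|666)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Element names that signal PII regardless of the value format.
PII_TAG_RE = re.compile(
    r"<(ssn|social[_-]?security|dob|date[_-]?of[_-]?birth)\b", re.I)
SCAN_EXTS = {".xml", ".csv", ".json", ".txt"}


def scan_file(path: str) -> dict:
    """Count SSN-shaped values and PII-named elements in one file. Only the
    counts are returned, so the report itself never contains a match."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return {"ssn_values": len(SSN_RE.findall(text)),
            "pii_tags": len(PII_TAG_RE.findall(text))}


def find_pii_files(root: str) -> dict:
    """Walk a deploy tree; return {relative path: counts} for every file
    that holds SSN-like values or PII-named fields."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTS:
                continue
            full = os.path.join(dirpath, name)
            counts = scan_file(full)
            if counts["ssn_values"] or counts["pii_tags"]:
                hits[os.path.relpath(full, root)] = counts
    return hits


def build_sample_tree() -> str:
    """Create a constructed /deploy-style tree with fake sample SSNs so the
    scanner can be exercised offline. Returns the temp root path."""
    root = tempfile.mkdtemp(prefix="deploy_")
    os.makedirs(os.path.join(root, "api", "xml"))
    os.makedirs(os.path.join(root, "static"))
    samples = {
        os.path.join("api", "xml", "personnel_batch_0412.xml"):
            "<personnel><member><name>Sample Sailor</name>"
            "<ssn>123-45-6789</ssn></member><member>"
            "<name>Another Sample</name><ssn>987-65-4321</ssn>"
            "</member></personnel>\n",
        os.path.join("api", "xml", "config.xml"):       # benign: no PII
            "<config><timeout>30</timeout><ssn_mask>true</ssn_mask></config>\n",
        os.path.join("static", "readme.txt"):           # benign: a date, not an SSN
            "Deployment notes. Build 2016-11-23.\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, counts in find_pii_files(build_sample_tree()).items():
        print(f"{rel}: {counts['ssn_values']} SSN values, {counts['pii_tags']} PII tags")
```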


It was probably the MS Access database from BUPERS. It gets mailed to every command (or downloaded nowadays) on a monthly basis. It has everything on everyone. SSN, names, addresses, ranks, birthdays, etc. At least 50 fields of personnel info for almost everyone in the Navy. And it's not classified, otherwise they wouldn't be able to distribute it so widely (although they could at least make it Secret since most admin have Secret clearance, but most admin also work on unclas machines, so I guess not).

Source - I was a Yeoman in the Navy and had access to this. I already didn't think much of the Navy's PII procedures, but seeing this thing for the first time blew me away. It shouldn't exist.


HP does government consulting, it's quite likely they were working on an application that needed access to that data. When I was a civilian working in Navy medicine (building apps), that was often the case.


As a Navy physician trying to get IRB-approved research done, could you kindly share what kind of app needs a lone developer to have 134k SSNs on a laptop?


There are lots of very legitimate reasons, but a very common example might be vendor upgrades of core software for coding, integrations, dictation, etc. Fairly standard procedure to do (at least) a one off just in case backup of a database before running a big code update.


App developers never need access to real data. Ever.


Haha. Okay. I would hazard a guess that you haven't worked on real world apps then. Users will do things that you cannot predict. They will break things like never before.

I've written plenty of code that checks out against our test environment, but it'll choke on a weird thing in production. You NEED access to real data if you're going to make any progress in that scenario.


Yep, precisely. And it's not just the users that fuck up either. Sometimes, other systems you have to integrate with are also poorly designed and don't have proper control mechanisms in place. For instance, I'm working on integrating with another system right now where the zip_code field has values like "don't know". You're never going to be able to cover for things like that unless you have access to the real dataset.


>App developers never need access to real data. Ever.

What about if the app chokes on real data and it's not something covered by testing?


Use better type-checking?


>Use better type-checking?

You're not living in the real world. Users do weird things.

At some point someone will legally change their name to an emoji and it'll break a whole load of systems. Nobody saw that coming when they originally built some middleware in 1998.


It's pretty common for the government to do this sort of thing --

http://www.cnn.com/2009/POLITICS/01/27/va.data.theft/ 600+

http://thehill.com/policy/technology/97817-va-loses-another-... 26.5 million veterans/active

The funniest part of all of this is that the non veterans here seem to be surprised by this.


The real question is why not? It's not like HP will be fined to the tune of tens of millions for the breach; at best they will get a stern reprimand letter.


I recall working with a HP Enterprise Services contractor and was amazed at just how much data was stored on his laptop. Categorized Outlook folders for each client, every email and contact stored locally. Orders, BOMs, price lists, RMAs... all on his laptop.

It would not surprise me the Navy contractor had the same setup.

HP's culture is incentivized to propagate 1990s client-server architecture as a result of their product line. Gov procurement officials and CIOs must demand that HP move to cloud-based infrastructure with 2-factor authentication.


As far as the cyber, I agree to parts of what the NSA said. We should be better than anybody else, and perhaps we’re not. I don’t think anybody knows that it was Russia that broke into the Navy. They are saying Russia, Russia, Russia—I don't, maybe it was. I mean, it could be Russia, but it could also be China. It could also be lots of other people. It also could be somebody sitting on their bed that weighs 400 pounds, okay?


I'm very interested to see how the public reacts to this unorthodox victim group.


The general public sees members of the armed services as people who, for one, are contractually obligated to be guinea pigs. I doubt there will be a huge reaction outside e.g. opsec circles, for better or worse.


Let's set up some predictions: more or less than the OPM hack?


Over Thanksgiving? This news is already dead.


More or less than effectively zero, you mean? I'll go with equal.

