No attack necessary
No attack needed here in UK, just trawl the relevant LinkedIn group :)
An attack suspected to have originated in China breached security at the US Office of Personnel Management, according to The New York Times. The paper's report suggests the attackers attempted to access personnel records describing government workers who have applied for high-level security clearances. Those records, the …
Same with the US really.
Instead of trying to bust open a system they'll probably never get into, they could have just trawled Facebook and LinkedIn looking for people with 35 series MOS if they're Army and the IS or CTI/CTR/CTT rating in the Navy as well as the Air Force and Marine Corps equivalents. They all at least possess a secret clearance. Hell, even a regular line Infantryman holds a Secret clearance now (which is ridiculous, but Army stupid is Army stupid).
I have a feeling they were trying to find civilian employees or possibly contractors with Chinese names that they could try to influence (which is how they usually go about getting scientists at the National Labs to sell information to them), with a TS though. If they're looking for contractors with clearances, hitting OPM is kind of stupid. DSS does the clearance process for them, while OPM is only for Government employees, including Military Personnel.
demonstrating just how useless the organization led by Clapper and Alexander is.
After spending trillions of dollars, including money wasted on Alexander's 'Starship' command centre, they have achieved little by way of protecting the US secrets.
So much for being a 'leader' of technology. Guess the Chinese hold that honour now.
NSA/CSS has been strongly focused on exploitation as opposed to Information Assurance and security for about 10 years now; if you've paid any attention to Snowden's leaks you should be well aware of this.
Hell, I remember when the shift happened, when they started telling their IA customers (like myself and the rest of the Army) to use Microsoft's security configuration templates and guides as opposed to their own on Windows systems, and stopped releasing baseline config files for RHEL. They didn't just stop doing it publicly. And the Information Assurance course that I have to take bi-annually hasn't been updated in forever.
Simply put, US-CERT needs to be moved out of DHS and take that function across the entire Government. There is no reason on earth that an Intelligence agency should be responsible for wider Information Security at all.