US mega-hack: White House orders govt IT to do what it should have done in the first place

In response to this week's data breach at the US Office of Personnel Management, the White House has ordered federal agencies to immediately deploy state-of-the-art anti-hacker defenses – things like installing security patches, and not giving everyone the admin password. This groundbreaking cyber-edict comes after dossiers …

  1. Cirdan
    FAIL

    Well, THERE'S your PROBLEM....

    Microsoft Windows, Apple OS X, Linux, Unix, BSD...

    It doesn't matter.

    PEBCAK

    ...Cirdan...

    Of course, administrative decisions hobble those in the trenches...

    1. Anonymous Coward
      Anonymous Coward

      Re: Well, THERE'S your PROBLEM....

      "If the White House's top tips on cyber-security really are news to government IT admins, the hackers needn't have bothered burning such a precious tool."

      That's the problem right there. Machines don't lie and people do.

      Your unpatched, unaudited, unchanged password chickens will eventually come home to roost.

      My new cyber-security company, GetAClue Inc. will help fix all that. It will start by firing all the people whose details were leaked, on the grounds of National Security. Then we will hire some Indians, Vietnamese, Chinese and Mexicans to sort it all out. Kerching!

      1. Anonymous Coward
        Anonymous Coward

        Re: Well, THERE'S your PROBLEM....

        "Then we will hire some Indians, Vietnamese, Chinese and Mexicans to sort it all out. Kerching!"

        You didn't sound like a tool until that last line. Idiot

        1. Anonymous Coward
          Anonymous Coward

          Re: Well, THERE'S your PROBLEM....

          He actually sounds more like some of the companies that didn't get the bid for beefing up computer security. Or maybe the ones that did.

      2. Anonymous Coward
        Anonymous Coward

        Re: Well, THERE'S your PROBLEM....

        "Then we will hire some Indians, Vietnamese, Chinese and Mexicans to sort it all out. Kerching!"

        What's wrong with you?

    2. lambda_beta
      Linux

      Re: Well, THERE'S your PROBLEM....

      Let's not forget the REAL problem ... software, it sucks. It's a house of cards with no solution in sight. We have patches with fix patches which fix patches etc. And nobody knows which pieces fit with other pieces.

      In order to rush out the latest and greatest to make that almighty buck, we've sacrificed stability and common sense in design and testing. It's the only product you buy which comes with a 'known list of bugs' and nobody cares.

      1. This post has been deleted by its author

      2. itzman
        Boffin

        Re: Well, THERE'S your PROBLEM....

        It's the only product you buy which comes with a 'known list of bugs' and nobody cares.

        Er no, all products now come with a list of 'known bugs' in order to limit legal liability.

        This microwave oven is unsuitable for the drying of pets.

        Your mileage may vary.

        Only those who buy software even remotely expect perfection, and no one in the engineering and manufacturing industry who has the least idea of the modern ideas of Quality Management expects any product to be perfect without continuous effort devoted to improving it - not till it's perfect, but until all known and serious flaws have been identified, fixed, or documented into a 'limitations of use' type tome.

        1. lambda_beta
          Linux

          Re: Well, THERE'S your PROBLEM....

          Please, you cannot compare; bugs are things that make the product not work, or not work as advertised. Drying of pets in a microwave is not the same, it's not a bug. Having the microwave stop working for certain foods made by certain manufacturers is a bug. Mileage varies on how you drive and where (city or highway), it's not a bug.

        2. cortland

          Re: Well, THERE'S your PROBLEM....

          Don't forget Pratchett's memorable "May contain nuts" or, in this case, actually BE "nuts."

        3. Cynic_999 Silver badge

          Re: Well, THERE'S your PROBLEM....

          "

          It's the only product you buy which comes with a 'known list of bugs' and nobody cares.

          Er no, all products now come with a list of 'known bugs' in order to limit legal liability.

          "

          I'll add to that and say that your average washing machine is not equipped to detect and deal with malicious attackers who go house-to-house secretly loosening bolts and rewiring all the appliances.

          Software bugs are really not the main problem here.

    3. Anonymous Coward
      Anonymous Coward

      Re: Well, THERE'S your PROBLEM....

      There's a story that the employee union fought against earlier attempts to implement security measures...

      1. James Loughner
        Mushroom

        Re: Well, THERE'S your PROBLEM....

        "There's a story that the employee union fought against earlier attempts to implement security measures..."

        Republican right wing propaganda

        1. cortland

          Re: Well, THERE'S your PROBLEM....

          Is there currently any other kind of Republican propaganda?

        2. jrwc

          Re: Well, THERE'S your PROBLEM....

          Well, less money spent on security means more spent on fat union members.

  2. Anonymous Coward
    Anonymous Coward

    Fine with me

    The US gov't is the biggest perpetrator of hacking and spying in the world. If they get hacked themselves, they really don't have a leg to stand on, morally speaking.

    I fully expect to be put on some kind of NSA list for posting this.

    1. Anonymous Coward
      Anonymous Coward

      Re: Fine with me

      Don't worry, the NSA combines all 'Anonymous' comments together to save file space. I'm safe.

    2. Six_Degrees

      Re: Fine with me

      I'm not sure you'll be put on such a list, or if you are whether it will mean anything. The NSA has, so far, failed to detect a single terrorist attack despite its massive surveillance of citizens. Today brings yet another example, as a loon in Dallas with what turns out to be a history of threats and wild-eyed imaginings managed to set bombs off around police headquarters and spray it with gunfire, without a single warning from all that monitoring.

      Honestly, I don't believe terrorist monitoring is the purpose of the NSA. They've taken Hoover and Nixon and their idea of "enemies lists" to a massive extreme, and are far more interested in monitoring political activity, aspirations, and opposition than in keeping the public safe from harm.

      1. Anonymous Coward
        Anonymous Coward

        Re: Fine with me

        >>I'm not sure you'll be put on such a list, or if you are whether it will mean anything. The NSA has, so far, failed to detect a single terrorist attack despite its massive surveillance of citizens.

        Uh, exactly. I'm not a terrorist so I'm sure they'll direct most of their effort to monitoring me.

      2. itzman

        Re: Fine with me

        The NSA has, so far, failed to detect a single terrorist attack despite its massive surveillance of citizens.

        The history of the UK's involvement with N Ireland terrorism is littered with incidents that made the papers and MI scuttlebutt about what really happened.

        Murders by e.g. the Unionist paramilitaries of (largely unknown) IRA high command.

        The mysterious early detonation of bombs and even weapons caches by 'inept terrorists'

        The way in which the IRA high command eventually turned coats and joined a peace settlement.

        The point about secret intelligence, is that it is secret.

        https://en.wikipedia.org/wiki/Bodyguard_of_Lies

        Is a book worth reading that illustrates just how much of the secret intelligence war of WWII was devoted to disguising how much the secret intelligence agencies had actually penetrated the enemy intelligence systems.

        And how much even when it was published remained secret. And a lot still is.

        The problem with secret agencies is that you have to take them on trust.

        There is an apocryphal story about a newly elected Harold Wilson calling in the heads of the security services and saying 'I am the duly elected representative of this country: Can you tell me the sphere of your operations?'

        "No: It's a matter of national security"

        "And who are you answerable to, if not me?"

        "Can't tell you: National security".

        1. Sir Runcible Spoon

          Re: Fine with me

          ""Can't tell you: National security"."

          To which the correct response should be 'you're fired'.

          1. asdf
            Thumb Up

            Re: Fine with me

            >>""Can't tell you: National security"."

            >To which the correct response should be 'you're fired'.

            Holy crap post of the month.

  3. Eddy Ito
    Facepalm

    --->

    D'OH! Just fucking D'OH!

  4. Anonymous Coward
    Anonymous Coward

    As ye sow...

  5. Mark 85 Silver badge

    Government needs a new department...

    The Department of the Obvious.... The problem with this screw-up is that it won't be the decision makers that pay. It'll be the citizens as always who are collateral damage.

    1. Anonymous Coward
      Anonymous Coward

      Re: Government needs a new department...

      But how can we bootstrap the process? Because it's obvious that a Dept for the Obvious is needed, without that dept already in place no action can be taken!

      We'll just have to trust to the cornerstone of modern US democracy: give an ungodly amount of money to lobbyists, lie back and think of the children.

  6. Herb LeBurger
    FAIL

    Don't worry

    Spying on the American people will prevent this sort of thing.

    1. Anonymous Coward
      Happy

      Not worried

      It already has prevented it, each and every one of all those times it didn't happen. This program says in the last ~240 years of Real Freedom there were about 1.4 x 10^53 Planck times. The spying just has to be worth all that.

  7. Gray
    Alert

    Oh, CRAP! There goes the budget!

    1. three to six months to develop a departmental assessment team and draft an action plan;

    2. six months to vet, recruit, and hire a departmental team of in-house security experts;

    3. ditto the outside consulting team;

    4. six to nine months of developing security objectives, systems flow charts, software initiatives, and hardware procurement timelines;

    5. preliminary submission of department budget requests with security set-asides;

    6. evaluations and promotions of upper level management to oversee security initiatives;

    7; 8; 9; 10 ... need we go on?

    It will be a cold day in Hell before ... ( groan )

    1. Mage Silver badge
      Devil

      Re: Oh, CRAP! There goes the budget!

      Then to save money they will subcontract to an allegedly secure cloud run by Google/Microsoft/Apple/Oracle/IBM or whoever.

      I'd not trust the security of any Cloud Contractor. Try finding out what it is.

  8. Destroy All Monsters Silver badge

    Oh man

    This is going to be ONE TOUGH WEEKEND!

  9. James 51

    Need a movie with Bruce Willis playing the role of Simon who's locked in the White House server room by hackers and he needs to do this stuff to get out.

  10. Destroy All Monsters Silver badge

    Even the Navy has decided to check out the "cyberwarfare" pork barrel. I think a slight rejiggling in priorities is in order.

    1. Ole Juul

      won't hold water

      Even the Navy has decided to check out the "cyberwarfare" pork barrel.

      1. Anonymous Coward
        Anonymous Coward

        Re: won't hold water

        I get a sinking feeling about this.

        1. Anonymous Coward
          Anonymous Coward

          Re: won't hold water

          cyber glug glug glu..........

          1. Anonymous Coward
            Anonymous Coward

            Re: won't hold water

            SYN flood?

  11. Anonymous Coward
    Anonymous Coward

    The other 17 hacker gangs now hate the 18th

    They'd had easy access for years, now some new kids come in knocking things over and (finally) waking up the guard dogs. Probably take them weeks to get new access now!

    1. Anonymous Coward
      Anonymous Coward

      Re: The other 17 hacker gangs now hate the 18th

      Or maybe just get round to changing the admin password?

  12. Christoph

    "aggressive, persistent malicious actors that continue to target our nation’s cyber infrastructure"

    Unlike the shining white knights that the US uses to target everybody else's cyber infrastructure.

  13. All names Taken
    Facepalm

    Consequences?

    Does this mean that any networked computer is not really secure?

    And will data on there get slurped?

    1. Anonymous Coward
      Anonymous Coward

      Re: Consequences?

      Adama was right, you know.

  14. Mark Allen
    Facepalm

    Should have employed Garry McKinnon

    Sounds like nothing changed.

  15. Adam JC

    - Install software patches for critical vulnerabilities "without delay."

    - Use antivirus and check log files for "indicators" of malware infection or intrusion.

    - Start using two-factor authentication.

    - Slash the number of people with administrator-level access and limit what they can do.

    So, as a sysadmin I consider these an absolute necessity (Bar perhaps 2FA) for ALL of my customers... Let alone a federal agency.

    1. Sir Runcible Spoon

      Considering this was a 'hack' and not being reported as an inside job - perhaps they need to be looking at processes with admin rights rather than people.

  16. Trollslayer
    Mushroom

    To use antivirus

    Did I really read that??!!!

    1. Anonymous Coward
      Anonymous Coward

      Re: To use antivirus

      It's low hanging fruit.

      You wouldn't believe that my company didn't have any.

      Then we get a cryptolocker hit.

      Get it installed.

      Sounds like BATTLESTATIONS! occur.

  17. The_Idiot

    "Right then...

    ... did you do as I told you and install our made-in-the-US state of the art anti-bad-guy stuff?"

    "Yes, Mr President. We did."

    "Hmmm. But isn't that the stuff we told folks to put, like, back doors and ways in into?"

    "Yes, Mr President - but it's OK. We've taken care of that."

    "Oh? How?"

    "We put big software signs on all the back doors. They say 'US Government secrets behind here. KEEP OUT.'"

    "Ah. That's alright then. Carry on...."

    1. Mage Silver badge
      Happy

      Re: "Right then...

      In the robots.txt file :-)

  18. wiggers

    Slamming of barn doors...

    ...to the sound of distant hoof-beats.

    1. Destroy All Monsters Silver badge

      Re: Slamming of barn doors...

      Operation FREEDOM HORSE

  19. king of foo

    Honeytrap?

    Call me jaded, but...

    This sounds too daft to be "true"; meaning perhaps the US gov wants to catch some of them dang hackers by advertising an easy target, encouraging poor judgement re self protection on the hackers' part. I suspect the target isn't that easy... and full of malware/other nasties intended to identify and track the 'enemy'.

    1. Anonymous Coward
      Anonymous Coward

      Re: Honeytrap?

      I'll call you jaded. Don't put something down to malice where it is almost always stupidity.

    2. Naselus

      Re: Honeytrap?

      I think you may mean 'honeypot'. Honeytrapping is what private eyes do to check their client's partner for infidelity. Honeypots are unguarded IT used as bait.

      And no, this sounds like exactly the kind of junk that senior execs say in the aftermath of a successful hack; they cannot begin to comprehend the complexities of the subject at hand and so go with the few bits of IT security that they recall hearing about in that Win98 product launch they attended prior to being uplifted to management. Kind of like a user with limited IT knowledge will ask you 'is it a virus?' whenever the PC does anything remotely unexpected.

  20. Tom 7 Silver badge

    Well at least Hillary is safe.

    NT

    1. Anonymous Coward
      Anonymous Coward

      Re: Well at least Hillary is safe.

      And now *everyone* knows to look for you on Daily Kos.

      Way to suck in opsec.

  21. Drew 11

    Someone's had their privacy invaded.

    Must be time for some numptie to pipe up with "if you've got nothing to hide you've got nothing to worry about".

  22. HildyJ Silver badge
    Unhappy

    It's what low bidders provide

    As a retired IT procurement specialist, this is what Congress mandates. Most data centers are contracted out and you can't select the best IT management firm, you have to select the cheapest "qualified" firm. The same goes for software. As a result you get bargain basement sysops running marginal software with no time to test patches and updates.

  23. thexfile
    Boffin

    Don't use typed passwords. Use retinal identification systems.

    1. Anonymous Coward
      Anonymous Coward

      with big lasers - preferably mounted on sharks

  24. td97402

    Air Gapping Anyone?

    You'd think that some of the systems that have been hacked recently should never have been accessible from the public Internet. Oh and before anyone brings it up, the only working USB ports on such systems should be behind physical lock and key as well.

  25. Will Godfrey Silver badge
    Unhappy

    Here we go again

    Every time I think governments can't get any more stupid...

    1. Sir Runcible Spoon

      Re: Here we go again

      Someone once postulated that the only things that were infinite were the Universe and human stupidity, except they now know the Universe not to be infinite.

      1. Anonymous Coward
        Anonymous Coward

        Re: Here we go again

        That would be Albert EINSTEIN again,

        "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe"

        Curiously, his name is the acronym of the US Federal Government's intrusion detection system.

        https://en.wikipedia.org/wiki/Einstein_%28US-CERT_program%29

        The Irony

  26. John Brown (no body) Silver badge
    WTF?

    "which was launched a year ago"

    See icon

  27. OmgTheyLetMePostInTheUK

    Why isn't EVERYTHING encrypted?

    Just a stupid little question...

    But why would you keep the secrets of this nation stored in plain text mode?

    Why isn't every last piece of government data fully encrypted?

    I worked for a tiny financial company from 1999 to 2005, and one of the things I did while there was to encrypt every single thing in every database we had. It took a lot of planning. It took a lot of programming to support that. But in the end, when you opened up a database in the company using any method other than the custom software package that I had written, you saw encrypted gobbledygook. So here we are 13 years after I did that for this small little company, and the government still has their data in plain text.

    We need to fire a whole bunch of stupid congressmen and senators.

    1. Anonymous Coward
      Anonymous Coward

      Re: Why isn't EVERYTHING encrypted?

      Quite looking forward to the fingerpointing and excuses on Monday.

    2. Naselus

      Re: Why isn't EVERYTHING encrypted?

      "But why would you keep the secrets of this nation stored in plain text mode?"

      Speak for yourself, the leader of OUR nation wants to ban encryption altogether...

    3. Tom 13

      Re: Why isn't EVERYTHING encrypted?

      Your so called defense is useless as soon as someone outside the system gets the credentials to an authorized account. That's the problem with so much of security thinking these days. It's as compartmentalized as you've demonstrated.
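
The two comments above make complementary points: application-level field encryption turns a stolen table or backup into ciphertext, yet it does nothing against an attacker who holds valid application credentials, because the application decrypts for whoever authenticates. The block below is an added example, written for this page and not code from either commenter or from any agency system, that shows both outcomes on a constructed personnel record. It assumes a hypothetical `PersonnelStore` class, a constructed `hr_app` credential, and a SHA-256 counter-mode keystream with an HMAC tag standing in for a real AEAD such as AES-GCM; the key is generated in-process only so the example runs offline.

```python
import hashlib
import hmac
import os

# Added example: field-level encryption for a personnel table, plus the caveat
# that an attacker with valid application credentials still reads plaintext.
# The cipher here is a SHA-256 counter-mode keystream with an HMAC-SHA256 tag
# (encrypt-then-MAC). It is a stand-in for AES-GCM from a vetted library; in
# production the key would live in an HSM/KMS, never beside the data.

MASTER_KEY = os.urandom(32)  # generated per run so the example is self-contained


def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the master key."""
    return (hashlib.sha256(b"enc|" + key).digest(),
            hashlib.sha256(b"mac|" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256(enc_key || nonce || counter) blocks, truncated to `length` bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_field(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag for one database field."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_field(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then strip the keystream."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def tamper_detected(key: bytes, blob: bytes) -> bool:
    """True if flipping one ciphertext bit is rejected by decrypt_field."""
    tampered = blob[:16] + bytes([blob[16] ^ 0x01]) + blob[17:]
    try:
        decrypt_field(key, tampered)
        return False
    except ValueError:
        return True


class PersonnelStore:
    """Hypothetical table where every sensitive field is stored encrypted."""

    def __init__(self, key: bytes):
        self._key = key
        self._rows = {}          # stands in for the database table
        self._sessions = set()   # stands in for authenticated application sessions

    def insert(self, emp_id: str, record: dict) -> None:
        self._rows[emp_id] = {f: encrypt_field(self._key, v.encode()) for f, v in record.items()}

    def raw_dump(self) -> bytes:
        """What copying the table or its backup yields: ciphertext only."""
        return b"".join(b for row in self._rows.values() for b in row.values())

    def login(self, username: str, password: str):
        # Constructed credential check; a real system verifies a password hash
        # and a second factor. Anyone who learns this pair gets a session.
        if (username, password) == ("hr_app", "correct horse battery staple"):
            token = os.urandom(8).hex()
            self._sessions.add(token)
            return token
        return None

    def read(self, token: str, emp_id: str) -> dict:
        """What the application, or anyone holding its credentials, gets: plaintext."""
        if token not in self._sessions:
            raise PermissionError("not authenticated")
        return {f: decrypt_field(self._key, b).decode() for f, b in self._rows[emp_id].items()}


def demo() -> dict:
    """Run both scenarios on a constructed record and report what each attacker sees."""
    store = PersonnelStore(MASTER_KEY)
    store.insert("e1", {"ssn": "123-45-6789", "clearance": "TS/SCI"})  # constructed data
    dump_leaks = b"123-45-6789" in store.raw_dump()          # file/backup theft
    stolen_token = store.login("hr_app", "correct horse battery staple")  # stolen creds
    via_app = store.read(stolen_token, "e1")["ssn"]
    return {"dump_leaks_plaintext": dump_leaks, "read_with_stolen_creds": via_app}


if __name__ == "__main__":
    print(demo())
```

The point of `demo()` is the asymmetry: `raw_dump()` never contains the SSN, but `read()` with a stolen but valid session returns it, which is why encryption at rest has to be paired with credential hardening (two-factor, short-lived sessions, privileged-activity logging) rather than treated as a substitute for it.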

  28. Mitoo Bobsworth
    Joke

    Sounds like a bad case of....

    Time to roll out this handy reminder again, methinks.

    ADMINISTRATIUM

    "The heaviest element known to science was recently discovered by investigators at a major U.S. research university. The element, tentatively named administratium, has no protons or electrons and thus has an atomic number of 0. However, it does have one neutron, 125 assistant neutrons, 75 vice neutrons and 111 assistant vice neutrons, which gives it an atomic mass of 312. These 312 particles are held together by a force that involves the continuous exchange of meson-like particles called morons.

    Since it has no electrons, administratium is inert. However, it can be detected chemically as it impedes every reaction it comes in contact with. According to the discoverers, a minute amount of administratium causes one reaction to take over four days to complete when it would have normally occurred in less than a second.

    Administratium has a normal half-life of approximately three years, at which time it does not decay, but instead undergoes a reorganization in which assistant neutrons, vice neutrons and assistant vice neutrons exchange places. Some studies have shown that the atomic mass actually increases after each reorganization.

    Research at other laboratories indicates that administratium occurs naturally in the atmosphere. It tends to concentrate at certain points such as government agencies, large corporations, and universities. It can usually be found in the newest, best appointed, and best maintained buildings.

    Scientists point out that administratium is known to be toxic at any level of concentration and can easily destroy any productive reaction where it is allowed to accumulate. Attempts are being made to determine how administratium can be controlled to prevent irreversible damage, but results to date are not promising."

    1. lambda_beta
      Linux

      Re: Sounds like a bad case of....

      The interesting thing about the neutrons in this element is that, instead of being made up of the usual up and down quarks, it consists only of bottom and strange quarks.

  29. Anonymous Coward
    Facepalm

    My thoughts on this matter:

    1) Please, please, please--anyone who is managing a database containing background and personnel information on all civilian federal government employees had better already know about deploying the latest software and security patches. However, it wouldn't surprise me if they didn't....

    2) Definition of poetic justice: The zero-day vulnerability exploited by the Chinese(?) hackers is one that the NSA/Five Eyes had already identified and had decided to keep to themselves--because that zero-day has intelligence value and nothing that the NSA/Five Eyes ever does or avoids doing is ever picked up by other hackers out in the world.

  30. All names Taken
    Holmes

    On the other hand ...

    Do we really accept that the nation capable of keeping (almost?) all things secret until whistleblower(s) happen along will so readily and easily-peasily put its hands in the air and say "Cor Blimey! Yes Guv! We az ad our data nicked innit?"?

    While at the same time cold shoulder or incarcerate whistleblowers?

    Is it rat smelling time?

    1. Destroy All Monsters Silver badge
      Gimp

      Re: On the other hand ...

      If your agents turn out a bit deader than earlier or you have to "retire" them pronto, you HAVE to admit something has leaked tremendously. Especially as fixing this particular kimono-opening will take a decade or two with less than stellar HUMINT (even less stellar than currently, that is ... ).

      I also notice that there currently is a suspicious failure in visa processing, apparently due to the fact that US embassies abroad can no longer put out processing requests to the US ... a likely story ... I don't see how that is related by tinfoil hat ON!

  31. David Pollard

    Damage Limitation?

    Articles published in the last couple of days suggest that the Russians and Chinese have decoded material leaked by Edward Snowden, and in consequence spies have had to be moved for fear they will be recognised. Is this part of a damage limitation exercise to shift the blame onto him for "significant" damage (see caption in link)?

    http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/11673533/British-spies-removed-from-operations-after-Russia-and-China-crack-codes-to-leaked-Snowden-files.html

    1. Destroy All Monsters Silver badge
      Big Brother

      SCHNELL! PIN IT ON ... MANNING ... I meant SNOWDEN!

      Yep. 100% sounds like THE FIX IS IN!

      I never heard that there were "things to crack" in Snowden's files or anything that would particularly identify agents, nor that his stuff has come into the hands of China (how?) or Russia (though that might well be possible). AFAIK, he just snaffled the dayglo presentations of powerpoint-addicted staffers. And if they HAVE been cracked ... backdoor in your shitty crypto, sir ... suits you!

      Britain has pulled out agents from live operations in "hostile countries" after Russia and China cracked top-secret information contained in files leaked by former U.S. National Security Agency contractor Edward Snowden, the Sunday Times reported.

      Uh-huh!

  32. tmeralus
    Unhappy

    Open Security

    I agree with others that it's software and patch after patch after patch. The problem with the US is not that there was a security breach but that it's being posted on tech sites, forums, news, and everywhere else for the world to see. IF the US were going to create a bomb to destroy country "X", that country can just log into twitter or go to us.gov and find out where it's being made, how it's being made, where it will hit, what day it will hit, you get my point... ridiculous... America, the best country ever stolen.

  33. Anonymous Coward
    Anonymous Coward

    OK, the long and thinkfully skinny is this

    OPM's breach and even the White House breach is limited.

    First, the White House data was unclassified. Classified goes on networks that are segregated from things that can find the internet.

    Thank Silent Bob for that!

    OPM breach released pretty much *some* group who has or applied for clearances. I can't discuss that further, due to an NDA.

    So, it stands for the OPM breach, either all, some existing or new applicants have highly confidential information of that group.

    Yeah, it's *that* potentially ugly.

    I know of some sub-sets of who, but to be blunt, I don't know if *I* am part of the group.

    Meanwhile, I already know that the PRC knows me, via a different breach in 2008.

    Notable was a breach of discussions on how I deflected the breach for my organization.

    So, a breach could be as personal as the contents of my scrotum.

    Now, excuse me while I kiss my renewal of my security clearance goodbye.

    1. Anonymous Coward
      Anonymous Coward

      Re: OK, the long and thinkfully skinny is this

      >Now, excuse me while I kiss my renewal of my security clearance goodbye.

      No more government pork for you. Now you need to be exposed to market forces like the rest of us.

  34. Anonymous Coward
    Anonymous Coward

    1. Install software patches for critical vulnerabilities "without delay."

    2. Use antivirus and check log files for "indicators" of malware infection or intrusion.

    3. Start using two-factor authentication.

    4. Slash the number of people with administrator-level access and limit what they can do and for how long per-login-session, and "ensure that privileged user activities are logged and that such logs are reviewed regularly."

    The only one on that list that looks newish to me is #4, and even then only at the "are logged and that such logs are reviewed regularly." level which isn't specific to my job function.

    The problem is too many agencies have had excuses to avoid this part or that part of one or more of these recommendations. The particularly amusing ones are the super-critical systems that don't have the budget to properly regression test "critical and important" patches and since those patches pose too much risk to the functioning of the system are exempt from applying them.

    Almost as amusing is the two factor authentication. The directive for this was set out way back in 2004 and was supposed to take no more than 5 years to implement. For various and sundry reasons you can't simply make it an across the board rule (the silliest excuse on this is that they won't issue smart cards to temporary employees; have to be employed for more than 6 months to get a card). So you implement a split system where people use both the card and user name/password. Now as we're implemented where I work, your smart card has a 6-8 digit PIN, and they don't force you to change it every 60 days. Passwords have to be at least 14 characters long, meet the usual complexity requirements, and are forced to change every 60 days with nag messages giving a 14 day countdown. Yet we still have users who make up excuses to use username/password instead of the smart card.

    The AV line looks like the usual argle bargle. We're AV'd out the ass here, to the point that even on modern systems it noticeably slows down systems. Whether or not the logs are reviewed is another question.
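
Comment 15 and comment 34 both quote the same four directives. Points 2 and 4 (check logs for indicators; log and regularly review privileged-user activity; cut the number of admin accounts) are the ones a sysadmin can actually turn into a recurring job. The block below is an added example written for this page, not code from either commenter or from any agency: a small review script that parses sshd and sudo lines in the format Linux syslog emits and reports after-hours admin logins, admins still authenticating with a password rather than a key or smart card (the two-factor point), sensitive commands run under sudo, repeated root login failures, and admin accounts that never appear in the period at all (candidates for removal). The log lines and the admin account list are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Added example: privileged-activity review over sshd/sudo syslog lines.
# SAMPLE_LOG and ADMIN_ACCOUNTS are constructed for the example, not taken
# from any real system.
SAMPLE_LOG = """\
Jun 12 09:14:02 hr-db01 sshd[2201]: Accepted publickey for alice from 10.20.0.15 port 50122 ssh2
Jun 12 09:14:40 hr-db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get upgrade
Jun 12 23:57:11 hr-db01 sshd[2388]: Accepted password for svc_backup from 203.0.113.77 port 41002 ssh2
Jun 12 23:58:03 hr-db01 sudo: svc_backup : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cat /etc/shadow
Jun 13 00:01:44 hr-db01 sudo: svc_backup : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/mysqldump --all-databases
Jun 13 08:30:10 hr-db01 sshd[2510]: Accepted publickey for bob from 10.20.0.22 port 50310 ssh2
Jun 13 10:02:55 hr-db01 sshd[2604]: Failed password for root from 198.51.100.9 port 33012 ssh2
"""

# Accounts that currently hold sudo rights (constructed; normally read from /etc/group or the directory).
ADMIN_ACCOUNTS = {"alice", "bob", "carol", "svc_backup"}

SSHD_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : TTY=\S+ ; PWD=\S+ ; USER=(\S+) ; COMMAND=(.*)$")

# Substrings that mark a privileged command as worth a reviewer's attention.
SENSITIVE = ("/etc/shadow", "mysqldump", "useradd", "visudo", "passwd")


def parse_events(log_text: str) -> list:
    """Turn raw syslog lines into login / failed / sudo event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog omits the year
        m = SSHD_RE.search(line)
        if m:
            result, method, user, src = m.groups()
            events.append({"ts": ts, "kind": "login" if result == "Accepted" else "failed",
                           "user": user, "src": src, "method": method})
            continue
        m = SUDO_RE.search(line)
        if m:
            user, target, command = m.groups()
            events.append({"ts": ts, "kind": "sudo", "user": user,
                           "target": target, "command": command.strip()})
    return events


def review(events: list, admins: set, business_hours=(8, 18)) -> dict:
    """Apply the review rules and return the findings a human should look at."""
    start, end = business_hours
    findings = {
        "after_hours_admin_logins": [],   # admin sessions outside business hours
        "password_logins": [],            # admins not using key/smart-card auth
        "sensitive_commands": [],         # sudo commands touching secrets or dumps
        "failed_root_logins": 0,          # brute-force indicator
        "sudo_counts": Counter(),         # who actually uses their admin rights
        "unused_admin_accounts": set(admins),  # shrinks as accounts appear
    }
    for ev in events:
        if ev["kind"] == "login":
            findings["unused_admin_accounts"].discard(ev["user"])
            if ev["user"] in admins and not (start <= ev["ts"].hour < end):
                findings["after_hours_admin_logins"].append(
                    (ev["user"], ev["src"], ev["ts"].strftime("%b %d %H:%M")))
            if ev["user"] in admins and ev["method"] == "password":
                findings["password_logins"].append((ev["user"], ev["src"]))
        elif ev["kind"] == "sudo":
            findings["unused_admin_accounts"].discard(ev["user"])
            findings["sudo_counts"][ev["user"]] += 1
            if any(s in ev["command"] for s in SENSITIVE):
                findings["sensitive_commands"].append((ev["user"], ev["command"]))
        elif ev["kind"] == "failed" and ev["user"] == "root":
            findings["failed_root_logins"] += 1
    return findings


if __name__ == "__main__":
    report = review(parse_events(SAMPLE_LOG), ADMIN_ACCOUNTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed input the script flags `svc_backup` three times over: a password login from an outside address just before midnight, followed by `cat /etc/shadow` and a full `mysqldump`, which is exactly the pattern "logged and reviewed regularly" is meant to surface. It also reports `carol` as an admin account that did nothing all period, the kind of entry to remove when slashing admin-level access.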


Biting the hand that feeds IT © 1998–2021