You’ve Been Breeched

(Press Secretary Josh Earnest does damage control on the OPM data breach that left a lot of us breeched).

I would have returned to writing about the 72nd Ohio Volunteer Infantry wandering around Tennessee and Mississippi a century and a half ago this morning. It is much safer back there, but my attention was drawn to other matters this morning.

My pocket got picked. If you are a colleague or a government worker, it is highly likely that yours was, too. Millions of us.

Wired magazine contends that the way things work these days is this: “Every big hack discovered will eventually prove to be more serious than first believed.”

That certainly appears to be the case in the latest complete Government IT screw-up. First reports were pretty alarming: perhaps four million current and former federal workers had their Social Security numbers, birth-dates and addresses compromised. It was worse. Much worse.

Attribution of the attacker’s identity is always the hardest part of these things, but it looks like Chinese hackers accessed the bane of the Government worker’s life, the Standard Form 86 (SF-86). You need to complete one of these to get a security clearance adjudicated, and it contains the crown jewels of your life: not only all your personal information, but also data about friends, spouses and other family members.

The Government response has been muted- there is a lot to be embarrassed about. DHS had been claiming that the new EINSTEIN detection program was responsible for uncovering the hack. Nope, not so. It was a sales demonstration by an Internet security company called CyTech Services that noticed it.

“Say, are you aware that there is a malware program operating on your system?”

“Um, really?”

This morning they are saying that as many as 14 million files were compromised. And the SF-86s include financial information, detailed employment histories, criminal history, psychological records and information about past drug use. Since we don’t know the extent of the breach, there is a possibility that there might be detailed personal information from polygraph exams, which, depending on the Agency conducting it, can include confessions of law breaking and sexual history.

The OPM had no IT security staff until 2013, and it shows.

A pal who (probably) also had his data stolen wrote to say “What is truly pathetic is that this kind of thing has been in discussion for so long – I personally participated in some talks on this in 1997, and the vulnerabilities were all discussed – nothing in that sense is new. Still, no one fixed it.”

So, OK. What is one to do about being suddenly so vulnerable? And vulnerable to what? Counterintelligence matters have been mentioned- information that could be used to blackmail or target individuals with clearances. Another pal remarked, a bit wistfully, that he was hoping for a lovely Chinese woman to show up on his doorstep and attempt to get him into a compromising position.

I have to agree, but I am not particularly alarmed about honey-pot operations to uncover ancient secrets- I think Chelsea Manning and Edward Snowden took care of anything that I might have known that was interesting to a hostile service. I am more concerned about the financial end of this- no one on the edge of retirement needs ruination.

I purchased a credit protection plan the last time one of these breaches occurred, and went back this morning to see if it was worth the effort to continue paying for it. Some facts about what works and what doesn’t are at this link, and you can make up your own mind.

I have a suspicion that a lot of financial data has been sold to the dark web already. So, take the usual precaution about not taking things for granted with people who may want to target and compromise you.

I don’t know if there is a connection, but the breach has been going on for months, if not longer, and the spear-phishing attacks seem to be getting more sophisticated. You know about phishing- a hacker uses some credible bit of information to get you to believe it is a legitimate inquiry and you provide the information they desire. While I still get requests to claim my millions from the Nigerian Banker, or update account information from banks I have never dealt with- I am now getting a number of them directed at accounts that I actually use. More than would be by random chance.

I have the gnawing feeling that there is a connection between the data breach and attempts to specifically target people with bogus mail from institutions that they know have active accounts. So, never click on a link contained in an email. They already know all your stuff and would never ask for it again unsolicited. Open a new browser window and log on to the official sites as a matter of course if there is any doubt.

I also decided last year that I had plenty of credit and, since I don’t pay a great deal of attention to my statement activity, I went ahead and placed a freeze on my accounts at Experian, TransUnion and whatever the third one is. Since most lenders require a credit check as a condition of opening a new account, a “freeze” will normally result in an identity thief’s request to open a new account in your name being denied, and you will be notified of the attempt. It costs $10-20 bucks (of course), and varies in duration; one of them expires after seven years. You have password access to temporarily lift the freeze if you want to finance a purchase.

Here is a link to the process.

Finally, and I will stop the geezer advice to you tech-savvy folks with this: I recently got my first replacement credit card with an RFID chip embedded in it. There is a lot of misinformation about how hard or easy it is to steal the information from the chip, but most conclude that multiple cards in the same purse or wallet do not cancel each other out, they can be “read” by the right device in seconds, and any unshielded card is subject to compromise by a scanner within a couple feet.

The banks started putting the chips in passports about five years ago, which is why I hastened to renew one WITHOUT the chip. I will get sucked into a new one next year whether I like it or not, so the question is how you protect your data. There are shielded wallets out there, and I just ordered one, since I felt like an idiot folding up some aluminum foil in my existing billfold.

http://www.idstronghold.com/

I am sure you have already thought of all this stuff, but with the threat now exposed, and the Government’s response so timid, I thought I might pass along some options to defend ourselves against the bad guys.

Certainly the Government isn’t going to do it for us, you know? They actually appear to be the problem.

Copyright 2015 Vic Socotra

www.vicsocotra.com

Twitter: @jayare303
