
posted by martyb on Thursday June 18 2015, @12:59PM
from the if-you-are-allowed-in,-then-you-are-allowed-in dept.

Sean Gallagher reports at Ars Technica that Dr. Andy Ozment, Assistant Secretary for Cybersecurity in the Department of Homeland Security, told members of the House Oversight and Government Reform Committee that in the case of the recent discovery of an intrusion that gave attackers access to sensitive data on millions of government employees and government contractors, encryption would "not have helped" because the attackers had gained valid user credentials to the systems that they attacked—likely through social engineering.

Ozment added that because of the lack of multifactor authentication on these systems, the attackers would have been able to use those credentials at will to access systems from within and potentially even from outside the network. "If the adversary has the credentials of a user on the network, they can access data even if it's encrypted just as the users on the network have to access data," said Ozment. "That did occur in this case. Encryption in this instance would not have protected this data."

The fact that the Social Security numbers of millions of current and former federal employees were not encrypted was one of the few new details that emerged about the data breach, and House Oversight member Stephen Lynch (D-Mass.) was the one who pulled the SSN encryption answer from the teeth of the panel where others had failed. "This is one of those hearings where I think that I will know less coming out of the hearing than I did when I walked in because of the obfuscation and the dancing around we are all doing here. As a matter of fact, I wish that you were as strenuous and hardworking at keeping information out of the hands of hackers as you are in keeping information out of the hands of Congress and federal employees. It's ironic. You are doing a great job stonewalling us, but hackers, not so much."

See our earlier stories: U.S. Government Employees Hit By Massive Data Breach and Hacking of Federal Security Forms Much Worse than Originally Thought


  • (Score: 2) by Immerman on Thursday June 18 2015, @02:47PM

    by Immerman (3985) on Thursday June 18 2015, @02:47PM (#197823)

    No, it most absolutely IS their fault.

    In your scenario they should have required some proof that the person who "forgot their password" actually was who they claimed to be. And the required proof should be at least as reliable as what was required to create the account in the first place. Any other policy completely undermines the point of having passwords in the first place.

    Being "helpful" is no excuse for completely undermining the purpose of your job.

  • (Score: 2) by Dunbal on Thursday June 18 2015, @03:25PM

    by Dunbal (3515) on Thursday June 18 2015, @03:25PM (#197847)

    Not only that but designing a system where someone with "valid credentials" can obtain an unencrypted copy of every single entry in the database without raising any flags is pretty shoddy design. Or do they just hand out root powers to everyone?

    • (Score: 2) by Immerman on Thursday June 18 2015, @03:48PM

      by Immerman (3985) on Thursday June 18 2015, @03:48PM (#197858)

      Not being a database engineer - I wonder how you would restrict it? If you have any access to the database then it seems to me that presumably you have a potential need to access any single record within it, which would in theory allow access to *every* record. Sure, there could be red flags raised if someone is accessing large numbers of records, but actually terminating access would seem to be an invitation to a lot of grief - especially if there is ever any serious data-analysis/aggregation performed.

      • (Score: 2) by Dunbal on Thursday June 18 2015, @04:58PM

        by Dunbal (3515) on Thursday June 18 2015, @04:58PM (#197886)

        We're talking millions of records. It is simply not possible for someone to access them one single record at a time, nor is it possible for someone to somehow copy a record at a time. This is someone who must have had the ability to dump, unencrypted, the whole database. That's different from having read access to records, or modify access to records. That's a privilege that pretty much should belong only to the guy who makes the backups and it's pretty silly if that can be done from anywhere other than in front of the server by any user.

        • (Score: 3, Insightful) by Immerman on Thursday June 18 2015, @06:53PM

          by Immerman (3985) on Thursday June 18 2015, @06:53PM (#197921)

          SELECT * FROM records. Save results to disk. Done.

          • (Score: 2) by WillR on Thursday June 18 2015, @07:55PM

            by WillR (2012) on Thursday June 18 2015, @07:55PM (#197956)

            # default-deny inbound on the DB host; only the app tier and DBA hosts may connect
            # (iptables policies and targets are case-sensitive: DROP / ACCEPT)
            iptables -P INPUT DROP
            iptables -A INPUT -s (front-end app servers) -j ACCEPT
            iptables -A INPUT -s (DBA workstations) -j ACCEPT

            Plonk! (Unless you've pwned a DBA's machine, anyway...)

          • (Score: 2) by Dunbal on Friday June 19 2015, @01:14AM

            by Dunbal (3515) on Friday June 19 2015, @01:14AM (#198056)

            Yeah give EVERY user the ability to do this. Sorry how does this change the point I was making? If anyone can get root access to the database through "social engineering" then there is no security at all. So how many employees have already obtained/sold the list without the agency knowing?
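The thread above argues two points without showing them: Immerman's "red flags raised if someone is accessing large numbers of records" (and his worry that cutting access off would break legitimate analysis), and the contrast between a key-by-key lookup path and a credential that can simply run `SELECT * FROM records` and save the result. The following is an added example, not code from any of the posters or from the system under discussion. It assumes a SQLite table named `records` with constructed sample rows, a hypothetical per-user budget of 50 distinct records per session, and the class and function names shown; none of these come from the page.

```python
"""Bulk-read detection at the application layer versus a raw table dump.

Added example (not from the thread). The table, the 1000 sample rows and the
50-record budget are constructed for illustration; the ROW_BUDGET value is an
assumption, not a real policy.
"""
import sqlite3
from collections import defaultdict

# Hypothetical budget: more distinct records than this in one session is
# treated as a bulk read and flagged.
ROW_BUDGET = 50


def build_sample_db(n_records=1000):
    """Constructed sample table standing in for a personnel-records store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO records VALUES (?, ?, ?)",
        [(i, f"employee-{i}", f"000-00-{i:04d}") for i in range(1, n_records + 1)],
    )
    return conn


def dump_everything(conn):
    """What a valid credential with direct table access can do: one query, every row, no alert."""
    return conn.execute("SELECT id, name, ssn FROM records").fetchall()


class RecordGateway:
    """Application-layer accessor: key lookups only, with per-principal bulk-read detection.

    By default an alert is recorded and access continues, so analysis jobs that
    legitimately touch many records are not silently broken; hard_stop=True
    refuses further new records once the budget is exhausted.
    """

    def __init__(self, conn, budget=ROW_BUDGET, hard_stop=False):
        self.conn = conn
        self.budget = budget
        self.hard_stop = hard_stop
        self.seen = defaultdict(set)   # principal -> distinct record ids read this session
        self.alerts = []               # (principal, distinct_count) appended when budget is crossed

    def lookup(self, principal, record_id):
        """Return one record by primary key; no method on this class returns the whole table."""
        distinct = self.seen[principal]
        if self.hard_stop and len(distinct) >= self.budget and record_id not in distinct:
            raise PermissionError(f"{principal}: record budget of {self.budget} exhausted")
        row = self.conn.execute(
            "SELECT id, name, ssn FROM records WHERE id = ?", (record_id,)
        ).fetchone()
        if row is None:
            return None
        if record_id not in distinct:
            distinct.add(record_id)
            if len(distinct) == self.budget + 1:
                # fire exactly once per principal, at the moment the budget is crossed
                self.alerts.append((principal, len(distinct)))
        return row


def crawl_all_records(gateway, principal, n_records=1000):
    """Simulate a user with valid credentials walking the table one id at a time."""
    fetched = 0
    for i in range(1, n_records + 1):
        try:
            if gateway.lookup(principal, i) is not None:
                fetched += 1
        except PermissionError:
            break
    return fetched


if __name__ == "__main__":
    conn = build_sample_db()
    print("raw dump rows:", len(dump_everything(conn)))                  # 1000, nothing flagged
    gw = RecordGateway(conn)
    print("crawled via gateway:", crawl_all_records(gw, "alice"))        # 1000, but an alert fired
    print("alerts:", gw.alerts)                                          # [('alice', 51)]
    gw2 = RecordGateway(conn, hard_stop=True)
    print("crawled with hard_stop:", crawl_all_records(gw2, "mallory"))  # 50
```

The raw dump path is the situation Dunbal and Immerman describe: if the credential carries a direct SELECT grant on the table, one query returns everything and there is nothing to flag. Routing reads through the gateway does not stop a determined crawler, but it produces an alert the moment the budget is crossed, and the `hard_stop` switch shows the trade-off Immerman raises between alerting and actually terminating access.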