OPM Hit By Class Action Lawsuit, and Those Phishing Scams You Feared Over #OPMHack Are Real (Corrected)

Posted: 7:16 pm  EDT

 

The largest federal employee union, the American Federation of Government Employees, filed a class action lawsuit today against the Office of Personnel Management, its director, Katherine Archuleta, its chief information officer, Donna Seymour and Keypoint Government Solutions, an OPM contractor.
A couple of weeks ago, we thought that the “recipe” from the OPM email notification sent to potentially affected employees via email might be copied by online scammers.


 

Today, the United States Computer Emergency Readiness Team (US-CERT), part of DHS’ National Cybersecurity and Communications Integration Center (NCCIC), issued an alert on phishing campaigns masquerading as emails from the Office of Personnel Management (OPM) or the identity protection firm CSID.

#

OPM Announces Temporary Suspension of the E-QIP System For Background Investigation

Posted: 12:19 am EDT

 

On June 29, OPM announced the temporary suspension of the online system used to submit background investigation forms. The system could be offline for 4-6 weeks. Below via opm.gov:

WASHINGTON, D.C. – The U.S. Office of Personnel Management today announced the temporary suspension of the E-QIP system, a web-based platform used to complete and submit background investigation forms.

Director Katherine Archuleta recently ordered a comprehensive review of the security of OPM’s IT systems. During this ongoing review, OPM and its interagency partners identified a vulnerability in the e-QIP system. As a result, OPM has temporarily taken the E-QIP system offline for security enhancements. The actions OPM has taken are not the direct result of malicious activity on this network, and there is no evidence that the vulnerability in question has been exploited. Rather, OPM is taking this step proactively, as a result of its comprehensive security assessment, to ensure the ongoing security of its network.

OPM expects e-QIP could be offline for four to six weeks while these security enhancements are implemented. OPM recognizes and regrets the impact on both users and agencies and is committed to resuming this service as soon as it is safe to do so.  In the interim, OPM remains committed to working with its interagency partners on alternative approaches to address agencies’ requirements.

“The security of OPM’s networks remains my top priority as we continue the work outlined in my IT Strategic Plan, including the continuing implementation of modern security controls,” said OPM Director Archuleta. “This proactive, temporary suspension of the e-QIP system will ensure our network is as secure as possible for the sensitive data with which OPM is entrusted.”

#

Meanwhile, on June 22, AFSA sent a letter to OPM Director Katherine Archuleta with the following requests:

Screen Shot 2015-06-29

via afsa.org

 

On June 25, AFSA was one of the 27 federal-postal employee coalition groups that urged President Obama to “immediately appoint a task force of leading agency, defense/intelligence, and private-sector IT experts, with a short deadline, to assist in the ongoing investigation, apply more forceful measures to protect federal personnel IT systems, and assure adequate notice to the federal workforce and the American public.” (Read the letter here: AFSA Letter sent in conjunction with the Federal-Postal Coalition | June 25, 2015 | pdf)

#

“M” Writes Update to State Department Employees Regarding OPM Breach

Posted: 1:36 pm EDT

 

It took 18 days before I got my OPM notification on the PII breach. Still nothing on the reported background investigation breach. OPM says it will notify those individuals whose BI information may have been compromised “as soon as practicable.” That might not happen until the end of July! The hub who previously worked for State and another agency has yet to get a single notification from OPM. We have gone ahead and put a fraud alert for everyone in the family. What’s next? At the rate this is going, will we soon need fraud alerts for the pets in our household? They have names and passports, and could be targeted for kidnapping, you guys!!

And yes, I’ve watched the multiple OPM hearings now, and no, I could not generate confidence for the OPM people handling this, no matter how hard I try. Click here for the timeline of the various breaches via nextgov.com, some never disclosed to the public.

Still waiting for the White House to do a Tina Fey:

you're all fired

via giphy.com

On June 25, the Under Secretary for Management, Patrick Kennedy, sent a message to State Department employees regarding the OPM breach. There is nothing new in this latest State update that we have not seen or heard previously, except the detail from the National Counterintelligence and Security Center (NCSC) at http://www.ncsc.gov (pdf) on how to protect personal information from exploitation (a tad late for that, but anyway …), because Foreign Intelligence Services and/or cybercriminals could exploit the information and target you.

Wait, what did OPM say about families? “[W]e have no evidence to suggest that family members of employees were affected by the breach of personnel data.” 

Via the NCSC:

Screen Shot 2015-06-26

no kidding!

Screen Shot 2015-06-26

you don’t say!

Here is M’s message from June 25, 2015 to State employees. As far as we know, this is the first notification posted publicly online on this subject, which is good, as these incidents potentially affect not just current employees but prospective employees, former employees, retirees and family members.

Dear Colleagues,

I am writing to provide you an update on the recent cyber incidents at the U.S. Office of Personnel Management (OPM) which has just been received.

As we have recently shared, on June 4th, OPM announced an intrusion impacting personnel information of approximately four million current and former Federal employees. OPM is offering affected individuals credit monitoring services and identity theft insurance with CSID, a company that specializes in identity theft protection and fraud resolution. Additional information is available on the company’s website, https://www.csid.com/opm/ and by calling toll-free 844-777-2743 (international callers: call collect 512-327-0705). More information can also be found on OPM’s website: www.opm.gov.

Notifications to individuals affected by this incident began on June 8th on a rolling basis through June 19th. However, it may take several days beyond June 19 for a notification to arrive by email or mail. If you have any questions about whether you were among those affected by the incident announced on June 4, you may call the toll free number above.

On June 12th, OPM announced a separate cyber intrusion affecting systems that contain information related to background investigations of current, former, and prospective Federal Government employees from across all branches of government, as well as other individuals for whom a Federal background investigation was conducted, including contractors. This incident remains under investigation by OPM, the Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI). The investigators are working to determine the exact number and list of potentially affected individuals. We understand that many of you are concerned about this intrusion. As this is an ongoing investigation, please know that OPM is working to notify potentially affected individuals as soon as possible. The Department is working extensively with our interagency colleagues to determine the specific impact on State Department employees.

It is an important reminder that OPM discovered this incident as a result of the agency’s concerted and aggressive efforts to strengthen its cybersecurity capabilities and protect the security and integrity of the information entrusted to the agency. In addition, OPM continues to work with the Office of Management and Budget (OMB), the Department of Homeland Security, the FBI, and other elements of the Federal Government to enhance the security of its systems and to detect and thwart evolving and persistent cyber threats. As a result of the work by the interagency incident response team, we have confidence in the integrity of the OPM systems and continue to use them in the performance of OPM’s mission. OPM continues to process background investigations and carry out other functions on its networks.

Additionally, OMB has instructed Federal agencies to immediately take a number of steps to further protect Federal information and assets and improve the resilience of Federal networks. We are working with OMB to ensure we are enforcing the latest standards and tools to protect the security and interests of the State Department workforce.

We will continue to update you as we learn more about the cyber incidents at OPM. OPM is the definitive source for information on the recent cyber incidents. Please visit OPM’s website for regular updates on both incidents and for answers to frequently asked questions: www.opm.gov/cybersecurity. We are also interested in your feedback and questions on the incident and our communications. You can reach out to us at DG DIRECT (DGDirect@state.gov) with these comments.

State Department employees who want to learn additional information about the measures they can take to ensure the safety of their personal information can find resources at the National Counterintelligence and Security Center (NCSC) at http://www.ncsc.gov. The following are also some key reminders of the seriousness of cyber threats and of the importance of vigilance in protecting our systems and data.

Steps for Monitoring Your Identity and Financial Information

  • Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.
  • Request a free credit report at www.AnnualCreditReport.com or by calling 1-877-322-8228. Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax®, Experian®, and TransUnion® – for a total of three reports every year. Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) website, www.ftc.gov.
  • Review resources provided on the FTC identity theft website, www.Identitytheft.gov. The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.
  • You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name. Simply call TransUnion® at 1-800-680-7289 to place this alert. TransUnion® will then notify the other two credit bureaus on your behalf.

Read in full here.

#

State Department to Get a Holodeck to Train U.S. Diplomats, Star Trek Replicator Not Included

Posted: 2:17 am  EDT

 

The Foreign Service Institute will soon have an Immersive Virtual Environment to train our diplomats. The solicitation calls it a “Holodeck Projection Solution” and it is an intended addition to the school’s Innovation Lab.

Really, something like this?

 

In early 2014, Wired reported that the Army Contracting Command issued a Sources Sought notice for companies interested in demonstrating “mature technologies” for military training.  The report noted that Northrop Grumman thinks its Virtual Immersive Portable Environment (VIPE) Holodeck just may be the answer.  The VIPE Holodeck 360 degree virtual training system provides users with a high-fidelity immersive environment with a variety of mission-centric applications, including simulation and training, mission rehearsal and data visualization. The VIPE Holodeck can support live, virtual and constructive simulation and training exercises including team training, cultural and language training and support for ground, air and remote platform training.

The U.S. Army required a white paper and demo from interested companies, with the requirement spelled out here.

The announcement said that the Army lacked the capability to rapidly assess, adapt and replicate the complex nature of the operational environment and applicable Joint, Interagency, International, Multinational (JIIM) enablers to conduct realistic training and develop adaptive Leaders at Home Station. Associated Areas of interest for NIE 15.1 Include:

Provide an Augmented Reality (AR) capability that can be utilized by individual Soldiers or Small units (Company & below) to integrate (simulated) Joint and other combined arms enablers (e.g., indirect/FA fires, aerial delivery of supplies, CAS) during live training events, (with the ability to support multi-echelon training at Home Station when required).

It looks like the U.S. Army not only looked into the capability gaps but also knows what that immersive virtual environment will be used for.

We can’t say the same for the State/FSI solicitation for a holodeck.

FSI will have an Immersive Virtual Environment to train our diplomats, but the solicitation does not say what kind of immersive training it will be used for. It requires the vendor to “provide any necessary training” but does not identify what training content is required. Is this for an immersive congressional hearing environment? Language training? Death notification simulations for non-consular officers working as duty officers? Will our diplomats be doing intergalactic diplomatic negotiations on alien planets? The solicitation does not say. What’s next? A follow-up solicitation for vendors to write virtual environment simulations for diplomats? A solicitation for the script for those simulations?

Here’s a clip from The Void, a company that says “you will walk into new dimensions and experience worlds without limits. From fighting intergalactic wars on alien planets, to casting spells in the darkest of dungeons, THE VOID presents the future of entertainment. Only limited by imagination, our advanced Virtual-Reality technologies allow you to see, move, and feel our digital worlds in a completely immersive and realistic way.”

Folks, please let us know when the FSI cafeteria gets a replicator.

 

Via fedbiz:

The Foreign Service Institute (FSI) is the Federal Government’s primary training institution for officers and support personnel of the U.S. foreign affairs community, preparing American diplomats and other professionals to advance U.S. foreign affairs interests overseas and in Washington. At the George P. Shultz National Foreign Affairs Training Center (NFATC), the FSI provides more than 450 courses, including some 70 foreign languages, to more than 50,000 enrollees a year from the State Department and more than 40 other government agencies and the military service branches.

The NFATC is seeking to have an Immersive Virtual Environment display capability added to its Innovation Lab classroom.

Holodeck Projection Solution

FSI has a space that has three walls arranged in a U-shape with 90° angles between each wall. Each wall is approximately 15ft long by 8ft in height. The vendor will provide a solution to project images on three walls (surfaces) in order to produce an immersive space for training.

The solution must include the following:

• A source computer capable of processing, rendering, and outputting high-end digital video and graphics.

• The source computer must have the ability to have a WiFi network connection, run on latest version of its operating system, and be capable of outputting four (4) video feeds each 1920×1080 or greater; three for the walls/surfaces and one for local monitoring.

• Video processing must…

* Accommodate to the angles in the U shape layout and adjust for the perspective change (i.e. a “wrapped” image). The system must display images from the perspective of a viewer standing in the center of the U as they look around them.

* Be able to show content independently and in a variety of combinations. (i.e. a separate image on each surface simultaneously; two images split between the three surfaces; and other combinations.)

• An audio solution for the immersive space driven from the controlling PC.

• The walls painted or finished with a suitable projection surface.

• Projectors placed so as to minimize shadows from people standing in the immersive environment.

• Projectors with a native resolution of 1920×1080 or greater and a contrast ratio of 2000 to 1 or greater.

This requirement will include all necessary projection equipment, mounts, PC, installation, cabling, wall plates, video processing and wall surface paint/material for a turnkey room.

• Vendor will document all cabling & design and present to FSI in an editable electronic & printed format when the work is completed.

• Vendor will document all equipment serial information and present to FSI in an electronic format (MS Excel or equivalent) when work is completed.

• Vendor shall provide any necessary training.

Paging Starfleet, is this all you need for a holodeck?

#

 

ALL Foreign Affairs Agencies Affected By #OPMHack: DOS, USAID, FCS, FAS, BBG and APHIS

Posted: 6:15 pm PDT

 

AFSA has now issued a notice to its membership on the OPM data breach. Below is an excerpt:

On Thursday June 4, the Office of Personnel Management (OPM) became aware of a cybersecurity incident affecting its systems and data. AFSA subsequently learned that the Personally Identifiable Information (PII) of many current and former federal employees at the foreign affairs agencies has been exposed as a result of this breach.

The most current information provided to AFSA indicates the following: Most current, former and prospective federal employees at ALL foreign affairs agencies have been affected by this breach. That includes the State Department, USAID, FCS, FAS, BBG and APHIS. OPM discovered a new breach late last week which indicates that any current, former or prospective employee for whom a background investigation has been conducted is affected.

In the coming weeks, OPM will be sending notifications to individuals whose PII was potentially compromised in this incident. The email will come from opmcio@csid.com and it will contain information regarding credit monitoring and identity theft protection services being provided to those federal employees impacted by the data breach. In the event OPM does not have an email address for the individual on file, a standard letter will be sent via the U.S. Postal Service. All the foreign affairs agencies suggest that those affected should contact the firm listed below. Members of the Foreign Commercial Service may additionally contact Commerce’s Office of Information Security at informationsecurity@doc.gov.

As a note of caution, confirm that the email you receive is, in fact, the official notification. It’s possible that malicious groups may leverage this event to launch phishing attacks.  To protect yourself, we encourage you to check the following:

  1. Make sure the sender email address is “opmcio@csid.com”.
  2. The email is sent exclusively to your work email address. No other individuals should be in the To, CC, or BCC fields.
  3. The email subject should be exactly “Important Message from the U.S. Office of Personnel Management CIO”.
  4. Do not click on the included link. Instead, record the provided PIN code, open a web browser, manually type the URL http://www.csid.com/opm into the address bar and press enter. You can then use the provided instructions to enroll using CSID’s Web portal.
  5. The email should not contain any attachments. If it does, do not open them.
  6. The email should not contain any requests for additional personal information.
  7. The official email should look like the sample screenshot below.

image via afsa.org
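The seven-point checklist above, turned into a check that can be run over a received message before anyone acts on it. This is an added example, not code from AFSA, OPM or CSID; the two sample messages are constructed here, the list of hosts a link may point to (csid.com) and the phrases treated as “requests for personal information” are assumptions, and your own work address is passed in as a parameter.

```python
"""Verify an OPM/CSID breach notification against the AFSA checklist.
Added example (not AFSA's/OPM's/CSID's code); sample messages are constructed."""
import re
from email import message_from_string
from email.policy import default
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

EXPECTED_SENDER = "opmcio@csid.com"
EXPECTED_SUBJECT = "Important Message from the U.S. Office of Personnel Management CIO"
# Assumption: the only hosts a genuine notice would link to (the notice tells
# you to type www.csid.com/opm by hand anyway); anything else is flagged.
ALLOWED_LINK_HOSTS = {"www.csid.com", "csid.com"}
# Assumption (heuristic): phrases that mean the mail is asking for more PII.
PII_REQUEST_PATTERNS = [
    r"social security", r"\bssn\b", r"password", r"date of birth",
    r"bank account", r"credit card", r"reply with your",
]
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def check_opm_notification(raw: str, my_work_address: str) -> list[str]:
    """Return a list of findings; an empty list means every checklist item passed."""
    msg = message_from_string(raw, policy=default)
    findings = []

    # 1. Sender must be exactly the announced address (display name ignored).
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender != EXPECTED_SENDER:
        findings.append(f"sender is {sender!r}, expected {EXPECTED_SENDER!r}")

    # 2. Sent exclusively to your work address: one To recipient, no Cc/Bcc.
    to_addrs = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
    if to_addrs != [my_work_address.lower()]:
        findings.append(f"To field is {to_addrs}, expected only {my_work_address!r}")
    for hdr in ("Cc", "Bcc"):
        if msg.get_all(hdr):
            findings.append(f"{hdr} field is present")

    # 3. Subject must match the official one exactly.
    if msg.get("Subject", "") != EXPECTED_SUBJECT:
        findings.append(f"subject is {msg.get('Subject', '')!r}")

    # 5. No attachments at all.
    names = [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]
    if names:
        findings.append(f"has attachments: {names}")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""

    # 4. Links: the notice says not to click; any link off csid.com is flagged.
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host not in ALLOWED_LINK_HOSTS:
            findings.append(f"link to unexpected host {host!r}")

    # 6. The genuine notice asks for no additional personal information.
    for pat in PII_REQUEST_PATTERNS:
        if re.search(pat, text, re.IGNORECASE):
            findings.append(f"body appears to request personal data ({pat!r})")
    return findings


# Constructed sample: a message that matches the checklist.
GOOD_MAIL = """\
From: OPM CIO <opmcio@csid.com>
To: jane.doe@state.gov
Subject: Important Message from the U.S. Office of Personnel Management CIO
Content-Type: text/plain; charset="us-ascii"

Your PIN is ABCD1234. Visit http://www.csid.com/opm to enroll.
"""

# Constructed sample: a lookalike that fails several checklist items.
PHISH_MAIL = """\
From: OPM CIO <opmcio@csid-opm.example>
To: jane.doe@state.gov
Cc: all-staff@state.gov
Subject: Important Message from the U.S. Office of Personnel Management CIO
Content-Type: text/plain; charset="us-ascii"

Click http://csid.com.enroll.example/verify and reply with your SSN.
"""

if __name__ == "__main__":
    for label, mail in (("good", GOOD_MAIL), ("phish", PHISH_MAIL)):
        print(label, check_opm_notification(mail, "jane.doe@state.gov"))
```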

Additional information has been made available on the company’s website, www.csid.com/opm, and by calling toll-free 844-777-2743 (International callers: call collect 512-327-0705).

Agency-Specific Points of Contact:

If you have additional questions, contact AFSA’s constituency vice presidents and representatives:

Read the full announcement here.

Amidst this never ending round of data breaches, go ahead and read Brian Krebs’ How I Learned to Stop Worrying and Embrace the Security Freeze. The USG is not offering to pay the cost of a credit freeze but it might be worth considering.

Of course, the security freeze does not solve the problem if the intent here goes beyond stealing USG employees’ identities. If the hackers were after the sensitive information contained in the background investigations, for use at any time in the future, we are not sure that a credit freeze, credit monitoring and/or ID theft protection can do anything to protect our federal employees.

Security clearance investigations, by their very nature, expose people’s darkest secrets — the things a foreign government might use to blackmail or compromise them such as drug and alcohol abuse, legal and financial troubles and romantic entanglements. (via)

I understand why the USG has to show that it is doing something to address the breach but — if a foreign government, as suspected, now has those SF-86s, how can people protect themselves from being compromised? If this is not about compromising the credit or identities of USG employees but about secrets, wouldn’t credit monitoring and/or ID theft protection for $20 Million be an expensive but useless response?

#

Obama Admin Official Leaks Dismal Stengel-Kerry Memo on ISIS Counter Messaging

Posted: 2:08 am EDT

 

An internal State Department memo paints a dreary view of the Obama administration’s efforts to counter messaging by the Islamic State. And somebody leaked it to the New York Times.


Why, indeed?

The internal memo, dated June 9, is marked SBU or “sensitive but unclassified.” It was drafted and approved by Richard A. Stengel, the State Department’s under secretary for public diplomacy and public affairs (State/R) and a former managing editor of Time magazine. The memo addressed to Secretary Kerry is cleared by only one person, Susan Stevenson, from Stengel’s own Front Office; there are no other addressees. It’s hard to say how far this memo traveled in the 4-5 days before it was leaked, but the source could not be too far away from Stengel’s and Kerry’s offices.

The question now is motive. Who leaked that memo and why? Is it to garner support from higher-ups like those in the WH, or is it to torpedo Stengel’s “big proposal and immediate improvement” before it gets legs? Who gains, who loses from this leak?

The memo is made available online by the NYT.

Pardon me, you’re waiting for the SBU leaker to get caught? Well, we’re also waiting for the trap doors for the leakers of the 2010 secret cables sent by then Ambassador Eikenberry on the Afghanistan strategy, and the 2012 top secret cable by then Ambassador Crocker on Pakistani havens. To date, none of those leakers have been caught. So, catch the SBU leaker? Good luck!

#

Dear Consular Affairs, This Is Giving Us Sorta Kinda Nightmares

Posted: 12:24 am EDT

 

An assistant secretary of the Bureau of Consular Affairs told Congress in 2003 that “the Department of State’s visa work abroad constitutes the “forward based defense” of the United States against terrorists and criminals who seek to enter the country to harm us.” 

In 2012, the deputy assistant secretary for visa services told Congress, “We are the first line of defense in border security because the Department is often the first government agency to have contact with foreign nationals wishing to visit the United States” (pdf).

We get that, and then you read about embassy officials who all had full-time duties elsewhere in the embassy serving as consular officers. According to the OIG inspectors, some of them apparently had no experience with consular work yet performed consular functions. No consular experience? We wonder if that means first-tour officers who went through the consular course but are serving in a non-consular function at post, or embassy officials with no prior experience but hopefully, at least, with Con-Gen light training? Folks might read this and scream like … but that is such a small consular operation. Well, that’s true enough. But like they say, the bad guys only have to succeed once, and we know that they are trying mighty hard every day.

Via State/OIG inspection report of US Embassy Antananarivo (pdf):

The small consular section provides the full range of consular services, and Department end users express satisfaction with the work of the section. The embassy processed 1,579 nonimmigrant visas in FY 2014. Demand for immigration from Madagascar and Comoros to the United States has been low historically. Between FYs 2009 and 2014, the embassy issued on average fewer than 35 immigrant visas each year. The consular staff noted that few citizens of Madagascar and Comoros have taken advantage of the Diversity Visa Program that Congress created to diversify the sources of immigration to the United States. In 2013, the consular staff started publicizing the Diversity Visa Program in Madagascar and Comoros. More than 21,400 Malagasy submitted entries for the program in 2013, three times the number who applied in 2012.

The consular section chief position experienced a gap of 8 months from December 2011 to August 2012 because of a voluntary curtailment by the previous consular officer. The embassy assured the Department that backup officers at the embassy could cover the gap. Several different officers served as consular officers during that period, but all had full-time duties elsewhere in the embassy and some had no experience doing consular work. Because the amount of consular work in Antananarivo was low, the Department accepted the backup assurances as acceptable and decided not to send any officers on temporary duty assignment during the 8-month gap.

When the current consular section chief arrived, he discovered several problems with consular management controls. The backup officers had not done the daily accounting for consular cash receipts from April to August 2012, a management control vulnerability that the consular section chief reported to the Bureau of Consular Affairs. The consular section chief also learned that one of the backup officers was attempting to use consular funds to pay for a nonconsular trip to Comoros and to purchase equipment, such as iPads and four flat-screen televisions, that were ostensibly for use in the consular section but in fact were meant for use elsewhere in the embassy. The current consular section chief stopped those inappropriate expenditures of consular funds and reconstructed the consular cash records for the 8-month period. He did not find any discrepancies in accounting for the consular cash. However, this incident highlights the fact that consular management controls can go awry even in small consular operations, especially when no full-time consular manager is present. The embassy gave assurances to the Department that an officer who headed another section could serve concurrently as consular section chief for 8 months. The Department needs to consider carefully the credibility of such assurances when evaluating options for filling staffing gaps.

The consular section chief has had discussions with the Bureau of Consular Affairs about the fact that his consular workload does not require a full 40 hours per week. Officials in the Bureau of Consular Affairs suggested that the consular section chief could volunteer to take on other duties in the embassy. During the inspection, in consultation with the OIG inspection team, the chargé d’affaires designated him as the backup Comoros reporting officer.

We doubt that these gaps, or the occasional temporary closures of consular sections when the sole consular officer is away from post, have to do with money, since the CA bureau certainly has tons of that. So we’re wondering if this has more to do with poor planning. If not, well, what is it?

Well, now …

#

Burn Bag: I volunteer! I volunteer as tribute! Not to the Hunger Games, silly!

Via Burn Bag:

 

“State just announced its 2015 Foreign Service Selection Board membership.  One name in particular somehow manages to serve on promotion panels year after year, and this year is no exception.  God complex, much?  There should be a limit on how many promotion panels you sit on — let some fresh eyes do the reviewing of colleagues’ performance.”

Image from peoplecallmethings.tumblr.com via giphy.com

 

Most Apt Question on #ClintonEmails: “Simply put, where was everyone?”

Posted: 2:36 am EDT

 

“I remain mystified by the fact that the use of a private e-mail account apparently went either unnoticed or unremarked upon during the four-year tenure in office of the former secretary” […] ”Simply put, where was everyone? Is there any record indicating that any lawyer, any FOIA officer, any records person, any high-level official ever respectfully confronted the former secretary with reasonable questions about the practice of sending e-mails from a private account? It is unfathomable to me that this would not have been noticed and reported up the chain.”

Jason Baron
Former Director of Litigation, NARA
Source: HRC Emails: Federal officials voiced growing alarm over Clinton’s compliance with records laws, documents show

 #

Tweet of the Day: Note to State Department: Don’t be so prickly

Posted: 12:51 am EDT