OPM Hack Victims Must Re-Enroll Starting December 1 to Keep Monitoring Services

November 2, 2016 By domani spero in Federal Agencies, Huh? News, Security, Spectacular, State Department, Technology and Work, Trends Tags: credit monitoring, CSID, cybersecurity, data breach, fingerprints, ID Experts, identity protection, OPM, OPM hack, PII data, Winvale Group LLC 2 Comments

Posted: 12:37 am ET
[twitter-follow screen_name=’Diplopundit’ ]

Some former and current federal employees whose personal data was compromised in the OPM data breach will have to re-enroll starting December 1 to continue receiving monitoring protection from a USG contractor. OPM doesn’t say what will happen to the data, feds and former feds have already submitted to CSID, but folks who have enrolled in that service will no longer have access to their CSID account when that contract expires on December 1. The Government Executive is reporting that as many as 600,000 individuals impacted by the initial hack will need to re-enroll to continue monitoring services through ID Experts. How is it that CSID is not able to port data over to ID Experts? Below from OPM:

OPM is announcing a change to the credit monitoring and identity protection service provider that will affect a subset of individuals impacted by the personnel records cyber incident announced in the summer of 2015. Most impacted individuals will not experience any change to their current coverage, and do not need to take any action, but a subset of individuals will need to re-enroll to continue coverage.

OPM currently uses two different companies to provide credit monitoring and identity protection services free of charge to impacted individuals. Winvale/CSID covers the 4.2 million individuals impacted by the personnel records cyber incident and ID Experts (MyIDCare) covers the 21.5 million individuals impacted by the background investigations cyber incident. As of December 1, coverage under Winvale/CSID will expire.

Credit monitoring and identity protection services from Winvale/CSID expire on December 1, 2016. Once services with Winvale/CSID expire, you will no longer have access to information in your Winvale/CSID account. If you wish to review or print your credit reports or other monitoring information from your Winvale/CSID account, please log in to your account prior to December 1.

As of December 2, 2016 all individuals impacted by either incident will be eligible for coverage through ID Experts (MyIDCare).

According to OPM, individuals currently covered by ID Experts (MyIDCare) will not experience a change in their coverage or service at this time and do not need to take any action. More:

Starting December 1, individuals previously covered by Winvale/CSID will be offered services through IDExperts (MyIDCare). Impacted individuals will also still be automatically covered by identity restoration and identity theft insurance, but you will need to re-enroll with ID Experts (MyIDCare) if you would like to continue to receive monitoring services.

Most of the individuals covered by Winvale/CSID were also impacted by the background investigation records cyber incident. These individuals should already have received a letter from OPM inviting them to enroll in services with ID Experts (MyIDCare) and providing them with a 25-digit PIN code.

If you previously received a notification letter in connection with the background investigation records incident and wish to enroll with ID Experts (MyIDCare) now, you will need to use the 25-digit PIN code provided in this letter. Click here if you have your 25-digit PIN code and wish to enroll now.

If you believe you previously received a notification letter in connection with the background investigation records incident, but no longer have your original notice, you can visit the Verification Center to obtain a duplicate copy by U.S. Postal Service.

If you are in the subset of individuals who were not impacted by the background investigations incident, you will be receiving a new notification letter from OPM via the U.S. Postal service with a 25-digit PIN that you can use to enroll with ID Experts (MyIDCare). We expect to mail the majority of these notifications in November 2016.

Note that OPM makes clear that ID Experts cannot enroll victims without the 25-digit PIN code and cannot provide former/current employees with a PIN code over the phone.

As Many as 600K OPM Hack Victims Must Re-Enroll to Keep Protection Services https://t.co/7USEY2WuTh pic.twitter.com/kKfo1JiQHu

— GovExec (@GovExec) November 1, 2016

Yo! This is nuts! @USOPM changing contract and employees need to re-enroll after hack!? https://t.co/kesHFRDIq5

— Diplopundit (@Diplopundit) November 1, 2016

The #OPM breach report: A long time cominghttps://t.co/qB9E9cQHop #OPMHack #cybersecurity

— Bob Jackson (@1st_infantry) October 18, 2016

And while you’re reading how to re-enroll, you might want to read about grafted fingerprints and hackers’ long term intention, because why not? If the data has not surfaced for sale, we have to wonder what was that hack about?

My @WIRED story about the epic hack that could lead to your fingerprints getting grafted onto someone in Chengdu. https://t.co/fgllpzgCeV

— Brendan I. Koerner (@brendankoerner) October 24, 2016

OPM’s Security Clearance Backlog Now At 500,000+ Govt-Wide

September 9, 2016 By domani spero in Contractors, Diplomatic Security, Federal Agencies, Huh? News, Lessons, Realities of the FS, Security Clearance, Spectacular, Staffing the FS, State Department Tags: Bureau of Diplomatic Security, China, data breach, DS/SI/PSS, Office of Personnel Management, OPM, OPM hack, Security Clearance

Posted: 4:14 am ET
[twitter-follow screen_name=’Diplopundit’ ]

The State Department recently sent an agency-wide message from the Under Secretary for Management which provide timelines for job applicants and employees who are in the process of applying or renewing their security clearances. The Bureau of Diplomatic Security adjudicates security clearances and renewals for all State Department employees but we understand that contractors are mostly processed by the Office of Personnel Management (OPM). The message notes that OPM currently has a backlog of more than 500,000 clearances government-wide.

In terms of length of adjudication, apparently 60% of the Department’s initial Top Secret investigations are completed within six months while 66% of its initial Secret investigations are completed in four months. When compared government-wide, the Department adjudicates security clearances much faster than the government-wide average. So that’s good, except, of course, if you’re the one waiting for it, six months is a loooong time. We don’t know what is the average wait time for the remaining 40% awaiting their TS clearance or the 34% awaiting for their Secret clearance?

But the OPM backlog of more than 500,000 clearances government-wide? Not so good. With a new administration transitioning in next year, waiting for a security clearance may just be like Beetlejuice waiting at the DMV without an appointment.

Via reactiongifs.com

In related news, OPM is also in the news because the House Oversight and Reform Committee released its report yesterday on The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation (read PDF or read below). The report details the exfiltration by two hacking teams of the security background data on 21.56 million individuals, the personnel files of 4.2 million former and current US government employees and the fingerprints for 5.6 million of them.

You will not be surprised to hear that OPM/OIG has warned since at least 2005 that the information maintained by OPM was vulnerable to hackers. US-CERT had also warned the department of a malware operating on its servers in 2012, and again in 2014, CERT warned that a hacker had managed to get information out of the OPM servers. The report notes that the damage could have been mitigated if the security of the sensitive data in OPM’s critical IT systems had been prioritized and secured.

“Despite this high value information maintained by OPM, the agency failed to prioritize cybersecurity." https://t.co/dCv8AadHVh

— The Intercept (@theintercept) September 8, 2016

Read the damning dossier on the security stupidity that let China ransack OPM's systems https://t.co/KM4N6bGAKN

— John McDonald (@trimble2k) September 9, 2016

Congressional report slams OPM on data breach, describes cascading series of blunders https://t.co/M3JO9Z19ng

— briankrebs (@briankrebs) September 7, 2016

Read the report here:

Another Federal Data Breach: Hacker Dumps FBI and DHS Employee Information Online

February 9, 2016 By domani spero in Federal Agencies, Govt Documents, Lessons, Security Tags: Cyber Security, data breach, DHS, DOJ, federal employee records, social engineering

Posted: 2:56 am EDT
[twitter-follow screen_name=’Diplopundit’ ]

Via motherboard.vice.com:

The data was obtained, the hacker told Motherboard, by first compromising the email account of a DoJ employee, although he would not elaborate on how that account was accessed in the first place. (On Monday, the hacker used the DoJ email account to contact this reporter). From there, he tried logging into a DoJ web portal, but when that didn’t work, he phoned up the relevant department.

“So I called up, told them I was new and I didn’t understand how to get past [the portal],” the hacker told Motherboard. “They asked if I had a token code, I said no, they said that’s fine—just use our one.”

If that’s true, then it took just one employee and elementary social engineering to start the ball rolling in this newest data breach.

Breaking: Hacker publishes personal info of 20,000 FBI agentshttps://t.co/6dzVWH5Dm3 pic.twitter.com/C5oYyzrIpx

— Motherboard (@motherboard) February 8, 2016

Hacker fulfills his promise and dumps list of 20,000 FBI agents. https://t.co/HwnmBRyLEj pic.twitter.com/MKvurnvcV4

— Lorenzo Franceschi-B (@lorenzoFB) February 8, 2016

This hacker has compiled nearly 30,000 ways to contact the FBI https://t.co/aBGJPyRC3X pic.twitter.com/IhhqmdTrAC

— CNET (@CNET) February 8, 2016

Officials downplay DOJ/DHS hack, say it doesn't compare to scope of #OPMhack @attackerman and @samthielman report https://t.co/fQqG9IonCZ

— Just Security (@just_security) February 8, 2016

USG Creates New National Background Investigations Bureau (NBIB) After OPM Data Breach

January 26, 2016 By domani spero in Diplomatic Security, Federal Agencies, Govt Documents, Interagency Cooperation, Security, State Department Tags: background investigation, Cyber Security, data breach, Federal Investigative Services, National Background Investigations Bureau, NBIB, OPM, OPM hack

Posted: 12:16 am EDT
[twitter-follow screen_name=’Diplopundit’ ]

Last week, OPM announced a series of changes to modernize and strengthen the way it conduct background investigations for Federal employees and contractors and protect sensitive data. The new bureau will be housed at OPM but will have DOD IT security and operation. It also absorbs OPM’s Federal Investigative Services (FIS). It is described as a new government wide-service provider. It is not clear how this will affect agencies like the State Department who conducted their own separate background investigations in the past.

Below is an excerpt from the OPM announcement:

These changes include the establishment of the National Background Investigations Bureau (NBIB), which will absorb the U.S. Office of Personnel Management’s (OPM) existing Federal Investigative Services (FIS), and be headquartered in Washington, D.C. This new government-wide service provider for background investigations will be housed within the OPM. Its mission will be to provide effective, efficient, and secure background investigations for the Federal Government. Unlike the previous structure, the Department of Defense will assume the responsibility for the design, development, security, and operation of the background investigations IT systems for the NBIB.

Today’s announcement comes after an interagency 90-Day Suitability and Security review commenced last year in light of increasing cybersecurity threats, including the compromise of information housed at OPM, to re-examine reforms to the Federal background investigations process, assess additional enhancements to further secure information networks and systems, and determine improvements that could be made to the way the Government conducts background investigations for suitability, security and credentialing.

This review was conducted by the interagency Performance Accountability Council (PAC), which is chaired by the Office of Management and Budget (OMB) and comprised of the Director of National Intelligence (DNI), the Director of the U.S. Office of Personnel Management, in their respective roles as Security and Suitability Executive Agents of the PAC, and the Departments of Defense (DOD), the Treasury, Homeland Security, State, Justice, Energy, the Federal Bureau of Investigation, and others. It also included consultation with outside experts.

We are proud of the collaborative effort of the interagency team that helped identify these critical reforms. And we are committed to protecting the security of not only our systems and data, but also the Personally Identifiable Information of the people we entrust with protecting our national security.

We also want to thank the men and women of OPM’s Federal Investigative Services for the work they do every day to provide quality background investigations to agencies across Government.

The Administration will establish a transition team that will develop a plan to stand up NBIB and migrate the existing functions of the current Federal Investigative Service to the NBIB, and to make sure that agencies continue to get the investigative services they need during the transition.

For more information about today’s announcement please go to https://www.whitehouse.gov/blog/2016/01/22/way-forward-federal-background-investigations.

OPM Data Breach Victims Get New Verification Site Through DOD, ID Protection Services Through ID Experts

December 2, 2015 By domani spero in Defense Department, Federal Agencies, Govt Documents, Privacy, Security, Security Clearance, Spectacular, Spouses, State Department, Technology and Work, Trends Tags: cybersecurity, data breach, data breach insurance, FS family members, ID Experts, identify theft and fraud protection services, MyIDCare, OPM, OPM hack

Posted: 1:23 am EDT
[twitter-follow screen_name=’Diplopundit’ ]

OPM launches self-check website for hack victims: https://t.co/x7pwhPqe4k pic.twitter.com/AUrubfyDeh

— The Hill (@thehill) December 2, 2015

Just in: @USOPM launches website for #breach victims https://t.co/DA4lS45CKY

— FedScoop (@fedscoop) December 1, 2015

New verification center is opened for potential victims of @USOPM #cyber attack. Details on how it works. https://t.co/Oplkk8I1nG

— Jason Miller (@jmillerWFED) December 1, 2015

OPM’s Cybersecurity Resource Center allows individuals impacted by the hack to sign up for protection services through ID Experts or verify if one is impacted by the data breach through DOD.

OPM says that while it is “not aware of any misuse of your information,” it is offering victims and dependent minor children who were under the age of 18 as of July 1, 2015, credit and identity monitoring, identity theft insurance, and identity restoration services for the next three years “through ID Experts, a company that specializes in identity theft protection.”

According to OPM, the identify thief insurance became effective on September 1, 2015 and the scope of the coverage includes all claims submitted on or prior to December 31, 2018. This insurance covers expenses incurred in restoring identity and is valid for amounts up to $1,000,000 with no deductible.

If you received a notification letter and PIN code from the Office of Personnel Management, OPM has determined that your Social Security Number and other personal information was stolen in a cyber intrusion involving background investigation records. You have to sign up for MyIDCare to access the protection if offers.

OPM has published what its notification letters look like:

If your fingerprints were not compromised, your notification letter will look like this (PDF file) [119.25 KB].
If your fingerprints were compromised, your notification letter will look like this (PDF file) [49.67 KB].

The Federal Government has also set up a verification center to assist individuals who have lost their PIN code or believe their data may be impacted but have not yet received notification letters. If you believe that you were impacted, but have not yet received your notification letter, OPM asks that you wait until mid-December before contacting the verification center. The Federal Government anticipates completing the mailing of notification letters by the end of the second week in December.

To verify by phone, call 866-408-4555 Toll Free; 503-520-4453 International; 503-597-7662 TTY or verify online here through DOD.

The https://opmverify.dmdc.osd.mil verification website offered through the Department of Defense says that its purpose is “To provide breach notification and facilitate the provision of breach mitigation services to individuals affected by the breach of information in the Office of Personnel Management (OPM) background investigation databases.”

DoD will also “use the data to respond to breach verification inquiries received from individuals using the link on OPM’s website that redirects individuals to a DoD website where they can enter their information to find out if they have been affected by this breach. These records may also be used for tracking, reporting, measuring, and improving the Department’s effectiveness in implementing this data breach notification.”

Click here for the Frequents Asked Questions. If you have already enrolled and have questions or concerns about your post-enrollment services, you may call OPM’s 800-750-3004.

Related posts:

Federal Employees With Stolen Fingerprints From OPM Breach – Now Up to 5.6 Million

September 23, 2015 By domani spero in Career Employees, Disasters, Federal Agencies, Huh? News, Interagency Cooperation, Security, State Department, Technology and Work Tags: cybersecurity, data breach, fingerprint data misuse, identify theft and fraud protection services, OPM, OPM hack 4 Comments

Posted: 12:05 pm EDT
Updated: 6:39 pm PDT
[twitter-follow screen_name=’Diplopundit’ ]

OPM now admits that the fingerprints of 5.6m federal employees were stolen by hackers http://t.co/4ffDbltGSy

— WIRED (@WIRED) September 23, 2015

Here is the official statement from OPM dated September 23, 2015:

As part of the government’s ongoing work to notify individuals affected by the theft of background investigation records, the Office of Personnel Management and the Department of Defense have been analyzing impacted data to verify its quality and completeness. During that process, OPM and DoD identified archived records containing additional fingerprint data not previously analyzed. Of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million. This does not increase the overall estimate of 21.5 million individuals impacted by the incident. An interagency team will continue to analyze and refine the data as it prepares to mail notification letters to impacted individuals.

Federal experts believe that, as of now, the ability to misuse fingerprint data is limited. However, this probability could change over time as technology evolves. Therefore, an interagency working group with expertise in this area – including the FBI, DHS, DOD, and other members of the Intelligence Community – will review the potential ways adversaries could misuse fingerprint data now and in the future. This group will also seek to develop potential ways to prevent such misuse. If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach.

As we have stated previously, all individuals impacted by this intrusion and their minor dependent children (as of July 1, 2015) are eligible for identify theft and fraud protection services, at no cost to them. In conjunction with the Department of Defense, OPM is working to begin mailing notifications to impacted individuals, and these notifications will proceed on a rolling basis.

OPM and our partners across government are working to protect the safety and security of the information of Federal employees, service-members, contractors, and others who provide their information to us. Together with our interagency partners, OPM is committed to delivering high-quality identity protection services to impacted individuals. The interagency team will continue to review the impacted data to enhance its quality and completeness, and to monitor for any misuse of the data. The U.S. Government will continue to evaluate the coverage being provided and whether any adjustments are needed in association with this incident.

Sigh. Grrr. Sigh. Grrr. Sigh. Grrr. Sigh. Grrr.

Updated:

5.6m fingerprints were stolen in the OPM’s data breach. What will they be used for? http://t.co/yAKP1YxksH @ldignan pic.twitter.com/WeqvElz7Xn

— ZDNet (@ZDNet) September 23, 2015

OPM Says 5 Times More Federal Employees Had Fingerprint Data Stolen in Hack Than First Believed http://t.co/OCGNjwJjEB

— Nextgov (@Nextgov) September 23, 2015

PSA: Know the Risk #Raise Your Shield Campaign: Spear Phishing

September 10, 2015 By domani spero in Federal Agencies, Public Service, Security, Social Media, Technology and Work, Trends Tags: #RaiseYourShield campaign, cybersecurity awareness, data breach, National Counterintelligence and Security Center, NCSC, ODNI, Office of the Director of National Intelligence, PSA, spear phishing 1 Comment

Posted: 4:02 am EDT
[twitter-follow screen_name=’Diplopundit’ ]

The National Counterintelligence and Security Center (NCSC) is responsible for leading the counterintelligence and security mission across the USG. It is putting out the #RaiseYourShield campaign focusing on spear phishing. It will reportedly be targeting social media, human targeting, and travel awareness. You can learn more at http://www.ncsc.gov but fair warning, the website is slow and cumbersome, hard to navigate and not terribly user-friendly.

Via the Office of the Director of National Intelligence:

Here’s the Don’t Be THIS Guy: Spear Phishing video:

OPM Spends $133 Million on Credit Monitoring, Still No Credit Freeze

September 4, 2015 By domani spero in Contractors, Federal Agencies, Huh? News, Security, Spectacular, State Department, Technology and Work Tags: data breach, ID Experts, Identity Theft Guard Solutions LLC, identity thief protection, OPM 2 Comments

Posted: 12:34 am PDT
[twitter-follow screen_name=’Diplopundit’ ]

On September 1, OPM announced the $133M contract for identity thief protection and credit monitoring services for the 21.5 million individuals affected by the massive OPM breach that includes security clearance data. Our go-to expert on this says that “perhaps the agency should be offering the option to pay for the cost that victims may incur in “freezing” their credit files, a much more effective way of preventing identity theft.” Excerpt from Krebs on Security:

The only step that will reliably block identity thieves from accessing your credit file — and therefore applying for new loans, credit cards and otherwise ruining your good name — is freezing your credit file with the major credit bureaus. This freeze process — described in detail in the primer, How I Learned to Stop Worrying and Embrace the Security Freeze — can be done online or over the phone. Each bureau will give the consumer a unique personal identification number (PIN) that the consumer will need to provide in the event that he needs to apply for new credit in the future.

Here is part of the OPM announcement:

The U.S. Office of Personnel Management (OPM) and the U.S. Department of Defense (DoD) today announced the award of a $133,263,550 contract to Identity Theft Guard Solutions LLC, doing business as ID Experts, for identity theft protection services for 21.5 million individuals whose personal information was stolen in one of the largest cybercrimes ever carried out against the United States Government. These services will be provided at no cost to the victims whose sensitive information, including Social Security numbers, were compromised in the cyber incident involving background investigations.

“We remain fully committed to assisting the victims of these serious cybercrimes and to taking every step possible to prevent the theft of sensitive data in the future,” said Beth Cobert, Acting Director of the Office of Personnel Management. “Millions of individuals, through no fault of their own, had their personal information stolen and we’re committed to standing by them, supporting them, and protecting them against further victimization. And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling.”

ID Experts will provide all impacted individuals and their dependent minor children (under the age of 18 as of July 1, 2015) with credit monitoring, identity monitoring, identity theft insurance, and identity restoration services for a period of three years. This task order was awarded under GSA’s Blanket Purchase Agreements (BPA) for Identity Monitoring, Data Breach Response and Protection Services which GSA awarded today.

The U.S. Government, through the Department of Defense, will notify those impacted beginning later this month and continue over the next several weeks. Notifications will be sent directly to impacted individuals.

OPM (Mis)Spends $133 Million on Credit Monitoring in Wake of Breach http://t.co/uCKRq5IJ2G

— briankrebs (@briankrebs) September 2, 2015

The government will actually spend $330 million to protect victims of the #OPMhack: http://t.co/q7bV7fJK16 pic.twitter.com/EjUYXIQdWi

— Nextgov (@Nextgov) September 3, 2015

Millions hit by personal data hack still have not been told http://t.co/bZxHvUQ48o pic.twitter.com/ZOMymIy8sA

— Reuters Business (@ReutersBiz) September 2, 2015

@USOPM why are you not adding credit freeze cost/protection for victims of the OPM hack?

— Diplopundit (@Diplopundit) September 4, 2015

Heard that? Crickets.

Purported ISIS ‘Hit List’ With 1,482 Targets Includes State Department Names

August 16, 2015 By domani spero in Diplomatic Attacks, Diplomatic Security, Foreign Service, FSOs, Functional Bureaus, Learning, Realities of the FS, Security, Social Media, Spectacular, State Department, Technology and Work, U.S. Missions Tags: cyberdefense, cybersecurity, data breach, ISIS, online threats, opsec, Troy Hunt

Posted: 6:52 pm EDT
[twitter-follow screen_name=’Diplopundit’ ]

According to CNN, a group calling itself the Islamic State Hacking Division recently posted online a purported list of names and contacts for Americans it refers to as “targets,” according to officials.

Though the legitimacy of the list is questionable, and much of the information it contains is outdated, the message claims to provide the phone numbers, locations, and “passwords” for 1400 American government and military personnel as well as purported credit card numbers, and excerpts of some Facebook chats.

The Guardian describes the list as a spreadsheet, published online last week which exposes names, email addresses, phone numbers and passwords. The 1,482 names include members of the U.S. Marine Corps, NASA, the State Department, the U.S. Air Force, and the FBI.

The Daily Mail reports that the list includes an accompanying message that reads: ‘Know that we are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts.’

The list apparently also includes the names of eight Australians and UK government personnel. In Australia where ~~there~~ this is huge news, Prime Minister Tony Abbott told the press, “We’ve just discovered that it’s actually able to launch cyber attacks in this country so this is a very sophisticated and deadly threat to us even here in Australia.” A chief executive of a forensic data firm in the country went so far as to advise that Canberra’s public servants get off social media. He also recommended that “on the day [ADFA] cadets enlist, their entire electronic lives be erased” and that “they should not exist on digital networks until they retire from Defence.”

The reaction here is a little less ZOMG! Last week, then Army Chief of Staff Gen. Ray Odierno said in a press conference that “this is the second or third time they’ve claimed that and the first two times I’ll tell you, whatever lists they got were not taken by any cyber attack.”

“This is no different than the other two,” Odierno said. “But I take it seriously because it’s clear what they’re trying to do … even though I believe they have not been successful with their plan.”

CNN reports that Pentagon spokesman Lt. Col. Jeffrey Pool also cautioned that many of the military email addresses looked at least several years old, based on their suffixes. He said that shortly after this list was posted, a reminder went out to service personnel that they should limit the personal information they put on social media. “If any of your information on it is accurate, you’re very concerned,” former Homeland Security adviser Fran Townsend told CNN, “as are government officials.”

According to the Washington Examiner, State Department employees comprise about a quarter of the alleged personal information on the list. That would be about 370 names. It also says that at the bottom of the leaked document, originally posted on zonehmirrors.org, are receipts from State Department employees along with their credit card numbers. The report notes that Islamic State supporters tweeted a link to the document and also tweeted, in one instance, information claiming to be the personal details of a staff member from the U.S. embassy in Cairo that said: “To the lone wolves of Egypt.”

Technology security expert, Troy Hunt, writes that “nothing makes headlines like a combination of ISIS / hackers / terrorism!” and has taken a closer look with an analysis here. Mr. Hunt’s conclusion — drawn merely from looking at the leaked list and applying what he observed from experience with previous data dumps leaked list — is that “the data is almost certainly from multiple locations and very unlikely to be from a single data breach.” Also that “most of the data is easily discoverable via either existing data breaches or information intentionally made public.” He writes, “Even the source of the amalgamated data is unverifiable – it could be someone who does indeed wish harm on the individuals named, it could be a kid in his pyjamas, there’s just not enough information to draw a conclusion either way.”

In his analysis of the ISIS list, Mr. Hunt says that “there are many sources from which attributes in this list can be compiled.” As an example, he cited the Adobe breach of 2013 in which 152M records were leaked, which includes 257k .gov email addresses. He writes:

The ISIS list has a lot of state.gov email addresses – Adobe leaked 1,657 of those and they look just like this:

state.gov email addresses in the Adobe data breach via Troy Hunt (used with permission)

“Adobe also leaked password hints so you can begin to quite easily build a profile around people working in the US State Department,” he said.

Would be good to know if any of the names in the Adobe breach are showing up in the ISIS list. We have not seen the purported ISIS list or the names from the Adobe hack but we hope somebody at State is looking at those names. Folks probably need to work on their password hints, too.

In a separate post, Mr. Hunt also notes this:

“The hyperbole and the fear, uncertainty and doubt that spread over this was just off the scale compared to the significance of the actual data. Here we have what amounts to little more than easily discoverable information mostly already in the public domain and suddenly it’s become a huge terror hack. [….] However, the legitimacy of the claims that this was an “ISIS hack” appear to have gotten in the way of a good story and the news has simply run with it.

A couple more reading clips below from Troy Hunt:

Just did a (very late) interview with CNN on this ISIS hack, story seems to be spreading a bit: http://t.co/pQkxHIJxFN

— Troy Hunt (@troyhunt) August 13, 2015

Security Sense: On the Internet, Nobody Knows You’re a Dog (or a terrorist cell) http://t.co/eAifSCag5B

— Troy Hunt (@troyhunt) August 14, 2015

There’s not much one can do with the Adobe, Target, Home Depot, OPM hack except to sign up for credit monitoring service or put a credit freeze on one’s account. That is, if we’re concerned about identity thief. But those services will not work against potential blackmails related to a foreign government hack, or online threats related to potentially scraped data, collected from websites and social media accounts.

We are persuaded by Mr. Hunt’s analysis that this was not a real hack. But real or not, the information is out there and thinking about ‘lone wolf’ offenders seduced by ISIS’ call, in the U.S. or elsewhere is not paranoid. Folks might consider this a good excuse to review their digital footprint.

The threats online — whether real or part of propaganda — is not going to abate anytime soon. This is the world as it is, and not an attempt at hyperbole. Employees overseas can report these threats to RSOs but hey, have you seen the rundown of the RSO’s managed programs? We don’t even know what specific office at State tracks these breaches or who has responsibility for online threats. Was anyone notified by State when the Adobe breach occurred in 2013 and leaked hundreds of official emails? Were those emails changed? A ~~talkinghead~~ writinghead would like to know.

Also some of USG’s overseas posts still display the official email addresses of personnel in public affairs, and those dealing with contracts, solicitations, and acquisitions on their websites. Those should be generic e-mail accounts not linked to an individual’s name but linked instead to the section, function or office, e.g. Sanaacontracts@state.gov. Makes better sense as people rotate jobs anyway.

We’re trying to find if Diplomatic Security has any response, guidance, reminder for State Department personnel given this report and the Burn Bag received earlier. Would be a good time as any to issue an opsec reminder. We will have a follow-up post if/when we get an official response.

What Information Is Collected on OPM’s Background Investigation Forms?

August 3, 2015 By domani spero in Federal Agencies, Govt Documents, Security, Security Clearance, Spectacular, State Department, Technology and Work, Trends Tags: cybersecurity, data breach, National Security Positions, Non-Sensitive Positions, OPM, OPM hack, Positions of Public Trust, Security Clearance

Posted: 2:44 am EDT
[twitter-follow screen_name=’Diplopundit’ ]

Via CRS Insight

The information collected will depend on the applicant’s position and the type of background investigation required. OPM uses three standard forms for background investigations: SF-85, SF-85P, or SF-86 form. The forms are typically submitted electronically using OPM’s Electronic Questionnaires for Investigations Processing (e-QIP) system. OPM had suspended use of e-QIP “for security enhancements,” but re-enabled the system on July 23, 2015.

Data Collected for Non-Sensitive Positions

The eight-page SF-85 is required for applicants to non-sensitive positions (e.g., positions that do not require a security clearance) who require physical access to government facilities and who are in positions with a “low risk” to cause damage to the federal government or national security. The responsibilities of these positions are limited and there is little opportunity to use such positions for personal gain. For this reason, the information collected is relatively limited in scope and includes

full name, aliases, and SSN;
citizenship information;
employment information and addresses for the past five years; and
information on use or possession of illegal drugs (including marijuana) in the previous year.

Data Collected for “Positions of Public Trust”

The 11-page SF-85P is required for applicants in “Positions of Public Trust,” (i.e., positions that do not involve access to classified information, but that demand a “significant degree of public trust” due to the level of policymaking or other responsibilities). These positions may involve a “significant risk for causing damage [to the federal government] or realizing personal gain.” In addition to the information listed above, the SF-85P requires

identifying information (e.g., height, weight, eye and hair color);
military service information;
employment information and addresses for the past seven years; schools, if any, attended during the past seven years;
name, address, and telephone number of three personal references and immediate family members;
criminal arrests and/or convictions for the past seven years (excluding incidents prior to the applicant’s 16th birthday or traffic fines under $150);
financial information, including bankruptcies during the past seven years and any delinquent financial obligations;
foreign travel during the past seven years; and
information on use or possession of illegal drugs (including marijuana) in the previous year and any illegal purchase, sale, or transport of drugs in the previous seven years.

Data Collected for Security Clearances and Other National Security Positions

The 127-page SF-86 form is required for applicants to national security sensitive positions, which includes (but is not limited to) positions that require a security clearance. In addition to the information listed above, the SF-86 requires

employment information and home addresses for the past 10 years;
schools attended for the past 10 years, including a reference at each school attended;
personal information (including SSN) for current spouse or cohabitant;
foreign contacts, travels, and/or activities;
associations with individuals or groups dedicated to terrorism or the violent overthrow of the U.S. government;
details on applicant’s “psychological and emotional health,” including, with certain exceptions, details on treatments during the past seven years;
additional information on criminal activities, including convictions or charges involving firearms or explosives;
alcohol use in the past seven years that has negatively impacted the applicant’s work, personal relationships, finances, or resulted in “intervention by law enforcement/public safety personnel”;
use, possession, or other involvement with illegal drugs (including marijuana) in the past seven years or at any time while holding a clearance;
details on the applicant’s financial condition and civil court actions; and improper use of information technology systems.

What Other Records Are Contained in OPM’s Personnel Security Background Investigation Files?

OPM’s systems also include information gathered by investigators during the background investigation process, such as summaries of interviews with the applicant’s family members, co-workers, friends, and neighbors. Additionally, investigators may run credit checks, pull civil and criminal court records, and run checks of state and federal agency records to verify information that the applicant provided on the application.

According to OPM’s most recent Privacy Act Notice, personnel investigation records may also include information provided by other agencies, such as:

Internal Revenue Service income tax returns;
prior security clearance investigative records; and
clearance adjudicative records, including polygraph results, if applicable.

It is unclear from OPM’s news release if these types of investigative records were compromised in the breach.

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this: