4 July 2015

Union sues OPM — Second breach, of security clearance material, to be announced next week


With help from Joseph Marks, David Perera, Shaun Waterman and Caroline Cullen Barker

UNION SUES OPM — The largest union representing federal employees is seeking class action status for a lawsuit filed against the Office of Personnel Management over the massive breach at the agency. Dave reported the American Federation of Government Employees lawsuit late Monday. The action against OPM and federal contractor KeyPoint alleges that OPM violated the Privacy Act and Administrative Procedure Act by failing to comply with Federal Information Security Management Act procedures to document cybersecurity measures. KeyPoint, a background investigation contractor whose credential was used to compromise an OPM database, is accused of negligence.

AFGE is seeking damages for current and future losses related to the compromise of employee personal information, “adequate” credit monitoring for a “sufficient” length of time and ID theft insurance and repair services. It also seeks a court order that KeyPoint and OPM improve their cybersecurity. "AFGE will not sit idly by while OPM fails to comply with the most basic requests for information or provide an adequate response. Even after this historic security breach, OPM has continued to use poor data security practices and inferior private-sector strategies to solve its security woes," AFGE National President J. David Cox said in a statement. AFGE will hold a conference call on the lawsuit this morning, and we’ll be tracking. The complaint: http://bit.ly/1SZmsDT


OPM WILL ANNOUNCE SECOND BREACH NEXT WEEK — OPM, for its part, is planning to make an announcement next week on the extent of the second breach of its networks, of security clearance background information — the “crown jewels” for foreign intelligence services. Two Hill staffers told MC that OPM, Homeland Security and White House officials held a conference call for congressional offices Monday afternoon. Officials said they expect to provide more information next week on the scope of the second breach the agency suffered, which affected the security clearance form SF-86. Since OPM began notifying 4.2 million victims of the first breach in early June, officials have acknowledged a second breach but declined to provide a number of those affected. OPM and the White House had no comment on what was discussed on the call.

HAPPY TUESDAY and welcome to Morning Cybersecurity. Your host has made no secret of her St. Louis Cardinals fandom, and even The Guardian is realizing that’s the right way to be: http://bit.ly/1HuE60l. But tonight, at least, we can all unite behind the U.S. Women’s National Team at the World Cup. As always, send your thoughts, tips and feedback to tkopan@politico.com and follow @talkopan, @POLITICOPro and @MorningCybersec. Full team info is below.

ARCHULETA RESIGNATION WATCH, CONTINUED — A large majority of cybersecurity thought leaders say Office of Personnel Management Director Katherine Archuleta should “take responsibility” for the breaches that occurred under her watch — and many believe she should resign. Of the roughly 100 cyber “influencers” assembled by Christian Science Monitor’s Passcode, 84 percent said Archuleta should take responsibility. Archuleta has resisted calling herself personally responsible, stating that hackers should bear the blame and adding that she's been working to fix IT problems at the beleaguered agency. The 100 experts who answered the Passcode Influencers Poll question about Archuleta didn’t all necessarily call for her to step down, although some did. When it comes to cyberattacks, “you never want to blame the victim,” said Daniel Castro, vice president of the Information Technology and Innovation Foundation think tank. “But in this case, OPM is not the victim,” he added. More: http://bit.ly/1BRyYRq

FIRST LOOK: INDIAN GOVERNMENT AGENCY USERNAMES, PASSWORDS EXPOSED — An Indian postal service agency stored clear-text information of accounts, email addresses and passwords for all of the agency’s 50 offices in a government document stored in a public cloud, Elastica reports this morning. The document was being stored in Google Drive, and appeared to be related to an infrastructure migration within the agency, according to Elastica researchers. The accounts exposed were designed for management, making it likely they had broad administrative privileges, the researchers surmised. The document was discovered in a case study to demo a product offered by the company that scans for sensitive docs in cloud services’ storage. Elastica alerted the relevant CERT and agency to correct the flaw. The study’s takeaway was that built-in security features in cloud platforms may not be enough to protect organizations’ data, especially with user error. The report, coming out today: http://bit.ly/1LGUBat

BIS AGAIN UPDATES WASSENAAR FAQ — The Commerce Department’s Bureau of Industry and Security updated its frequently asked questions section on proposed implementation of Wassenaar Arrangement regulations on Monday — once again provoking dissatisfaction among security researchers. The number of questions about how BIS will implement export controls on cybersecurity software now outstrips questions on implementation of sanctions against Russia. But the FAQs “are not binding [as far as I know] and if the reg[ulation]s contradict the FAQs (as they seem to), the regs will be used by a judge in determining whether an export license should or should not have been obtained by someone they deem in breach,” noted one poster to a distribution list critical of the proposed rules. “Given that the FAQs have gone beyond ‘clarifying’ or ‘interpreting’ the draft legal text — and in some cases contradict the express wording of both the BIS text and the Wassenaar text — it seems as though we will be in this endless cycle of revised FAQs until they emerge with new text when the consultation period ends.” The FAQs: http://1.usa.gov/1KlGR2R

FAKE MIRROR SITES ATTACK TOR USERS — Attacks on Tor users are showing no signs of slowing down, with a new report finding evidence hackers are tricking users into visiting fake websites. The URLs of websites hidden by the anonymity network typically are an unintelligible string of numbers and letters, unlike their clear-web counterparts, such as politico.com. Unknown attackers have set up URLs closely resembling legitimate hidden website URLs in an apparent bid to divert users away, according to a post on Pastebin. The fake sites are even more difficult to spot because they display the content of the real website. It’s possible the attackers are gathering user names and passwords by passing them on to the real site. In all, the researcher found 255 fake mirror sites and posted them online. More: http://bit.ly/1LRvRsV

ON THE MOVE:

— Security researcher Peiter Zatko, aka Mudge, announced Monday he’s leaving Google to start a new venture in cyber inspired by testing leader Underwriters Laboratories. Despite some confusion in tweets, Mudge is not joining a government agency or the White House, but sources told Re/code he is looking to start an independent nonprofit that could at some point collaborate with government. The story: http://on.recode.net/1JlGh3U

REPORT WATCH:

— Retailers are perceived as the riskiest holders of data, with government right behind, according to a new Unisys survey. Forty-four percent of consumers felt a retailer breach in the next year was likely, and 39 percent felt the same about government agencies, according to the poll of more than 1,000 consumers in 12 countries, conducted before the OPM hack was announced. http://bit.ly/1C2ABME

QUICK BYTES

— Cyber mercenaries are easy to come by these days. Passcode: http://bit.ly/1Ioy8x5

— Europol and Barclays ink memorandum of understanding to fight cybercrime. Europol: http://bit.ly/1GLdUcd

— Peter Singer’s new book out today, “Ghost Fleet,” imagines WWIII. One tidbit: “Do you think Anonymous would just sit out and watch a full-fledged cyber war?” Singer told MC. More from The Wall Street Journal: http://on.wsj.com/1SWpSra

— Google rolls out new security features for Google Apps administrators to deploy for authentication. Google: http://bit.ly/1SZ1N2R

— International operation targets online airline ticket fraudsters, leading to scores of arrests for a variety of crimes, including cybercrime. Europol: http://bit.ly/1QZLx40

— Anonymous calls for a million mask march in Charleston on July Fourth to show solidarity with an activist who took down a Confederate flag. IB Times: http://bit.ly/1JlrSoc

— Could cyberwar wipe out repositories of human knowledge in one fell swoop? Motherboard: http://bit.ly/1U1qlcY

— Companies have a difficult time fighting banking malware. CSO: http://bit.ly/1HtDPuI

— Hackers are using alerts about the Middle East Respiratory Syndrome outbreak as a spear phishing lure. TrendLabs: http://bit.ly/1eVYhrx

— The Iraqi government shut down the Internet, reportedly to stop students cheating on exams. Ars Technica: http://bit.ly/1SYFwCq

— The Cloud Security Alliance is launching a working group to define cloud data security protocols and best practices to be implemented by application designers. Dark Reading: http://ubm.io/1ef92Ex

— Trend Micro and Intel Security are formalizing their partnership with the British National Crime Agency’s Cyber Crime Unit. The Register: http://bit.ly/1GVi2IK

That’s all for today. USA!

Stay in touch with the whole team: Tal Kopan (tkopan@politico.com, @TalKopan); Joseph Marks (JMarks@politico.com, @Joseph_Marks_); David Perera (dperera@politico.com, @daveperera); and Shaun Waterman (swaterman@politico.com, @WatermanReports).