Did you by chance hack OPM back in 2015? Good news: your password probably still works!

Government audit finds office still hasn't cleaned up from Obama-era megabreach


More than three years after suffering one of the largest cyber-attacks in US government history, the Office of Personnel Management has yet to adopt dozens of the security measures investigators ordered – including basic stuff like changing passwords.

A report issued this week by the Government Accountability Office (GAO) disclosed that the OPM has failed to act on more than a third of the recommendations its investigators made for improving the office's network security and data protection.

The GAO audit (PDF) looked over a series of four reports its investigators issued between 2015 and 2017 concerning the massive theft of sensitive records on around 21.5 million current, former, and prospective government workers from Uncle Sam's computer systems.

Those four reports, the last of which was written in August 2017, made 80 recommendations in total, and GAO says OPM has so far implemented only 51 of them. Far from being abstract, bureaucratic measures, the lapses noted by the audit include some very basic security practices.

Among the recommendations that have not been implemented is the call for OPM to reset its passwords after the network was ransacked, along with calls to "install critical patches in a timely manner, periodically evaluate accounts to ensure privileged access is warranted, and assess controls on selected systems as defined in its continuous monitoring plan."

In other words, more than three years after it was hacked, apparently by the Chinese, and relieved of the sensitive personal details of more than 20 million Americans, including their security clearance paperwork, the OPM still can't be bothered to change passwords or install critical patches.

The GAO audit goes on to note other poor security practices within the agency, including admin accounts shared by multiple staffers, a failure to encrypt passwords (both stored and in transit), and a failure to install the latest patches on network devices that connect to "high impact" systems holding sensitive data.
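As an added illustration, not code from the GAO report or from OPM, here is how a practitioner might turn three of the open items (resetting credentials that predate the breach, periodically re-evaluating privileged access, and finding shared admin accounts) into one repeatable check over an account inventory and interactive-logon records. The breach cut-off date, the 90-day review window, the three-host threshold for "looks shared", and every account and logon record below are constructed assumptions for the example, not OPM data.

```python
"""Audit checks for three open GAO items: post-breach password resets,
periodic review of privileged access, and shared administrator accounts.
Added example; all thresholds and sample data are constructed assumptions."""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Assumed policy parameters (not taken from the GAO report).
BREACH_DISCOVERED = date(2015, 4, 15)   # credentials set on or before this are presumed compromised
PRIVILEGED_REVIEW_DAYS = 90             # privileged accounts idle this long need re-justification
SHARED_ACCOUNT_HOSTS = 3                # one admin account seen from this many hosts looks shared

# Constructed account inventory: privileged flag, last password change, last logon.
ACCOUNTS = {
    "jsmith":     {"privileged": False, "pw_changed": date(2016, 2, 1),  "last_login": date(2018, 11, 2)},
    "da_admin":   {"privileged": True,  "pw_changed": date(2014, 9, 3),  "last_login": date(2018, 11, 3)},
    "svc_backup": {"privileged": True,  "pw_changed": date(2017, 6, 10), "last_login": date(2018, 5, 1)},
    "netops":     {"privileged": True,  "pw_changed": date(2018, 1, 15), "last_login": date(2018, 11, 3)},
}

# Constructed interactive-logon records: timestamp, account, source host.
LOGONS = """\
2018-11-01T08:02:11Z da_admin ws-0117
2018-11-01T08:05:40Z da_admin ws-0203
2018-11-01T09:15:02Z da_admin ws-0442
2018-11-02T13:40:19Z jsmith ws-0117
2018-11-03T07:58:33Z netops ws-0203
2018-11-03T16:20:07Z da_admin ws-0117
"""


def parse_logons(text):
    """Yield (datetime, account, host) from the whitespace-separated records."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, host


def stale_credentials(accounts, cutoff=BREACH_DISCOVERED):
    """Accounts whose password was last changed on or before the breach cut-off."""
    return sorted(n for n, a in accounts.items() if a["pw_changed"] <= cutoff)


def unreviewed_privileged(accounts, today, max_idle=PRIVILEGED_REVIEW_DAYS):
    """Privileged accounts idle longer than the review window."""
    limit = timedelta(days=max_idle)
    return sorted(n for n, a in accounts.items()
                  if a["privileged"] and today - a["last_login"] > limit)


def shared_admin_accounts(accounts, logons, min_hosts=SHARED_ACCOUNT_HOSTS):
    """Privileged accounts used from at least min_hosts distinct hosts: a sign the
    credential is passed around rather than tied to one administrator."""
    hosts = defaultdict(set)
    for _, account, host in logons:
        if accounts.get(account, {}).get("privileged"):
            hosts[account].add(host)
    return {a: sorted(h) for a, h in hosts.items() if len(h) >= min_hosts}


def run_audit(accounts=ACCOUNTS, logon_text=LOGONS, today=date(2018, 11, 5)):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "reset_required": stale_credentials(accounts),
        "privilege_review": unreviewed_privileged(accounts, today),
        "shared_admin": shared_admin_accounts(accounts, parse_logons(logon_text)),
    }


if __name__ == "__main__":
    for check, hits in run_audit().items():
        print(f"{check}: {hits}")
```

The shared-account heuristic only counts distinct source hosts, so an administrator who legitimately works from several workstations will also trip it; treat a hit as a prompt to confirm who holds the credential, which is exactly the periodic evaluation the GAO asked for, rather than as proof of sharing.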

"Implementing all of the remaining open recommendations expeditiously is essential to OPM ensuring that appropriate security controls are in place and operating as intended," the GAO report concludes.

"Until OPM implements these recommendations, its systems and information will be at increased risk of unauthorized access, use, disclosure, modification, or disruption."

The OPM, for its part, is working to get caught up on the recommendations. The GAO says the agency plans to address 25 of the 29 outstanding items by the end of the year and address another three in 2019. ®


Biting the hand that feeds IT © 1998–2022