(Updated) Security Bulletin: The OPM Hack & You

By now you should have heard about the massive data breach at the Office of Personnel Management, the government agency responsible for managing the personal records of every federal employee and member of the intelligence community. The most damning record comes to us in the form of the SF-86, a record that contains enough personally identifiable information to steal the identity of not only the professional obtaining the security clearance, but literally everyone they love.

This revelation is particularly sobering when it comes in the wake of a similarly damning bit of data mining: Looking Glass. The unfortunate realization that our security managers were right (be careful what you put on the internet) comes a little too late. And, unfortunately, as both the OPM hack and the web crawler Looking Glass prove, you can be victimized even if you do everything right.

So, if you're a first cousin or a spouse of a veteran, then everything necessary to end up with your identity stolen (your last known address or two, your employer, your birthday, SSN, maiden names) is probably included in this data. However, the amount of data leaked here is so massive that, unless you're named by a filtering program (like Looking Glass) or you post photos of your Mercedes on Twitter, you're probably not going to show up on any criminal's (or foreign government's) radar.

For your average American, you might be included in this breach by name (e.g. "Airman Johnny has coffee with Dr. Snuffy regularly"), but beyond your name you probably have little to worry about.

Update: 16 June 2015

From the CSID website: $1,000,000 in identity theft protection services will be offered to those affected; notifications will be sent by e-mail or postal service by 19 June 2015. SF-86s were probably not compromised: "Your [family member] was not affected by this breach. The only data potentially exposed as a result of this incident is your personal data."

Furthermore, this incident did not affect military records; no contractors were affected unless they previously held Federal civilian positions. The incident affected current and former Federal civilian personnel, including Department of Defense civilian employees.

Unfortunately, there is a spear-phishing campaign going on that sends fictitious e-mails to DOD personnel. US Army CID states that a phishing e-mail is being sent to DOD personnel asking them to click on hyperlinks and enter a personal PIN to verify their personal information.

The Office of Personnel Management has issued a warning to its users to avoid clicking on links in e-mails, giving out personal information over the internet, or communicating with unverified individuals.

Data Mining, The Internet, and Counter Intelligence

We can, and do, talk about Data Privacy and Ownership until we're blue in the face; we also talk about how seriously screwed up some of the things the National Security Agency did were, but we never really harp on the obvious fact: all the security in the world doesn't do a damn bit of good if you give your information away. One ambitious JSON project over on GitHub called Looking Glass is capitalizing on just that very fact.

In fact, as of this publication, they have data mined over 139,361 resumes belonging to military and civilian officials within our nation's Intelligence, Surveillance, and Reconnaissance (ISR) fields. Those handy little endorsements have been used by job seekers to categorize themselves into fields (e.g. "Security Clearance" or "ISR"), and data miners have been more than willing to scoop that information up.

Three Common Problems With SSH-Keychains

Part of keeping a secure network is periodically backing up data or system logs, but if you have more than a handful of computers then logging on to each individual workstation can be a hassle. So what's a lazy (I prefer "efficient") Systems Administrator to do?

Why, automate it through scripts, of course.

Typically, in order to automate retrieving data from multiple workstations, you need to build a script that remotely logs on to each workstation using secure shell, or SSH. Unfortunately, SSH requires you to authenticate with each workstation, which prevents you from automating it without either:

  • Embedding the username and password into your script
  • Disabling authentication completely
  • Manually typing in the username and password each time you run the script

Fortunately, there is an alternative: SSH-Keychains. SSH-Keychains utilize Public Key Infrastructure (PKI) to generate a public and private key pair that authenticates the server and account with each workstation without the use of a normal password.

Creating an SSH-Keychain should be a quick process: run the ssh-keygen command and copy the public key to the ~/.ssh/authorized_keys file on the workstation. Sometimes the process still hangs, though, so you'll need to troubleshoot with ssh -v to determine why SSH is failing. It usually fails for one of three reasons: the destination is not found in known_hosts, public-key authentication failed, or keyboard-interactive authentication failed (configuration file settings).
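As an added illustration (not code from the original post), this small script sorts a pasted `ssh -v` session into the three failure causes above so a backup script can report why it stalled instead of hanging on a prompt. The matched strings are assumptions based on common OpenSSH client messages, and the sample output, host name ws01 and key fingerprint are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: sort the output of 'ssh -v'
# into the three failure causes named above. The matched strings are
# assumptions based on common OpenSSH client messages; sample output
# and the host name ws01 are constructed for illustration.

# classify_ssh_debug "<ssh -v output>"
# Prints one of: unknown_host, ok, keyboard_interactive, publickey_failed,
# undetermined. Returns 0 only when public-key login succeeded.
classify_ssh_debug() {
    out="$1"
    # 1. Host not in known_hosts: ssh stops to ask about the host key, which
    #    hangs a non-interactive backup script.
    if printf '%s\n' "$out" | grep -q "can't be established"; then
        echo unknown_host; return 1
    fi
    if printf '%s\n' "$out" | grep -q "Authentication succeeded (publickey)"; then
        echo ok; return 0
    fi
    # 2. Key was offered but the server fell through to a password-style
    #    prompt: typically wrong permissions on ~/.ssh or authorized_keys,
    #    or PubkeyAuthentication disabled in sshd_config.
    if printf '%s\n' "$out" | grep -q "Next authentication method: keyboard-interactive"; then
        echo keyboard_interactive; return 1
    fi
    # 3. Only publickey was allowed and every key was rejected.
    if printf '%s\n' "$out" | grep -q "Permission denied (publickey)"; then
        echo publickey_failed; return 1
    fi
    echo undetermined; return 1
}

# Constructed 'ssh -v' fragments for each case.
SAMPLE_KBD='debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering public key: /home/admin/.ssh/id_ed25519 ED25519 SHA256:PLACEHOLDER
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive'
SAMPLE_UNKNOWN="The authenticity of host 'ws01 (192.0.2.10)' can't be established."
SAMPLE_DENIED='debug1: No more authentication methods to try.
Permission denied (publickey).'
SAMPLE_OK='debug1: Authentication succeeded (publickey).'

for s in "$SAMPLE_KBD" "$SAMPLE_UNKNOWN" "$SAMPLE_DENIED" "$SAMPLE_OK"; do
    printf 'cause: %s\n' "$(classify_ssh_debug "$s")"
done
```

In a real backup script, feed it the captured stderr of `ssh -v -o BatchMode=yes host` so the run fails fast with a named cause rather than waiting on a prompt.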

The Onion Router, Router

There's been a lot of publicity about a new router, called the anonabox, which promises to make all of your anonymous browsing dreams come true through open-source software known as TOR. Given that I'm a lover of Kickstarter and an outspoken critic of a lot of the voyeurism on the Internet in the post-Snowden world, a lot of my colleagues have asked me what the hell TOR is, and whether or not this router is worth the pledge.

TOR stands for The Onion Router, open-source software that has been keeping clandestine journalism safe for years. TOR is a vital tool for ensuring the security and integrity of The Open Internet, and it helps ensure journalistic integrity and the freedom of protest and speech. This is absolutely a cause worth supporting, and the anonabox promises to be a way to exchange money ($48) for the convenience of not having to download and tweak the open-source TOR software on each of your computers. However, as backlash against the project has already proven, its largest enemy is going to be unmet expectations.

Why It's Not About Privacy

I've faced some opposition recently based on my view that the Electronic Frontier Foundation did a disservice to its constituents by focusing so much of its efforts on privacy rather than data ownership. With that in mind, I pose two ethical scenarios to help illustrate my (and the Guardian's) point that solving the data ownership debate will solve far more than just the privacy debate.

Our laws are focused on data collection, but the existence of data is not the concern; it's the usage and sharing of data. In today's interconnected world, individuals are no longer as concerned about what a given company knows about them as about how it's used and with whom that information is shared. These are issues that cannot be solved when we limit the scope of our conversation to privacy; they must be evaluated in the larger discussion of establishing ethical data ownership legislation.