BreachExchange mailing list archives

White House weighs sanctions after second breach of a computer system


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 17 Jun 2015 23:04:24 -0600

http://timesofindia.indiatimes.com/world/us/White-House-weighs-sanctions-after-second-breach-of-a-computer-system/articleshow/47652441.cms

The White House on Friday revealed that hackers had breached a second
computer system at the Office of Personnel Management, and said that
President Barack Obama was considering financial sanctions against the
attackers who gained access to the files of millions of federal workers.

Investigators had already said that Chinese hackers appeared to have
obtained personal data from more than 4 million current and former federal
employees in one of the boldest invasions into a government network.

But on Friday, officials said they believed that a separate computer system
at the agency was breached by the same hackers, putting at risk not only
data about the federal employees, but also information about friends,
family members and associates that could number millions more. Officials
said that the second system contained files related to intelligence
officials working for the FBI, defense contractors and other government
agencies.


Sam Schumach, a spokesman for the personnel office, said that the FBI's
incident response team had concluded "with a high degree of confidence"
that systems containing information related to background investigations of
current, former and prospective federal employees were compromised.

A senior government official, speaking on the condition of anonymity, said
that investigators became aware of the second intrusion while assessing the
damage from the first breach. The official said the information apparently
taken in the second breach appeared not to be limited to federal employees.

The database contains copies of what is known as Standard Form 86, a
questionnaire filled out by applicants for national security positions. The
127-page form can include medical data, including information on treatment
or hospitalization for "an emotional or mental health condition."

In addition, the form asks for detailed information on close relatives and
"people who know you well." The form has spaces for each contact's home or
work address, email address, phone number and other information.

The personnel office has said that the number of federal employees and
applicants affected could rise beyond the four million already reported. If
the relatives and close contacts are included, the total number of people
affected could be several times as high, officials said.

At the White House, officials said that Obama was weighing the use of an
executive order he signed in April that allows the Treasury secretary to
impose sanctions on individuals or groups that engage in malicious
cyberattacks, or people who benefit from them.

"This newly available option is one that is on the table," said Josh
Earnest, the White House press secretary.

Obama signed the executive order after the attack on Sony Pictures'
computer network, an intrusion that US officials believe was carried out by
the government of North Korea. The order gives the administration the
ability to freeze assets in the United States, bar Americans from doing
business with groups that sponsor cyberattacks, and cut the groups off from
American goods and technology. But the use of the sanctions authority could
be more significant if Obama wielded it against China, which officials
believe has continued to sponsor cyberattacks even as the two nations
warily seek a working relationship in other areas.

Earnest declined to say whether investigators had concluded that the
attacks at the personnel office affected many millions more people than the
four million already announced. And he declined to say whether officials at
the US Embassy in China were being relocated out of a fear that the hackers
retrieved information about their contacts in that country.

"We have acknowledged that potentially sensitive data about a substantial
number of federal employees was breached or is at least now at risk,"
Earnest said. "But we haven't talked publicly about the details of that."

Security experts say the forensic evidence from the attacks suggests that
they were the work of a sophisticated Chinese group that for the past three
years has targeted a number of government agencies and defense contractors.

More recently, however, the group appears to have been looking for inroads
into the personal lives of government workers, military and intelligence
personnel, and defense contractors, and it has been gathering the personal
data and medical histories of its targets. Though experts say it is not
clear what the attackers plan to use the information for, they note that it
is the sort of delicate medical data that could be used for blackmail.

While the group is not a unit of the People's Liberation Army's Third
Department, which oversees the Chinese military's cyberintelligence
gathering, the chronology of its attacks matches Beijing's stated economic
and strategic objectives.

It is unclear what exactly the relationship is between the attackers and
the Chinese state, but for years security researchers have found evidence
of a freelance market for Chinese hackers. Previous attacks against targets
that would be of interest to the Chinese government have been tied to
students and educators at Chinese universities and employees at Chinese
Internet firms.

The impact of the breach of personnel files is continuing to ripple across
other federal agencies. On Friday, for example, the Office of Management
and Budget announced new steps that agencies must take to secure their
networks as part of a "30-Day Cybersecurity Sprint" ordered by the
government's chief information officer.

Those steps include continuous, real-time monitoring of computer networks
and the use of multifactor authentication, in which users are required to
go beyond user names and passwords to verify their identity when logging
on. Neither of those security features was in place at the personnel office
before the attack last month.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss