June 18, 2015

A database supposedly from a sample of information stolen in the much publicized hack at the Office of Personnel Management (OPM) has been making the rounds in the cybercrime underground, with some ne’er-do-wells even offering to sell it as part of a larger package. But a review of the information made available as a teaser indicates that the database is instead a list of users stolen from a different government agency — Unicor.gov, also known as Federal Prison Industries.

Source: Unicor.gov

Source: Unicor.gov

Earlier this week, miscreants who frequent the Hell cybercrime forum (a “Deep Web” site reachable only via the Tor network) began passing around a text file that contained more than 23,000 records which appeared to be a user database populated exclusively by user accounts with dot-gov email addresses. I thought it rather unlikely that the file had anything to do with the OPM hack, which was widely attributed to Chinese hackers who are typically interested in espionage — not selling the data they steal on open-air markets.

As discussed in my Oct. 2014 post, How to Tell Data Leaks from Publicity Stunts, there are several simple techniques that often can be used to tell whether a given data set is what it claims to be. One method involves sampling email addresses from the leaked/hacked database and then using them in an attempt to create new accounts at the site in question. In most cases, online sites and services will allow only one account per email address, so if a large, random sampling of email addresses from the database all come back as already registered at the site you suspect is the breached entity, then it’s a safe guess the data came from that entity.

How to know the identity of the organization from which the database was stolen? In most cases, database files list the users in the order in which they registered on the site. As a result, the email addresses and/or usernames for the first half-dozen or more users listed in the database are most often from the database administrators and/or site designers. When all of those initial addresses have the same top-level domain — in this case “unicor.gov” — it’s a good bet that’s your victim organization.

Image: Unicor.gov

Image: Unicor.gov

According to Wikipedia, UNICOR is a wholly owned United States government corporation created in 1934 that uses penal labor from the Federal Bureau of Prisons to produce goods and services. It is apparently restricted to selling its products and services to federal government agencies, although recently private companies gained some access to UNICOR workforce. For instance, companies can outsource call centers to UNICOR. Case in point: If you call UNICOR’s main number off-hours, the voicemail message states that during business hours your call may be handled by an inmate!

On Tuesday, I reached out to UNICOR to let them know that it appeared their user database — including hashed passwords and other information — was being traded on underground cybercrime forums. On Wednesday, I heard back from Marianne Cantwell, the public information officer for UNICOR. Cantwell said a review of the information suggests it is related to an incident in September 2013, when Federal Prison Industries discovered unauthorized access to its public Web site.

“Since that time, the website software has been replaced to improve security. Assessments by proper law enforcement authorities were conducted to determine the extent of the incident, at the time it was discovered,” said Cantwell, who confirmed the incident hadn’t been previously disclosed publicly. “Limited individuals were deemed to be potentially impacted, and notifications were made as a precautionary measure. Federal Prison Industries is sensitive to ensuring the security of its systems and will continue to monitor this issue.”

The “website software” in question was ColdFusion, a Web application platform owned by Adobe Systems Inc. Around that same time, hackers were running around breaking into a number of government and corporate Web sites and databases using ColdFusion vulnerabilities. In October 2013, I wrote about criminals who had used ColdFusion exploits to break into and steal the database from the National White Collar Crime Center (NW3C), a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime.

There is no information to link the hack at UNICOR to the crooks behind the NW3C compromise, but it’s interesting to note that those responsible for the NW3C attack also had control over the now-defunct identity theft service ssndob[dot]ms. That service, which was advertised on cybercrime forums, was powered in part by a small but powerful collection of hacked computers exclusively at top data brokers, including LexisNexis, Dun & Bradstreet, and HireRight/Kroll.

41 thoughts on “OPM’s Database for Sale? Nope, It Came from Another US .Gov

  1. Matt

    I’m concerned that once the state who “acquired” the actual database from OPM, once they’ve pulled out the data that they need for their purposes, that they’ll go ahead and put it on the market just to make a few bucks or to create more havoc.

    1. Matt (part deux)

      Imagine what that extraneous info would mean to ISIS operatives, both in the US and abroad.

    2. asdfg

      Extremely, extremely unlikely. Nation states do not ever put up information for sale publicly on criminal forums. They do not need the hundreds of dollars it would net.

      1. TErickson

        They may not ‘need the money’ but the added benefit of causing your advisory hardship and pain could be reason enough. Imagine what fraudsters could do with all of that information, its better than the information our credit agencies sold.

          1. Status Quo

            At least up to this point it hasn’t happened. Depending on how nefarious they want to be they could leak information of no use to them to groups or individuals that would put it up for sale while keeping the high value information for later use.

            1. Will Cipriano

              If you wanted to hide your motives, selling the data for a quick profit gets the waters a bit muddier. I’m some situations there is nothing but upsides.

  2. Brett

    MATT: That’s the concern of many folks that have held or currently hold security clearances. Not only that the miscreants will go after the high profile targets, but also that they’ll sell the data of individuals, their family members, previous addresses, phone numbers, etc… all of which are included in any detailed background check for security clearances.

    1. Matt

      Well, at least we’ll be protected by the goofy sub-contractor OPM hired to notify everyone that they’ve lost our data lol….which was stupid in and itself….we train people to watch out for phishing emails, and OPM promptly sends out one with a notification from a .com – I’m spending my time playing catch up just responding to those calls. OPM suspended the notification because of that, but now it’s back on, now they’re saying, you can trust it because now it’s HTTPS!! lol…

      1. Phil Cooper

        I’ve been having the same problem here. The folks that are minding the house on this are clueless…

  3. Mahhn

    So UNICOR manages and sells unpaid (slave) labor,, could it be a former inmate getting revenge?

    1. moikmellah

      I’d like to think that the last thing that went through his head, other than that bullet, was to wonder how the hell Andy Dufresne ever got the best of him.

    2. Seth

      Last I checked, UNICOR does pay it’s labor force, not minimum wage, but it is more compensation than they would be getting otherwise…

  4. NotMe

    Sad that the disclosure laws in the states did not require them to report the breach. I guess I thought that everyone had to comply with breach disclosure laws where PII is exposed, lost, or stolen.

    Perhaps no one from California or Massachusetts was in the files lost.

    Helps no one to hide these crimes.

    1. Matt

      Ironically enough, they haven’t even followed the DoD PII spillage policies. The latest from OPM says that they aren’t “accepting” responsibility for the spill, legal wise anyway…

  5. Charles Adams

    OK… I have this big fireproof, waterproof, safe in the garage. It is guarded by three little dogs that bark their fool heads off when even a mouse passes by. Then there is me with a shotgun. Let’s go back to Rolodex cards and lock them in safes. Maybe a warehouse full of safes with a few old ladies, the only ones that know the combination, that could look stuff up when you needed it. Sure, one or two safes a year might get compromised, but then you have only lost ten or twenty thousand records instead of the millions we seem to loose every day. And, it would still cost less money than those fancy, expensive, computers with their LANS, WANS, Routers, Switches, Bluetooth, yada, yada, yada

    1. timeless

      Grandmas (and Grandpas for that matter) are very helpful and very trusting people.

      While it’s true that making the method of record retrieval “slow”, you can limit the number of records leaked per unit time, it doesn’t actually protect you from leaking records.

      FWIW, I’m not sure I’m opposed to rate limiting (or bandwidth monitoring) database access — these seem like fairly reasonable “best practices” — If you see a huge data spike, the database should be taken down and someone should have to come in and approve it.

      But, that risks “The Boy Who Cried Wolf”. There are plenty of movie plots which involve this. “Sneakers” is a good one (there’s a script for the movie online, but you should watch it).

      The other problem is the tension between “convenience”/”speed” and “security”. Typically “important people” want things “fast” and they will scream loudly and overrule anyone who wants to do things securely. So if some General or Deputy Director wants to get a post filled, they’ll demand things be rushed. If you can figure out which people do that, you can impersonate them and use the same approach to retrieve records. (If the people are famous, you can probably record their voices and re-sequence — watch Sneakers, but most likely they delegate, so you can just claim to be their newest victim-delegate when you call for the records.)

      The only approach that sort of works is 2FA possibly on a per record basis, but again, such things run afoul of Major Generals [♫I Am the Very Model of a Modern Major-General♫].

  6. Faro

    Cold Fusion….Enjoyed reading your previous posts on this language.

  7. :(

    Alright Krebs, since it seems you’re on Hell quite often, what’s your name 😉

    1. teksquisite

      It does not matter what your name is in HELL, as of July 1 – if you are just a lurker, adios pal. They will be scrubbing the forum down with a toothbrush.

      So, maybe Brian can make a special deal with PING? I will check into it for my handle too = that is if PING comes out of hiding…

  8. AnonSxe

    Stupid, miscreant criminals. Bad things you have been doing will not gonna lead you to a good path. Remember there is always justice, if caught you will be rotten your life behind the bars, else you will be punished by the God, remember dumbass criminals this is how things work, this is how world works upon the rules of nature and the creator of this world you retards.

    I promise to do some justice from my side to give your brains some shock treatment, don’t underestimate me, us and other people who are at the right side of the justice, putting myself into hardcore learning.
    The things you do are totally wrong, sick, full of ignorance, proves that you got a brain size of an atom. Your illegal doings have to end up people with looses: mentally and financially. You broke them completely. If you really wanna show off yourselves it would be great if you try to improve something and make things better.

    At least feel from fear from God and their absolute Justice. Get away from Hooligansim and Villainy and do some nice job. Close your stupid business sites where brainless nerds meet. You will realise and understand if you got intellectual or any kindness living deep down inside of you.

    1. Jimbo

      Hahahaha. Oh wait, you’re serious, let me laugh harder: HAHAHAHAHA.

    2. meh

      The government is hardly a paragon of virtue.

  9. melosebrain

    OPM, the Office of Penetrated Mainframes

  10. Sheriff Jon

    We need a security “Game Changer”. Layered security, or reconfiguring existing security solutions is not working. Is there no brain power out there that can come up with a new approach? There is one thing worse than having security vulnerabilities and that is thinking that you’re safe with your existing security approach.

    Compliance with regulatory requirements may limit your liability exposure, but does it really protect the data? We may need to change our business processes and strategy and dare I say it, balance some of our growth initiatives with security game-changers to reduce the open drain of our vital information. I’m not just referring to the compromise of personal information, I am also concerned about compromise of the information that manages our our critical infrastructure.

  11. Xyborg

    Does anybody think this could be the reason of the Passport and VISA issue this week too?

  12. GW

    If things continue this way, then once data is digitized, it will, sooner or later, be public data.

  13. steven k

    That’s trash, darkode published data of millions people Both government agencies, worry When They get to USA

  14. Corey

    I believe the reaches of this are just now surfacing. I’d have to guess that much more will become exposed, especially given the intel acquired from this attack. It an incredible situation, and somewhat pathetic really.

    1. patti

      Enemy neighbors have usually contributed rather strongly to the fall of states (civilizations) throughout history, even up to the Soviet debacle. This should be striking a cautionary note, but it’s usually the costs related to repelling the enemy which ultimately bankrupt a civilization. I’m not sure a costly arms race here is a good idea, and there are things (like thermodynamics) which science cannot cheat – it may not be possible to fully repel all cyber attacks. A smart woman does not frequent the streets at night – a smart government does not keep information internet-accessible?

  15. limapie

    May I say something? If personnel records are so valuable, how come the OPM allowed a ‘bridge’ to them from the internet?

    To be absolutely safe, I would suggest two separate and distinct systems. One solely in house. The other to the world wide web.

    How hard is that, DAH?

    1. limapie

      As far as social security numbers….practically no one in this whole country has a ‘secret’ number anymore!

      Lose the numbers. Switch to something else.

      Fund the Social Security agency with cash to issue everyone, everywhere NEW ‘numbers’ (or whatever the new system will be) for their old numbers.

      Time to button up, peeps. This is getting pricey for the government to have the American coffers bleeding like that.

    2. timeless

      So, the problem is that there are lots of groups w/in the US who do hiring.

      There are 15 departments outside of the Executive Office of the President itself:

      I’d say there are about 667 entities listed on that page (including some which fall under the legislative/judicial branches, and some which possibly could be counted twice or which could be exempt from OPM rules). Assume that some of those are themselves huge.

      Total 1,774,000 employees.

      There’s probably an HR group for every 200-500 people, that’s a lot of HR groups. Each group needs to be able to hire, which means they need to be able to ask + answer the questions that OPM was dealing with.

      You could say “put all the records on punch cards and store them in a secret vault”. That’s fine as long as no one needs to use the records ever (see Raiders of the Lost Ark or Indiana Jones and the Kingdom of the Crystal Skull). It’s much less workable when you have 3000-5000 groups of people spread across 3.8 million square miles. At some point, you’re going to need to connect those groups with the data whereever it is.

      You could say “ok, so make them use a phone to get the records”.

      If you haven’t read a bit about Social Engineering, please take some time to do so. This article seems like a fairly good introduction:
      Don’t skip the section titled “Social Engineering by Phone”.

      Now, having learned a bit about Social Engineering, substitute “Help Desk” for “HR”.

      A phone system is inherently insecure because of the way trust works, especially when not everyone knows everyone intimately (and intimacy really doesn’t scale beyond 2 or 3 people…, remember, we’re talking about 5,000 groups of people).

      The next response is “ok, so use a VPN”. Well, a VPN doesn’t actually help. Remember that if I can socially engineer the HR person on the remote side, I can probably also socially engineer the HR person on the local side — into giving away her (VPN) credentials (or just total access to her computer). There’s even an entire section of attacks for this, “spear phishing” where malware is targeted at “high value targets” (normally this is the CFO, but here, the HR people are high value, since they’re an excellent foothold into the VPN you’ve asked for).

      The idea of having a standalone computer for banking (something Brian encourages and which I support) unfortunately doesn’t scale for a distributed system, it’s great when you really only have one accountant who needs access to the data. It’s unworkable when you have 5000+ groups of people who need access to the data.

      Convincing one person to have a second computer just for this use works, convincing 5000+ groups of people to have a second computer, one where they need to receive input from their primary input methods (resumes via email?) and somehow enter it into this second computer? Whatever air-gap you think you’ve established, as soon as you ask users to frequently bring data across the gap, they’re going to quickly bring malware along for the ride. And they’ll hate you for it in the process. — You’ve created security theater and wasted a lot of time and money in the process.

      Unfortunately, doing security right is Hard.

      1. Phil Cooper

        “Whatever air-gap you think you’ve established, as soon as you ask users to frequently bring data across the gap, they’re going to quickly bring malware along for the ride. And they’ll hate you for it in the process. — You’ve created security theater and wasted a lot of time and money in the process.”

        The Navy and Marines called it “NMCI”. And yes, it sucked.

  16. Dale

    In a wonderful piece of irony, government employees are being directed to register for credit monitoring at a site where you have to enable the compromised SSL2 in order to access the site.
    Let’s follow up bad security practices with even more bad security practices. So much for learning our lessons.
    Brian, I hope you can highlight this in order to shame them into better security practices

  17. G.Scott H

    Identity theft is an issue because organizations do not authenticate the identity credentials presented to the level required. Let’s keep the SSNs and allow their use as identifiers broadly. Granting credit or other without appropriate authentication will leave the grantor on the hook for the loss, not the “identity theft” victim.

    I have looked at my SF86, I and my spouse have our SSN, address, phone, DOB, place of birth, mother’s maiden name, father’s middle name, their places of birth, our children’s middle name, etc. exposed in the second OPM incident in June. There is a goldmine of identity theft information in those records.

    I will be implementing credit freezes per Mr. Krebs’ advice ASAP. I will be looking into other protections for other things like health insurance/care theft, benefits theft, false criminal records, and whatever else I can think of.

Comments are closed.