The original China Syndrone was a movie about a cover-up of safety hazards at a nuclear power plant, starring Jane Fonda, Michael Douglas, and Jack Lemmon. The idea was that if a nuclear reactor were to melt down, the molten core would be on its way to China, hence “China syndrone.”
There is a new “China Syndrone” that is the current darling of the U.S. government and its toady press following. The new “China Syndrone” blames China for every breach in cybersecurity in the United States, particular of U.S. government sites. The latest round of these specious accusations surround the 2015 data breach at the U.S. Office of Personnel Management.
The Wall Street Journal, was the first to repeat unsubstantiated claims by U.S. governments sources pointing at hackers in China as the source of the attack. From there it has flared into a general parroting contest in the media to see who can repeat the claim the most often. No one from the press it appears, has obtained any evidence to substantiate such a claim. Nor are they likely to since the hack was either months or a year ago (accounts differ).
Even more disturbing, CNN has reported as “news” the following eleven steps (the story headline says ten, but we already knew CNN has trouble with numbers beyond two) to hack the U.S. government:
- Find Agency X
- Spam
- Get a federal worker to reply
- Focus on Agency X
- Find more points of entry
- Spread
- Discover vulnerabilities
- Become an admin
- Create new users
- Exploit fake users
- Avoid detection
And…
In April, the U.S. government learned of the ten-step plan to hack it. For two months, the federal government didn’t reveal the information publicly because they had not yet cleaned up the entire system. Nor did federal officials want the Chinese to know they were onto them.
Really? And this “ten step” plan differs from hacking anyone else how? I suspect this is representative of the level of government understanding of cybersecurity. Now you know why the U.S. government is cyberinsecure. Yes?
Did you know that for at least the past two years that privileged users at OPM have not followed rules on password length? Or that staff who no longer work at the agency may still have valid access to data? Or that users may have greater access than necessary for their positions? See U.S. Office of Personnel Management Data Breach for details and sources.
Here’s a five step plan to hack the OPM:
- Locate likely privileged user on LinkedIn or other social network site. (count on LinkedIn today is over 3,000)
- Locate network address for OPM login
- Brute force short password
- Exploit user’s access
- Avoid detection
Or if that seems like too much work:
- Locate likely privileged user on LinkedIn or other social network site. (count on LinkedIn today is over 3,000)
- Steal user’s laptop
- Use password save in browser to login the OPM network
- Exploit user’s access
- Avoid detection
Either way works.
You don’t have to be a nation state to breach U.S. government security and pretending otherwise annoys potential friends (China) and prevents us from addressing known security issues. Like management incompetence at OPM. How difficult is it to enforce password restrictions. If a privileged user can’t logon because they can use a secure password, then you know they have outlived their usefulness at the agency.
PS: China or at least hackers in China could have been responsible for the OPM hack but then anything is possible. Saving face instead of addressing management and security issues is a very poor cybersecurity strategy.