Update on the OPM hack: 14 million people affected by the breach, which means details on nearly everyone who works for the US government are now in the hands of the Chinese government. Worse is the lack of basic security controls in OPM's core systems:
- Of the 47 major IT systems at OPM, 22 of them are currently run by contractors.
- While OPM instituted security monitoring of some systems, those tools covered only 80 percent of OPM's systems and did not include contractor-operated systems.
- Seven major systems out of 25 had inadequate documentation of security testing; three out of the 22 contractor-operated systems had not been tested in the last year, and the remainder had been tested only once a year.
- None of the agency's 47 major applications required two-factor authentication.
Interesting approach: a DDoS built on their capability to tamper with any connection crossing into China, injecting JavaScript so that every user whose browser loads a script from Baidu ends up hammering GitHub. The mitigation by GitHub was clever: serving a page that calls alert() when the target URLs are requested, so the modal dialog effectively blocks the user's browser from continuing the reload loop.

In short, this is how this Man-on-the-Side attack is carried out:
- An innocent user is browsing the internet from outside China.
- One website the user visits loads a JavaScript file from a server in China, for example the Baidu Analytics script that is often used by web admins to track visitor statistics (much like Google Analytics).
- The web browser's request for the Baidu javascript is detected by the Chinese passive infrastructure as it enters China.
- A fake response is sent out from within China instead of the actual Baidu Analytics script. This fake response is a malicious javascript that tells the user's browser to continuously reload two specific pages on GitHub.com.
ORDOS, A MAGICAL LAND in the just north of China, is a dazzling pearl in the world history and culture. That’s what it says — verbatim, in ungrammatical English — on a plaque that greets you as you enter a rotunda in the Ordos Museum. The city of Ordos sits in a coal-rich wilderness of desert and grassland at the southwestern edge of the Chinese province of Inner Mongolia. It is not even 15 years old and has a minuscule population compared to most Chinese cities. But those facts have not constrained Ordos’s municipal rhetoric. In the museum’s exhibition devoted to Genghis Khan you are told that when the great warrior traveled through in the early 13th century, he praised Ordos as a paradise, an ideal home for both children and old people, with a natural landscape of unrivaled beauty. Signs welcome visitors to “the famous tourist city,” “the most excellent tourist city” and “the top tourist city in China.” The word Ordos itself is a kind of boast: In Mongolian, it means “many palaces.”