Yep, it looks very likely my personal data is now in the hands of China, or someone pretending to be China, or someone who wants it to look like China. While I can’t go into details, as many of you know I’ve done things with the federal government related to my rescue work. It isn’t secret or anything, but I never feel comfortable talking specifics because it’s part-time and I’m not authorized to represent any agency.
I haven’t been directly notified, but I have to assume that any of my records OPM had, someone… else… has. To be honest, based on what details have come out, I’d be surprised if it wasn’t multiple someone elses – this level of nation-state espionage certainly isn’t limited to any one country.
Now, on the upside, if I lose my SSN, I have it backed up overseas. Heck, I’m really bad at keeping copies of all my forms, which I seem to have to resubmit every few years, so hopefully whoever took them will set up a help desk I can call to request copies. I’d pay not to have to redo that stuff all over.
Like many of you, my data has been breached multiple times. The worst so far was the student health service at the University of Colorado, because I know my SSN and student medical records were in that one (mostly sprained ankles and a bad knee, if you were wondering – nothing exciting). That one didn’t seem to go anywhere, but the OPM breach is more serious. There is a lot more info than my SSN in there, including things like my mother’s maiden name.
This will hang over my head for the rest of my life. Long beyond the 18 months of credit monitoring I may or may not receive. I’m not worried about a foreign nation mucking with my credit, but they may well have enough to compromise my credentials for a host of services. Not by phishing me, but by walking up the long chain of identity and interconnected services until they can line up the one they want.
I am now officially a security risk for any organization I work with. Even mine.
And now on to the Summary…
We are deep into the summer, with large amounts of personal and professional travel, so this week’s will be a little short – and you probably already noticed we’ve been a bit inconsistent. Hey, we have lives, ya know!
Webcasts, Podcasts, Outside Writing, and Conferences
- Rich’s webinar for Adallom on managing SaaS
- There might be more, but GoGo on this flight is terrible, and I can’t perform a news search.
- My 2015 Personal Security Guiding Principles and the New Rand Report.
- Incite 6/10/2015: Twenty Five.
- Threat Detection Evolution: Why Evolve? [New Series].
- Contribute to the Cloud Security Alliance Guidance: Community Drives, Securosis Writes.
- Network Security Gateway Evolution [New Series].
- We Don’t Know Sh–. You Don’t Know Sh–..
Research Reports and Presentations
- Endpoint Defense: Essential Practices.
- Cracking the Confusion: Encryption and Tokenization for Data Centers, Servers, and Applications.
- Security and Privacy on the Encrypted Network.
- Monitoring the Hybrid Cloud: Evolving to the CloudSOC.
- Security Best Practices for Amazon Web Services.
- Securing Enterprise Applications.
- Secure Agile Development.
- Trends in Data Centric Security White Paper.
- Leveraging Threat Intelligence in Incident Response/Management.
- Pragmatic WAF Management: Giving Web Apps a Fighting Chance.
Top News and Posts
- Major zero-day security flaws in iOS & OS X allow theft of both Keychain and app passwords
- Hard to Sprint When You Have Two Broken Legs
- Second OPM Hack Revealed: Even Worse Than The First
- Report: Hack of government employee records discovered by product demo
- How I Learned to Stop Worrying and Embrace the Security Freeze
- Stepson of Stuxnet stalked Kaspersky for months, tapped Iran nuke talks
- Courts docs show how Google slices users into “millions of buckets”
- Factory Reset On Millions of Android Devices Doesn’t Wipe Storage