OPM Left Internal System Vulnerable to a Known Attack for Weeks

The Office of Personnel Management (OPM), which was infamously hacked last year, today announced it fixed a serious vulnerability affecting a potentially sensitive part of its network after being informed of it by Motherboard.

An encryption certificate associated with an OPM sub-domain was vulnerable to the so-called DROWN attack, which was announced earlier this month. With DROWN, resourceful attackers can crack encrypted traffic, and then steal passwords and other sensitive information from affected sites in a matter of hours.

"As numerous worldwide internet vulnerabilities are discovered almost daily, OPM, on a routine basis, takes immediate steps to remediate vulnerabilities as they become known to us—as was the case with the recent DROWN vulnerability," Samuel Schumach, press secretary for the OPM told Motherboard in an email.

Motherboard first told OPM about the vulnerable certificate on Tuesday, and the problem had been fixed by the following day.

"OPM's ability to respond and address issues such as these shows our significant progress in vulnerability remediation and incident response," Schumach continued.

The vulnerable certificate was discovered after Motherboard investigated an OPM "Secure Portal User Login" page. Taking the URL of that page, and pasting it into the free, online tool to check for sites vulnerable to DROWN, revealed that a certificate for a related section of the system was affected by the attack.

The now-fixed certificate included the sub-domain "pips," which refers to Personnel Investigation Processing System. The OPM would not comment on what information was transmitted with this certificate, but according to a government website, "PIPS is an automated system which houses the Security/Suitability Investigations Index (SII) and is used by Federal Investigative Services at the U.S. Office of Personnel Management (OPM-FIS) for the automated entry, scheduling, case control and closing of background investigations." An OPM document adds that PIPS "supports the core investigative processed such as the entry of the investigative data."

As for the attack itself, DROWN works on sites which inadvertently expose their encryption keys through the use of SSLv2, a precursor to Transport Layer Security (TLS), which is used to encrypt data in transit. In short, an attacker can decrypt a TLS session by repeatedly forcing connections to the target using SSLv2, and each time build up a picture of the encryption key. When Ars Technica reported on the research at the start of the month, more than 11 million websites and e-mail services were vulnerable to DROWN.

"Having SSLv2 still enabled is a sign of having antique infrastructure that might have other vulnerabilities," Nadia Heninger, assistant professor in computer and information science at the University of Pennsylvania, and one of the co-authors of the DROWN paper, told Motherboard in an online chat. Although the DROWN problem has been fixed, she pointed out that the sub-domain was perhaps vulnerable to FREAK, another encryption-related attack from last year. It appears to also be affected by POODLE, a third attack from 2014.

Talking about DROWN and FREAK, Heninger said, "These are interesting cryptographic vulnerabilities, but the more pressing broader issue here is how hard it is, even for the government, to secure itself against attacks. SSLv2 and export cipher suites have been deprecated for 15-20 years."

"It's clearly difficult for large organizations to secure their infrastructure," she added.

While the certificate for the PIPS sub-domain was vulnerable, the keys for the login page itself appear to be up to date, Haninger pointed out.

But, depending on what information was being transmitted with the weak certificate, sensitive information could still have been exposed.

On Tuesday, acting OPM Director Beth Cobert tried to convince lawmakers to provide $37 million to migrate the agency from older machines over to modern equivalents. For the meantime, old and new systems will be run side-by-side, however.

The agency's catastrophic hack included 5.6 million fingerprints, and sensitive information on roughly a staggering 22 million people.

When it comes to this latest, albeit smaller blunder, "It's pathetic that it has to be pointed out by someone from the outside; that such an obvious vulnerability exists in such a sensitive place," Michael Adams, an information security expert and former US Special Operations Command Sergeant Major, told Motherboard in a phone call.

Correction: An earlier version of this article said that 32 million people were affected by the OPM hack. According to OPM's official figures, it was 22 million people.