Federal Government Jobs Web Site Hacked

The federal government’s online database for job seekers has been hacked.

As if Uncle Sam’s hiring process is not in enough of a mess already, now comes word that the pocket where he keeps job applications has been picked.

USAJOBS, the government’s database, is powered by Monster.com, the Internet employment service.

A “special security alert” posted by USAJOBS says “certain contact and account data were taken, including user IDs and passwords, email addresses, names, phone numbers, and some basic demographic data.

“The information accessed does not include resumes,” continues the statement from Mary Volz-Peacock, USAJOBS program director. “The accessed information does not include sensitive data such as social security numbers or personal financial data.”

But the government warns that the stolen data could be used in phishing schemes. This is a type of electronic fraud in which crooks use e-mail messages, pretending to come from legitimate organizations -- potentially the U.S. government in this case -- to secure sensitive information from those whose e-mail addresses were stolen.

People with USAJOBS passwords may soon be required to change them, according to the announcement.

“USAJOBS will never send an unsolicited e-mail asking you to confirm your username and password,” says the alert, “nor will Monster ask you to download any software, ‘tool’ or ‘access agreement’ in order to use your USAJOBS account.”

The hacking of USAJOBS was part of a larger intrusion into Monster.com. A "security breach official alert" on that site says "we recently learned our database was illegally accessed and certain contact and account data were taken."

A mandatory change of e-mail passwords for company clients goes into effect today, according to Nikki Richardson, Monster's vice president of corporate communications. The company is "monitoring any illicit use of information and so far we have not detected the misuse of this information," she said in a telephone interview.

In addition to changing passwords, Richardson recommended that Monster users be vigilant for suspicious e-mails and review the Monster security page, which can be found at monster.com. More information also is available at usajobs.gov.

By Sara Goo  |  January 30, 2009; 2:43 PM ET  | Category:  Hiring

Comments



Just where are all these "internet security" folks? How is it that our information is taken at will? Just unbelievable these internet systems are so damn vulnerable.

Posted by: ward5354 | January 30, 2009 3:44 PM | Report abuse

No, MORE INFORMATION IS NOT AVAILABLE AT USAJOBS! THERE IS NOTHING INDICATING THAT EMAIL ADDRESSES AND PASSWORDS HAVE BEEN HACKED!

Posted by: arrabbiato | January 30, 2009 3:49 PM | Report abuse

If I remember correctly, Monster was hacked before. They should have dropped Monster then.

Posted by: Bill22042 | January 30, 2009 3:51 PM | Report abuse

Clearly the code running the site wasn't coded in America.
It was outsourced.

Posted by: blakesouthwood | January 30, 2009 4:00 PM | Report abuse

NEOCONS still trying to take down the country

Fei Hu

Posted by: Fei_Hu | January 30, 2009 4:05 PM | Report abuse


Isn't it just like the feds to allow this to happen?

BTW Joe, you are doing an excellent job. It's like having Mike back at the Post.

Posted by: mortified469 | January 30, 2009 4:06 PM | Report abuse

You know what? I had NO IDEA this had happened!! They have a small little alert thing on their site and that is it. This is the SECOND time USAJOBS has been hacked!!! Why will people apply for federal jobs when our info is not safe!!
THIS IS THE SECOND TIME and USA JOBS did not notify ANYONE!!!!!!!
What if I had not checked the USAJOBS site-- I would have NEVER KNOWN!!

Posted by: oba2 | January 30, 2009 4:09 PM | Report abuse

thank you for reporting this to the public.

Posted by: egalitaire | January 30, 2009 4:19 PM | Report abuse

.
seems to me,
if they got my User ID, and they got my password,
even if they didn't steal my resume at that time, or SSN,
they have everything they need to do so.

Disingenuous, saying they didn't take any resumes.
.

Posted by: BrianX9 | January 30, 2009 4:21 PM | Report abuse

"Powered by" Monster.com.

I'm sure the irony is unintentional, but....

Posted by: ArtCee | January 30, 2009 4:22 PM | Report abuse

Do the feds actually hire from the USAJobs website? Is it a complete listing of available positions?

My concern is that there seem to be very few open positions listed, and they make you jump through hoops just to be considered for an interview.

Why not allow people to apply by email, using a resume and cover letter, then request more information if/when they want to interview the applicant?

Posted by: MattNYC1 | January 30, 2009 4:25 PM | Report abuse

before people start blaming the govt. please note that this was Monster.com that got hacked.

Posted by: dealer1 | January 30, 2009 4:26 PM | Report abuse

The least the hackers could have done was take our resumes. That way we might have had a chance at a job in this miserable mess of an economy.

Posted by: umbriell | January 30, 2009 4:28 PM | Report abuse

Friend of mine has already reported a phishing using resume data today.

Posted by: dealer1 | January 30, 2009 4:28 PM | Report abuse

Let me guess- the site was running Windoze.

Posted by: hairguy01 | January 30, 2009 4:41 PM | Report abuse

Every day the worthless employees and leadership of government want more and more information about our lives. Every day they push for more computer usage and shared computer information. Even now the clowns want everything known about us on medical computers....But the north end of south bound mules aren't smart enough to secure it or chase down criminals accessing the information. Our government is simply a mess. The only difference between modern United States government and the Cub Scouts is that the Cub Scouts have adult leadership.

Posted by: gunnysgt77 | January 30, 2009 4:51 PM | Report abuse

You see, that's why the website shouldn't make you put in your SSN. I know that part wasn't hacked but still. I'm really pissed. I just applied for several jobs through that website, only to hear this!

Posted by: wizardman | January 30, 2009 4:51 PM | Report abuse


Here's the story WaPo should be tracking:

http://www.dcexaminer.com/local/012909-Ex-Fannie_Mae_worker_charged_with_planting_computer_virus.html

Ex-Fannie Mae worker charged with planting computer virus

By Freeman Klopott
Examiner Staff Writer 1/29/09
A fired Fannie Mae contract employee allegedly placed a virus in the mortgage giant’s software that could have shut the company down for at least a week and caused millions of dollars in damage, prosecutors say.

Rajendrasinh Makwana, an Indian citizen, was indicted Tuesday on computer intrusion charges. The former Gaithersburg resident is out on $100,000 bail, court documents said.

Makwana was fired from his contract position at Fannie Mae on Oct. 24 for changing computer settings without permission from his supervisor, FBI agent Jessica Nye wrote in a sworn statement. He had worked at Fannie Mae for three years as a computer engineer at the Urbana offices, where he had full access to all of the federally created mortgage company’s 4,000 servers. Before leaving work Oct. 24, Makwana allegedly tried to hide a code in server software that was set to activate the morning of Jan. 31, the agent wrote.

“Had this malicious script executed, [Fannie Mae] engineers expect it would have caused millions of dollars of damage and reduced if not shutdown operations at [Fannie Mae] for at least one week,” Nye wrote. “The total damage would include cleaning out and restoring all 4,000 of [Fannie Mae’s] servers, restoring and securing the automation of mortgages, and restoring all data that was erased.”

[ ... ]

We _know_ who this hacker was in this case; a foreign national allowed superuser access to 4000 servers storing and processing some of the most important financial data.

Mr Makwana was working for "OmniTech" which is Omnitech International. If you google that in the context of "H-1B" and "visa abuse" you will get lots and lots of hits.

So, the government letting foreigners run our information systems. I wonder why none of those foreigners noticed that a lot of other foreigners had gotten "liar loans" that they used to secure option-ARM (adjustable rate) mortgages that they relentlessly "flipped" every six months, fraudulently forcing upwards the valuations of homes.

The government needs to start hiring American (including Canadian) computer people instead of offshoring or importing people who are worked like slaves for about 3/4ths of industry scale for Americans; and who leave behind them incomprehensible skeins of "spaghetti code" that nobody else can decipher, not because the code's that good or profound, but because it's just jumping around for the sake of jumping around. And then they leave comment lines in Urdu or Hindi that nobody but their countrymen can understand.

It's time to lock down our systems, folks. It's not like there's a shortage of unemployed or underemployed US information technology workers.

Posted by: thardman | January 30, 2009 4:56 PM | Report abuse

I see an award fee dissipation light, blazing and flashing....

This is what happens when the FASTER, BETTER, CHEAPER model is used.

Either pay for it upfront or you'll get 10 times worse, in the end.

Posted by: Computer_Forensics_Expert_Computer_Expert_Witness | January 30, 2009 5:49 PM | Report abuse

re: Freeman Klopott article

The reason why code development is offshored is because it is cheaper to use Indian and Pakistani labor than US or Canadian labor. Someone measured KSLOC (thousand lines of code) and looked at the cost of KSLOC done in India vs Redmond, Washington. No need for new facilities or improvement to current facilities, thus no new employees needed.

Microsoft thought that this would solve the mass of code necessary for the development of a new O/S (operating system) or applications. The model was to take the rough code and slim and refine it down with state-side programmers. This would reduce development costs and deploy a product.

Where American corporations screw up is that they try to have customer service run out of India or Pakistan. The problem in chief is communication. Regrettably, the accents are so strong, you're lucky if you can make out 7 out of 10 words.

Now that India has become a software powerhouse and the H1B visa program (which is a joke for the most part), India's rates have gone through the roof, hopefully jobs will return to our shores.

Posted by: Computer_Forensics_Expert_Computer_Expert_Witness | January 30, 2009 6:02 PM | Report abuse

Does the federal government REALLY want qualified people to serve? This is ridiculous.

And thanks for the heads up!

Posted by: CaptainJohn2525 | January 30, 2009 6:25 PM | Report abuse

Odd,
Maybe it is the Department of Justice collecting evidence, after that attempt to use taxpayer money to pay a voter fraud agency.

Posted by: dottydo | January 30, 2009 6:45 PM | Report abuse

Does anyone else see the lack of wisdom at bombing a place you outsource American ID's to?

Placing enemy fungus among us into the Government is a debacle.

Who thinks that Obama's blackberry is not a sensitive feed to any hacking terrorist?
They should take it away from him.

Posted by: dottydo | January 30, 2009 6:56 PM | Report abuse

"Clearly the code running the site wasn't coded in America."

Oh, please. Reports say they used Monster.com's platform. Monster consists of ASP code running on Microsoft Windows Server, probably with a Microsoft SQLServer database backend. When Monster was hacked in 2007, it was via a Trojan being installed - not an exploit of the Monster site code. Probably the same this time - exploits of the underlying server or database code. And that's coded in Redmond.

Posted by: hitpoints | January 30, 2009 7:07 PM | Report abuse

This is the second time that this company has allowed this to happen. OPM quit spending millions of dollars for this service and start using your federal government Information Technology workforce, between, DOI, DOD, there are numerous fee for service government agencies that can do this better than this contractor.

Posted by: glc1987 | January 30, 2009 7:09 PM | Report abuse

I've been saying it for years...see

www.D50.org

The real danger to our financial systems is through software!

500,000+ H1-B visa holders could not have all been checked for security risks. Just because greedy corporate execs want cheap labor, doesn't mean they should get it.

Go to http://www.whitehouse.gov/StrongMiddleClass/ and let the whitehouse know they should shut down the H1-B program!

Posted by: Sadler | January 30, 2009 7:10 PM | Report abuse

RE: Ex-Fannie Mae worker charged with planting computer virus

Ummm - the guy apparently now works for Bank of America!
They (BoA) are the folks with: "THE HIGHER STANDARD" - LOL! Guess they need to add some 6-Sigma to their hiring process...

Posted by: Sadler | January 30, 2009 7:24 PM | Report abuse

Expect to see more attacks on web sites that have anything to do with employment, especially as the Depression deepens. Remember that these are the same parasites that were registering domains like "katrinarelief.com" as that Hurricane was approaching New Orleans.

Posted by: dldbug | January 30, 2009 7:25 PM | Report abuse

Note, however, that on the USAJobs website, there is not an in-your-face or top of the page notification, but rather there is a small item, along with other links, in small letters, on the left side, that reads:
Special Security Alert
Please read this notice

While the notice is explanatory, the notification, the alert notice, isn't enough to get anyone's attention, and can easily be considered one of many other type notices that suggest keep your password to yourself, don't reveal..., etc. It is not, NOT, indicative of a warning that the site and information on the site has been hacked.

Dungarees@gmail.com

Posted by: Dungarees | January 30, 2009 7:58 PM | Report abuse


Ah, you know, especially in the DC area, all sorts of foreigners are all throughout the information systems.

It's not as if there is a shortage of American/Canadian talent. I keep mentioning the Canadians because they are part of the same economy, we sneeze, they get pneumonia. But I digress.

Look, I worked for a company that had a fair amount of foreign talent but we also had lots of local (as in Beltsville/Laurel etc) engineers and coders. When you have system administrators with access levels global to your company, you don't necessarily want the least expensive talent or the most expensive talent. You don't even necessarily want the best talent. What you want is equanimity and loyalty, and professionalism above all. In the modern day, there is nothing more dangerous than a Disaffected Sysadmin, unless it's a group or network of Disaffected Sysadmins. Throw into the mix just a few nationalistic concerns and a little propaganda from their homeland's intelligence operations services, or even from their homeland's enemies' intelligence operations services, and it's a recipe for disaster.

Really, there seems to be a picture emerging of really significant lack of security concepts. Given some of the things that happened during the Bush-II administration in terms of failures of Homeland Security and border/immigration issues, sensible people should be running around screaming "the sky is falling ow it just hit me" but they're not. I think it's pretty clear that most politicians are incapable of listening and they've mostly appointed officials specifically to be ignorant of issues, deaf to warnings, and incompetent to act even if they heard and learned.

I predict very bad things in the very near future, if we don't start locking potentially hostile foreigners out of our systems and start going through every last line of code from the BIOS in our Lenovo Group laptops to the remote control for your cable-TV set-top boxes.

For all we know, all of that outsourced code is a ticking time bomb.

Posted by: thardman | January 30, 2009 8:22 PM | Report abuse

Another example of incompetent holdovers from the Bush administration. The white house computer system was stuck in the 1980s and there is no reason to use a private contractor to do this job. The right wing is still living in the stone age.

Posted by: bikesac | January 30, 2009 8:30 PM | Report abuse

No one seems to be interested in the fact this guy is apparently working for Bank of America RIGHT NOW!

http://www.washingtonpost.com/wp-dyn/content/article/2009/01/30/AR2009013001406.html?hpid=topnews

The linked article doesn't allow comments, so I'll make them here:

1) The FBI needs to pick this guy up immediately and hold him as an imminent threat and a flight risk.
2) The Bank of America needs to review every machine and piece of software this guy has touched since October.
3) If this person is on an H1-B visa - why has he been in the US (apparently) more than the allowed six years?
4) If an H1-B - why didn't BoA discover he was "on bail" when they checked with the visa clearing agency?

See www.D50.org for threat information I posted years ago on this very topic!

NO ONE IS LISTENING!

Posted by: Sadler | January 30, 2009 9:29 PM | Report abuse


Working for BoA?

That's very worrisome. They are the holders of the vast majority of non-FANNIE/FREDDIE "toxic asset" mortgages.

It's possible he could get into a position to be a Bad Superuser and Rogue Sysadmin to crash their data.

Why are any of these people working in positions that have the least sensitivity, much less in positions of potential massive damage?

We need to lock down H-1B workers in the same way that the Transportation Security Administration locked down the airports after goatherds flew jets into the Twin Towers.

The damage could be far worse and only needs one Bad Sysadmin to do it.

Raj may be the James Bond of the ultimate destruction of our financial system.

Let's take this discussion to all of the Federal comment servers under whitehouse.gov and on WaPo who is now covering this story.

http://www.washingtonpost.com/wp-dyn/content/article/2009/01/30/AR2009013001406.html

http://www.washingtonpost.com/wp-dyn/content/article/2009/01/29/AR2009012902751.html


We would like to convince BoA but they are foreigner owned and staffed, and might cheerfully let it all fall down as long as it makes America drag the world down with it.

This is starting to look like something potentially really bad coming together.

Look to your servers and if you are root you need to go through every last bit of code from extranational authors.

Instantly set all cron jobs to no-execute.

Get and use a chkrootkit.org tool and examine it before you execute it.

Go on major damage alert!

Consider this the first radar alert that was ignored before Pearl Harbor.


Posted by: thardman | January 30, 2009 11:00 PM | Report abuse


Now for a moment of raw paranoia:

USAJOBS resumes are by hackers suddenly all replaced by pointers to INDIA SPIES and SABOTEURS. All phone numbers will after the hack be replaced by recruiter numbers to OMNITECH INTERNATIONAL or TATA INDUSTRIES, largest H-1B "brokers" and "recruiters".

Of course it's not possible. Ooops, this story reports that it is possible. Easily done, even.

Weep for your nation, governed by fools that you elected.

Posted by: thardman | January 30, 2009 11:22 PM | Report abuse

Having now read the criminal complaint:

http://www.scribd.com/doc/11528145/Makwana-Complaint

I wonder if he really had time to write all these scripts - or if they were prepared ahead of time.

He should be considered a flight risk - especially since he e-mailed his family NOT to return to the USA...

WHY ISN'T THIS STORY ON THE FRONT PAGE???

See www.d50.org for my prediction from years ago on this very issue.

Posted by: Sadler | January 31, 2009 12:23 AM | Report abuse

thardman wrote: "...and on WaPo who is now covering this story...":

Homeland Secretary Wants to Deport Criminal Illegal Immigrants

This story isn't relevant - it deals with ILLEGAL immigrants. Makwana is LEGAL. (Of course perhaps his H1-B has expired...they are supposed to be good for six years)

Posted by: Sadler | January 31, 2009 12:30 AM | Report abuse

Sadler: I posted _two_ links. You followed the one that's only tangentially related.

Having looked over the DoJ document, it looks almost as if Makwana could have just downloaded some fairly generic scripts from any number of Script Kiddie sites and modified them to his ends. That would not take very long. However, a certain amount of malice-aforethought is clearly present; however long it took to write these scripts, a fair amount of planning had to go into it. Nobody could accept for a moment that this was a crime of passion, but rather it was one of a studied attack coming out of cold blood.

And as to his relatives not coming to the US from India, well, if he had pulled this off, he would be about as popular as a Taliban warlord on September 15 2001 and so probably would be any other person from India looking for work in IT on the H-1B Visa.

Posted by: thardman | January 31, 2009 11:18 AM | Report abuse

arrabbiato wrote:
"No, MORE INFORMATION IS NOT AVAILABLE AT USAJOBS! THERE IS NOTHING INDICATING THAT EMAIL ADDRESSES AND PASSWORDS HAVE BEEN HACKED!"

Yes, there is information on the USAJobs website. However, it was not an in-your-face or top of the page notification, but rather it was a small item, along with other links, in small letters, on the left side, that reads:
Special Security Alert
Please read this notice

While the notice is explanatory, the notification, the alert notice, isn't enough to get anyone's attention, and can easily be considered one of many other type notices that suggest keep your password to yourself, don't reveal..., etc. The link is not indicative of a warning that the site and information on the site has been hacked.

MattNYC1 wrote:
"Do the feds actually hire from the USAJobs website? Is it a complete listing of available positions?...Why not allow people to apply by email, using a resume and cover letter, then request more information if/when they want to interview the applicant?"

Yes, the Federal Government actually hires from the USAJobs website. And the reason they no longer want a variety of e-mails and cover letters with applications is because they've found that it's easier and quicker if there's a common system. While the old SF 171 forms were detailed and convoluted, they too were better than numerous people writing their application requests in numerous formats, making it necessary to spend an inordinate amount of time trying to determine what the individual was writing.

Is it the best system? Probably not, but can you come up with a better one, other than saying let people do it their own way?

gunnysgt77 wrote:
"Everyday the worthless employees and leadership of government want more and more information about our lives. Everyday they push for more computer usage and shared computer information. Even now the clowns want..."

Part of the problem is that everyone wants something from the government, and, like it or not, the only way to keep track of information in order to quickly access it, is by computer.

As for the "worthless employees" of government, I assume that gunnysgt77's anonymous screen name refers to his/her having been a U.S. Marine, a government employee; should I consider all Gunny Sergeants worthless? Sorry, but calling all government employees worthless is asinine and stupid. It seems that the only non-worthless government employees are those that provide something specific to someone specific (such as gunnysgt77), and everyone else is worthless; the problem is that each citizen wants and expects something different, and that's part of what government employees are all about. Even so, I'm not sure how a private company's being hacked makes all government employees and leaders worthless.

Posted by: Dungarees | February 2, 2009 8:34 AM | Report abuse

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company