OPM Says It Breaks Encryption to Monitor Employees' Browsing Habits

Mark Van Scyoc/Shutterstock.com

Through a technique called "SSL decryption," the agency sees through secure online transactions between a worker’s computer inside the agency firewall and an external website.

The code-breaking National Security Agency and the recently hacked Office of Personnel Management have more in common than one would think.

Both keep tabs on the Internet traffic of government workers to prevent malicious actors from penetrating U.S. networks.

NSA breaks into the private communications of foreign adversaries for intelligence gathering. OPM officials peek at what their employees are browsing, because, increasingly the bad guys are using tainted websites as a launching pad, said Jeff Wagner, OPM director of security operations.

Through a technique called "SSL decryption," the agency sees through secure online transactions between a worker’s computer inside the agency firewall and an external website.

As with massive eavesdropping by NSA, the idea of organizations routinely intercepting workers’ communications riles some civil liberties activists, Wagner acknowledged.

"When I bring up SSL decryption -- first, it's always the 'How do you do it without the OGC getting mad at you?'-discussion, which is true," he said, using the abbreviation for Office of General Counsel. "You are going to get a lot of privacy questions."

Wagner was speaking at an 1105 Media event in Washington last week before an audience of government and contractor security personnel.

OPM has firsthand experience with both malware attacks and invasions of privacy. Suspected Chinese hackers compromised confidential details on 21.5 million national security personnel and their family members in a breach disclosed this summer.

The enemies Wagner had in mind last week implant malicious files through security holes in commercial websites and online ads.

These "watering hole," "angler" or "malvertising" attacks strike widely popular sites to infect as many visitors as possible, or target sites known to attract the sorts of victims they want to hack. For example, in 2013, Microsoft, Apple and Facebook officials acknowledged some of their employees fell victim to watering hole attacks while visiting a software developer website. 

“[Washington radio station] WTOP, I hate to pick on them, they've been hit multiple times. Why? Everybody wants to know what the traffic is in D.C.," Wagner said. "So if I want to infect federal users, why not go to the one place I know everybody is going to?"

WTOP said it discovered in May 2013 its site was harboring malicious code. The station said it removed the code and installed additional security measures. More recently, security firm MalewareBytes detected an angler attack Oct. 9 that embedded a malicious file into the Daily Mail website. The bogus ads were later removed. Roughly 156 million visitors a month read the online newspaper.

"One thing we're seeing a lot of is angler attacks," Wagner said. "It's not phishing attacks anymore" – emails carrying malicious code. "That's too simple."

BlueCoat, Dell and Palo Alto Networks are among the many tech companies that sell SSL decryption products to provide network visibility.  

To keep hackers and agency lawyers at bay, Wagner configures OPM’s decryption program to only read specific data flowing through the network, he said.

"I don't care if you go to Bank of America. I really don't. What I do care about is, I see that you went to Bank of America," he said. "I don't need to know your password or username… I can write rules to strip a lot of that data out. But I need to know where you've been."

(Image via Mark Van Scyoc/Shutterstock.com)