"might be cause for celebration".
Really? 1% of their employees being morons, is good news? I hadn't realised that one in a hundred internet users generally still fall for phishing emails.
Doesn't Oak Ridge use spam filters?
One of the most sensitive science and technology labs in the US has been hacked as part of what it called "a sophisticated cyber attack that now appears to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country." The unknown attackers managed to …
You'd think Los Alamos and Oak Ridge would be on top of beating into their idiot employees to NOT open emails with attachments from unknowns. Personally, they should do what happens at our office if a malicious email is opened. One to three days on suspension for the first time.
Sheesh, what a bunch of maroons.
First I get a letter from USA Jobs telling me that my personal info has been compromised, and now it's ORNL!!!! I visit their Computer Science and Mathematics facility on a regular basis. I guess they've given my data away too. The best part is that SSN verification is part of every visit so now either the commies or Nigerians have my SSN. Wonderful.
God, you know this really pisses me off. I just attended a seminar there discussing their internal network security and how great it is. Damn it! This is disgusting. Homeland Security indeed.
I think the lesson here is that an adequately researched spear phishing attack is good enough to fool even rocket scientists. Presumably this is not an "all your base are belong to us" email, but something sophisticated. Hey, the fact that not every employee opened the highly targeted email bomb is pretty good.
It's easy to laugh at the victims here and act all superior, but really, if somebody that appeared to be a colleague sent you email on your work account that appeared to be about the specific work that you do, and said "look at the attached info", how smart are you? Are you that smart every time? Even in the morning when you're not revved up? Even right before a meeting when you're in a hurry?
The spear phishers got to take seven shots at 3k employees. The odds of catching one guy not paying enough attention are up there in the "inevitable" range.
I just hope we're doing it to "them".
You'd think the highly classified bunch would wise up and switch all their computers to Linux (you know, like several countries' governments are starting to). The employees that would normally open such an email might raise their IQ a few points because of Linux, too.
Perhaps the red level has some sensitive information on aliens, in which case I hope the attackers are successful in getting at it, so long as they make it public. =P
One of the problems is that a lot of the people using these networks in the course of their work day are experts in their own little field, but are of the opinion that their expertise extends to all of existence and beyond. As such, they are resistant to and tend to ignore common-sense IT rules, because...well...they are them and they are really far too important. Besides, they know what they are doing. They are eckspurts.
Needless to say, the Defense Department has a huge and expensive security initiative going on right now and the colonels and, yes, even the generals are starting to growl and gnaw people's heads off, where appropriate.
They are starting to roll out standardized desktop images and that is really starting to get up noses, because the users no longer have their admin rights on their machine. They want to install what they want, when they want it, damn the security concerns.
All in all, it sounds like too much fun for me.
Oh, and Linux in these situations? Rare, except for some HPCs running RedHat and only RedHat. Other than that, it's Microsoft all the way. In fact, they have been upgrading to Exchange 2007. Hours of fun for the whole family, that.
I don't think I'm being biased when I say that relying on Windows for security is probably unwise, but whatever they use, if they really want to keep data secure, then they shouldn't put it online in the first place, passwords or not. Keep it in the building. Real security is physical security and until they realize that, then this "sooper sekrit" stuff is just a childish game.
"made approximately 1,100 attempts to steal data with a very sophisticated strategy that involved sending staff a total of seven 'phishing' emails, all of which at first glance appeared legitimate,"
Yeah? -- like spam from a machine in the office with 'click here to see Paris in action'.
"Hey, I can't see anything, I'll click again a few times."
Entirely agree that military secrets shouldn't be held on a network connected to the Internet. And they aren't - read the article:
"Recently, malicious and determined hackers have accessed the Lab’s unclassified Yellow Network and removed a significant amount of unclassified material," according to a November 9 memo sent to employees. The lab's so-called red network, which is reserved for classified information, was not affected.
And to all the fanbois crying "if only they'd used Linux this could never have happened", I can do no better than to quote the master (Bruce Schneier):
"If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." - Secrets & Lies
How on earth does that work when anyone can get dozens of GB of data past any industry-standard or even mil-spec security guy without even trying, using stuff no smarter than USB flash drives and freely available encryption/disguise software?
Sorry, but the era of physical security being sufficient as well as necessary is no longer applicable.
"anyone can get dozens of GB of data past any industry-standard or even mil-spec security guy without even trying, using stuff no smarter than USB flash drives"
I think you'll find that systems connected to classified networks don't /have/ USB ports (they used to fill them with epoxy resin, but I think more sophisticated solutions are now available) or CD/DVD drives. Physical security was never sufficient in itself, but has always been a critical component of any security solution. Networks handling highly sensitive data should be separated by an air gap from any network connected to the Internet.
PS Sorry Ole, I realised that should have been Juul ;)
There's simply no justification for all of this. It's certainly not the fault of the OS or AV or security software not doing its job. This lies squarely on the shoulders of the idiots who fall for BS. Any email that supposedly contains company-driven information, especially important information, should be dealt with with kid gloves. I mean, come on, if it's that important, why would a company take the chance that the email would be opened, let alone successfully delivered? Company-oriented email should always be verified or better yet, not sent at all. Duh, the boss sent me something and his office is just down the hall. How stupid is that? And on the chance that email is a priority for certain aspects of the job, make sure all employees know that attachments are strictly forbidden. This isn't *ahem*... rocket science.
I agree. That's why I'm suggesting physical security. No data is truly safe if there is a connection to the outside world. That means that the people who work there also have to be trustworthy. As for physical security, it's amazing how many places there are where you could just walk in and grab a computer. They might not even notice you right away, and if the (usually plain vanilla) security people complain, you either talk with them or you just make a run for it. Until they have experienced this sort of thing, at least once, they won't be ready. However, I think that in this case they may actually BE secure, since (as Chris Miller points out) it was only the unclassified network which was compromised. So what's the big deal? Perhaps there wasn't really a story here.
PS Chris: I don't mind a little variety in the spelling of my name :)
You would have thought that the people responsible for network security for organisations like this would take steps to ensure that no executable attachments are allowed into the organisation.
It's relatively straightforward to configure IE to prevent it running scripts or active content of any kind. It's similarly easy to disable macros in Office. Add in some e-mail filters to block attachments, and disable internet and e-mail access apart from via a separate terminal server.
If you really want to go the whole hog, enable internet access to whitelisted sites only, and enable SPF or SenderID and only allow e-mail attachments or links from whitelisted senders who can be verified. All other e-mails can come through, but with attachments stripped out.
I could configure that in under a week, it's entirely possible for the business to continue working with it in place, and I very much doubt this attack would have worked had those steps been taken.
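As an added example, not part of this thread or any commenter's own work: a small Python filter implementing the inbound-mail policy sketched above, stripping executable attachments unless the sender is on an allowlist and the border MTA recorded a passing SPF/Sender ID result. The allowlist, the `Authentication-Results` header, and the sample message are constructed assumptions for this example.

```python
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Constructed allowlist of verified senders (assumption: maintained by IT).
VERIFIED_SENDERS = {"boss@example.gov"}

# Attachment names the policy never delivers; other binaries are caught
# by the application/* check below.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta")


def sender_verified(msg: EmailMessage) -> bool:
    """Allowlisted From address AND spf=pass recorded by the border MTA.

    Assumption: the border MTA removes any inbound Authentication-Results
    header before adding its own, so a sender cannot forge this result.
    """
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    auth = msg.get("Authentication-Results", "").lower()
    return sender in VERIFIED_SENDERS and "spf=pass" in auth


def is_blocked_attachment(part: EmailMessage) -> bool:
    name = (part.get_filename() or "").lower()
    return name.endswith(BLOCKED_EXTENSIONS) or part.get_content_maintype() == "application"


def filter_message(raw: bytes) -> tuple[EmailMessage, list[str]]:
    """Return (message to deliver, names of attachments stripped from it).

    Handles flat multipart/mixed messages; nested multiparts are left as-is.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    if sender_verified(msg) or not msg.is_multipart():
        return msg, []
    stripped, kept = [], []
    for part in msg.iter_parts():
        if is_blocked_attachment(part):
            stripped.append(part.get_filename() or "<unnamed>")  # log this for detection
        else:
            kept.append(part)
    msg.set_payload(kept)  # body text survives, blocked parts are gone
    return msg, stripped


def build_sample(sender: str, auth_result: str) -> bytes:
    """Constructed spear-phishing-style message with an .exe attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "staff@example.gov"
    msg["Subject"] = "Updated project figures"
    msg["Authentication-Results"] = auth_result
    msg.set_content("Hi, look at the attached info before the meeting.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="figures.exe")
    return bytes(msg)
```

A From address that merely looks like the boss's is stripped when the MTA recorded `spf=fail`, which is the case a spoofed spear-phishing mail falls into.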
It's pretty obvious they were using Outlook or some IE-based email reader. It's mind-bogglingly ridiculous that the government hasn't installed a *nix OS... one that protects itself from moronic and malevolent users. I thought we'd learn after losing billions in data and productivity in corporate America.
Good grief, I can open any email message without worry, simply because I'm not using Windows. And, I don't care how much it's "patched" or what services are disabled. Continual patches means someone is using/researching exploits before MS can respond.
Unless the government uses a transparent, explicitly customizable open operating system, or creates one themselves, a Windows node on a sensitive network is completely insane. I'm blown away when I see those duds at the government bureaus (e.g., US customs agency, dept. of motor vehicle, etc.).
It seems Bushie's own computer would need to be compromised before anyone gets how serious this has become. (I can imagine the hook that ultimately phishes him: "Osama's hideout seen on Google maps!")
Well this is interesting, so sensitive areas are being hacked. I am not surprised, and I bet we won't hear about it again, and the reason is that the hacking is coming from China. We were warned that this could happen. I put the blame squarely on the shoulders of political correctness, that is in fact nothing less than political cowardice.
What do you mean, "They are starting to roll out standardized desktop images and that is really starting to get up noses, because the users no longer have their admin rights on their machine. They want to install what they want, when they want it, damn the security concerns."
You mean they let users have Admin privileges?
Next you'll tell me that they don't have forced password changes, or that the system won't disallow previously used or weak passwords...
We have 5000 PCs (or thereabout) in my organisation, located at nearly 200 locations, and without proper safety measures...
(Remember Blaster? It infected 3 of our PCs, and two of those were laptops which were infected when they were used at home)
So... 7 emails constitutes a coordinated attack? Is it too far beyond the realms of chaos to say that the pattern is more likely to be attributed to the increasing rate of phishing scams than it is to anyone's particular desire to view government websites? Keep in mind, Los Alamos puts a stupendous amount of data up for the public to view. Chances are, most of those "1,100" attempts were just Google search results of pages that shouldn't have been cached that looked interesting.
The frightening part is not that someone phished national labs, but that the contingency wasn't anticipated, let alone expected on such a giant widely used and viewed webserver and mail server.
Sounds like all highly intelligent people to me - so smart for their own good. High on brainpower, low on common sense. Or, as we used to say of a friend of mine, "Not only is she blind, but she can't see either." So focused on what they are doing, they don't stop to think about anything else. Security on the computer is someone else's job.
It's either China, or the latest CIT class in India trying to earn their graduate credits by finding a way into government databases.