
solution is simple
The solution is simple. Google did it after being hacked, it's now time for ORNL and others to follow suit.
Ban Windows from any sites/networks with sensitive data
One of the most sensitive science labs in the US has shut down all internet access after attackers exploited a vulnerability in Microsoft's Internet Explorer browser to steal data from some of its servers, according to published news reports. The security breach at the Oak Ridge National Laboratory is at least the second time …
The problem is not windows. The problem is incompetent administrators.
A competent Administrator can set up windows so that it's virtually impossible to penetrate. I... look, do you really think the same people running *nix (probably allowing the users to run as root etc) would be any more secure? I mean, seriously?
That's complete garbage, it's down to poor user training and a crap IT dept.
Email should be scrubbed down to plain text only before appearing at the user end with no ability for them to click thru links in an email.
User machines that have Internet access should be on a discrete physical network to their main internal/dev environment and two separated email environments, one internal only and one external only.
USB etc locked down so data can't be moved between the two environments.
MAC address lock down to stop machines being physically moved between the two environments.
The OS has nothing to do with it, learn something about security before talking complete arse
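An added illustration of the mail scrubbing proposed in the comment above (not part of the thread, and not any product's code): a gateway-side filter that flattens a message to a single text/plain part, drops scripts and attachments, and defangs URLs so they cannot be clicked. The names `scrub`, `defang`, `TextOnly` and the sample message are constructed for this example.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"'\])]+", re.I)

class TextOnly(HTMLParser):  # keeps visible text, prints link targets beside labels
    def __init__(self):
        super().__init__()
        self.out, self.hidden = [], False
    def handle_starttag(self, tag, attrs):
        self.hidden = tag in ("script", "style")  # their content is never shown
        if tag == "a" and dict(attrs).get("href"):
            self.out.append(f"[link: {dict(attrs)['href']}] ")
    def handle_endtag(self, tag):
        self.hidden = False
    def handle_data(self, data):
        if not self.hidden:
            self.out.append(data)

def defang(text):  # rewrite URLs so a mail client will not auto-link them
    return URL_RE.sub(lambda m: m.group(0).replace("://", "[://]").replace(".", "[.]"), text)

def scrub(raw):  # flatten a MIME message to one text/plain part, drop the rest
    msg = message_from_string(raw, policy=policy.default)
    chunks, dropped = [], 0
    for part in (p for p in msg.walk() if not p.is_multipart()):
        ctype = part.get_content_type()
        if part.get_content_disposition() == "attachment" or ctype not in ("text/plain", "text/html"):
            dropped += 1
        elif ctype == "text/html":
            parser = TextOnly()
            parser.feed(part.get_content())
            chunks.append("".join(parser.out))
        else:
            chunks.append(part.get_content())
    clean = EmailMessage()
    for name in ("From", "To", "Subject", "Date"):
        if msg[name]:
            clean[name] = str(msg[name])
    clean.set_content(defang("\n".join(chunks)) + f"\n[{dropped} non-text part(s) removed]\n")
    return clean

# Constructed sample (not real traffic): HTML body with a script, plus an attachment.
SAMPLE = EmailMessage()
SAMPLE["From"], SAMPLE["Subject"] = "HR <hr@corp.example.test>", "Benefits update"
SAMPLE.set_content('<p>See <a href="http://benefits.example.test/login">the HR portal</a></p>'
                   '<script>location="http://benefits.example.test/x"</script>', subtype="html")
SAMPLE.add_attachment(b"\x00\x01", maintype="application", subtype="octet-stream", filename="benefits.xls")
```

Printing the link target next to its label also exposes the usual mismatch between what a link says and where it goes.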
No, the vulnerability was the meat sacks that clicked on the link and it always will be where the root of the problem lies. Any computer could be riddled with vulnerabilities on a corporate network and it could be relatively safe from intrusion until that one email with a dodgy link comes in, it could be sitting in the inbox for a millennium with no threat until that one human being clicks on that dodgy link or attachment.
This can be applied to any OS or hardware manufacturer, that's why most intrusions are done with social engineering tricks nowadays rather than a brute force hack as the latter will raise alarms even before they have breached the defenses.
An email arrives in your inbox.
It's from your brother.
Title is, "Plans for Mum's 60th"
There is no attachment.
The email asks you to have a look at a hotel you heard him mention before.
You google for the hotel, and look at its website.
A javascript executes quietly compromising your computer.
Your brother's Yahoo account had been compromised, and the attacker found out about your mother's birthday from his Facebook. The hotel site was an unpatched WordPress installation by the manager's son, and the javascript was inserted into it through an SQL injection.
I hope that you read emails from people you know that are about stuff you expect from them. Sometimes even emails that have attachments. Otherwise... why do you have email?
Blaming the user is fine if no one wants to specifically attack your business. When you are a government lab targeted by professional intelligence agencies, I'm not sure it works.
In one of my previous companies, we used Netscape (it was before MS killed them!). They had a special version of Netscape with certain things switched off (like Javascript!). The firewall for the entire network ignored all browsers, except the special locked-down version of Netscape (It was recognised that IE was bad, even then:)
but they could have spent a little time and resources on subjects like searching for an alternate more secure OS and/or browser (hey, they are a research facility, they can afford that) or caring to look at PKI cryptography for signing/authenticating email messages. Come on, people know by now how easy it is to fall for a message coming from the HR department, so why not cryptographically sign those messages? Six years ago I was working for a utility company in some Eastern Canadian province and they were using this stuff.
Obvious advice, spend less on MS products and instead hire competent people in the security department.
I'm not trying to say MS technology is the worst from a security point of view but what the heck, after all these high profile security incidents exploiting one or more aspects of Microsoft platforms, maybe it is worth the trouble to look for a change. Again, they are a research facility so why not?
"I'm not trying to say MS technology is the worst from a security point of view"
Correct. MS software may (or may not) be less secure than other software, but because MS has such a market dominance in the business desktop arena, the effect of any security weaknesses is magnified many times.
@A Non e-mouse "Correct. MS software may (or may not) be less secure than other software, but because MS has such a market dominance in the business desktop arena, the effect of any security weaknesses is magnified many times."
Well that would make avoiding their software in "One of the most sensitive science labs in the US..." pretty freaking obvious, wouldn't it? Especially after the first few times?
I don't agree with this old meme, but there's the logical fallacy right there.
One place I worked on a contract a few years ago gave me two logins. Fat client laptop with normal account had internet access but no secured data access and a thin client account with secured data access rights but no internet access. Thin client session set for no pass-through or data access from fat client. Secured account only let me log into thin client.
Made for an embuggerance if I needed to send secured stuff externally but apparently they'd had an incident before and had locked the systems down.
There were still compromises made but then only the terminally naive think that you can secure data to completely remove any chance of being stolen.
"Oak Ridge National Labs blamed the breach on an “advanced persistent threat,” a buzz term that seems to mean different things to different people."
Quite so, and methinks the term is designedly disingenuous and a smoke and mirrors ploy to deflect smart attention away from a very sophisticated virtual machine reverse social engineering root/code base floating temptations in advanced persistent treats which are only a threat to fear and loathing command and control systems..... sub-prime administrations ...... with dumb destructive weapons tech disabilities and debilitating dependencies.
Stupid is as stupid does. The problem here is probably one of user education. There are always going to be vulnerabilities in software. Blaming MS makes us feel better, doesn't it, but it isn't helpful. Perhaps these researchers need Windows to do their job? Some archaic nuclear fission modelling software that still only runs with a particular version of Visual C++.
The vuln was made public in pwn2own. The booby trap was injected into the system on April 7 a week before patch tuesday. Pretty hard-core don't you think?
How fucking hard is it to implement a Software Restriction Policy that at a minimum denies access to /temp and external drives!?
Is there some reason that basic users need to be able to run programs from IE/Outlook and external media? Windows can be perfectly secure, but apparently people can't be assed to implement any security other than installing an antivirus program and deciding that their network is secure.
/rant.
Ok so HR receive an email they did not write. RED FLAG!
IT Rapid investigation of the email, If it's deemed to be malicious...
Risk exists that employees clicked (they will deny it)
lock-down and clean up.
Implement Proxy White-list. No other web traffic! << LOCK DOWN!
Examine logs for users.
Scan and check affected PC's
If necessary check all pc's on that network.
restore normal service.
simples.
...then why would we expect Oak Ridge to be capable of the same? Public key encryption has been around for years but, as usual, the cost of these incidents is less than the cost of implementing it.
Over 10% fell for the scam when it has happened before!?! Big, big fail.
who won't take advice from their IT Department and are so infatuated with themselves that they think they are the only ones who ever thought of stealing the other guy's diplomatic mail.
On the other hand, I expect one of our premier nuclear research facilities to be staffed by people who have purchased at least one clue in their lives.
Fire the 10% who clicked and achieve a 10% budget savings while most likely lowering your productivity by a much smaller percentage as these were not the brightest of the bunch. You may even find productivity increases now that the chaff has been removed. That's one of the paradoxes of business, a lot of times adding more employees reduces production.
'Representatives didn't return emails'
Um well they wouldn't would they, it's been turned off.
Seriously though, IE? What were they thinking? I don't let my 14 year old use IE because of the security holes in it. If I had a nuclear lab, I think I'd be a little stricter than that.
Point 1 is down to the 'embed everything' attitude of MS where something like a spreadsheet is ABLE to run external things, probably a Flash object (as that is a common source of holes in getting through). And often there are dozens of ways in Windows to elevate privileges once you can run arbitrary code to do more mischief.
Point 2 is one of life's WTF? questions that is never adequately answered.
As I said, most hacked software in history. Whether a lot of that is down to its popularity is a side question, no doubt some of it is, but it means that even for a similar situation (say hypothetically Linux and Windows had the same number of exploitable bugs) you have far more black-hat skills to deploy against MS' crock.
And yet it is chosen for a sensitive lab? FAIL
Google learned this the hard way and did something about it - changing to Macs. Not perfect (fanbois won't understand that statement) but it reduces the attack opportunities a lot.
Research institutes are always 'top-secret labs' to hacks. Whilst it may very well be true that there is some highly classified research going on in some corner of the lab, the way you deal with it is to have proper controls between the classified and non-classified parts. Like a big air gap, razor wire, killer bees....
It's national research facilities like, for example, the National Supercomputer Centre (which is located there) that the Internet was made for.
TRAIN YOUR USERS.
That is the only way to secure your system from email-and-internet-borne threats.
If your users regularly do stupid things like just clicking on links and opening unrequested attachments without checking what they actually are then no security software in the world can save you.
Security software (eg antivirus) is by definition reactive. At its very best, reactive protection can only save the second victim.
Proactively teaching your users about security 'best practice' can save the first victim.
It would help, but it is NOT the whole answer. Yes you will reduce the number of attempts at penetrating the system, but it is only one aspect.
You need 'security in depth' as each layer always has *some* way of being penetrated.
As seen here, and several other places recently (Google et al, French & Canadian gov, etc) Windows/IE/Office/Flash has been a juicy orifice for entry.
"Nothing of any value is done on the windows boxes"
Except maybe store the home addresses, social security numbers, photos, and other personal data of those who do have access to important stuff?
Not that a Chinese (for the sake of argument) agency would then consider a more traditional spy approach of, say, compromising and attempting to blackmail or convert said workers to agents, would they?
this isn't an IE problem. It's a Keyboard/Chair Interface Error
Folks involved in top secret "stuff" clicking random links in unsecured emails?!
Before blaming IE I'd love to know what OS and patch level they had, what antimalware they are running, what filtering at the edge they do on incoming mail... are they just picking a handy scapegoat to avoid questions about their own competence?
I suspect that, like pretty much every organization over 200 people I have ever worked for, they (management and IT) train the users to allow whatever random "upgrade" someone with a pocket protector pushes to them. Also to never use an alternate email client, or even disable the OutLook preview pane, and always click _immediately_ on every link from anyone "over" them in the hierarchy (which includes anyone in HR or finance, and every admin to office dwellers)...
True story: I once got an email consisting entirely of a Word(tm) document "from the CEO". Got in (mild) trouble for not reading and responding quickly. It came in the same batch of email as an offer of penis pills "from Steve Case @aol". And the MGMT Droids saw _no_reason_whatsoever that the latter was a reason not to trust the former.
Users do what they are rewarded for, and avoid what they are punished for. Sanity in the official procedures 3-ring binder is only there to avoid lawsuits, not to be followed day-to-day.
Phishers look for an email sender that is credible.
Who better than the HR department who almost certainly churn out illiterate and incomprehensible rubbish on a regular basis, therefore are likely to cause less concern when they start addressing people as "My Christian Brother" and similar?
An HR person once invited me to a meeting on the 37th. of the month. Yup, they'd counted the days on their calendar. Dunno how they got to 37 though - Only ever saw one get past 10 myself, and he was wearing elastic-sided shoes...
Put goodies inside a barnyard without a door and surely this is what you'd expect.
The f-wit(s) who allowed Internet 'barnyard-door Explorer' to be installed here ought to be whipped and their life story exposed to WikiLeaks!
(It never ceases to amaze me that people still actually let the internet be connected to computers which contain very sensitive data. Laziness and incompetence seems to know no bounds.)