back to article Top-secret US lab infiltrated by spear phishers – again

One of the most sensitive science labs in the US has shut down all internet access after attackers exploited a vulnerability in Microsoft's Internet Explorer browser to steal data from some of its servers, according to published news reports. The security breach at the Oak Ridge National Laboratory is at least the second time …


This topic is closed for new posts.
  1. Peter 39

    solution is simple

    The solution is simple. Google did it after being hacked, it's now time for ORNL and others to follow suit.

    Ban Windows from any sites/networks with sensitive data

    1. Anonymous Coward
      Anonymous Coward

      Ban incompetence.

      The problem is not windows. The problem is incompetent administrators.

      A competent Administrator can set up windows so that it's virtually impossible to penetrate. I... look, do you really think the same people running *nix (probably allowing the users to run as root etc) would be any more secure? I mean, seriously?

    2. Anonymous Coward

      bollocks, follow some ISO standards

      Thats complete garbage, its down to poor user training and a crap IT dept.

      Email should be scrubbed down to plain text only before appearing at the user end with no ability for them to click thru links in an email.

      User machines that have Internet access should be on a discrete physical network to their main internal/dev environment and two separated email environments, one internal only and one external only.

      USB etc locked down so data cant be moved between the two environments.

      MAC address lock down to stop machines being physically moved between the two environments.

      The OS has nothing to do with it, learn something about security before talking complete arse

      1. Pascal Monett Silver badge

        Incompetence & ISO standards

        Seems to me that the vulnerability targeted was on IE, therefor without Windows there would be no hoopla.

        A data "in the megabytes" is still quite enough to hold thousands of personal details, if not tens of thousands.

        1. Rob

          RE: Incompetence & ISO standards

          No the vulnerability was the meat sacks that clicked on the link and it always will be where the root of the problem lies. Any computer could be riddled with vulnerabilities on a corporate network and it could be relatively safe from intrusion until that one email with a dodgy link comes in, it could be sitting in the inbox for a millenia with no threat until that one human being clicks on that dodgy link or attachment.

          This can be applied to any OS or hardware manufacturer, that's why most intrusions are done with social engineering tricks nowadays rather than a brute force hack as the latter will raise alarms even before they have breached the defenses.

          1. sam 16

            Blaming the user?

            An email arrives in your inbox.

            It's from your brother.

            Title is, "Plans for Mum's 60th"

            There is no attachment.

            The email asks you to have a look at a hotel you heard him mention before.

            You google for the hotel, and look at it's website.

            A javascript executes quietly compromising your computer.

            Your brothers yahoo account had been compromised, and the attacker found out about your mothers birthday from his facebook. The hotel site was an unpatched wordpress installation by the managers son, and the javascript was inserted into it through an SQL injection.

            I hope that you read emails from people you know that are about stuff you expect from them. Sometimes even emails that have attachments. Otherwise... why do you have email?

            Blaming the user is fine if no one wants to specifically attack your business. When you are a government lab targeted by professional intelligence agencies, I'm not sure it works.

  2. Big-nosed Pengie

    "One of the most sensitive science labs in the US"

    and they're using Windows and Ayeee?

    I remember when the US had world-class scientists.

    1. bluesxman

      Why Ayeee?

      Have you tried locking down another browser with group policy?

      1. BristolBachelor Gold badge

        Netscrape, RIP

        In one of my previous companies, we used Netscape (it was before MS killed them!). They had a special version of Netscape with certain things switched off (like Javascript!). The firewall for the entire network ignored all browsers, except the special locked-down version of Netscape (It was recognised that IE was bad, even then:)

  3. Anonymous Coward

    I don't know what is the nature of their research

    but they could have spent a little time an resources on subjects like searching for an alternate more secure OS and/or browser (hey, they are a research facility, they can afford that) or caring to look at PKI cryptography for signing/authenticating email messages. Come on, people know by now how easy is to fall for a message coming from HR department so why not cryptographically sign those messages. Six years ago I was working for a utility company in some Eastern Canadian province and they were using this stuff.

    Obvious advice, spend less on MS products and instead hire competent people in the security department.

    I'm not trying to say MS technology is the worst from a security point of view but what the heck, after all these high profile security incidents exploiting one or more aspects of Microsoft platforms, maybe it is worth the trouble to look for a change. Again, they are a research facility so why not?

    1. A Non e-mouse Silver badge

      Not safety in numbers

      "I'm not trying to say MS technology is the worst from a security point of view"

      Correct. MS software may (or may not) be less secure that other software, but because MS has such a market dominance in the business desktop arena, the effect of any security weaknesses are magnified many times.

      1. Mikel

        Get off the train to crazytown

        @A Non e-mouse "Correct. MS software may (or may not) be less secure that other software, but because MS has such a market dominance in the business desktop arena, the effect of any security weaknesses are magnified many times."

        Well that would make avoiding their software in "One of the most sensitive science labs in the US..." pretty freaking obvious, wouldn't it? Especially after the first few times?

        I don't agree with this old meme, but there's the logical fallacy right there.

  4. trarch

    HR Department Email

    Wait, don't tell me... 2011 Recruitment plan.xls?

    You'd have thought a place like that would have things seriously locked down.

    Locked down like 'no internet access'.

    1. Craig (well, I was until The Reg changed it to Craig 16)

      Slow learners...

      One place I worked on a contract a few years ago gave me two logins. Fat client laptop with normal account had internet access but no secured data access and a thin client account with secured data access rights but no internet access. Thin client session set for no pass-through or data access from fat client. Secured account only let me log into thin client.

      Made for an embuggerance if I needed to send secured stuff externally but apparently they'd had an incident before and had locked the systems down.

      There were still compromises made but then only the terminally naive think that you can secure data to completely remove any chance of being stolen.

  5. jake Silver badge

    Oak Ridge allows IE on-site?

    Gawd/ess. And I thought the Iranian SCADA issue was bad ...

  6. amanfromMars 1 Silver badge

    A New Dawn for Executive Directors in the Digital Era of Virtual Arenas*

    "Oak Ridge National Labs blamed the breach on an “advanced persistent threat,” a buzz term that seems to mean different things to different people."

    Quite so, and methinks the term is designedly disingenuous and a smoke and mirrors ploy to deflect smart attention away from a very sophisticated virtual machine reverse social engineering root/code base floating temptations in advanced persistent treats which are only a threat to fear and loathing command and control systems..... sub-prime administrations ...... with dumb destructive weapons tech disabilities and debilitating dependencies.

  7. This post has been deleted by its author

  8. This post has been deleted by its author

  9. malfeasance

    Blame is only partly ms

    Stupid is as stupid does. The problem here is probably one of user education. There are always going to vulnerabilities insoftware. Blaming ms makes us feel better doesn't it but it isn't helpful; Perhaps these researchers need windows to do their job? Some archaic nuclear fission modelling software that still only runs with a particular version of visual c++.

    The vuln was made public in pwn2own. The booby trap was injected into the system on April 7 a week before patch tuesday. Pretty hard-core don't you think?

  10. Paul Crawford Silver badge


    Valuable site uses most hacked software in history, site gets hacked.

    In related news: Pope though to be Catholic.

    The main "Advanced Persistent Threat" seems to be the prevalence Windows, IE, Adobe flash & acrobat these days. Will no one rid us of this scrounge?

  11. Pen-y-gors

    >Representatives didn't return emails

    well, if their internet access has been completely cut off....

  12. John G Imrie

    They banned attachments

    So the next attack will be html email then.

  13. Anonymous Coward

    chinese hackers downvote posts?

    No, you really really need www via Internet Explorer on Windows in a top secret laboratory, you really do, honestly!

  14. Anonymous Coward
    Anonymous Coward

    I really have to ask.

    How fucking hard is it to implement a Software Restriction Policy that at a minimum denies access to /temp and external drives!?

    Is there some reason that basic users need to be able to run programs from IE/Outlook and external media? Windows can be perfectly secure, but apparently people can't be assed to implement any security other than installing a anti virus program and deciding that their network is secure.


  15. Anonymous Coward


    Ok so HR receive an email they did not write. RED FLAG!

    IT Rapid investigation of the email, If it's deemed to be malicious...

    Risk exists that employees clicked (they will deny it)

    lock-down and clean up.

    Implement Proxy White-list. No other web traffic! << LOCK DOWN!

    Examine logs for users.

    Scan and check affected PC's

    If necessary check all pc's on that network.

    restore normal service.


  16. Anonymous Coward

    If the US can't secure their diplomatic correspondence...

    ...then why would we expect Oak Ridge to be capable of the same? Public key encryption has been around for years but, as usual, the cost of these incidents is less than the cost of implementing it.

    Over 10% fell for the scam when it has happened before!?! Big, big fail.

    1. Tom 13

      Honestly? I expect State is filled with fatheads

      who won't take advice from their IT Department and are so infatuated with themselves that they think they are the only ones who ever thought of stealing the other guy's diplomatic mail.

      On the other hand, I expect one of our premier nuclear research facilities to be staffed by people who have purchased at least one clue in their lives.

    2. Eddie Johnson

      Perfect Opportunity for Deficit Reduction

      Fire the 10% who clicked and achieve a 10% budget savings while most likely lowering your productivity by a much smaller percentage as these were not the brightest of the bunch. You may even find productivity increases now that the chaff has been removed. That's one of the paradoxes of business, a lot of times adding more employees reduces production.

  17. It wasnt me
    Thumb Down

    @Team Reg

    "Representatives didn't return emails and calls seeking comment." - Oh really ?

    Try again today. It says in your own article that their email is being reconnected on Wednesday.

    They also may well have IP phones, which might explain your calls not being returned.

  18. swisstoni

    Stable Door - Bolted

    'Representatives didn't return emails'

    Um well they wouldn't would they, it's been turned off.

    Seriously though, IE? What were they thinking? I don't let my 14 year old use IE because of the security holes in it. If I had a nuclear lab, I think i'd be a little stricter than that.

  19. Anonymous Coward
    Anonymous Coward

    Two things I don't understand

    1. How Microsoft can be blamed if users are taken in by a phishing e-mail.

    2. How any site where security is critical is even giving house-room to microsoft.

    1. Paul Crawford Silver badge

      @Two things I don't understand

      Point 1 is down to the 'embed everything' attitude of MS where something like a spreadsheet is ABLE to run externals things, probably a flash object (as that is a common source of holes in getting through). And often there are dozens of ways in Windows to elevate privileges once you can run arbitrary code to do more mischief.

      Point 2 is one of life's WTF? questions that is never adequately answered.

      As I said, most hacked software in history. Whether a lot of that is down to its popularity is a side question, no doubt some of it it is, but it means that even for a similar situation (say hypothetically Linux and Windows had the same number of exploitable bugs) you have far more black-hat skills to deploy against MS' crock.

      And yet it is chosen for a sensitive lab? FAIL

      Google learned this the hard way and did something about it - changing to Macs. Not perfect (fanbois won't understand that statement) but it reduces the attack opportunities a lot.

      1. Anonymous Coward


        ...on me

        With thanks

  20. CaptainHook

    "Representatives didn't return emails and calls seeking comment."

    Of course they didn't, they were afraid you were another phising attempt.

  21. maccy
    Gates Horns

    The only advanced persistent threat at Oak Ridge ...

    ... is Internet Explorer.

    1. This post has been deleted by its author

  22. Richard 26

    No Internet access?

    Research institutes are always 'top-secret labs' to hacks. Whilst it may very well be true that there is some highly classified research going on in some corner of the lab, the way you deal with it is to have proper controls between the classified and non-classified parts. Like a big air gap, razor wire, killer bees....

    It's national research facilities like, for example, the National Supercomputer Centre (which is located there) that the Internet was made for.

  23. Richard 12 Silver badge

    It's the fault of the Management of the company, pure and simple.


    That is the only way to secure your system from email-and-internet-borne threats.

    If your users regularly do stupid things like just clicking on links and opening unrequested attachments without checking what they actually are then no security software in the world can save you.

    Security software (eg antivirus) is by definition reactive. At its very best, reactive protection can only save the second victim.

    Proactively teaching your users about security 'best practice' can save the first victim.

    1. Paul Crawford Silver badge

      @Richard 12

      It would help, but it is NOT the whole answer. Yes you will reduce the number of attempts at penetrating the system, but it is only one aspect.

      You need 'security in depth' as each layer always has *some* way of being penetrated.

      As seen here, and several other places recently (Google et al, French & Canadian gov, etc) Windows/IE/Office/Flash has been a juicy orifice for entry.

  24. Anonymous Coward

    Total non story

    my brother works there. Nothing of any value is done on the windows boxes, which are mainly left around after vendors try and flog them to the place. It's an ubergeek paradise, with Linux and Cray devotees at every turn.

    Their image processing kit is pretty fearsome though.

    1. Chemist

      Certainly my experience at various research labs is ..

      that Windows was used by the computer illiterate or for 'corporate ' use (HR, marketing, managers, e-mither ) the hard scientific stuff was done generally on Unix or increasingly Linux.

      1. This post has been deleted by its author

    2. Paul Crawford Silver badge

      @Total non story

      "Nothing of any value is done on the windows boxes"

      Except maybe store the home addresses, social security numbers, photos, and other personal data of those who do have access to important stuff?

      Not that a Chinese (for the sake of argument) agency would then consider a more traditional spy approach of, say, compromising and attempting to blackmail or convert said workers to agents, would they?

    3. Graham Wilson

      @ Anonymous coward -- Eh, the story a fabrication then?

      If you're correct then, ipso facto, the El Reg story is crap.


      ...Lessons in formal logic for anyone?

  25. Toolman83

    so is this "advanced persistent threat" called

    "Running windows" ?

    seriously though, you can make the network as secure as you want & the users will find a way to F*** it up.

    The only sure fire way to secure users involves a roll of carpet & an abandoned quarry...

  26. Nameless Faceless Computer User

    I must be missing something

    Why not disconnect the sensitive data from the Internet?

  27. Anonymous Coward
    Anonymous Coward

    KCI Error

    this isn't an IE problem. It's a Keyboard/Chair Interface Error

    Folks involved in top secret "stuff" clicking random links in unsecured emails?!

    Before blaming IE I'd love to know what OS and patch level they had, what antimalware they are running, what filtering at the edge they do on incoming mail... are they just picking a handy scapegoat to avoid questions about their own competance?

  28. Phil Endecott

    Physically disjoint networks, and signed email.

    If this data really is that secret, it should be on a physically disconnected network.

  29. Mike 16

    They do train the users.

    I suspect that, like pretty much every organization over 200 people I have ever worked for, they (management and IT) train the users to allow whatever random "upgrade" someone with a pocket protector pushes to them. Also to never use an alternate email client, or even disable the OutLook preview pane, and always click _immediately_ on every link from anyone "over" them in the hierarchy (which includes anyone in HR or finance, and every admin to office dwellers)...

    True story: I once got an email consisting entirely of a Word(tm) document "from the CEO". Got in (mild) trouble for not reading and responding quickly. It came in the same batch of email as an offer of penis pills "from Steve Case @aol". And the MGMT Droids saw _no_reason_whatsoever that the latter was a reason not to trust the former.

    Users do what they are rewarded for, and avoid what they are punished for. Sanity in the official procedures 3-ring binder is only there to avoid lawsuits, nit to be followed day-to-day.

  30. Steve 72

    Complete Oxymoron

    ... "most sensitive" and Internet Explorer.

    if it's so "sensitive", why is IE in use in the first place?

    I'll leave the Windows part alone.

  31. Anonymous Coward

    They otter know better...

    The fact that a "secure" lab is still using IE is, in my opinion, grounds to dismiss the CIO and CSO on grounds of gross incompetence and negligence.

  32. Anonymous Coward

    It's obvious - get rid of the HR department.

    Phishers look for an email sender that is credible.

    Who better than the HR department who almost certainly churn out illiterate and incomprehensible rubbish on a regular basis, therefore are likely to cause less concern when they start addressing people as "My Christian Brother" and similar?

    An HR person once invited me to a meeting on the 37th. of the month. Yup, they'd counted the days on their calendar. Dunno how they got to 37 though - Only ever saw one get past 10 myself, and he was wearing elastic-sided shoes...

  33. Graham Wilson

    How many years has the world known that IE's a barnyard door? Right, whip the idiots.

    Put goodies inside a barnyard without a door and surely this is what you'd expect.

    The f-wit(s) who allowed Internet 'barnyard-door Explorer' to be installed here ought to be whipped and their life story exposed to WikiLeaks!

    (It never ceases to amaze me that people still actually let the internet be connected to computers which contain very sensitive data. Laziness and incompetence seems to know no bounds.)

This topic is closed for new posts.

Other stories you might like