What do you expect
Nothing in this report surprises me in the slightest. At all.
Welcome to the world of corporate IT in the 21st century. Underresourced, Outsourced, Undecompetent, Outstretched and so on...
Just when it looked like US-China relations couldn’t get any more frosty, news has emerged that defence contractor QinetiQ suffered a massive breach of classified data over three years which may have leaked advanced military secrets to the infamous PLA-linked hacking gang Comment Crew. Bloomberg spoke to Verizon’s Terremark …
They were the over-resourced, led by the corrupt and incompetent, to do the unnecessary for the blindly oblivious
or something like that.....
Doesn't surprise me either. But if anything, HB Gary were given carte blanche by their political and corporate sponsors. And yet somehow, they ended up completely pwned as they proceeded to f*k up their mission.
The Feds and Banksters would have been better off trying to recruit anonymous members directly.
Amazing how such people can even be considered for security work or counter-intel.
Team USA really needs to sharpen up its tools before engaging in cyber warfare with the like of the PLA or the russkies, me thinks. Bloody embarassing
How many companies are currently compromised and don't know it.
How many more have been compromised, but for fear of reputational and financial loss won't disclose it's happened.
Unless this involves some leak it's happened, or bragging rights by the hackers, very few of these ever come to light.
However - let them be a lesson to anyone or any corporation that taking security and data protection is a serious, time-consuming, expensive and specialised business.
"However - let them be a lesson to anyone or any corporation that taking security and data protection is a serious, time-consuming, expensive and specialised business."
And doomed to failure when these machines are connected to the internet. Air gapping has its limitations, but its a damned good start, as is separate systems within the company for separate functions.
It may very well be the actuality and reality that the West is no longer top dog in the intelligence gathering/phishing/phorming world. Get used to it ...... for whenever it be true, would an arrogant denial be even more damaging to western national and international security interests, and thus is it to be avoided at any and all cost.
Well, incompetent and corrupt maybe, but the thing about the secretary's PC made me wonder if this wasn't "just" another aspect of the self-jamming bomber radar fiasco from the 1980s, which was engineered purely from the rather extreme rules on compartmentalization that prevent people from different parts of a large project talking to each other, even the military liaisons assigned to the civilian teams.
Everyone has worked on a project in which different teams did not communicate properly. Now imagine that project if the different teams were prevented form any contact whatsoever other than the original design spec. Now add in modular scope creep and rethinks and stir until there's a loud *snap!* and the smell of frying insulation.
On getting any useful information out of qinetiq - we never managed to while working on a joint project with them.
Not that we wanted to work with them, but anybody doing any sort of high-tech defence project in the UK is 'encouraged' to partner with them. It's fantastic, all the red tape and inefficiency of Soviet era bureaucracy but you get to pay them lots of money.
Facebook graph search. Thousands upon thousands upon thousands of people publicly list their employment position when such position implies access to sensitive data and probably a TS-SCI clearance. It's not hard for the Chinese to friend some of these people, build minimal trust, then get them to click a link to stealthy unpatched 0-day. A fully patched OS won't matter much.
As far as how sloppy/lazy/unenforced security controls are, this video is depressing...
DEFCON 20: An Inside Look Into Defense Industrial Base (DIB) Technical Security Controls
. . . .much access to classified nets was had: they're air-gapped. Now. . . . sensitive stuff being sneakernetted over to the "low" side by the vegetables-that-walk-like-men, that I can see (and DID see. . . ) all the time.
Besides, you don't NEED classified info to get the "merely" sensitive stuff. As noted by others, the state of security on the vast majority of corp nets is a sad, sad joke. ESPECIALLY when Senior Manglement DEMANDS holes in firewalls for preferred apps, admin access on their own boxes. etc. . . We don't NEED the BOFH. . . we have the lusers. . .
Worked in a similar government lab. There were two complete networks, one for normal, one for restricted stuff.
A few scientists and managers naturally needed access to both so their machines got two network cards (this was the 90s)
Then the purchasing system was moved to the 'restricted' net for security reasons, which meant every admin/shipping/stores PC needed a connection to both networks - the result was a super restricted network with 500 bridges to the public network
Seriously, they hired THOSE fools to deal with security? Do they not remember how incompetent they were proven to be? Do they not have Google? Did they also hire Fox, Inc. to deal with security for Henhouse & Co.?
Yeah, not surprised, just wondering why the idiots at QinetQ who make decisions like this should be trusted with secrets more readily than the Chinese, Mossad or Al Qaeda?