Dec 7, 2007

Funny, I can't remember Mike mentioning this

But, he's probably had a lot on his mind lately.

-Gus

_____________________________________________________


07 December 2007

Hackers launch major attack on US military Labs

http://www.techworld.com/security/news/index.cfm?newsID=10867&pagtype=all

By John E. Dunn, techworld


Hackers have succeeded in breaking into the computer systems of two of the US’s most important science labs, the Oak Ridge National Laboratory (ORNL) in Tennessee and Los Alamos National Laboratory in New Mexico.

In what a spokesperson for the Oak Ridge facility described as a “sophisticated cyber attack”, it appears that intruders accessed a database of visitors to the Tennessee lab between 1990 and 2004, which included their social security numbers and dates of birth. Three thousand researchers reportedly visit the lab each year, a who’s who of the science establishment in the US.

The attack was described as being conducted through several waves of phishing emails with malicious attachments, starting on 29 October. Although not stated, these would presumably have launched Trojans if opened, designed to bypass security systems from within, which raises the likelihood that the attacks were targeted specifically at the lab.

ORNL director, Thom Mason, described the attacks in an email to staff earlier this week as being a "coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country."

"Because of the sensitive nature of this event, the laboratory will be unable for some period to discuss further details until we better understand the full nature of this attack," he added.

The ORNL has set up a web page giving an official statement on the attacks, with advice to employees and visitors that they should inform credit agencies so as to minimise the possibility of identity theft.

Less is known about the attacks said to have been launched against the ORNL’s sister-institution at Los Alamos, but the two are said to be linked. It has not been confirmed that the latter facility was penetrated successfully, though given that a Los Alamos spokesman said that staff had been notified of an attack on 9 November – days after the earliest attack wave on the ORNL - the assumption has to be that something untoward happened there as well, and probably at other science labs across the US.

The ORNL is a multi-purpose science lab, a site of technological expertise used in homeland security and military research, and also the site of one of the world’s fastest supercomputers. Los Alamos operates a similar multi-disciplinary approach, but specialises in nuclear weapons research, one of only two such sites doing such top-secret work in the US.

Los Alamos has a chequered security history, having suffered a sequence of embarrassing breaches in recent years. In August of this year, it was revealed that the lab had released sensitive nuclear research data by email, while in 2006 a drug dealer was allegedly found with a USB stick containing data on nuclear weapons tests.

“This appears to be a new low, even drug dealers can get classified information out of Los Alamos," Danielle Brian, executive director of the Project On Government Oversight (POGO), said at the time. Two years earlier, the lab was accused of having lost hard disks

The possibility that the latest attacks were the work of fraudsters will be seen by some as optimistic – less positive would be the possibility of a rival government having been involved. Given the apparently co-ordinated nature of events, speculation will inevitably point to this scenario, with the data theft a cover motivation for more serious incursions.

28 comments:

Anonymous said...

Of course Mikey mentioned it, way back in the first part of November:


To/MS: All Employees
From/MS: Michael R. Anastasio, DIR, A100
Phone/Fax: 7-5101/5-2679
Symbol: DIR-07-324
Date: November 9, 2007



SUBJECT: RECENT HACKING EVENT A REMINDER TO BE CYBER SECURITY
AWARE

For years the Laboratory has been the target of daily, relentless
attacks by hackers by means of SPAM, random pinging, robotic
campaigns, and various other determined, focused, sophisticated
efforts. The Laboratory receives more than 50,000 attacks each
day, and on some days the number reaches half a million. The vast
majority are unsuccessful, but defending against the attacks is
complicated by the difficulty in distinguishing the serious
attacks from all the rest.

Occasionally, a new computer worm or virus comes through the
Laboratory’s unclassified network firewall undetected, resulting
in the compromise of computers. Recently, malicious and
determined hackers have accessed the Lab’s unclassified Yellow
Network and removed a significant amount of unclassified
material. The exact nature of the stolen information is under
forensic investigation.

The affected computers have been disconnected from the Internet
and the hacker’s software has been disabled. The Laboratory’s
Red, or classified, network is “air-gapped” from all
unclassified networks and was not affected.

This recent occurrence is a reminder that awareness is the first
and most important layer of defense against fast-spreading worms
that target known vulnerabilities. The threat of comprehensive,
malevolent attacks is continuous and high.

Here are some things you can do to help protect our network and
your computer from infection:

* Don’t open unknown e-mail attachments or click on suspicious
links.
* Ensure that your computer has the most recent operating
system security patches.
* Ensure your antivirus application is installed, functioning,
and updated with the latest software.
* Ensure that your computer scans all files for viruses.

To better recognize a possible computer security incident and how
to promptly report it to your OCSR (Organizational Computer
Security Representative) and line manager, please take a moment
to refresh your understanding of cyber security issues by
reviewing cyber security training
http://int.lanl.gov/security/cyber/training/training.shtml

Cyber Security Team Contact Information – Web:
http://int.lanl.gov/security/cyber/
Phone: 665-1795 – Fax: 665-1799 – Email: cybersecurity @lanl.gov

You may also access a recent Security Smart on cyber security at
http://int.lanl.gov/security/documents/security-smart/comp_resp_0707.pdf

Gussie Fink-Nottle said...

I stand corrected, 12:35.

-Gus

Anonymous said...

LANL handled this latest cyber-attack much better than ORNL. Won't make any difference, though. Congress and their friends in POGO will still take this opportunity to kick the shit out of LANL, once again.

Anonymous said...

"LANL handled this latest cyber-attack much better than ORNL."

Really? Both labs allowed this vulnerability despite CIAC guidance.

Anonymous said...

Poster 1:11 PM, no one just "allowed this vulnerability" to happen at the labs.

The only secure policy for stopping trojans is to pull the ethernet cables and stop all internet traffic. In the case of national labs, adversarial attacks may come from sophisticated people with very deep pockets and high levels of expertise. We take precaution, sure, but it is ludicrous to think that all these attacks can be stop.

It appears 1:11 PM knows about CIAC. What part of CIAC guidance was ignored in this incident. Care to enlighten us with your great wisdom?

Anonymous said...

Clearly since worms and viruses come in on email which is displayed on the screen, the only solution is to smear JB Weld on everyones monitor.

Anonymous said...

Security has been repeatably asked to monitor e-mail and interent more closely but they won't because "its a lot of effort". There's no reason why everybody is given external e-mail and internet access other than its the easiest thing to do. LANS won't monitor outgoing mail because its too much work.
With the present lazy (or inept) security bureaucracy, problems are sure to continue.

Anonymous said...

If you really want to monitor all outgoing and incoming email and put the staff support in place to do it, it will further raise the cost of doing business. Is that what you want?

Anonymous said...

Wow. this story is on Slashdot now.

Anonymous said...

Yellow needs to be airgapped from the green. Give everybody a basic low cost something-or-other for external email and web browsing. Sneakernet stuff that needs to be transferred from one to the other.

Anonymous said...

Yeah. I'm going to stop telling people that I used to work at LANL.

Anonymous said...

"Funny, I can't remember Mike mentioning this"

Mickey's "personal attorney," Richard Marquez, must have advised him not to.

Anonymous said...

"There's no reason why everybody is given external e-mail and internet access other than its the easiest thing to do." - 5:26 PM

Say, what? You have got to be kidding me!

Do you have any idea of the science requirements at the labs and how research is done? Any idea at all?

Stephen Smoogen said...

I would also like to know what CIAC guidance was missed. This kind of vulnerability can only be 100% stopped by turning off all network access. You are dealing with users being 'tricked' or socially engineered to do something. You can send people to training every couple of days but they will still do dumb things and all it takes is 1 person to do that. And the odds of that one person doing it is going to be non-nill depending on how well crafted the email is.

And once you get that 1 person it is easier to get others because you can use that persons identity/system to trick others. If someone were to send out a RIF list from HR how many people do you think would open it to see if they were on it?

Anonymous said...

Welcome to the wonderful world of Microsoft Windows and malicious attachments.

Oh, and LANL's Best and Brightest. Add them to the mix and you have a sure-fire ticket through the firewall.

Anonymous said...

Our "CIAC" poster still hasn't listed the specific CIAC guidance that would have prevented this latest intrusion. It's put up or shut up time, fella.

Anonymous said...

The Solution:

1) No laptops allowed on the Green Net. You don't know where they may have been sticking their dirty etherent ports!

2) Cheap, light-weight PC clients used for internet access hooked to the Yellow Net.

3) PCs on an air-gapped Green Net which is used for intranet "LANL-only" network. This would be everyone's main work PC.

4) USB pendrives, portable hard drives, and DVDs to transport files between the Yellow Net and Green Net PCs. Pendrives are easy to lose, though, so make sure they are the new type with built-in hardware encryption. Hand these pendrives out for free to anyone at LANL who needs them for transferring files. Use the carrot, and not the stick!

This won't make everyone at LANL happy, but it elminates all dangers of a trojan leak of work related files over the internet. You could also add an HPSS type system to item (4), so that file transfers between the Yellow Net and Green Net could be "pushed" through the LANL networks using a highly protected "transfer" server, much like what is used to do transfers from the open to the secure at LANL.

Anonymous said...

I have a simpler solution, 8:15:

1) Go work somewhere else that isn't quite so fucked up.

Anonymous said...

You obviously don't work at LANL, 8:15.

You got Green and Yellow mixed up.

Anonymous said...

5:26 pm:

"Security has been repeatably asked to monitor e-mail and interent more closely but they won't because "its a lot of effort". There's no reason why everybody is given external e-mail and internet access other than its the easiest thing to do. LANS won't monitor outgoing mail because its too much work."

OK, genious, just how do you propose to "monitor" hundreds of thousands of incoming and outgoing emails every day?? You say, "by keyword lists, of course." Well that has been done for years, and not one of the actual email compromises has been caught by such electronic searches - the "false positive" problem is just too big.

"There's no reason why everybody is given external e-mail and internet access other than its the easiest thing to do." No, it's done because that's how business is done in today's world. Get a clue.

Anonymous said...

Red Net, Green Net, Yellow Net, Blue Net, Lavender Net... who the hell cares about the color of nets we've got running at LANL. Just wire them all together and get some F#@*k'ing work done!

Just kidding.

Anonymous said...

Anonymous at 12/7/07 5:26 PM said...

"There's no reason why everybody is given external e-mail and internet access other than its the easiest thing to do."

This person is clearly not a LANL or LLNL employee nor has s/he ever worked there or possibly anywhere.

Much of the work at LANL involves collaboration with other laboratories, universities, businesses, etc. Much of the communication is done via Email.

Internet access is used by employees to make travel reservations, review conference proceedings, publish technical papers, research procurements on vendors' websites, etc.

Postings such as this are clearly nonsense. Maybe this person is an employee of POGO?

Anonymous said...

All you computer security geniuses: it may have slipped your mind that there is a little bit more than web-surfing and e-mail reading regarding computer use at the lab(s). Maybe GRID-computing tells someone something or distributed databases accessing massive amounts of diverse sets of off-site data. Thus if someone suggests to airgap the yellow network from the green, such type of work would pretty much come to an halt (not all high-performance computing is classified and on the red). But certainly, nobody would need sophisticated high-performance computing for pit production anyway...

Anonymous said...

"It appears 1:11 PM knows about CIAC. What part of CIAC guidance was ignored in this incident. Care to enlighten us with your great wisdom?"

"Our "CIAC" poster still hasn't listed the specific CIAC guidance that would have prevented this latest intrusion. It's put up or shut up time, fella."

Sorry for the delay you dim bulbs, I was actually getting some work done. CIAC issued a notice about a week or two before this event happened warning about this vulnerabiltiy. Apparently, some labs choose to ignore it.

Stephen Smoogen said...

12/8/07 9:43 AM

I have gone over the CIAC lists.. and I am not seeing one that covers this issue. The one that might basically says tells people to use regedit on their own computer but that Adobe doesnt support this method and it could brick your computer. However, the problem was probably not the one fixed by Adobe as documents with those vulnerabilities would have been detected by the multiple layers of anti-virus software that checks email going into the systems. That would say it was yet another Zero day as has been the tendancy in the past. In that case the only fix would have been: Do not allow email in or out of the laboratory.

All it takes is one bad site in the .gov/.mil/.edu and social engineering becomes so much easier. You break into one computer, you find who that person talks to. You exploit that communication and add a zero day trojan. You move from there to the next victim using a different zero day to avoid network fingerprinting software.. If you know that someone at FermiLab talks with someone at ArgonneLab and that person talks to someone at LLNL, who talks to someone at LANL.. and if you have someone at a DOE HQ.. you can probably walk it even faster and farther up.

Since you 'own' each exploited systems keyboard, you do as much as possible via encrypted channels (send the trojan via Entrust/GPG/etc so it is less likely to have been fully checked.)

As much as there are holes in the system.. this is one where people are taking advantage of built in trust mechanisms of the human brain. It is a problem that has been around for 10k years and will probably be with the cockroaches that take over from us.

Anonymous said...

"That would say it was yet another Zero day as has been the tendancy in the past. In that case the only fix would have been: Do not allow email in or out of the laboratory."

Sorry, but not all labs had this vulnerability. This was not a zero day problem.

Stephen Smoogen said...

Well we must be talking about 2 different problems. SNL has had the problem, ORNL had the problem, LLNL had the problem, LANL had the problem... I am trying to figure out who didn't in the NNSA complex.

Stephen Smoogen said...

I will stand corrected on a couple of issues. According to a NYTimes article there was a CERT bulletin that was not public and so I wouldnt know about... (while I once worked for LANL I have not for several years).

http://www.nytimes.com/2007/12/09/us/nationalspecial3/09hack.html?_r=1&ref=technology&oref=slogin

My guess is that this was passed through DOE via CIAC and so it is the one referred. It could also be quite another one as this memo seems to haved been dated after the ORNL incident initially occured (according to this article and others).


http://www.dailytech.com/article.aspx?newsid=9950
http://www.channelregister.co.uk/2007/12/07/national_labs_breached/

I will also agree that any agency (be it LANL or DOE HQ) going on the 'sophisticated attack' really overplays how easy this is. However, that is pretty much a standard 'how to talk to the press about stuff neither the reporter nor the spokesman understand'.