Nov 23, 2008

Go Phish

Frank,
At a meeting last week, it was said that about 1400 of these phishing emails were sent out to LANL managers, and about 400 of them responded. Of those, some actually entered PII (personally identifiable information). The follow-on test will be to send employees thumb drives, CDs, and DVDs to see if they insert them into their computers.
-Anonymous

Anonymous,
Thanks! The CDs and DVDs make great coasters. Save a few for me. I'll be happy to take all of the thumb drives too. All of the USB ports here at Acme Labs are JB Weld free.
Frank

Avoid becoming target of phishing scams

November 20, 2008

A group of Laboratory employees were attacked last week - cyber attacked that is - as part of an effort to test employee awareness about "phishing" scams.

A Laboratory red team conducted a "phishing" attack on some employees. The attack used two different e-mail messages, one from "lans-llc.com" with the subject "LANS Employee Survey," and the other from "employer-rewards.com" with "Congratulations!" in the subject line. The exercise was conducted under the direction of the Chief Information Office.

The e-mails were crafted to appear to be official correspondence, and they asked the employee recipients to click on an embedded link that took them to a Web site, said Maco Stewart of International Research, Analysis, and Technology Development (IAT-1), coordinator of the Lab's Information Security Operations Center. At the Web sites, recipients were prompted to provide additional information to either complete the "survey" or obtain their special gift.

Most employees receiving the e-mails recognized them as scams and either deleted them or reported the phishing attempt to their OCSRs. But some employees did click on the links, said Stewart.

"This type of attack is a common means used by adversaries who attempt to either gather sensitive information or deposit malicious software on the user's system," said Stewart.

Here are some tips to avoid becoming a victim of a phishing scam at work and home:
  • A well configured and patched system is the first line of defense. Contact a system administrator if not sure about the state of your system.
  • Ensure that your e-mail system does not automatically open any links or images. This is a setting that can be verified under the Options or Preferences menu for the email software.
  • Be suspicious of e-mail requests asking for inappropriate information, such as a home e-mail address, Z-numbers, or other personal information. Look for slight irregularities in the address or link, such as lanl.com as opposed to a .gov address.
  • Most e-mail software enables the user to "hover" over a link to see whether the true linked destination site is the same as that shown in the blue text.
Phishing e-mails may contain spelling errors or sound too good to be true. When in doubt, contact an OCSR. Don't click first and ask questions later, as this could compromise both your system and potentially, other systems on the network.

Employees should forward suspicious e-mails to csirt@lanl.gov and contact the Cyber Security Incident Response Team (CSIRT) at 5-8641. All information security events or incidents also must be reported to the SIT at 5-3505 during normal business hours or through SOC-Los Alamos after hours at 5-1279.

A list of cyber security contacts is here.

14 comments:

Anonymous said...

In my experience, if you forward a suspicious email to the cybersecurity folks, you get a nastygram back that tells you not to forward them any emails with suspicious attachments.

It's a nice customer service touch.

Anonymous said...

So almost 30% of our brillant managers at LANL were taken in by this internal phishing scheme?

Marvelous! It's clear that the manager ranks at LANL are full of the best and brightest that money can buy.

Anonymous said...

Imagine what the percentage would be had the phish been the opportunity to provide 360 degree feedback on Terry Wallace.

Anonymous said...

The solution to cybersecurity woes at the lab are so easily solved. We need to get rid of all the PCs and give everyone an Apple because Apple computers are immune to any type of virus or cyber attack. The added benefit of everyone using an Apple is that it fits in perfectly with the work free safety zone.

Anonymous said...

Someone said that Redondo was among the managers that fell for the phishing scheme.

Anonymous said...

Where's my promised gift? I entered my password into the site and that damn site didn't give me anything!!!

- Mikey

Anonymous said...

Did all those hundreds of LANL managers who fell for this scheme report it to the RLMs that sit above them and to their Cyber Security officers and OSCRs? Inquiring minds want to know. Did they follow LANL policies on this matter?

Anonymous said...

With all these attacks now coming from our very own people at LANL, I don't know what or who to trust any longer.

Do you respond to what look like official E-mails?

Are all the links on the labs web page safe, especially the links to outside news organizations?

If LANL's SMS PC management system puts up a dialog box asking me to restart my Window system, is it really the lab's SMS system asking me to do this?

It seems you can't trust much of anything at LANL at this point.

Anonymous said...

Flushing the daily "Links" email w/o reading is now sop in my group.

Anonymous said...

LANL's Email delivery system is going to be turned off over the holidays. If you are a researcher who needs to keep in contact with colleages you had better start doing it using a Google GMail account. But note that GMail can't even make it through LANL's Email system any longer. Is this any way to run a top research lab?

Anonymous said...

Can someone explain to me a rational reason why ZIP file attachments can't be used with LANL Email even when the Email only moves inside the lab?

You would think LANL could scan the ZIP file to look inside for any problems in the archive, but no, they simply ban all ZIP attachments.

This is a crazy. What's next, banning all PDF attachments?

Anonymous said...

Saw a letter entitled "LANS Pension Center" in my mail at home tonight. On opening it up, I found it contained almost zero information about the true state of the TCP1 pension.

It says:

"An actuary's statement show that enough money was contributed to the plan to keep it funded in accordance with the minimum funding standards of ERISA".

And that means... what, exactly? That it's 60% funded? 50% funded? That is contained at least some money way back in 2007?

It also lists the amount of funds on hand between July 1 2007 to Dec 31 of 2007. That's ancient history, LANS. Corporate pensions around the country are reporting losses of around 25% to 30% YTD. The TCP1 pension is only report what happened way back in '07!

Hello, LANS? Are you listening? The employees are worried and want accurate and timely data on their pension assets. If you can't seem to compute this data in a timely fashion and communicate it to your employees (even though other companies across America seem to handle this task with no problem), then perhaps we really do have something serious to worry about in regards to the handling of our TCP1's assets!

Anonymous said...

9:44 PM asked "Hello, LANS? Are you listening?"

Obvioulsy not as Terry Wallace still has a job.

greg close said...

11/25/08 9:44 PM re: LANS Pension Center

You left out the part of the letter that tells you if you want more detailed information to request it. So, follow the instructions if you want more info.

Also, this IS the exact same report that most companies send annually (with no problem). Most companies do not send a detailed prospectus with the SAR.

The SAR released in 2008 covers the 2007 plan year. That's the law, under ERISA. Pending approvals, there will be an interim communication on TCP1 prior to the SAR for the 2008 plan year, which otherwise wouldn't be due until this time next year.

When you get a letter like this, I recommend asking for an explanation from benefits@lanl.gov before leaping to your conclusion. You might find it more informative and more helpful, if a little less incinedary. At least then, you can take issue with the answer LANS has/hasn't provided rather than making bad assumptions out of ignorance.