Dec 10, 2008

Where are my Cyber Yak-Trax?

In the spirit of the upcoming holidays, I'm going to try a constructive post for a change. Todays' Lab Newsbulletin contains a story headlined "Malicious phishing e-mail infects users who took the bait." Some excerpts:
Despite a series of warnings to Laboratory workers, a well-crafted malicious e-mail persuaded a number of employees to click on a link, resulting in the infection and confiscation of several Laboratory systems... This latest attack used verbiage that appeared to come from a Lab employee (although the associated phone number was faked), and the apparent "From:" address was a Google Gmail address rather than an internal address.

"Because I tend to be in a rush to get through my e-mail, I tend to want to accept what makes it into my inbox," said Maco Stewart of International Research, Analysis, and Technology Development (IAT-1), coordinator of the Lab's Information Security Operations Center. "Rather than have my computer get infected and confiscated, I'm trying to make myself check twice before I actually click on something or open any attachment. Many people don't completely back up their systems, either, and the complete system wipe and rebuild that's required after an infection can really ruin a person's productivity."
All of this "be careful" language reminds me of how the Lab approached the problem of falls on the winter ice for so many years. "Be careful," "go slow," "walk like a penguin." Wonderful advice - especially in hindsight - but how about clearing off the ice and snow in the first place, boss?! Those who have taken Human Performance Improvement training (allegedly the Lab's current safety program) will recognize that eliminating the source of the error is the best line of defense.

In that spirit, do readers have suggestions on how to really solve the cybersecurity threat? It's been made clear on several occasions that despite what they say, LANL's senior managers read the blog very closely. So maybe this is a better way to communicate than putting up Readers' Forum letters which will simply be dismissed by some appointed lackey.

Here are a few:

1. One root cause, suggested by Maco Stewart's quote above, is simply "too damn much email." In my opinion, it is time to stick a fork in the daily LINKS which is read by nobody, except perhaps the people who write it. Earlier this week a new mailing list was created for hosts of foreign nationals (over 300 subscribers) with the explanation that "Not everyone has the time (or inclination) to read Links regularly and it is rather easy to miss items of interest, such as Tuesday's FN and FN host meeting with Terry." At least this guy has the balls to be honest. LINKS no longer contains any items of any significance because nobody trusts that it will be read. It is an abject failure, so please stick a fork in it!

2. If there is a performance bonus riding on the continued existence of LINKS, then we obviously can't get rid of it. So instead, let's ride herd on the use of internal majordomo mailing lists. I checked mine this morning and found I've been signed up for over 50 emailing lists! (Almost as bad as the holiday catalog blitz in my mailbox at home). It gets even worse when idiots start replying to the entire mailing list with "Please unsubscribe me" and then ten other idiots reply "Yeah, me too." So here's a suggestion: Immediately kill off any mailing list that has more than 5% of the laboratory population subscribed to it, unless the list owner can prove that they need to communicate time-sensitive information (e.g. road closures). All information that applies to more than 5% of the lab's population goes on LINKS or the Newsbulletin. Some of the worst offenders on my list: lanldpr (>2000 subscribers), hrp_newsletter (>2100 subscribers), fsa_mastercard_recipients (>1200 subscribers), mylanl_users (>1000 subscribers), and cremusers (>1900 subscribers). If your mailing list is that large, and you are not the Laboratory Director or a PAD, then you technically qualify as a "spammer" and should be taken out and shot immediately.

3. Some here have promoted the idea of unplugging everyone below the AD level from the network. I'm increasingly leaning toward this solution, myself.

I look forward to other suggestions from your readers.

Merry Christmas, y'all.


Anonymous said...

I have my email set so that anything from Neu or Wallace, as well as Links, automatically goes into my "trash" folder.

Anonymous said...

I beat everyone to the punch and decided to stop the insanity by logging in to and unsubscribed myself from every email list I could. My email went from ~ 180 a day to 10. If someone other than my immediate work team/group wants something from me they better send it directly. If not they will not here from me and I will not have to respond to all the nonsense and misinformation. I feel much better.

Anonymous said...

Definitely a good idea 8:23. While I'm pretty good about deleting most emails without reading, it is time to just get off email lists such as "TR Highlights" if possible as well (email + attachments of the same email in different formats).

Is it possible to block email from certain addresses?

greg close said...

12/10/08 8:21 PM If you delete LINKS out of hand, you run the risk of missing institutional communications of import (like, for instance, re-enrolling in your FSA for Open Enrollment). Granted, there is an abundance of crap in LINKS of no relevance on a day-to-day basis - but do you really want to miss the stuff that is? take 2 seconds to browse it and then trash it, for your own protection.

Anonymous said...

12/11/08 10:17 AM - Links I still want and get.

12/10/08 11:32 PM - There are various ways of doing this. Without knowing your particular configuration it would be hard to advise what is best. If you get email from the institutional servers you could set a filter up with your email program based on a myriad of possibilities. I do this with other messages I get that I cannot unsubscribe from. I then have the filter mark it read and send it to the trash and NEVER look in the trash as that would defeat the entire purpose.

Anonymous said...

Working for an institution like LANS, you ignore "broadcast" messages at your peril. How long do you think your "I didn't want the crap" attitude will protect your job if some manager gets pissed enough to fire you, or just make your life daily hell? If you don't care about that, why are you still here?

Anonymous said...

12/11/08 8:16 PM

What the hell are you talking about? I look at links and the LANL home page every day at my convenience. Important stuff is usually in one of those two places. You sound angry.

Anonymous said...

"Working for an institution like LANS, you ignore "broadcast" messages at your peril. "


Anonymous said...

Looks like LANL cyber-security has decided to pulled the plug to all outside internet access for anyone using IE7 due to a serious security hole in this Microsoft product.

Of course, we all know that only clueless top executives at LANS still use IE7 as their browser.

Anonymous said...

I skim through Links every morning. It takes a few seconds, and there are useful bits.

Anonymous said...

How to tell if you might have an 'Anal Retentive' personality?

You carefully skim through the Lab Links each and every morning in fear that you might miss something important!

Frank Young said...

If you are scanning for blog fodder then it's ok.

Anonymous said...

LANS is messing with the employee 401k plans. Employees will have to start paying Fidelity $62/yr to administer their captive 401k accounts starting in '09.

Anonymous said...

Could be worse, 9:15 PM. LANS could decide to only give retiree medical benefits at full cost, freeze out the TCP1 pension, and drop matching contributions to TCP2.

Opps, did I just give LANS some new ideas?

Anonymous said...

"LANS is messing with the employee 401k plans. Employees will have to start paying Fidelity $62/yr to administer their captive 401k accounts starting in '09."

Huh? I thought the $62 was just for admistering the brokerage portion, if you elect to use it. Besides, you pay Fidelity anyway through fees attached to your funds.

Anonymous said...

Huh? 7:40PM - Check again.