Comments on LANL: The Rest of the Story: Funny, I can't remember Mike mentioning this

Comment feed for the blog "LANL: The Rest of the Story" (blog author Frank Young, http://www.blogger.com/profile/02134775226991383924). Feed last updated 2023-08-27 06:53 -06:00. 25 of 28 comments shown, newest first.


Stephen Smoogen (https://www.blogger.com/profile/17026786034163911165), 2007-12-08 21:58 -07:00:

I will stand corrected on a couple of issues. According to a NYTimes article there was a CERT bulletin that was not public and so I wouldn't know about... (while I once worked for LANL I have not for several years).

http://www.nytimes.com/2007/12/09/us/nationalspecial3/09hack.html?_r=1&ref=technology&oref=slogin

My guess is that this was passed through DOE via CIAC and so it is the one referred to. It could also be quite another one as this memo seems to have been dated after the ORNL incident initially occurred (according to this article and others).

http://www.dailytech.com/article.aspx?newsid=9950
http://www.channelregister.co.uk/2007/12/07/national_labs_breached/

I will also agree that any agency (be it LANL or DOE HQ) going on about the 'sophisticated attack' really overplays how easy this is. However, that is pretty much a standard 'how to talk to the press about stuff neither the reporter nor the spokesman understand'.


Stephen Smoogen, 2007-12-08 19:17 -07:00:

Well we must be talking about 2 different problems. SNL has had the problem, ORNL had the problem, LLNL had the problem, LANL had the problem...
I am trying to figure out who didn't in the NNSA complex.


Anonymous, 2007-12-08 15:55 -07:00:

"That would say it was yet another Zero day as has been the tendency in the past. In that case the only fix would have been: Do not allow email in or out of the laboratory."

Sorry, but not all labs had this vulnerability. This was not a zero day problem.


Stephen Smoogen, 2007-12-08 11:54 -07:00:

12/8/07 9:43 AM

I have gone over the CIAC lists.. and I am not seeing one that covers this issue. The one that might basically tells people to use regedit on their own computer but that Adobe doesn't support this method and it could brick your computer. However, the problem was probably not the one fixed by Adobe as documents with those vulnerabilities would have been detected by the multiple layers of anti-virus software that checks email going into the systems. That would say it was yet another Zero day as has been the tendency in the past. In that case the only fix would have been: Do not allow email in or out of the laboratory.

All it takes is one bad site in the .gov/.mil/.edu and social engineering becomes so much easier. You break into one computer, you find who that person talks to. You exploit that communication and add a zero day trojan. You move from there to the next victim using a different zero day to avoid network fingerprinting software.. If you know that someone at FermiLab talks with someone at ArgonneLab and that person talks to someone at LLNL, who talks to someone at LANL.. and if you have someone at a DOE HQ..
you can probably walk it even faster and farther up.

Since you 'own' each exploited system's keyboard, you do as much as possible via encrypted channels (send the trojan via Entrust/GPG/etc so it is less likely to have been fully checked.)

As much as there are holes in the system.. this is one where people are taking advantage of built-in trust mechanisms of the human brain. It is a problem that has been around for 10k years and will probably be with the cockroaches that take over from us.


Anonymous, 2007-12-08 09:43 -07:00:

"It appears 1:11 PM knows about CIAC. What part of CIAC guidance was ignored in this incident. Care to enlighten us with your great wisdom?"

"Our "CIAC" poster still hasn't listed the specific CIAC guidance that would have prevented this latest intrusion. It's put up or shut up time, fella."

Sorry for the delay you dim bulbs, I was actually getting some work done. CIAC issued a notice about a week or two before this event happened warning about this vulnerability. Apparently, some labs chose to ignore it.


Anonymous, 2007-12-08 08:57 -07:00:

All you computer security geniuses: it may have slipped your mind that there is a little bit more than web-surfing and e-mail reading regarding computer use at the lab(s). Maybe GRID-computing tells someone something or distributed databases accessing massive amounts of diverse sets of off-site data. Thus if someone suggests to airgap the yellow network from the green, such type of work would pretty much come to a halt (not all high-performance computing is classified and on the red).
But certainly, nobody would need sophisticated high-performance computing for pit production anyway...


Anonymous, 2007-12-08 06:08 -07:00:

Anonymous at 12/7/07 5:26 PM said...

"There's no reason why everybody is given external e-mail and internet access other than it's the easiest thing to do."

This person is clearly not a LANL or LLNL employee nor has s/he ever worked there or possibly anywhere.

Much of the work at LANL involves collaboration with other laboratories, universities, businesses, etc. Much of the communication is done via Email.

Internet access is used by employees to make travel reservations, review conference proceedings, publish technical papers, research procurements on vendors' websites, etc.

Postings such as this are clearly nonsense. Maybe this person is an employee of POGO?


Anonymous, 2007-12-07 23:17 -07:00:

Red Net, Green Net, Yellow Net, Blue Net, Lavender Net... who the hell cares about the color of nets we've got running at LANL. Just wire them all together and get some F#@*k'ing work done!

Just kidding.


Anonymous, 2007-12-07 22:10 -07:00:

5:26 pm:

"Security has been repeatedly asked to monitor e-mail and internet more closely but they won't because "it's a lot of effort". There's no reason why everybody is given external e-mail and internet access other than it's the easiest thing to do.
LANS won't monitor outgoing mail because it's too much work."

OK, genius, just how do you propose to "monitor" hundreds of thousands of incoming and outgoing emails every day?? You say, "by keyword lists, of course." Well that has been done for years, and not one of the actual email compromises has been caught by such electronic searches - the "false positive" problem is just too big.

"There's no reason why everybody is given external e-mail and internet access other than it's the easiest thing to do." No, it's done because that's how business is done in today's world. Get a clue.


Anonymous, 2007-12-07 20:48 -07:00:

You obviously don't work at LANL, 8:15.

You got Green and Yellow mixed up.


Anonymous, 2007-12-07 20:25 -07:00:

I have a simpler solution, 8:15:

1) Go work somewhere else that isn't quite so fucked up.


Anonymous, 2007-12-07 20:15 -07:00:

The Solution:

1) No laptops allowed on the Green Net. You don't know where they may have been sticking their dirty ethernet ports!

2) Cheap, light-weight PC clients used for internet access hooked to the Yellow Net.

3) PCs on an air-gapped Green Net which is used for the intranet "LANL-only" network. This would be everyone's main work PC.

4) USB pendrives, portable hard drives, and DVDs to transport files between the Yellow Net and Green Net PCs. Pendrives are easy to lose, though, so make sure they are the new type with built-in hardware encryption.
Hand these pendrives out for free to anyone at LANL who needs them for transferring files. Use the carrot, and not the stick!

This won't make everyone at LANL happy, but it eliminates all dangers of a trojan leak of work-related files over the internet. You could also add an HPSS type system to item (4), so that file transfers between the Yellow Net and Green Net could be "pushed" through the LANL networks using a highly protected "transfer" server, much like what is used to do transfers from the open to the secure at LANL.


Anonymous, 2007-12-07 19:53 -07:00:

Our "CIAC" poster still hasn't listed the specific CIAC guidance that would have prevented this latest intrusion. It's put up or shut up time, fella.


Anonymous, 2007-12-07 19:35 -07:00:

Welcome to the wonderful world of Microsoft Windows and malicious attachments.

Oh, and LANL's Best and Brightest. Add them to the mix and you have a sure-fire ticket through the firewall.


Stephen Smoogen, 2007-12-07 19:27 -07:00:

I would also like to know what CIAC guidance was missed. This kind of vulnerability can only be 100% stopped by turning off all network access. You are dealing with users being 'tricked' or socially engineered to do something. You can send people to training every couple of days but they will still do dumb things and all it takes is 1 person to do that. And the odds of that one person doing it is going to be non-nil depending on how well crafted the email is.

And once you get that 1 person it is easier to get others because you can use that person's identity/system to trick others. If someone were to send out a RIF list from HR how many people do you think would open it to see if they were on it?


Anonymous, 2007-12-07 19:15 -07:00:

"There's no reason why everybody is given external e-mail and internet access other than it's the easiest thing to do." - 5:26 PM

Say, what? You have got to be kidding me!

Do you have any idea of the science requirements at the labs and how research is done? Any idea at all?


Anonymous, 2007-12-07 18:52 -07:00:

"Funny, I can't remember Mike mentioning this"

Mickey's "personal attorney," Richard Marquez, must have advised him not to.


Anonymous, 2007-12-07 18:44 -07:00:

Yeah. I'm going to stop telling people that I used to work at LANL.


Anonymous, 2007-12-07 18:38 -07:00:

Yellow needs to be airgapped from the green. Give everybody a basic low cost something-or-other for external email and web browsing. Sneakernet stuff that needs to be transferred from one to the other.


Anonymous, 2007-12-07 18:31 -07:00:

Wow. This story is on Slashdot now.


Anonymous, 2007-12-07 17:58 -07:00:

If you really want to monitor all outgoing and incoming email and put the staff support in place to do it, it will further raise the cost of doing business. Is that what you want?


Anonymous, 2007-12-07 17:26 -07:00:

Security has been repeatedly asked to monitor e-mail and internet more closely but they won't because "it's a lot of effort". There's no reason why everybody is given external e-mail and internet access other than it's the easiest thing to do. LANS won't monitor outgoing mail because it's too much work.
With the present lazy (or inept) security bureaucracy, problems are sure to continue.


Anonymous, 2007-12-07 16:52 -07:00:

Clearly since worms and viruses come in on email which is displayed on the screen, the only solution is to smear JB Weld on everyone's monitor.


Anonymous, 2007-12-07 14:48 -07:00:

Poster 1:11 PM, no one just "allowed this vulnerability" to happen at the labs.

The only secure policy for stopping trojans is to pull the ethernet cables and stop all internet traffic. In the case of national labs, adversarial attacks may come from sophisticated people with very deep pockets and high levels of expertise. We take precautions, sure, but it is ludicrous to think that all these attacks can be stopped.

It appears 1:11 PM knows about CIAC. What part of CIAC guidance was ignored in this incident? Care to enlighten us with your great wisdom?


Anonymous, 2007-12-07 13:11 -07:00:

"LANL handled this latest cyber-attack much better than ORNL."

Really? Both labs allowed this vulnerability despite CIAC guidance.
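Two controls are argued over in the thread above: keyword scanning of mail, which the 10:10 PM commenter says drowns in false positives, and checks on the malicious attachments that the 7:35 PM and 7:27 PM commenters describe as the actual entry point. The following is an added example written for this page; it is not code from the blog, from any commenter, or from LANL, CIAC or any lab gateway. It runs a toy mail-gateway policy over three constructed messages so the two signals can be compared side by side: the keyword list (constructed), the internal domain "lab.example" (a placeholder), and the three messages are all made up for the demonstration.

```python
import os
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed keyword list of the kind a "scan the mail for keywords" scheme relies on.
KEYWORDS = ("classified", "weapon", "pit production", "export controlled")

# Attachment extensions a cautious gateway holds for review regardless of who sent them.
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".js", ".vbs")
# Document types that are legitimate day to day but are common trojan carriers;
# this toy policy holds them only when they arrive from outside the organisation.
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".xls", ".ppt")

# Placeholder internal domain for the demonstration (not a real lab domain).
INTERNAL_DOMAINS = {"lab.example"}


def keyword_hits(msg):
    """Return the keywords found in the plain-text body, case-insensitively."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    return [k for k in KEYWORDS if k in text]


def attachment_findings(msg, sender_is_external):
    """Return (filename, reason) pairs for attachments the policy would hold."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = os.path.splitext(name)[1]
        if ext in RISKY_EXTENSIONS:
            findings.append((name, "executable attachment"))
        elif sender_is_external and ext in DOCUMENT_EXTENSIONS:
            findings.append((name, "document from external sender"))
    return findings


def classify(msg, internal_domains):
    """Decide what the toy gateway does with one message, and report both signals."""
    _, sender = parseaddr(str(msg["From"]))
    domain = sender.rpartition("@")[2].lower()
    external = domain not in internal_domains
    held = attachment_findings(msg, external)
    return {
        "from": sender,
        "external": external,
        "keyword_hits": keyword_hits(msg),      # reported for a human to review
        "attachments_held": held,              # the signal that decides the verdict
        "verdict": "hold_for_review" if held else "deliver",
    }


def build_message(sender, recipient, subject, body, attachment=None):
    """Construct a sample message; attachment is (filename, bytes) or None."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        filename, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg


# Three constructed messages (none are real mail).
SAMPLES = {
    # Legitimate collaboration mail whose talk title trips the keyword scan.
    "collaborator": build_message(
        "pi@university.example", "scientist@lab.example", "Slides for Tuesday",
        "Attached later today: my talk 'Modeling heat flow in pit production tooling'. "
        "Nothing export controlled in it, just the public version."),
    # A lure of the kind the thread describes: bland wording, a document, an outside sender.
    "lure": build_message(
        "hr-notices@lab-example.net", "scientist@lab.example", "Updated staffing list",
        "Please see the attached list and let me know if you have questions.",
        attachment=("staffing_list.pdf", b"%PDF-1.4 constructed placeholder, not a document")),
    # The same document type from an internal colleague is delivered.
    "internal": build_message(
        "colleague@lab.example", "scientist@lab.example", "Draft report",
        "Draft attached, comments welcome.",
        attachment=("draft_report.pdf", b"%PDF-1.4 constructed placeholder")),
}


def run_samples():
    """Classify every sample and return the results keyed by sample name."""
    return {name: classify(msg, INTERNAL_DOMAINS) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, result)
```

Run as written, the collaborator's mail is the one that produces keyword hits ("pit production", "export controlled") and is still delivered, while the lure produces no keyword hits at all and is held purely because a document arrived from an outside domain. That is the shape of the disagreement in the thread: the keyword signal fires on ordinary science correspondence, so a reviewer drowns in it, whereas an attachment-and-origin rule is cheap to evaluate and does not depend on the wording of the lure. The external-sender check here trusts the From header, which a real gateway should not do on its own; it would combine it with the connecting host and SPF/DKIM results.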