
Two labs of America's top scientists have fallen for the oldest trick in the hackers' book

DailyTech featured a blog yesterday on how the media frequently reports on so-called "hacks" with little understanding of what happened, engaging in an irresponsible brand of journalism that borders on alarmism.  The problem is exacerbated by the fact that people really do fall victim to Internet scams, even rather smart ones, which reporters dubiously call "hacks."

One such report, featured on ABC News, concluded that two nuclear labs had been "hacked."  The true story is a bit more entertaining and reveals that there is no threat to the country's nuclear safety.  Real threats, such as concerted "hacks" conducted by the Chinese against the U.S. government, are certainly a concern, but the only thing dangerous about the compromise at these labs is the stupidity of a few scientists and workers at the plants.

The Oak Ridge National Laboratory (ORNL) in Tennessee and Los Alamos National Lab in New Mexico have made a habit of collecting the social security numbers, names, and birth dates of scientists who visit the plants.  The information is put into a database, which reads like a who's who of America's top scientists.

Unfortunately, nobody thought such a practice might be a bit insecure.  Starting October 29, workers at the labs began receiving phishing emails that followed a traditional attack pattern: attachments carrying a Trojan.

There is no evidence that the attacks were specifically aimed at the labs.  If the attacks were just a general Internet attack, those responsible might have been excited at the big fish they caught.  Both labs have reported that the phishing emails gained access to their systems, which indicates that at least two employees -- one at each plant -- were foolish enough to open the attachment and set the damage in motion.  The result was that the database with the scientists' information was compromised.

The phishers gained access to the records of all visitors at the plant between 1999 and 2004. 

Don't blame the news networks solely for sensationalizing the attack and making it sound like a sophisticated assault.  Leaders at the labs have gone on record trying to fudge the facts in statements, making the attacks sound more complex than they really are and glossing over the fact that the attacks only succeeded because of employee failures.

For example, ORNL director Thom Mason stated that the attacks were a "coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country," and continued, "Because of the sensitive nature of this event, the laboratory will be unable for some period to discuss further details until we better understand the full nature of this attack."

Los Alamos has been more silent about what appears to prove the old adage that the greatest hole in security on the average computer network is the network's users.

In 2006 Los Alamos fell victim to social engineering and phishing when its emails were stolen and ended up on the USB stick of a drug dealer found in a police raid.  The emails contained data on simulated nuclear weapons tests that was considered sensitive.

At the time, Danielle Brian, executive director of the Project On Government Oversight (POGO), blasted Los Alamos for its lax security, stating, "This appears to be a new low, even drug dealers can get classified information out of Los Alamos."

Expect more pressure on ORNL and LANL as the smoke of sensationalism begins to blow away, revealing atrocious security due to user stupidity.  It looks like some of America's top minds have just fallen for one of the oldest tricks in the hackers' book.


Comments



socialing...
By tobrien on 12/8/2007 8:11:23 PM , Rating: 2
Correct me if I'm wrong, but the socialing was done via phone initially, correct? I'm wondering because as far as I'm aware, telephone is the more or less "standard" means of socialing, right?

What I mean is that is there no way to completely defend against social engineering? Like there are countless easy to use phone spoofing services out there, but can't they just use some sort of private phone line or keep the public from being able to call the center?




RE: socialing...
By Zelvek on 12/9/2007 12:03:51 AM , Rating: 5
Social engineering can be done through any medium; all one needs do is convince someone that they can be trusted. Even in such cases where social engineering is used over the phone, no one with any degree of common sense should give out important info without proper verification. The fact that people fall for such simple hoaxes is a sad affair.


RE: socialing...
By KristopherKubicki (blog) on 12/9/2007 12:26:58 AM , Rating: 5
The fact that such smart people fall for such hoaxes has me appalled.


RE: socialing...
By SiliconAddict on 12/9/2007 1:44:43 AM , Rating: 2
You'd think people, especially geeks, would know by now that intelligence only plays a part in critical thinking. I've seen my fair share of people with PhDs who really are pretty damn stupid when it falls outside their realm of expertise.


RE: socialing...
By Pythias on 12/9/2007 3:09:00 AM , Rating: 3
Educated and/or trained does not equal "smart". I bet the crack dealer on the corner wouldn't have fallen for this scam.


RE: socialing...
By Alexstarfire on 12/9/2007 3:52:36 AM , Rating: 3
Yep, that's why we have book smarts and street smarts. You usually have one or the other, not both.


RE: socialing...
By Manch on 12/9/2007 6:53:53 AM , Rating: 2
I think I have a little of both! For example:

My 2 guns popping 2 bullets each in your skinny ass equals 4 holes!!! How do you like them apples?! waddup!

Just playin'. Seriously though, I work with a lot of "smart" people and they are the dumbest smart people I have ever met. I don't know how many times I've had to tell them, well, pick an example, and these morons have done it. Some people just don't learn.

"No, the naked Anna Kournikova pics and the Britney box shot are bad!"

"Yeah, the first one is bad cuz it contains malicious logic, but the other is just bad for your eyes!"


RE: socialing...
By LogicallyGenius on 12/9/07, Rating: -1
RE: socialing...
By clovell on 12/9/2007 9:31:58 AM , Rating: 3
What happens if I call you a douchebag?


RE: socialing...
By Manch on 12/9/2007 3:13:36 PM , Rating: 2
terrorist


RE: socialing...
By T4RTER S4UCE on 12/9/2007 3:39:16 PM , Rating: 2
I don't know about 3 billion, but maybe 1.5 billion, because as South Park has taught us, 1/4th of the population is retarded.


RE: socialing...
By Pythias on 12/17/2007 11:32:10 PM , Rating: 2
I desperately await a cure for your cranial rectosis.


RE: socialing...
By Nik00117 on 12/9/2007 11:51:51 AM , Rating: 2
Gotta tell you, that crack dealer wouldn't have fallen for the fraud.

I will admit it, I consider myself very smart. Very street smart too and I fell for a scam once as well.

However, out of all the attempts people have made to scam me, the times I've turned the tables on them (as in got their info and gave it to the cops) beat the rest.

I remember once, "Discover" called my dad saying there was an error with his billing and they needed his CC number in order to go ahead and fix this error. My dad began going for his CC to tell the guy on the phone.

Figuring such a large organization would give their employees operator IDs, I picked up the phone and said "give me your operator ID". The guy on the line was completely stumped. He was like "uh, what do you mean?" I called him an ass and hung up.


RE: socialing...
By T4RTER S4UCE on 12/9/2007 3:35:08 PM , Rating: 2
My 14-year-old sister is in the 9th grade. She is in advanced classes for every subject and gets straight A+ every report card.
Until two days ago she didn't know what a web browser was.


RE: socialing...
By Ascanius on 12/10/2007 3:53:13 AM , Rating: 2
Getting straight A+ in all is nothing but the sign of a very well trained puppy or a very well indoctrinated person.

Like when you pat your dog's head after it has done something amazing that you have tried teaching it for quite a while.

We are all born empty, and what we are is the collective information gathered during our lives mixed with how our genes make us act and, in this case, "interact".

Real intelligence is the "speed" and the "capacity" when learning something for the very first time, like in those Mensa tests.

So you can be just as "intelligent" as you can be, but it does not change what you have learned so far and will learn in the future!

So if some specialists do not learn so much in the area of social skills due to reading heavy books instead, well then it is amazingly simple why you get cheated by such a simple hoax like this example here shows.

The crack dealer does nearly NOTHING but social skills with all the different characters he has to handle just on a single-day basis; that is why he very simply would never fall for such a scam as this.


RE: socialing...
By theapparition on 12/10/2007 11:13:33 AM , Rating: 2
Very important distinction:

Not all people who work at a rocket facility are rocket scientists.

You'd be surprised at who has access to sensitive information. Janitors, couriers, secretaries, etc. All have a hand in the chain of information.

There are levels of management that have access to sensitive info, and, well, we won't go into average intelligence of management.

Point is, it's a lot easier than you think, but it's not always the fault of the "smart" people.

With that said, there are plenty of book smart people that I wouldn't trust an ATM card with.


RE: socialing...
By Omega215D on 12/9/2007 8:54:35 AM , Rating: 2
A little sticker on my school binder:

Social Engineering Specialist: Because there is no patch for human stupidity.


RE: socialing...
By Master Kenobi (blog) on 12/9/2007 11:47:23 AM , Rating: 2
I agree. There will never be a patch for human stupidity.

By the way, there is a difference between PhDs and IT Engineers. I have met several IT PhDs and they are the biggest bunch of morons around. They can tell you how it should work, in theory, with all things constant. Any IT Engineer will tell you this is a pipe dream.


RE: socialing...
By slickr on 12/10/2007 2:05:59 AM , Rating: 1
This just shows how stupid people really are.
And this is nothing to be amazed at; fucking morons finish college and stuff coz they can sit all day and fucking read the boring book, and they don't actually use their intelligence to understand things in the book, they just memorize it and tell it like lyrics. (This doesn't apply to all PhDs!)


By GeorgeOrwell on 12/9/2007 2:06:24 AM , Rating: 2
It is very unlikely that the one big fear that has been programmed into the American people -- the rogue nuclear device/weapon -- is also where all the "hacking" is occurring as well.

A drug dealer having nuclear research facility info is one step away from some other criminal underworld type controlling an actual weapon. Or maybe it is just too much Hollywood.

Obviously the vast array of biological weapons, chemical weapons, high yield conventional weapons, etc., that are available in the US are of no interest to hackers.

Only the nukes. Maybe the hardest to use of all available weapons. Gimme a break.




By Ringold on 12/9/2007 2:43:19 AM , Rating: 2
Or maybe it's just because nobody cares to hear how an intern at a water treatment plant got his SSN stolen, and DailyTech has bills to pay? :)

If you really do care about completely uninteresting news, though, I'd like to report that it's cold outside and I just heard a train pass by.


By Manch on 12/9/2007 6:55:48 AM , Rating: 2
Yeah, the one that goes by my house usually passes by at 2100 & 0200. Just FYI since we're sharing


By KristopherKubicki (blog) on 12/9/2007 3:22:40 AM , Rating: 2
One thing that's important to remember about these labs is that they simulate nuclear explosions on computers -- not in their backyard. Any sort of nuclear program data coming out from these facilities might help Russia make a bigger bomb, but they're probably not going to help the Jihadi looking up how to build the bomb at Starbucks.


By crystal clear on 12/9/2007 7:55:48 AM , Rating: 2
quote:
One thing that's important to remember about these labs is that they simulate nuclear explosions on computers -- not in their backyards


That's what Iran plans to do, thereby they do not have to explode a device.

In this context, read the news item below:

December 06, 2007 (Computerworld) -- Despite federal antiterrorism trade sanctions that bar the sale of U.S.-made computer technology to Iran, a computing research center in Tehran claims to have used Advanced Micro Devices Inc.'s Opteron processor to build the Middle Eastern country's most powerful supercomputer.

The Iranian High Performance Computing Research Center (IHPCRC), which is located at Tehran's Amirkabir University of Technology, said in an undated announcement on its Web site that it has assembled a Linux-based system with 216 Opteron processing cores. That's a relatively small supercomputer, with a claimed peak performance level of 860 billion floating-point operations per second, or gigaflops. But the research center said that the system, which will be used for weather forecasting and meteorological research, is the fastest built in Iran to date.

Thacker FZE is an authorized distributor of AMD products that is based in the United Arab Emirates, in the state of Dubai. The company is also listed under the name Sky Electronics on AMD's Web site. Sky Electronics, whose managing director is named Manoj Thacker, says on its Web site that it is a business partner of Intel, Microsoft Corp., Nvidia Corp. and several other technology vendors in addition to AMD.


http://www.computerworld.com/action/article.do?com...

It's a long article; read it for more details on the subject.

The Iranians' claim that it will be used for weather forecasting and meteorological research (and is the fastest built in Iran to date) is simple deception.

They claim to use 216 Opteron processing cores.
In fact it could be more than that; who knows the exact figure/amount.

The real purpose is to simulate nuclear explosions on these computers.


I think the main question is
By vhx on 12/9/2007 1:08:30 AM , Rating: 4
Why exactly are nuclear power plant records and such networked on the internet? :O




RE: I think the main question is
By SandmanWN on 12/9/2007 7:47:03 PM , Rating: 2
My sentiments exactly. Why in the world would any computer on a nuclear research facility, that has direct access to the internet, have any pertinent information on it whatsoever!

Makes you wonder exactly how many times the governments can lose our personal identity numbers. I'm thinking about asking for a new one myself. It's probably been stolen 3-4 times over my lifetime. lol


private Internet Protocol network
By crystal clear on 12/9/2007 7:14:29 AM , Rating: 2

A closed IP network or private internet network is not new;
many agencies of a classified nature, governments, etc. use them around the world.

No ACCESS (either way) is allowed to the outside world, namely the public internet, etc.

Employees have NO access to USB connections, which prevents them from using external hard drives/disk-on-keys, etc.
Plus a series of other security measures too long to quote here.

Good news is on the way:

The General Services Administration last week requested information from network vendors interested in building a protected government network, dubbed Govnet.

"Govnet will be a private Internet Protocol network shared by government agencies and other authorized users only," the request for information said. "Govnet will provide connectivity among users to a defined set of service delivery points."

The network would be totally separate from the public Internet or other public or private networks. It would include voice, conferencing and multicast services. The GSA is asking for a network that "will be immune from malicious service and/or functional disruptions to which the shared public networks are vulnerable" and be impervious to malicious code from any external network.


The government is clearly on a fast track. Proposals are due to the GSA by Nov. 24.



http://www.eweek.com/article2/0,1759,1244717,00.as...




By SandmanWN on 12/10/2007 12:20:32 PM , Rating: 2
Things already exist to solve their problem, you are correct, but for some reason they simply have not been interested in those solutions up to this point. Perhaps now it will change.

The company I worked for does point-to-point dedicated or MPLS over standard lines for other "high risk" customers, but we never had any serious return from the federal government. However, companies like Microsoft loved it and continually ask for more bandwidth than we can provide for their area, local and state governments beg us to run fiber to their area, and we have many bank customers. You would figure if it's good enough for those guys the government would reconsider.

Unfortunately it seems nothing less than a fully dedicated fiber optic network will be the only answer they will accept. Meanwhile they will probably keep everything status quo until it's completed 100%, and we will continue to have incidents like this as it drags on forever with all sorts of budget overruns. And it will probably cost a small fortune in the end, no doubt.


The irony is sadly laughable
By Spacecomber on 12/9/2007 9:16:04 AM , Rating: 2
I got one of those fraud alert letters from ORNL. The idea that my personal information was at risk of identity theft due to a hacked computer at a "highly secure" government lab is both sad and funny at the same time.

On the other hand, I wouldn't make too much of how a place full of smart scientists should be any more capable of dealing with such an attack than another organization. The administration is in the hands of the same people you can find anywhere. Except for the security, the place is pretty much like a research-oriented university. In fact, the University of Tennessee and Battelle share responsibility for its administration.

Anyone who has been to college knows that the people running our places of higher learning are not exactly rocket scientists themselves.




RE: The irony is sadly laughable
By rtrski on 12/10/2007 3:25:52 PM , Rating: 2
I taught a training class at Los Alamos in one of their computer labs in the late 1990s, while I worked for a company that wrote electromagnetic analysis software. This was on UNIX, and they were so security sensitive that we had a security person sitting in the back of the room during the entire class and literally following us around, including stationing himself outside the bathroom when I or the other instructor (a female) took our potty breaks. They didn't trust one of the scientists taking the class to be our 'escort'. And we were given temporary, supposedly limited-access login accounts to that lab only because as instructors we had to demonstrate some of the software features on the projector for the class to follow along. They made a big deal about how they had to 'isolate' the lab from the rest of the intranet, etc since we uncleared (unwashed) heathens were visiting, and since this was supposedly a classified lab (or could be, on other days) there was supposedly no outside access, either.

The funny part is that the security person couldn't follow (and didn't try) the material in the class at all, and in fact read a magazine most of the time. But I remember on the second day we constructed an example waveguide interface problem that was giving us results that didn't seem physically correct, so we as the instructors wanted to get a copy of the model to send back to the developers for diagnosis and a possible code fix. Without even thinking about it we were able to open up a terminal window and FTP it to our company servers, and only later on did I ask the other instructor "um, if they were so security conscious we had to be followed, and were given 'limited access' accounts... how did we so easily get a toob to the Internets?" <jokey l33t speak is obvious revisionist memory>. I was honestly worried that somehow they'd think we'd "intentionally" violated their security, but figured the best thing to do would be to come clean and bring it up, rather than wonder if they 'noticed' somehow later on and it looked more suspicious to have not mentioned it. Fortunately nothing came of it on our end - no idea if we cost someone an IT job, though....

Sad, really. There's some analogy about barn doors and cows one could insert there, somewhere....not that any of this applies, as obviously the typical user is the worst security threat per the article. But I find it amusing that even that closed lab had direct outside access. I don't even recall having to do anything special on the terminal window to FTP out through a firewall...


All I have to say is....
By Gnoad on 12/8/2007 8:10:09 PM , Rating: 2
lol.




Where's the proof?
By HilbertSpace on 12/9/2007 1:14:05 AM , Rating: 2
It isn't clear to me where the writer of the article got the info from... so who's right?




Thanks jason
By jtemplin on 12/10/2007 10:22:19 AM , Rating: 2
Thanks for giving us the real story on this "major hacking attack". If I had read this article first I would have been much worse off: http://www.tgdaily.com/content/view/35188/118/

And to all the people who purport to know all about intelligence... it's laughably ironic to hear someone saying "oh yea you may have your phd, but in this world there is either book smarts or street smarts" as if these are mutually exclusive.

If complexity of thought is the hallmark of intelligence, and I believe it is... Then how dare you fools who think of the world in black and white claim to know something about intelligence. Some of you talk as if everything can be split into two camps...book smart, street smart...liberal, republican.

The world isn't some simple dichotomy waiting to be discovered by Joe Q Poster on DailyTech. The world does NOT fall on a one-dimensional axis.




Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki