
Two labs of America's top scientists have fallen for the oldest trick in the hackers' book

DailyTech featured a blog yesterday on how the media frequently reports on so-called "hacks" with little understanding of what actually happened, participating in an irresponsible brand of journalism that borders on alarmism.  The problem is exacerbated by the fact that people really do fall victim to Internet scams, even rather smart people, and reporters dubiously label these scams "hacks."

One such report featured on ABC News concluded that two nuclear labs had been "hacked."  The true story is a bit more entertaining and reveals that there is no threat to the country's nuclear safety.  Real threats such as concerted "hacks" conducted by the Chinese against the U.S. government are certainly a concern, but the only thing dangerous about the compromise at these labs is the carelessness of a few scientists and workers at the plants.

The Oak Ridge National Laboratory (ORNL) in Tennessee and Los Alamos National Lab in New Mexico have made a habit of collecting the social security numbers, names, and birth dates of scientists who visit the plants.  The information is put into a database, which reads like a who's who of America's top scientists.

Unfortunately, nobody thought such a practice might be a bit insecure.  Starting October 29, workers at the labs began receiving phishing emails, which followed the traditional attack pattern of carrying malicious Trojan attachments.

There is no evidence that the attacks were specifically aimed at the labs.  If the attacks were just a general Internet attack, those responsible might have been excited at the big fish they caught.  The two labs have both reported that the phishing emails gained access to their systems, which indicates that at least two employees -- one at each plant -- were foolish enough to open the attachment and set the damage in motion.  The result was that the database with the scientists' information was compromised.

The phishers gained access to the records of all visitors at the plant between 1999 and 2004. 

Don't blame the news networks solely for sensationalizing the attack and making it sound like a sophisticated assault.  Leaders at the labs have gone on record trying to fudge the facts in statements, making the attacks sound more complex than they really were and glossing over the fact that the attacks only succeeded due to employee failures.

For example, ORNL director Thom Mason stated that the attacks were a "coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country," and continued, "Because of the sensitive nature of this event, the laboratory will be unable for some period to discuss further details until we better understand the full nature of this attack."

Los Alamos has been more silent about what appears to prove the old adage that the greatest hole in security on the average computer network is the network's users.

In 2006 Los Alamos fell victim to social engineering and phishing when its emails were stolen and ended up on the USB stick of a drug dealer found in a police raid.  The emails contained data of simulated nuclear weapons tests considered sensitive.

At the time, the executive director of the Project On Government Oversight (POGO), Danielle Brian, blasted Los Alamos for its lax security, stating, "This appears to be a new low, even drug dealers can get classified information out of Los Alamos."

Expect more pressure on ORNL and LANL as the smoke of sensationalism begins to blow away, revealing atrocious security due to user carelessness.  Looks like some of America's top minds have just fallen for one of the oldest tricks in the hackers' book.

Comments

RE: socialing...
By Pythias on 12/9/2007 3:09:00 AM , Rating: 3
Educated and/or trained does not equal "smart". I bet the crack dealer on the corner wouldn't have fallen for this scam.

RE: socialing...
By Alexstarfire on 12/9/2007 3:52:36 AM , Rating: 3
Yep, that's why we have book smarts and street smarts. You usually have one or the other, not both.

RE: socialing...
By Manch on 12/9/2007 6:53:53 AM , Rating: 2
I think I have a little of both! For example:

My 2 guns popping 2 bullets each in your skinny ass equals 4 holes!!! How do you like them apples?! waddup!

Just playin. Seriously though, I work with a lot of "smart" people and they are the dumbest smart people I have ever met. I don't know how many times I've had to tell them, well pick an example and these morons have done it. Some people just don't learn.

"No, the naked Anna Kournikova pics and the Britney box shot are bad!"

Yeah, the first one is bad cuz it contains malicious logic but the other is just bad for your eyes!

RE: socialing...
By LogicallyGenius on 12/9/07, Rating: -1
RE: socialing...
By clovell on 12/9/2007 9:31:58 AM , Rating: 3
What happens if I call you a douchebag?

RE: socialing...
By Manch on 12/9/2007 3:13:36 PM , Rating: 2

RE: socialing...
By T4RTER S4UCE on 12/9/2007 3:39:16 PM , Rating: 2
I don't know about 3 Billion but maybe 1.5 Billion because as South Park has taught us 1/4th of the population is retarded.

RE: socialing...
By Pythias on 12/17/2007 11:32:10 PM , Rating: 2
I desperately await a cure for your cranial rectosis.

RE: socialing...
By Nik00117 on 12/9/2007 11:51:51 AM , Rating: 2
Gotta tell you that crack dealer wouldn't have fallen for the fraud.

I will admit it, I consider myself very smart. Very street smart too and I fell for a scam once as well.

However, out of all the attempts people have made to scam me, the times I've turned the tables on them (as in got their info and gave it to the cops) beat the times I fell for it.

I remember once, "Discover" called my dad saying there was an error with his billing and they needed his CC number in order to go ahead and fix this error. My dad began going for his CC to tell the guy on the phone.

Figuring such a large organization would give their employees operator IDs, I picked up the phone and said "give me your operator ID". The guy on the line was completely stumped. He was like "uh, what do you mean?" I called him an ass and hung up.
