The True Story: Two U.S. Nuclear Labs "Hacked"
December 8, 2007 5:49 PM
comment(s) - last by
Two labs of America's top scientists have fallen for the oldest trick in the hackers' book
featured a blog yesterday on how the media frequently reports on so called "hacks" with little understanding of what happened, participating in a
irresponsible brand of journalism that borders on alarmism
. The problem is exacerbated in that people really do fall victim to Internet scams, even rather smart ones, which reporters dubiously dub "hacks."
One such report
that two nuclear labs had been "hacked." The true story is a bit more entertaining and the reveals that there is no threat to the country's nuclear safety. Real threats such as concerted "hacks"
conducted by the Chinese against the U.S. government
are certainly a concern, but the only thing dangerous about the compromise at these labs is the stupidity of a few scientists and workers at the plants.
The Oak Ridge National Laboratory (ORNL) in Tennessee and Los Alamos National Lab in New Mexico have made a habit of
collecting the social security numbers, names, and birth dates
of scientists who visit the plants. The information is put into a database, which reads like a who's who of America's top scientists.
Unfortunately, nobody thought such a practice might be a bit insecure. Starting October 29, workers at the labs began receiving phishing emails, which followed a traditional attack pattern of containing malicious Trojan-containing attachments.
There is no evidence that the attacks were specifically geared at the lab. If the attacks were just a general Internet attack, those responsible might have been excited at the big fish they caught. The two labs both have reported that the phishing emails gained access to their system, which indicates at least two employees -- one at each plant -- were foolish enough to click the attachment and commence the damage. The result was that the database with the scientists' information was compromised.
The phishers gained access to the records of all visitors at the plant between 1999 and 2004.
Don't blame the news networks solely for sensationalizing the attack and making it sound like a sophisticated assault. Leaders at the labs have gone on record trying to fudge the facts in statements, making the attacks sound more complex than they really are and icing over that the attacks only succeeded due to employee failures.
For example, ORNL director Thom Mason stated that the attacks were, "coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country," and continued, "Because of the sensitive nature of this event, the laboratory will be unable for some period to discuss further details until we better understand the full nature of this attack."
Los Alamos has been more silent about what appears to prove the old adage that the greatest hole in security on the average computer network is the network's users.
In 2006 Los Alamos fell victim to social engineering and phishing when its emails were stolen and ended up on the USB stick of a drug dealer found in a police raid. The emails contained data of simulated nuclear weapons tests considered sensitive.
At the time executive director of the Project On Government Oversight (POGO), Danielle Brian blasted Los Alamos for their lax security stating, "This appears to be a new low, even drug dealers can get classified information out of Los Alamos."
Expect more pressure for ORNL and LANL as the smoke of sensationalism begins to blow away, revealing atrocious security due to user stupidity. Looks like some of America's top minds have just fallen for the one of the oldest tricks in the hackers' book.
This article is over a month old, voting and posting comments is disabled
RE: The irony is sadly laughable
12/10/2007 3:25:52 PM
I taught a training class at Los Alamos in one of their computer labs in the late 1990s, while I worked for a company that wrote electromagnetic analysis software. This was on UNIX, and they were so security sensitive that we had a security person sitting in the back of the room during the entire class and literally following us around, including stationing himself outside the bathroom when I or the other instructor (a female) took our potty breaks. They didn't trust one of the scientists taking the class to be our 'escort'. And we were given temporary, supposedly limited-access login accounts to that lab only because as instructors we had to demonstrate some of the software features on the projector for the class to follow along. They made a big deal about how they had to 'isolate' the lab from the rest of the intranet, etc since we uncleared (unwashed) heathens were visiting, and since this was supposedly a classified lab (or could be, on other days) there was supposedly no outside access, either.
The funny part is that the security person couldn't follow (and didn't try) the material in the class at all, and in fact read a magazine most of the time. But I remember on the second day we constructed an example waveguide interface problem that was giving us results that didn't seem physically correct, so we as the instructors wanted to get a copy of the model to send back to the developers for diagnosis and a possible code fix. Without even thinking about it we were able to open up a terminal window and FTP it to our company servers, and only later on did I ask the other instructor "um, if they were so security conscious we had to be followed, and were given "limited access" accounts...how did we so easily get a a toob to the Internets? <jokey l33t speak is obvious revisionist memory>. I was honestly worried that somehow they'd think we'd "intentionally" violated their security, but figured the best thing to do would be to come clean and bring it up, rather than wonder if they 'noticed' somehow later on and it looked more suspicious to have not mentioned it. Fortunately nothing came of it on our end - no idea if we cost someone an IT job, though....
Sad, really. There's some analogy about barn doors and cows one could insert there, somewhere....not that any of this applies, as obviously the typical user is the worst security threat per the article. But I find it amusing that even that closed lab had direct outside access. I don't even recall having to do anything special on the terminal window to FTP out through a firewall...
"I want people to see my movies in the best formats possible. For [Paramount] to deny people who have Blu-ray sucks!" -- Movie Director Michael Bay
Hack The Planet
December 7, 2007, 1:52 PM
Unisys Blamed for China-Connected Homeland Security Hacks
September 26, 2007, 10:08 AM
Amazon, HBO Team up to Bring HBO Content to Prime Members
April 23, 2014, 11:36 AM
U.S. Wants to Reduce Tension Over Internet Net Neutrality
April 22, 2014, 2:07 PM
AT&T Announces Plans to Expand Ultra-Fast Fiber Internet Network to 100 Cities
April 22, 2014, 9:36 AM
AT&T Takes First Steps in Launching Its Own Online Video Service
April 22, 2014, 9:25 AM
Netflix Opposes Comcast/Time Warner Deal, Says It's Anti-Competitive
April 22, 2014, 8:52 AM
Quick Note: Netflix to Raise Streaming Prices Later This Year for New Customers
April 21, 2014, 11:09 PM
Most Popular Articles
A Bug's Life: Female Cave Bugs Have Penises, Penetrate Males for Three Days
April 17, 2014, 7:20 PM
HTC Hires Former Samsung Marketing Chief Who Developed "Galaxy" Brand
April 18, 2014, 6:00 PM
NASA Finds "Habitable Zone" Planet Sized Similar to Earth
April 18, 2014, 3:13 PM
Mounties Arrest 19-Year-Old Who Delayed Canada's Tax Filing w/ Heartbleed
April 17, 2014, 3:24 PM
Thanks to Government Crackdown, Chinese "Porn Cop" Has Watched 600K Adult Videos
April 21, 2014, 12:00 PM
Latest Blog Posts
Facebook Aims to Provide Internet to "Every Person in the World" with Drones, Satellites
Apr 1, 2014, 10:20 AM
Retail Mobile Sites Experience Outages in Light of Simplexity's Bankruptcy
Mar 14, 2014, 8:48 AM
Tesla vs. BMW: Who Has the Safer EV?
Feb 1, 2014, 2:56 PM
Justice Leaks Details of Next HTC One Two Flagship Phone
Dec 5, 2013, 4:04 PM
Global Cyber Espionage Concerns Reveal Growing Cyber Armies
Nov 29, 2013, 11:04 AM
More Blog Posts
Copyright 2014 DailyTech LLC. -
Terms, Conditions & Privacy Information