Wednesday, June 14, 2006
LANL-ALL2001: Message from NNSA Director Brooks regarding cyber security breach
Sent: Wednesday, June 14, 2006 2:07 PM
Subject: LANL-ALL2001: Message from NNSA Director Brooks regarding cyber security breach
Please note the following message from National Nuclear Security Administration Director Linton Brooks to all NNSA employees and contractors:
As most of you know, an attack on an unclassified NNSA system resulted in personal information on approximately 1,502 NNSA federal and contractor employees being unlawfully obtained. About 75 of the affected individuals are federal employees. Most others work at the production plants, the Nevada Test Site, or the national laboratories. Some are retired. The data was in a list that included names, social security numbers, level of security clearance, when that clearance was last updated, and a code identifying the company (but not the geographic location) where the affected individuals worked. Neither dates of birth, nor addresses, nor other personal information were included in the compromised information. Still, this is a very serious event.
Starting last Friday evening, and continuing nearly around the clock all weekend, senior NNSA managers began contacting by phone each employee whose personal information was compromised in order to provide them with information about protecting themselves from such dangers as identity theft. About 80 percent of the affected employees were contacted by last night. We are continuing to try to reach the remaining employees until we have personally contacted everyone. In addition to these phone calls, I sent letters first thing Monday morning directly to the federal employees and to the managers of the contractor employees who were affected. The contractor managers were asked to provide the information to their employees (we don't have mailing addresses for most contractor employees). I have also instructed the NNSA Site Managers to follow up and ensure that the contractors promptly provide the information to the employees.
I suspect that most of you who were involved (and many who weren't) are upset and angry, both over the incident and over the fact that I was aware of it for several months before I told you about it. You have a right to be. With regard to the attack itself, because the criminal investigation is still ongoing, I cannot provide you any details. I am convinced that no NNSA employee could have prevented this attack. Due to the nature and sensitivity of our work, NNSA is a frequent target for sophisticated hackers. Every day there are thousands upon thousands of attempts to gain unauthorized access to our computer systems. And every day, such efforts are thwarted by the safeguards built into these systems and by the expertise of the hundreds of cyber security experts across the NNSA and DOE complex. These experts go to extraordinary lengths to protect our data. They do an incredible job.
Even with this strong cyber security effort, the fact that we lost data testifies to the sophistication of the attack.
The delay in informing you, however, could have been prevented. Quite simply, we screwed up. Given the involvement of other federal agencies that investigate such breaches, when attacks occur, we are not always at liberty to immediately notify people. Sometimes we need to delay while investigators try to identify the hacker(s) and determine the level of compromise, etc. Thus, some short delay would be understandable. Most of the delay, however, was preventable and unnecessary. I am still trying to sort out exactly what happened, but it is clear that a number of people, including me, failed in their responsibilities to keep you informed.
All of you deserved better. I am working to fix our procedures so that such an inadvertent delay cannot happen again. I will keep all of you posted on this matter as progress is made, with particular attention given to those of you directly affected. In the meantime, I apologize for our failure.
Los Alamos National Laboratory
P.O. Box 1663, Mail Stop C177
...and no, DOE/NNSA has not telephoned me!
...and no my line management has not contacted me.
Penetration Testers Try a New Twist on Social Engineering (7 June 2006)
A credit union that had been experiencing problems with employees sharing passwords and divulging other information too easily hired a company to assess their network security with a focus on social engineering. Employees were aware that their security was going to be tested, so instead of taking the usual social engineering routes, the penetration testing company left 20 USB drives near the credit union in the parking lot and smoking areas. Employees picked up 15 of the 20 drives and installed them on their computers to see what they held, which turned out to be a Trojan horse program that gathered passwords, logins and other data and emailed them back to the company.
[Editor's Note (Northcutt): It may be a new twist to the author of the article, but this trick is as old as the hills. I first saw this done using a floppy disk survey. You stuck the disk in your laptop, filled out the survey, put the disk in a pre-packaged mailer and sent it back to receive a free prize. Another variant is demonstration software. You leave shrink-wrapped CDs that look like they have games or useful applications around the target site. People will try the game or application while installing the attacker's software on their systems. The article does serve as a reminder, and I like the ending. Telling people is not enough; you need to keep hammering it into their heads. It would be interesting to try some trojaned thumb drives in a candy jar that, if inserted into a computer, posted a big red message saying you just earned a 100 dollar fine.]
People, no matter where they work, should be a bit more aware of what they connect to their computers. Just because you get a mailing that says "Needed work info" with a CD-ROM in it doesn't mean you should install it and run it because the typed letter with it says so. Especially if the postmark is from Formosa, Florida versus Near-Beltway, Maryland.
If someone you know sends you a CD-ROM, USB drive, etc., and you didn't ask for it, it is always a good idea to confirm via phone that they meant it for you. If you get an email from a work buddy but the headers look funny (sent from outside of your workplace), or the Thunderbird scam detector says it thinks it's funny, you should call them and find out if they meant it for you.
I would also check that your computer systems at home and work do not have spyware on them. The number one way for computer identity theft these days is spyware that was installed without the user knowing what the program was going to do. [Just say no to dancing hamster screensavers!]
The most common way for identity theft is actually pretty mundane. Work at or create yourself a business/non-profit and buy from a couple of advertising agencies a list of people in the demographic you want to scam. Then, as that business, run a couple of credit reports on the person; that can get you enough information to get started on identity theft. There are other ways, most of them easy because too many organizations use social security numbers or driver's licenses as the identity number for a person in their databases (both computer and hard-copy). And then many organizations will over-trust a social security number to allow it to open all kinds of things.
# posted by DOE Guy : 6/14/2006 04:52:07 PM
If NNSA had no way to prevent the attack, they have no business handling sensitive data.
# posted by Doug Roberts : 6/14/2006 07:21:30 PM
We design nuclear weapons. Can anyone quote me what the design criterion is for accidental nuclear detonation? Hint: it is not zero. By Doug's logic, we should not be handling the stuff (which a number of people, of course, would happily agree with). I am not defending what happened; merely pointing out that there are no perfect systems.
We screwed up? Who is we, Linton? How about a more direct "I screwed up"? You talk to Bodman on a frequent basis. You saw the furor over the VA episode last month. You knew that NNSA employee files had been hacked almost a year ago and you never mentioned it even once in discussions with Bodman. I can only imagine why you kept your mouth shut. Don't hide behind org charts and lines of command. You admitted clearly that you KNEW that the data had been stolen back in September, and you KNEW that those affected had never been contacted. If that's not a smoking gun pointing to gross incompetence, then I don't know what is!
Good security procedure would have dictated that the people on that list be contacted immediately and told to watch out for any unusual behavior or contacts from suspicious individuals. Perhaps a blackmail scheme was in the works against NNSA workers. One can imagine some pretty frightening scenarios. In all of them, the first line of defense would have been to forewarn those affected to be on extra guard. The failure to notify the victims was completely inexcusable. More than that, it may have endangered our national security in ways of which we are currently unaware. And you, Linton, knew that this situation had existed for over nine months and were willing to let it go on for some time longer!
If Brooks has any sense of honor, he will resign from his post by the end of this week. If he doesn't, then Bodman should remove him from office by Monday morning. It's the right thing to do.
Inadvertent delay? What a crock! The problem isn't procedures, or policy, or training or inadvertent delays. The problem is trying to cover up problems by not reporting them. The problem goes much deeper though, because when the little fish does the very same thing he gets sliced, diced and canned. When the big fish does it, he just swims away to spawn another mess. "I screwed up." Is that supposed to impress, to suggest some semblance of leadership? ...by accepting responsibility (sort of, perhaps, kind of, maybe?) How about "I got caught trying to cover up, so I resign"? Yes, now that would be the honorable thing to do, wouldn't it? Did UC President Bob Dynes do this? Did the UC Regents ask him to do this? Did Nanos do this? Did Bob Dynes ask him to do this? No? Is anybody in leadership these days even capable of accepting responsibility, much less acknowledging the messes they make? Well, certainly not without a golden parachute attached! The rest of us can just keep on fantasizing about justice, honor, fair play, leadership and integrity. Nice concepts, but apparently too difficult to put into practice once you become a God.
If you ever needed an example of a double standard between how DOE/NNSA treats their screw-ups compared to those of their contractors you have it with this episode. It couldn't be any clearer.