Was the National Nuclear Safety Administration Compromised by Hackers?

[Rach3]

WASHINGTON (Reuters) - A computer hacker got into the U.S. agency that guards the country's nuclear weapons stockpile and stole the personal records of at least 1,500 employees and contractors, a senior U.S. lawmaker said on Friday.

The target of the hacker, the National Nuclear Safety Administration, is the latest agency to reveal that sensitive private information about government workers was stolen.

The incident happened last September but top Energy Department officials were not told about it until this week, prompting the chairman of the House of Representatives Energy and Commerce Committee to demand the resignation of the head of the NNSA...

http://today.reuters.com/news/newsArticle.aspx?type=domesticNews&storyID=2006-06-09T235714Z_01_N09199487_RTRUKOC_0_US-CRIME-NUCLEAR-HACKER.xml

Shall we panic, then?

 

[heartless]

No, No, No, what a moron. Why records of employees? There's so much other interesting stuff about us's security, that no one else could ever imagine.

 

[Gokul43201]

Why is this all coming out now? Does X feel a little less guilty if Y admits to the same screw up?

 

[Rach3]

NNSA is a fantastically insecure place, if major security leaks take all of a year to get reported to their administrators. (either that or the administrators are secretive, lying scum...)

Why would someone go after employee databases at a critical security agency? Could it be a massive plot of social engineering?

 

[Rach3]

http://today.reuters.com/news/newsArticle.aspx?type=domesticNews&storyID=2006-06-09T235714Z_01_N09199487_RTRUKOC_0_US-CRIME-NUCLEAR-HACKER.xml

Committee chairman Rep. Joe Barton said NNSA Administrator Linton Brooks should be "removed from your office as expeditiously as possible" because he did not quickly notify senior Energy Department officials of the breach.

"And I mean like 5 o'clock this afternoon if it's possible," Barton, a Texas Republican, said in a statement.

I concur!

 

[Gokul43201]

No, No, No, what a moron. Why records of employees? There's so much other interesting stuff about us's security, that no one else could ever imagine.

The really sensitive stuff is probably protected by a higher level encryption. And the hacker only has so much time before s/he is detected and the Feds come knocking. Gotta make the best of it...and scram. Even info about employees could be worth a ****load of money in the right markets.

 

[Evo]

My company actually requires me to put my social security number on customer contracts. I have refused to do so and have been putting a bogus number on them, these contracts are publicly viewable. My company is nuts. And it's the third largest company in the country of it's kind.

 

[Rach3]

The really sensitive stuff is probably protected by a higher level encryption.

The explicit assumption being, that sensitive information is protected by competent people. Unlike, say, the entire database of the VA. Or, employee addresses of the Nuclear National Safety Agency.

And the hacker only has so much time before s/he is detected and the Feds come knocking. Gotta make the best of it...and scram. Even info about employees could be worth a ****load of money in the right markets.

The hacker has had a head start of a full nine months...

 

[Gokul43201]

The hacker has had a head start of a full nine months...

Hey congrats on the 100. How long do you think before you forget your passwd?

Aside:

Regular Joe: "Damn, I forgot my password!"
Hacker: "Pffft, silly noob."

 

[Rach3]

The really sensitive stuff is probably protected by a higher level encryption.

Let me correct myself. In both cases (VA, NNSA), it was. In the VA case, an employee lost an illicit, unencrypted copy on his laptop's external storage drive. In the other case, the encryption either wasn't strong enough, or there was an exploitable weakness, or maybe the password was very weak. Merely having a policy about encryption doesn't meant things are actually going to be encrypted, when employees are complacent and/or incompetent and/or morons.

 

[Moonbear]

My company actually requires me to put my social security number on customer contracts. I have refused to do so and have been putting a bogus number on them, these contracts are publicly viewable. My company is nuts. And it's the third largest company in the country of it's kind.

That's nuts! When I was in college, they started allowing us to use our student ID cards as a debit card for purchasing stuff in campus bookstores and eateries, then had the brilliant idea you should sign for your purchase on a list and write your SS# next to it to match your signature to your card purchase. And then when the next person came along, they handed them the same list to sign next on the list. I flat out refused to include my SS# (this was already after they stopped using SS#s for your ID number, so they were already aware there was a reason not to use it). At first they gave me a hassle over it (by then they had already swiped my card and the purchase was complete, so I'd just walk away if they didn't just agree), but as I explained the reasons to each employee I encountered, some started to agree to let me skip it, and eventually, they phased that out.

 

[Moonbear]

It would be one thing if they just didn't make this public knowledge right away while investigating, notifying employees, etc., but if even department officials were not notified, that's pretty scary. When they hacked the university computers where I worked, we knew within 24 hours that it had happened (we did find out through the news, but that was actually faster than sending us memos since they didn't have a lot of details to share yet anyway). It took about a week or two for them to determine the complete list of whose information was accessed and to notify us of this individually, but at least we all were aware we were potentially on that list. Nine months seems a bit long to wait to notify anyone their information was accessed...by then, they might already own a house in the Hamptons, a few luxury cars and a yacht they never knew about.

 

[Pengwuino]

Let me correct myself. In both cases (VA, NNSA), it was. In the VA case, an employee lost an illicit, unencrypted copy on his laptop's external storage drive. In the other case, the encryption either wasn't strong enough, or there was an exploitable weakness, or maybe the password was very weak. Merely having a policy about encryption doesn't meant things are actually going to be encrypted, when employees are complacent and/or incompetent and/or morons.

Rach, "policy" doesn't normally dictate encryption. If you're really talking about a hacker, the only way someone can intervene and make it easier would be to completely remove layers of encryption which would is too outrageous to actually happen very often. This isn't about someone leaving their office with a bunch of documents on a CD or someone setting up their password as "password". This hacker probably (if the reporting is correct) entirely compromised the security and didn't need someone to have a weak password to gain entry.

NNSA is a fantastically insecure place, if major security leaks take all of a year to get reported to their administrators. (either that or the administrators are secretive, lying scum...)

source?

 

[Cyrus]

NNSA is a fantastically insecure place, if major security leaks take all of a year to get reported to their administrators. (either that or the administrators are secretive, lying scum...)

It is? How about a source on that claim?

Why would someone go after employee databases at a critical security agency? Could it be a massive plot of social engineering?

Because the real stuff that is National Security sensitive actually is kept locked away, despite your claim of it being a fantastically insecure place.

The hacker has had a head start of a full nine months...

On reading the article, it said it took nine months to get reported to senior officials, not nine months to get detected.

Merely having a policy about encryption doesn't meant things are actually going to be encrypted, when employees are complacent and/or incompetent and/or morons.

Have you ever in your life step foot inside a national government laboratory? It is not just 'policy,' it is very strictly inforced for the most part.


... stupid bird beat me to my post...stop stealing my ideas Pengwunio..

 

[Pengwuino]

Wow me and cyrus were on the same page instead of at each others throat for once, this isn't comforting.

 

[Rach3]

On reading the article, it said it took nine months to get reported to senior officials, not nine months to get detected.

And that's a good thing?

 

[Cyrus]

And that's a good thing?

I never said it was a good thing. Comparatively, it is better to have a breakdown in reporting this to senior officials than to have a hacker go undetected for nine months.

One can simply look at the type of information that was hacked into, mainly human resources related. (NOT an area of Top Secret information, BIG DIFFERENCE.)

As Gokul has already said, this information can be used for identity theft, but does not jeopardize national security in terms of stealing nuclear secrets.

 

[Rach3]

One can simply look at the type of information that was hacked into, mainly human resources related. (NOT an area of Top Secret information, BIG DIFFERENCE.)

Who claimed this was 'Top Secret' stuff? It's sensitive, and a potential security liability via social engineering, and should have stayed on a closed intranet (not at an internet-connected terminal, as it apparently was). This was a very basic failure of methodology.

 

[Cyrus]

Who claimed this was 'Top Secret' stuff?

Reread what I wrote. I did not say it was Top Secret. In fact, I explicitly said it was NOT Top Secret information to make a point.

It's sensitive, and a potential security liability via social engineering, and should have stayed on a closed intranet (not at an internet-connected terminal, as it apparently was). This was a very basic failure of methodology.

Here at work, one is able to access their computers through TCP/IP by logging into the network. They can also submit timesheets and do various other functions, all related to their personal information. This means there has to be an online data base with employee information so that it can be accessed remotely.

If this were a very basic failure of methodology, it would have been detected long before this incident. Despite what you may think, the government takes very careful security measures and is not run by a bunch of morons.

Oh, and your article makes no mention of social engineering.

 

[Rach3]

If this were a very basic failure of methodology, it would have been detected long before this incident.

On what reasoning?

Oh, and your article makes no mention of social engineering.

It didn't. I pointed out that it might have been a motive for this hack - it was speculation on my part.

Basic definition is here.

 

[Cyrus]

On the reasoning that government labs do constant security checks and updates. I could (no, I really cant) send you the scores of emails they constantly send out about security updates to all employees via internal email.

I'm sorry, but I consider unfounded speculation to be meaningless.

 

[Rach3]

On the reasoning that government labs do constant security checks and updates. I could (no, I really cant) send you the scores of emails they constantly send out about security updates to all employees via internal email.

Of course they're worried about security. That's not the same thing at all as saying that they have effective or intelligent security. In this case we observe a significant failure of their security.

I'm sorry, but I consider unfounded speculation to be meaningless.

Meaningless for what? If detailed employee information is targeted and stolen, then there exists a danger of social engineering. Of course it's speculation - I'm stating what the risk is. How can you talk about security without speculating about the possible failures and risks?

It's hardly unfounded or original...
http://en.wikipedia.org/wiki/Kevin_Mitnick

 

[Rach3]

Since this is now an absurd semantic discussion, I recuse myself from this thread.

 

[Cyrus]

Of course they're worried about security. That's not the same thing at all as saying that they have effective or intelligent security. In this case we observe a significant failure of their security.

No, they actually do have very effective security. They were hacked into, detected it and stopped it. Again, the hacker only was able to get "soft" or sensitive information and that's exactly what good security does. Prevents a hacker from gaining access into the Top Secret files.

What you observed, is a significant failure in effective communication, NOT security.

As for your speculation, it is indeed meaningless. With all due respect, you are not an expert in government security and you do not have all the facts on the incident; therefore, you are just making wild guesses for all you know.

Why are you trying to discuss the possible faulres and risks? Again, you do not work on security, do you? You simple are not qualified to continue this argument (and neither am I).

Yes, I know about social engineering and Kevin Mitnick. What does this have to do with with the incident specifically?

 

[Cyrus]

Since this is now an absurd semantic discussion, I recuse myself from this thread.

No disrespect, but you post a link to an article and then state:

Shall we panic, then?

This is hardly a realistic question. Your whole thread has been mostly sensationalistic at best with little to no fact to support your argument. And lots, and lots of speculation. This is not the first time you have made a thread like this. If you want to discuss the incident, then please have a clear and well defined question.

 

[Moonbear]

Since this is now an absurd semantic discussion, I recuse myself from this thread.

In that case...thread locked.