Nuclear Agency Worker Information Hacked
Juha-Matti Laurio writes to mention a Reuters report about a fairly worrying case of identity theft. A determined hacker gained access to the U.S. National Nuclear Security Administration's records and made off with the information for over 1,500 employees and contractors. From the article: "The incident happened last September but top Energy Department officials were not told about it until this week, prompting the chairman of the House of Representatives Energy and Commerce Committee to demand the resignation of the head of the NNSA. An NNSA spokesman was not available for comment."
Luckily... (Score:5, Funny)
Shouldn't be too hard to track down now, though. Phew!
So where's the Glowing report on this?? (Score:3, Funny)
Re:So where's the Glowing report on this?? (Score:3, Funny)
Re:So where's the Glowing report on this?? (Score:1, Redundant)
Re:So where's the Glowing report on this?? (Score:3, Funny)
Re:So where's the Glowing report on this?? (Score:2)
Re:What kind of systems were involved? (Score:1)
Considering that a large part of the government went to Windows 10 years ago (I know, I had family working in government at the time and they all thought it was a BAD IDEA because of security risks), it would not surprise me in the least that this is precisely how it was done.
I hate to say this, but government should have stayed with UNIX (SVR4) or converted to BSD (OpenBSD is my favorite for security stuff).
Still, I think it was a matter of someone paying a talented script kiddie to do this job. IMHO, no self-r
Re:What kind of systems were involved? (Score:1)
Yeah, it figures both CIA and NSA would be able to shoot that down (they would have MOUNTAINS of evidence pointing to security flaws in M$ Windows, thus making it "unsuitable for use in a secure environment").
I am rather surprised this was allowed to happen in the NNSA and the NRC.
Ah well, that's what happens when you get a $100 billion company throwing around gobs of cash to have things their way.
Re:What kind of systems were involved? (Score:1)
Re:What kind of systems were involved? (Score:1)
Re:What kind of systems were involved? (Score:1)
At least with *NIX, you have ACLs and some other "features" that Windows does not. Also, when was the last time you ever heard of a *NIX system taking down a significant chunk of a shipwide LAN and shutting down the propulsion systems such that a tow was required (this actually happened with Windows NT)?
With a properly programmed *NIX system, such values would have been kicked back with "invalid entry, try again!".
Huh? (Score:2)
Oh ya, it's the government, I forgot.
Re:Huh? (Score:5, Insightful)
Re:Huh? (Score:2)
Of course, the irony would be how security information was stored insecurely enough to be stolen.
Re:Huh? (Score:5, Insightful)
Re:Huh? (Score:2)
Evil geniuses of the world... (Score:2)
Re:Evil geniuses of the world... (Score:1)
NTWD (NSA TERRORISM WIRETAP DAEMON) AUTOMATED NOTIFICATION:
Your use of the words:
nuclear
bomb
password
downloading
the
Indicate that you are probably a terrorist. Please report to:
1234 NSA Way
Redmonton, DC
Special thanks to AT&T.
Big Trouble (Score:2)
Re:Big Trouble (Score:3, Funny)
Re:Big Trouble (Score:2)
Re:Big Trouble (Score:2)
Re:Big Trouble (Score:2)
Heads should roll! (Score:1, Flamebait)
Re:Heads should roll! (Score:1)
"China performed more than 3400 executions in 2004, amounting to more than 90% of executions worldwide." http://en.wikipedia.org/wiki/Death_penalty [wikipedia.org]
The US is in third place at 1.6% of all executions, behind Iran. Maybe next time your knee jerk U.S. response will have merit.
Re:Heads should roll! (Score:2)
Bit different when they've been tried first. Don't let a small technicality like that get in the way of your beliefs though!
Re:Heads should roll! (Score:2)
Re:Heads should roll! (Score:1)
Matter of national security? (Score:1)
Of course there is the chance that we have some James Bond plot underway and that it is some of the really bad guys that have cracked their way to this information. Chances are that this is not the case, but I'll bet this information is now for sale for whoever would be willing to pay the right price.
Saudi Arabian wealthy people and others might be willing to sponsor those that should not get their hands on information of this kind.
Sure having information on workers does not
Re:Matter of national security? (Score:1)
Troubling indeed. In 2003 the GAO found that their oversight of contractors was lacking [gao.gov]. The NNSA got a panel together to review the issues mentioned by the GAO, and after a couple of years came up with the Mies report. Here's an overview of that [doe.gov]. Chapter 5, "Cyber System Security", mentions a lack of secure voice and data networks.
If you want to talk about security problems, this is the worst possible situation. NNSA is responsible for security operations of contractors at nuclear facilities, and has itself be
Matter of personal security. (Score:2)
Why aren't laws in place.... (Score:5, Informative)
The excuse they used that "We thought they knew" is total crap, you'd figure when the head of NNSA says to the ED "Oh hey, we had a security breach where information on 1500 people was stolen, just so you know" Bodman would say "Woooh there, what have you done about it?" as opposed to you know, saying "Mm kay, how about them bears?" and brushing it off...
Crypto-Gram (Score:2)
Write your Senators and Congresspersons.
9 months!#$ (Score:2)
You would think one of the Net Admins would have looked @ those logs in the last 9 months. Or something would have been found out of whack?
The NNSA is a semi-autonomous arm of the Energy Department and also guards some of the U.S. military's nuclear secrets and responds to global nuclear and radiological emergencies.
That's just great. So for 9 months someone that shouldn't has had access? Something just isn't right lately with our gov't security.
Re:9 months!#$ (Score:2)
Re:9 months!#$ (Score:3, Insightful)
It's different than telling the public.
Re:9 months!#$ (Score:2)
Not as I read it. They cut off the access nine months ago. They're only now telling their bosses that they did it. This snippet from the article explains this, "According to Barton, the NNSA chief knew about the incident soon after it happened in September but did not inform Energy Department officials, including Bodman, until Wednesday."
Personally, I don't care if he notified the Secretary of Energy. He should have notified someone like the FBI an
Re:9 months!#$ (Score:1)
You would think one of the Net Admins would have looked @ those logs in the last 9 months. Or something would have been found out of whack?
The Net Admins probably informed the correct people as soon as they found out. The issue is that proper notifications weren't made to people higher in the hierarchy. Non-IT management/workers obviously didn't have their own procedures for dealing with these matters. Even a one page checklist would have done bett
The REAL Crux of the problem (Score:5, Insightful)
If you want credit, go apply to the credit agencies the way they once did and use other companies as a reference the way things used to be in the good ole days. What does getting credit or a bank account have to do with your social security account anyway? Why does supplying my social security number become a requisite for getting a bank account? In some states, your SSN is also your driver's license number.
It's "convenient" for the government and all agencies and companies interested in collecting massive pools of information on single individuals. That's kinda the problem. That's been the argument for decades since the inception of the SSN.
We'll always be vulnerable as individuals because we cannot do anything about anyone else having our information... we don't even know who has it. We're ultimately powerless until we can have the use of the SSN for anything but Social Security accounting made illegal.
Re:The REAL Crux of the problem (Score:1)
And then once the use of the SSN becomes illegal, someone is going to have to do some clever coding along the lines of... SELECT sekritinph0 WHERE sekritinph0.IllegalizedSSN = sekritinph0.LegalReplacementIdentifer
Hmmmm, maybe I should get a patent for that while there is still time.
It's not just an ID theft problem (Score:2)
One question spy recruiters typically ask is "can you get me a list of your coworkers?".
>also guards some of the U.S. military's nuclear secrets and responds to global nuclear and radiological emergencies.
That
Re:The REAL Crux of the problem (Score:2)
Bank accounts often pay interest, and the bank needs to send that to the IRS with your SSN. It's fairly reasonable to require the SSN to open an account, since even if the account doesn't pay interest now it might in the future.
Some interest paid on debt is deductible, so you run into similar requirements there.
Re:The REAL Crux of the problem (Score:2)
But as for reporting income, interest and deductable expenses, I think the government should do what it used to do -- "trust" its citizens to supply the information requested. Most people would be pretty honest about most things.
The issues of invasion of privacy by our "democratic" government just doesn't feel all that democratic to me.
Re:The REAL Crux of the problem (Score:2)
I wouldn't object to a requirement of a witness, identification, and a signed contract for all credit applications.
Even Blockbuster (Score:2)
WTF!?!! If it isn't required, then why even list it?
Re:Even Blockbuster (Score:2)
Re:Even Blockbuster (Score:1)
Driver's License - Lobby Your State (Score:2)
Ok, this is just scary... (Score:2)
I would bet that again "cool" solutions like Microsoft Windows or Microsoft Office are involved. Or better even, an unconfigured and unsecured Linux or BSD server.
Probably will be modded troll, but anyway, it is crazy and scary at the same time.
Re:Ok, this is just scary... (Score:1)
Not a troll
"Hello? Personnel? This is Paul in accounting. We just got a memo to about a new track
Probably not "Top Secret" (Score:2)
In fact, personnel contact and identity data is normally considered to be "sensitive but unclassified", which is only one notch above "display it on a public web site" and its security receives very little attention and is not taken seriously by most managers. T
Not Quite (Score:1)
Nope! It was some god damn black hat [catb.org] cracker [catb.org].
I don't understand... (Score:2)
...why, when something goes wrong in an organization, does the head of organization get called on to resign, when 90% of the time the incident didn't have anything to do with negligence or error on their part?
Can someone please explain for me?
Re:I don't understand... (Score:1)
Re:I don't understand... (Score:2)
correct functioning of that organization?
And if the organization does not function, who should
be held most responsible?
Re:I don't understand... (Score:3, Insightful)
What I don't understand is why we don't hold people accountable more often. It clearly is a tradition that has fallen on hard times in the U.S. In Europe it seems to be more common for government heads to be "held accountable" for the organization they run.
Re:I don't understand... (Score:1)
Flunkie: "Sure."
Boss: "Have we tested recovering from them?"
Flunkie: "Uhhh
It's their job to ensure everybody under them are doing their jobs.
Terror strike team... (Score:5, Interesting)
So here would be the nightmare scenario in my eyes... Hackers get DoD information from those 26.5 million VA database and slowly poison them... While the US is straddled in Iraq militarily, some country starts kidnapping those on the NNSA's list and either killing them or torturing them for information (schematics to facilities, etc.) while all this is going on, someone strikes inside the US on such a big scale, Hiroshima looks like a mild 4th of July show.... Scary isn't it?
Re:Terror strike team... (Score:2)
"It's sickening to see a country that can supposedly defend itself and the world, can't even secure their own networks."
Sickening, I agree, but I hope it doesn't come as a surprise. The all-too-common blindness that states, 'I don't care how it works; just make it work.' is finally exacting its toll. The stupid false alternative that assumes any criticism is an attack has made it downright dangerous for anyone to disagree, and now the price of conflating 'right' with 'agrees with me' is beginning to be fe
Re:Terror strike team... (Score:1)
What you said is actually possible, but to what end? World domination? Come on now, that's just lame.
Much more likely is a telecom attack where they deliver propaganda through the media and scare everybody shitless, which would be doing G.W a big favor.
And if they ever do that, I hope they use Fox as a HQ.
Oh no! (Score:1)
Re:China Syndrome (Score:1)
Confessions of an NNSA contractor (Score:5, Informative)
Here's the actual scoop: I work as an incident response investigator for the NNSA. There are two issues being confused and placed into one. There was an incident last September; it continues on now as a series of incidents that all mesh together as being from the same source. Why haven't there been arrests and such? Because it requires the cooperation of the foreign nation in question. Last month a service center in New Mexico was broken into as part of the larger incident. This was a result of an attack using a zero-day that at the moment is still unpatchable (no patch exists).
This is what is now being reported as a result of congressional hearings that took place. The information itself was not stolen almost a year ago, but rather less than a month ago, but the incident as a whole has been going on much longer than that. Alarms went up all over the place when this occurred and everyone with a need to know was informed.
So to summarize: two related incidents, the first starting last September, and one occurring last month. The personal data was taken last month as part of the larger incident but is being reported as if the data was stolen in September, which is incorrect.
Re:Confessions of an NNSA contractor (Score:2)
"Last month a service center in new mexico was broken into as part of the larger incident. This was a result of an attack using zero-day that at the moment is still unpatchable (no patch exists)."
What are you talking about? If there's no readily available patch, then you inspect the source and assign someone to patch the flaw. Sheesh!
And what was sensitive information doing sitting on a system which is breakable via a single exploit?
Re:Confessions of an NNSA contractor (Score:2)
"You must live in a small and unrealistic/idealistic world."
I do, and my small, idealised world has been attacked, but never 0wned. Which is why I'm happy I'm here.
Bullshit (was: Confessions of an NNSA contractor) (Score:2)
An incident response investigator for the NNSA would be fired for posting something like this to Slashdot. Furthermore, they probably wouldn't take the risk, because they would be smart enough to know that it wouldn't be hard for someone familiar with the group's writings to figure out who you are, if in fact you do work for them. So expect to be fired any day now, in the unlikely event that you were not posting crap.
The solution is simple (Score:2, Funny)
New US GOV page to check if you info was stolen (Score:4, Funny)
Re:New US GOV page to check if you info was stolen (Score:1)
I'm impressed that it can be done without my bank account details now! Those other guys needed all my bank account info to check for identity theft last time (and it was lucky I checked, because it turned out that my identity had been stolen!).
Identity Theft Protection here (Score:1)
Take it easy on the guy... (Score:4, Funny)
Can you blame him?
Damnit... (Score:3, Funny)
Re:Damnit... (Score:1)
Would you like a quote of FRY'S with that?
*head bursts from pun overload*
BURN KARMA BURN! (Score:2)
To everyone who claimed I was a "paranoid" in describing the value of "privacy" over vague promises of "security":
told ya' so
Just one? (Score:2)
Demand resignation of the remaining 1499 employees on the list, and the list will become useless. Problem solved.
If you know the enemy captured the plans of your attack, change the plans.
Committee transcript (Score:2)
"You're fired. Your soooo fired!"
HAVE YOU SEEN THIS LIST?! (Score:3, Informative)
Feel Safer? (Score:2, Insightful)
Do you feel safer?
Re:Feel Safer? (Score:2)
Does that kind of hairsplitting make you feel safer, Anonymous Bush worshipper Coward?
Accountability is the Only Way Out of this Mess (Score:2)
At this point, we need a real solution, we need accountability. Just like Sarbanes-Oxley for public corporations, we need to appoint someone to be accountable for data security in the government. Every sensitive database, every record room needs a security officer who i
Barking up the wrong IP (Score:1)