"might be cause for celebration".

Really? 1% of their employees being morons, is good news? I hadn't realised that one in a hundred internet users generally still fall for phishing emails.

Doesn't Oak Ridge use spam filters?

Their problem is obvious

"security provider McAfee"

Need I say more?

No internal security lessons??

You'd think Los Alamos and Oak Ridge would be on top of beating into their idiot employees to NOT open emails with attachments from unknowns. Personally, they should do what happens at our office if a malicious email is opened. One to three days on suspension for the first time.

Sheesh, what a bunch of maroons.

Fantastic - Twice in Just a Few Months

First I get a letter from USA Jobs telling me that my personal info has been compromised, and now it's ORNL!!!! I visit their Computer Science and Mathematics facility on a regular basis. I guess they've given my data away too. The best part is that SSN verification is part of every visit so now either the commies or Nigerians have my SSN. Wonderful.

God, you know this really pisses me off. I just attended an seminar there discussing their internal network security and how great it is. Damn'it! This is disgusting. Homeland Security indeed.

Gary McKinnon, now this.

You'd think the highly classified bunch would wise up and switch all their computers to Linux (you know, like several countries' governments are starting to). The employees that would normally open such an email might raise their IQ a few points because of Linux, too.

Perhaps the red level has some sensitive information on aliens, in which case I hope the attackers are successful in getting at it, so long as they make it public. =P

A friend works in IT for a defense contractor.

One of the problems is that a lot of the people using these networks in the course of their work day are experts in their own little field, but are of the opinion that their expertise extends to all of existence and beyond. As such, they are resistant to and tend to ignore common-sense IT rules, because...well...they are them and they are really far too important. Besides, they know what they are doing. They are eckspurts.

Needless to say, The Defense Department has a huge and expensive security initiative going on right now and the colones and yes, even the generals are starting to growl and gnaw people's heads off, where appropriate.

They are starting to roll out standardized desktop images and that is really starting to get up noses, because the users no longer have their admin rights on their machine. They want to install what they want, when they want it, damn the security concerns.

All in all, it sounds like too much fun for me.

Oh, and Linux in these situations? Rare, except for some HPC's running RedHat and only RedHat. Other than that, it's Microsoft all the way. In fact, they have been upgrading to Exchange 2007. Hours of fun for the whole family, that.

'sophisticated'?

"made approximately 1,100 attempts to steal data with a very sophisticated strategy that involved sending staff a total of seven 'phishing' emails, all of which at first glance appeared legitimate,"

Yeah? -- like spam from a machine in the office with 'click here to see Paris in action'.

"Hey, I can't see anything, I'll click again a few times'.

old news

old news the defence and bank computer systems have been hacked at since the birth of the internet !

It's not the OS

There's simply no justification for all of this. It's certainly not the fault of the OS or AV or security software not doing it's job. This lies squarely on the shoulders of the idiots who fall for BS. Any email that supposedly contains company driven information, especially important information, should be dealt with with kid gloves. I mean, come on, if it's that important, why would a company take the chance that the email would be opened, let alone successfully delivered? Company oriented email should always be verified or better yet, not sent at all. Duh, the boss sent me something and his office is just down the hall. How stupid is that? And on the chance that email is a priority for certain aspects of the job, make sure all employees know that attachments are strictly forbidden. This isn't *ahem*... rocket science.

Spear phishing

They must be after something in particular it's not too hard once you know who to set up a honeypot for them complete with plausible disinformation for them to see. A little less talk and a bit more action might reasonably expected from scientists.

RE: Real security

"Networks handling highly sensitive data should be separated by an air gap from any network connected to the Internet."

I wouldn't say that as you bet now they will use wireless systems so they have an 'air' gap but still have linked to the internet lol

Department of Moron Security

It's pretty obvious they were using Outlook or some IE-based email reader. It's mind-bogglingly ridiculous that the government hasn't installed a *nix OS... one that protects itself from moronic and malevolent users. I thought we'd learn after losing billions in data and productivity in corporate America.

Good grief, I can open any email message without worry, simply because I'm not using Windows. And, I don't care how much it's "patched" or what services are disabled. Continual patches means someone is using/researching exploits before MS can respond.

Unless the government uses a transparent, explicitly customizable open operating system, or creates one themselves, a Windows node on a sensitive network is completely insane. I'm blown away when I see those duds at the government bureaus (e.g., US customs agency, dept. of motor vehicle, etc.).

It seems Bushie's own computer would need to be compromised before anyone gets how serious this has become. (I can imagine the hook that ultimately phishes him: "Osama's hideout seen on Google maps!")

@ anonymous john

"the low .1 percent response" is 0.1%... 1:1000, not 1:100

Your computer has just been infected with Man.ual-Infect.ion-A

Please open "cmd", type "format c:/u/s" and reboot your machine.

it happens.

So.. 7 emails constitutes a coordinated attack? Is it too far beyond the realms of chaos to say that the pattern is more likely to be attributed to the increasing rate of phishing scams than it is to anyone's particular desire to view government websites. Keep in mind, Los Alamos puts a stupendous amount of data up for the public to view. Chances are, most of those "1,100" attempts were just google search result of pages that shouldn't have been cached that looked interesting.

The frightening part is not that someone phished national labs, but that the contingency wasn't anticipated, let alone expected on such a giant widely used and viewed webserver and mail server.

Can't see the Forest for the Trees

Sounds like all highly intelligent people to me - so smart for their own good. High on brainpower, low on common sense. Or, as we used to say of a friend of mine, "Not only is she blind, but she can't see either." So focused on what they are doing, they don't stop to think about anything else. Security on the computer is someone else's job.

It's either China, or the latest CIT class in India trying to earn their graduate credits by finding a way into government databases.