One of the most sensitive science labs in the US has shut down all internet access after attackers exploited a vulnerability in Microsoft's Internet Explorer browser to steal data from some of its servers, according to published news reports. The security breach at the Oak Ridge National Laboratory is at least the second time …
solution is simple
The solution is simple. Google did it after being hacked, it's now time for ORNL and others to follow suit.
Ban Windows from any sites/networks with sensitive data
The problem is not windows. The problem is incompetent administrators.
A competent Administrator can set up windows so that it's virtually impossible to penetrate. I... look, do you really think the same people running *nix (probably allowing the users to run as root etc) would be any more secure? I mean, seriously?
bollocks, follow some ISO standards
Thats complete garbage, its down to poor user training and a crap IT dept.
Email should be scrubbed down to plain text only before appearing at the user end with no ability for them to click thru links in an email.
User machines that have Internet access should be on a discrete physical network to their main internal/dev environment and two separated email environments, one internal only and one external only.
USB etc locked down so data cant be moved between the two environments.
MAC address lock down to stop machines being physically moved between the two environments.
The OS has nothing to do with it, learn something about security before talking complete arse
Incompetence & ISO standards
Seems to me that the vulnerability targeted was on IE, therefor without Windows there would be no hoopla.
A data "in the megabytes" is still quite enough to hold thousands of personal details, if not tens of thousands.
RE: Incompetence & ISO standards
No the vulnerability was the meat sacks that clicked on the link and it always will be where the root of the problem lies. Any computer could be riddled with vulnerabilities on a corporate network and it could be relatively safe from intrusion until that one email with a dodgy link comes in, it could be sitting in the inbox for a millenia with no threat until that one human being clicks on that dodgy link or attachment.
This can be applied to any OS or hardware manufacturer, that's why most intrusions are done with social engineering tricks nowadays rather than a brute force hack as the latter will raise alarms even before they have breached the defenses.
Blaming the user?
An email arrives in your inbox.
It's from your brother.
Title is, "Plans for Mum's 60th"
There is no attachment.
The email asks you to have a look at a hotel you heard him mention before.
You google for the hotel, and look at it's website.
I hope that you read emails from people you know that are about stuff you expect from them. Sometimes even emails that have attachments. Otherwise... why do you have email?
Blaming the user is fine if no one wants to specifically attack your business. When you are a government lab targeted by professional intelligence agencies, I'm not sure it works.
"One of the most sensitive science labs in the US"
and they're using Windows and Ayeee?
I remember when the US had world-class scientists.
Have you tried locking down another browser with group policy?
I don't know what is the nature of their research
but they could have spent a little time an resources on subjects like searching for an alternate more secure OS and/or browser (hey, they are a research facility, they can afford that) or caring to look at PKI cryptography for signing/authenticating email messages. Come on, people know by now how easy is to fall for a message coming from HR department so why not cryptographically sign those messages. Six years ago I was working for a utility company in some Eastern Canadian province and they were using this stuff.
Obvious advice, spend less on MS products and instead hire competent people in the security department.
I'm not trying to say MS technology is the worst from a security point of view but what the heck, after all these high profile security incidents exploiting one or more aspects of Microsoft platforms, maybe it is worth the trouble to look for a change. Again, they are a research facility so why not?
Not safety in numbers
"I'm not trying to say MS technology is the worst from a security point of view"
Correct. MS software may (or may not) be less secure that other software, but because MS has such a market dominance in the business desktop arena, the effect of any security weaknesses are magnified many times.
Get off the train to crazytown
@A Non e-mouse "Correct. MS software may (or may not) be less secure that other software, but because MS has such a market dominance in the business desktop arena, the effect of any security weaknesses are magnified many times."
Well that would make avoiding their software in "One of the most sensitive science labs in the US..." pretty freaking obvious, wouldn't it? Especially after the first few times?
I don't agree with this old meme, but there's the logical fallacy right there.
HR Department Email
Wait, don't tell me... 2011 Recruitment plan.xls?
You'd have thought a place like that would have things seriously locked down.
Locked down like 'no internet access'.
One place I worked on a contract a few years ago gave me two logins. Fat client laptop with normal account had internet access but no secured data access and a thin client account with secured data access rights but no internet access. Thin client session set for no pass-through or data access from fat client. Secured account only let me log into thin client.
Made for an embuggerance if I needed to send secured stuff externally but apparently they'd had an incident before and had locked the systems down.
There were still compromises made but then only the terminally naive think that you can secure data to completely remove any chance of being stolen.
Valuable site uses most hacked software in history, site gets hacked.
In related news: Pope though to be Catholic.
The main "Advanced Persistent Threat" seems to be the prevalence Windows, IE, Adobe flash & acrobat these days. Will no one rid us of this scrounge?
A New Dawn for Executive Directors in the Digital Era of Virtual Arenas*
"Oak Ridge National Labs blamed the breach on an “advanced persistent threat,” a buzz term that seems to mean different things to different people."
Quite so, and methinks the term is designedly disingenuous and a smoke and mirrors ploy to deflect smart attention away from a very sophisticated virtual machine reverse social engineering root/code base floating temptations in advanced persistent treats which are only a threat to fear and loathing command and control systems..... sub-prime administrations ...... with dumb destructive weapons tech disabilities and debilitating dependencies.
Oak Ridge allows IE on-site?
Gawd/ess. And I thought the Iranian SCADA issue was bad ...
Blame is only partly ms
Stupid is as stupid does. The problem here is probably one of user education. There are always going to vulnerabilities insoftware. Blaming ms makes us feel better doesn't it but it isn't helpful; Perhaps these researchers need windows to do their job? Some archaic nuclear fission modelling software that still only runs with a particular version of visual c++.
The vuln was made public in pwn2own. The booby trap was injected into the system on April 7 a week before patch tuesday. Pretty hard-core don't you think?
They banned attachments
So the next attack will be html email then.
>Representatives didn't return emails
well, if their internet access has been completely cut off....
chinese hackers downvote posts?
No, you really really need www via Internet Explorer on Windows in a top secret laboratory, you really do, honestly!
Ok so HR receive an email they did not write. RED FLAG!
IT Rapid investigation of the email, If it's deemed to be malicious...
Risk exists that employees clicked (they will deny it)
lock-down and clean up.
Implement Proxy White-list. No other web traffic! << LOCK DOWN!
Examine logs for users.
Scan and check affected PC's
If necessary check all pc's on that network.
restore normal service.
I really have to ask.
How fucking hard is it to implement a Software Restriction Policy that at a minimum denies access to /temp and external drives!?
Is there some reason that basic users need to be able to run programs from IE/Outlook and external media? Windows can be perfectly secure, but apparently people can't be assed to implement any security other than installing a anti virus program and deciding that their network is secure.
"Representatives didn't return emails and calls seeking comment." - Oh really ?
Try again today. It says in your own article that their email is being reconnected on Wednesday.
They also may well have IP phones, which might explain your calls not being returned.
If the US can't secure their diplomatic correspondence...
...then why would we expect Oak Ridge to be capable of the same? Public key encryption has been around for years but, as usual, the cost of these incidents is less than the cost of implementing it.
Over 10% fell for the scam when it has happened before!?! Big, big fail.
Honestly? I expect State is filled with fatheads
who won't take advice from their IT Department and are so infatuated with themselves that they think they are the only ones who ever thought of stealing the other guy's diplomatic mail.
On the other hand, I expect one of our premier nuclear research facilities to be staffed by people who have purchased at least one clue in their lives.
Perfect Opportunity for Deficit Reduction
Fire the 10% who clicked and achieve a 10% budget savings while most likely lowering your productivity by a much smaller percentage as these were not the brightest of the bunch. You may even find productivity increases now that the chaff has been removed. That's one of the paradoxes of business, a lot of times adding more employees reduces production.
Stable Door - Bolted
'Representatives didn't return emails'
Um well they wouldn't would they, it's been turned off.
Seriously though, IE? What were they thinking? I don't let my 14 year old use IE because of the security holes in it. If I had a nuclear lab, I think i'd be a little stricter than that.
Two things I don't understand
1. How Microsoft can be blamed if users are taken in by a phishing e-mail.
2. How any site where security is critical is even giving house-room to microsoft.
@Two things I don't understand
Point 1 is down to the 'embed everything' attitude of MS where something like a spreadsheet is ABLE to run externals things, probably a flash object (as that is a common source of holes in getting through). And often there are dozens of ways in Windows to elevate privileges once you can run arbitrary code to do more mischief.
Point 2 is one of life's WTF? questions that is never adequately answered.
As I said, most hacked software in history. Whether a lot of that is down to its popularity is a side question, no doubt some of it it is, but it means that even for a similar situation (say hypothetically Linux and Windows had the same number of exploitable bugs) you have far more black-hat skills to deploy against MS' crock.
And yet it is chosen for a sensitive lab? FAIL
Google learned this the hard way and did something about it - changing to Macs. Not perfect (fanbois won't understand that statement) but it reduces the attack opportunities a lot.
The only advanced persistent threat at Oak Ridge ...
... is Internet Explorer.
"Representatives didn't return emails and calls seeking comment."
Of course they didn't, they were afraid you were another phising attempt.
No Internet access?
Research institutes are always 'top-secret labs' to hacks. Whilst it may very well be true that there is some highly classified research going on in some corner of the lab, the way you deal with it is to have proper controls between the classified and non-classified parts. Like a big air gap, razor wire, killer bees....
It's national research facilities like, for example, the National Supercomputer Centre (which is located there) that the Internet was made for.
Total non story
my brother works there. Nothing of any value is done on the windows boxes, which are mainly left around after vendors try and flog them to the place. It's an ubergeek paradise, with Linux and Cray devotees at every turn.
Their image processing kit is pretty fearsome though.
Certainly my experience at various research labs is ..
that Windows was used by the computer illiterate or for 'corporate ' use (HR, marketing, managers, e-mither ) the hard scientific stuff was done generally on Unix or increasingly Linux.
@Total non story
"Nothing of any value is done on the windows boxes"
Except maybe store the home addresses, social security numbers, photos, and other personal data of those who do have access to important stuff?
Not that a Chinese (for the sake of argument) agency would then consider a more traditional spy approach of, say, compromising and attempting to blackmail or convert said workers to agents, would they?
@ Anonymous coward -- Eh, the story a fabrication then?
If you're correct then, ipso facto, the El Reg story is crap.
...Lessons in formal logic for anyone?
so is this "advanced persistent threat" called
"Running windows" ?
seriously though, you can make the network as secure as you want & the users will find a way to F*** it up.
The only sure fire way to secure users involves a roll of carpet & an abandoned quarry...
It's the fault of the Management of the company, pure and simple.
TRAIN YOUR USERS.
That is the only way to secure your system from email-and-internet-borne threats.
If your users regularly do stupid things like just clicking on links and opening unrequested attachments without checking what they actually are then no security software in the world can save you.
Security software (eg antivirus) is by definition reactive. At its very best, reactive protection can only save the second victim.
Proactively teaching your users about security 'best practice' can save the first victim.
It would help, but it is NOT the whole answer. Yes you will reduce the number of attempts at penetrating the system, but it is only one aspect.
You need 'security in depth' as each layer always has *some* way of being penetrated.
As seen here, and several other places recently (Google et al, French & Canadian gov, etc) Windows/IE/Office/Flash has been a juicy orifice for entry.
I must be missing something
Why not disconnect the sensitive data from the Internet?
this isn't an IE problem. It's a Keyboard/Chair Interface Error
Folks involved in top secret "stuff" clicking random links in unsecured emails?!
Before blaming IE I'd love to know what OS and patch level they had, what antimalware they are running, what filtering at the edge they do on incoming mail... are they just picking a handy scapegoat to avoid questions about their own competance?
Physically disjoint networks, and signed email.
If this data really is that secret, it should be on a physically disconnected network.
They do train the users.
I suspect that, like pretty much every organization over 200 people I have ever worked for, they (management and IT) train the users to allow whatever random "upgrade" someone with a pocket protector pushes to them. Also to never use an alternate email client, or even disable the OutLook preview pane, and always click _immediately_ on every link from anyone "over" them in the hierarchy (which includes anyone in HR or finance, and every admin to office dwellers)...
True story: I once got an email consisting entirely of a Word(tm) document "from the CEO". Got in (mild) trouble for not reading and responding quickly. It came in the same batch of email as an offer of penis pills "from Steve Case @aol". And the MGMT Droids saw _no_reason_whatsoever that the latter was a reason not to trust the former.
Users do what they are rewarded for, and avoid what they are punished for. Sanity in the official procedures 3-ring binder is only there to avoid lawsuits, nit to be followed day-to-day.
... "most sensitive" and Internet Explorer.
if it's so "sensitive", why is IE in use in the first place?
I'll leave the Windows part alone.
- Opportunity selfie: Martian winds have given the spunky ol' rover a spring cleaning
- Spanish village called 'Kill the Jews' mulls rebranding exercise
- NASA finds first Earth-sized planet in a habitable zone around star
- New Facebook phone app allows you to stalk your mates
- Reddit users discover iOS malware threat