Just when it looked like US-China relations couldn’t get any more frosty, news has emerged that defence contractor QinetiQ suffered a massive breach of classified data over three years which may have leaked advanced military secrets to the infamous PLA-linked hacking gang Comment Crew. Bloomberg spoke to Verizon’s Terremark …
What do you expect
Nothing in this report surprises me in the slightest. At all.
Welcome to the world of corporate IT in the 21st century. Underresourced, Outsourced, Undercompetent, Outstretched and so on...
Re: What do you expect
I agree, and the only way to prevent the hacking..... Get rid of the computers and go back to pen and paper.
Re: What do you expect
They were the over-resourced, led by the corrupt and incompetent, to do the unnecessary for the blindly oblivious
or something like that.....
Doesn't surprise me either. But if anything, HB Gary were given carte blanche by their political and corporate sponsors. And yet somehow, they ended up completely pwned as they proceeded to f*k up their mission.
The Feds and Banksters would have been better off trying to recruit anonymous members directly.
Amazing how such people can even be considered for security work or counter-intel.
Team USA really needs to sharpen up its tools before engaging in cyber warfare with the likes of the PLA or the russkies, methinks. Bloody embarrassing
Government con-tractor IT
Much like every other kind of corporate IT except taxpayers pay for it and more people could end up dead as a result of the leak.
go home china drone clone
I am not shocked they are hacking the US, and if they were not trying I would be more worried!
I hope the UK is also hacking the US systems on a daily basis, the USA is not to be trusted, they break promises & agreements after they get what they want...
I don't need no steenkin' title!
Qinetiq is actually a British company formed from the sale of the old DERA to some of its bosses, though they have been buying up smaller US defence firms for a while.
The question is were all the hacks confined solely to US operations or were they company-wide?
Re: I don't need no steenkin' title!
No, the question is what was stolen.
There is a little thing called counter-espionage too.
And the answer is, apparently, everything.
QinetiQ : a study in failure.
If only it were the only one.
Tip of the Iceberg
How many companies are currently compromised and don't know it?
How many more have been compromised, but for fear of reputational and financial loss won't disclose it's happened?
Unless this involves some leak it's happened, or bragging rights by the hackers, very few of these ever come to light.
However - let them be a lesson to anyone or any corporation that taking security and data protection is a serious, time-consuming, expensive and specialised business.
Re: Tip of the Iceberg
"However - let them be a lesson to anyone or any corporation that taking security and data protection is a serious, time-consuming, expensive and specialised business."
And doomed to failure when these machines are connected to the internet. Air gapping has its limitations, but it's a damned good start, as is separate systems within the company for separate functions.
Blaming someone else for one's own lack of ability is a recipe for disaster at an increasing pace
It may very well be the actuality and reality that the West is no longer top dog in the intelligence gathering/phishing/phorming world. Get used to it ...... for whenever it be true, would an arrogant denial be even more damaging to western national and international security interests, and thus is it to be avoided at any and all cost.
Well, incompetent and corrupt maybe, but the thing about the secretary's PC made me wonder if this wasn't "just" another aspect of the self-jamming bomber radar fiasco from the 1980s, which was engineered purely from the rather extreme rules on compartmentalization that prevent people from different parts of a large project talking to each other, even the military liaisons assigned to the civilian teams.
Everyone has worked on a project in which different teams did not communicate properly. Now imagine that project if the different teams were prevented from any contact whatsoever other than the original design spec. Now add in modular scope creep and rethinks and stir until there's a loud *snap!* and the smell of frying insulation.
On getting any useful information out of qinetiq - we never managed to while working on a joint project with them.
Not that we wanted to work with them, but anybody doing any sort of high-tech defence project in the UK is 'encouraged' to partner with them. It's fantastic, all the red tape and inefficiency of Soviet era bureaucracy but you get to pay them lots of money.
In other words, it may have actually been a partner trying to expedite getting the job done.
Easiest way, hack QinetiQ.
Idiots in charge of security
I assume the idiots in charge were fired
Facebook graph search. Thousands upon thousands upon thousands of people publicly list their employment position when such position implies access to sensitive data and probably a TS-SCI clearance. It's not hard for the Chinese to friend some of these people, build minimal trust, then get them to click a link to stealthy unpatched 0-day. A fully patched OS won't matter much.
As far as how sloppy/lazy/unenforced security controls are, this video is depressing...
DEFCON 20: An Inside Look Into Defense Industrial Base (DIB) Technical Security Controls
Situation likely has not changed much either....
NIST Issues Major Revision of Core Computer Security Guide: SP 800-53 (April 30, 2013)
Things will still go unenforced and people will still be lazy.
Gang, I kind of doubt. . .
. . . .much access to classified nets was had: they're air-gapped. Now. . . . sensitive stuff being sneakernetted over to the "low" side by the vegetables-that-walk-like-men, that I can see (and DID see. . . ) all the time.
Besides, you don't NEED classified info to get the "merely" sensitive stuff. As noted by others, the state of security on the vast majority of corp nets is a sad, sad joke. ESPECIALLY when Senior Manglement DEMANDS holes in firewalls for preferred apps, admin access on their own boxes. etc. . . We don't NEED the BOFH. . . we have the lusers. . .
Re: Gang, I kind of doubt. . .
Worked in a similar government lab. There were two complete networks, one for normal, one for restricted stuff.
A few scientists and managers naturally needed access to both so their machines got two network cards (this was the 90s)
Then the purchasing system was moved to the 'restricted' net for security reasons, which meant every admin/shipping/stores PC needed a connection to both networks - the result was a super restricted network with 500 bridges to the public network
Seriously, they hired THOSE fools to deal with security? Do they not remember how incompetent they were proven to be? Do they not have Google? Did they also hire Fox, Inc. to deal with security for Henhouse & Co.?
Yeah, not surprised, just wondering why the idiots at QinetiQ who make decisions like this should be trusted with secrets more readily than the Chinese, Mossad or Al Qaeda?