Nuclear Agency Worker Information Hacked
Juha-Matti Laurio writes to mention a Reuters report about a fairly worrying case of identity theft. A determined hacker gained access to the U.S. National Nuclear Safety Administration's records and made off with the information for over 1,500 employees and contractors. From the article: "The incident happened last September but top Energy Department officials were not told about it until this week, prompting the chairman of the House of Representatives Energy and Commerce Committee to demand the resignation of the head of the NNSA. An NNSA spokesman was not available for comment."
Shouldn't be too hard to track down now, though. Phew!
just to get the joke out of the way
Any person using FTFY or editing my postings agrees to a US$50.00 charge
What kind of systems were involved? Specifically, what operating system(s) were they running? Is this just a typical case of a Windows-based server being compromised? Or does it involve a Linux or Solaris server that was in some way vulnerable to attack?
Can someone please tell me why employers need all sorts of information about contractors when they're not even technically employing them?
Oh ya, it's the government, I forgot.
Just when I'm on the verge of downloading the programs to simulate a nuclear bomb on a cluster of Playstation 2's, they booted me out and changed the password. This sucks!
I assume, and hope, that the systems broken into were completely independent from launch control.
Philosophy.
Sorry, I forgot. They do that in the Middle East.
---- Teach Peace. It's Cheaper Than War.
This is truly troubling news
Of course there is the chance that we have some James Bond plot underway and that it is some of the really bad guys that have cracked their way to this information. Chances are that this is not the case, but I'll bet this information is now for sale for whoever would be willing to pay the right price.
Saudi Arabian wealthy people and others might be willing to sponsor those that should not get their hands on information of this kind.
Sure having information on workers does not directly give access to the nuclear warheads, but it brings you one step closer.
I don't understand why the articles focus on why the notification didn't get to whatever committee fast enough. Unless I get something wrong, this is a matter of national security (and since the nation in question is the US that also means worldwide safety), and then those that need to be notified ASAP are some military people and the president, which probably has happened.
Why aren't laws in place that REQUIRE, on a FEDERAL level, people to report to the Attorney General, the company(s) involved with the theft, and the actions taken? California has something close to it, but something nationwide would be nice for the FASTEST growing crime in the US. http://www.usps.com/postalinspectors/idthft_ncpw.htm (source)
The excuse they used that "We thought they knew" is total crap, you'd figure when the head of NNSA says to the ED "Oh hey, we had a security breach where information on 1500 people was stolen, just so you know" Bodman would say "Woooh there, what have you done about it?" as opposed to you know, saying "Mm kay, how about them bears?" and brushing it off...
Why did it take them 9 months to be told of this?
You would think one of the Net Admins would have looked @ those logs in the last 9 months. Or something would have been found out of whack?
The NNSA is a semi-autonomous arm of the Energy Department and also guards some of the U.S. military's nuclear secrets and responds to global nuclear and radiological emergencies.
That's just great. So for 9 months someone that shouldn't has had access? Something just isn't right lately with our gov't security.
That which does not kill me only postpones the inevitable.
When a few numbers can be used to perpetrate ID fraud, we have a problem. This problem was made possible by the use of the Social Security Number as a "federal serial number." The abuse of the SSN for anything BUT Social Security accounting purposes needs not only to be "discouraged" as it presently is, it needs to be made ILLEGAL.
If you want credit, go apply to the credit agencies the way they once did and use other companies as a reference the way things used to be in the good ole days. What does getting credit or a bank account have to do with your social security account anyway? Why does supplying my social security number become a requisite for getting a bank account? In some states, your SSN is also your driver's license number.
It's "convenient" for the government and all agencies and companies interested in collecting massive pools of information on single individuals. That's kinda the problem. That's been the argument for decades since the inception of the SSN.
We'll always be vulnerable as individuals because we cannot do anything about anyone else having our information... we don't even know who has it. We're ultimately powerless until we can have the use of the SSN for anything but Social Security accounting made illegal.
Seriously, this is real "top secret" info and the government got it loose to some God damn hacker?
I would bet that again "cool" solutions like Microsoft Windows or Microsoft Office is involved. Or better even, unconfigured and unsecured Linux or BSD server.
Probably will be modded troll, but anyway, it is crazy and scary at the same time.
user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
...why, when something goes wrong in an organization, does the head of organization get called on to resign, when 90% of the time the incident didn't have anything to do with negligence or error on their part?
Can someone please explain for me?
Pirate Party UK
The NNSA is a semi-autonomous arm of the Energy Department and also guards some of the U.S. military's nuclear secrets and responds to global nuclear and radiological emergencies. So I wonder... How long will it be before someone actually utilizes some of the information that's being stolen? We already know the military was hit for 26.5 million records, and supposedly the Chinese are ramping up their cyberoffense and defense. I'm wondering how long it will be before the ultimate "so that's what they wanted that information for" scenario comes about. It's sickening to see a country that can supposedly defend itself and the world can't even secure its own networks. The last thing that needs to happen is for this new NSA snooping database to get owned as well.
... Luckily for us Americans, the NSA is snooping the planet so never fear they will find the culprits... Unless of course they get pwned too.
So here would be the nightmare scenario in my eyes... Hackers get DoD information from those 26.5 million VA database and slowly poison them... While the US is straddled in Iraq militarily, some country starts kidnapping those on the NNSA's list and either killing them or torturing them for information (schematics to facilities, etc.) while all this is going on, someone strikes inside the US on such a big scale, Hiroshima looks like a mild 4th of July show.... Scary isn't it?
Infiltrated dot Net
"We are now entering DefCon Two."
"Want to play a game?"
Knowing Google's lust for data collection, the Soviet Union is still alive and well inside the psyche of Sergey Brin....
Cue old "safe server" jokes...
Who is running the pool on just when critical mass will be achieved on identity theft and other privacy information related problems will be reached and the meltdown occur? Oh, nvm, you won't be able to collect or even pay the winner, even if you took all your money out of the bank you would just find yourself breaking federal law and having it taken by the DEA or Treasury Department.
Honestly, most of us here make our money with computer systems, but we are building a house of cards, albeit not with our complete approval. A more apt description might be a glass house, perhaps contrary to old proverbs we need to throw some stones.
Oh, how I miss the days when a man's word was good for a loan at the bank, a student's teacher kept records of a student's behaviour (read: their opinion of) only in their minds, clerks kept knowledge of your preferences and purchases to themselves...
*note to grammar nazis: instead of attacking the above please either use your blessed skills with the English language to: if you agree with what I've said - rewrite it in a more lucid and convincing fashion... if you disagree with it then use your skills to convince myself and other readers that I am wrong. If it makes no sense to you then don't waste your time, AC posted and will languish at 0 if it is that bad or drop to -1.
P.S. Department of Energy = nuclear power plants, U.S. National Nuclear Safety Administration is under them, not the Department of Defense = nuclear missiles etc.
This story reports things quite out of context; the more I find myself directly involved with things in the news, the more I realize it's all bullshit.
Here's the actual scoop. I work as an incident response investigator for the NNSA. There are two issues being confused and placed into one: there was an incident last September, and it continues on now as a series of incidents that all mesh together as being from the same source. Why haven't there been arrests and such? Because it requires the cooperation of the foreign nation in question. Last month a service center in New Mexico was broken into as part of the larger incident. This was a result of an attack using a zero-day that at the moment is still unpatchable (no patch exists).
This is what is now being reported as a result of congressional hearings that took place. The information itself was not stolen almost a year ago, but rather less than a month ago, but the incident as a whole has been going on much longer than that. Alarms went up all over the place when this occurred and everyone with a need to know was informed.
So to summarize: two related incidents, the first starting last September, and one occurring last month. The personal data was taken last month as part of the larger incident but is being reported as if the data was stolen in September, which is incorrect.
Identity theft is so rampant in the US that I believe the way they handle transactions should be changed; however, changing the current system doesn't guarantee security, especially when people within the said organization body have a mole that will duplicate the form of identity (fake IDs). If man made a thing, man can replicate the thing. Thank goodness that in some countries, where I'm at at the moment, they don't rely fully on verbal confirmation but rather a combination of three methods: verbal, actual, and paperwork. Perhaps because the US is too big now to handle, having these additional security measures makes productivity worsen and loses the security.
I say we take off and nuke the entire site from orbit. It's the only way to be sure.
...one power plant worker's reaction upon hearing the news.
This new page is just coming online. You can check if your info was stolen. You just need to type your full name, SSN, birthdate, and address. It's really useful. US Government Identity Theft Agency Homepage
please excuse my apathy
First the Veterans now this. They can fight back by getting identity shield protection. If anyone uses their credit, the money is returned and the credit level returns to its previous state. Anyone who's worried about identity theft and wants protection should check out this website
God spoke to me.
Your company phone book is stamped confidential because some attacks are harder without it. Not at all impossible, but harder. Security through obscurity is lame, if you depend on it you're worse off with it than without it, but it does make sense to add a speed bump to your other security measures.
One question spy recruiters typically ask is "can you get me a list of your coworkers?".
>also guards some of the U.S. military's nuclear secrets and responds to global nuclear and radiological emergencies.
That sounds like it might include the Nuclear Emergency Support Teams, who train to search for and disarm stolen nuclear "devices". To help them with the disarming part, they deploy with PAL codes (if you haven't heard of those, the unclassified literature describes them as kind of like the root password for a "device"). I don't want the names of the team members to be easy to find. I'd like anyone who's aiming for that information to take the risk of being noticed.
The compromise sounds like it won't do direct damage, but in the wrong hands that information could be a stepping stone to something worse.
He probably just wanted to find out, once and for all, what state Homer lives in.
Can you blame him?
Lightman, you just don't learn, do you? Stop hacking the WOPR!
Circumcision is child abuse.
To everyone who claimed I was a "paranoid" in describing the value of "privacy" over vague promises of "security":
told ya' so
barack to the future?
"prompting (...) to demand the resignation of the head of the NNSA"
Demand resignation of the remaining 1499 employees on the list, and the list will become useless. Problem solved.
If you know the enemy captured the plans of your attack, change the plans.
Anagram("United States of America") == "Dine out, taste a Mac, fries"
"You're fired. Your soooo fired!"
http://www.privacyrights.org/ar/ChronDataBreaches.htm
whoa is right
Think about it. That information was not stolen to make illegal credit card purchases; that's really small potatoes and not even close to necessary. Breaking into such a server is a very serious breach, full of ramifications. Nukes are the big kahuna now. These people are the bomb makers. Now someone knows who to go to to get some secret information, using any means necessary, or to set up a little on-purpose monkey wrenching to get something sabotaged, but my guess is to try and get intel. The people who broke in knew full well what agency and server they were on; they needed and wanted the list of people, and now they've got it. That is the important information, not necessarily their SSNs. All they wanted was names; they can take it from there. Every one of those people is now at serious risk, and not just losing-a-few-dollars type of risk.
I recently noticed that even Blockbuster lists the "SSN" as an *OPTIONAL* field on a rental application form.
WTF!?!! If it isn't required, then why even list it?
Bruce Schneier wrote about this in the most recent Crypto-Gram. The reason is that there is tremendous lobbying pressure being applied to Congress to water down this legislation, and trump the more effective state laws in the process.
Write your Senators and Congresspersons.
If you mod me down, I shall become more powerful than you could possibly imagine.
The most likely or immediate threat would be to the personal security of the employees and contractors.
Some states have recently stopped using the SSN as the Driver's License number. Montana, for example. People 'round here have refused to let the state use their SSN number on the Driver's License, forcing the state to come up with a way to generate and handle another type of number. The State finally either got a clue, or gave up, either way, it was an improvement.
In most Federal organizations for most employees personnel contact and identity information is not "top secret". For this particular information, perhaps a small number of employees might fall into that category, but the bulk undoubtedly do not.
In fact, personnel contact and identity data is normally considered to be "sensitive but unclassified", which is only one notch above "display it on a public web site" and its security receives very little attention and is not taken seriously by most managers. This might be only my opinion, but it is an opinion backed up by a fair bit of unfortunate circumstantial information in the past few weeks, as well as a history of trying to get customers to take it more seriously.
The Department of Homeland Security is busy spying on every American's phone calls and email. The Republican government is furiously working to fail to pass Homophobia Amendments to the Constitution. Meanwhile, our nuclear workers can now be blackmailed on an unprecedented scale.
Do you feel safer?
--
make install -not war
Bullshit.
An incident response investigator for the NNSA would be fired for posting something like this to Slashdot. Furthermore, they probably wouldn't take the risk, because they would be smart enough to know that it wouldn't be hard for someone familiar with the group's writings to figure out who you are, if in fact you do work for them. So expect to be fired any day now, in the unlikely event that you were not posting crap.
Nope! It was some god damn black hat cracker.
Have you driven a fnord... lately?
So, we've suffered through the start of some real trouble. The US government doesn't really get data security issues; we've lost information on millions of veterans, and now someone has compromised information about the nation's nuclear workers.
At this point, we need a real solution; we need accountability. Just like Sarbanes-Oxley for public corporations, we need to appoint someone to be accountable for data security in the government. Every sensitive database, every record room needs a security officer who is ultimately responsible for data security. We need an office of information security, just like we have an office of management and budget, and we need to make data security negligence a criminal offense.
Call your representative, ask them to make data security a priority.
------ Tim O'Brien
No wonder the stuff got nicked; the NSA is too busy creating a database from people's blog websites, never mind protecting their own things. Wow, first post, and it's something anti-Pentagon. Looks like I'll be carted off to Guantanamo soon.