Slashdot Mirror
Nuclear Agency Worker Information Hacked
Juha-Matti Laurio writes to mention a Reuters report about a fairly worrying case of identity theft. A determined hacker gained access to the U.S. National Nuclear Safety Administration's records and made off with the information for over 1,500 employees and contractors. From the article: "The incident happened last September but top Energy Department officials were not told about it until this week, prompting the chairman of the House of Representatives Energy and Commerce Committee to demand the resignation of the head of the NNSA. An NNSA spokesman was not available for comment."
Shouldn't be too hard to track down now, though. Phew!
just to get the joke out of the way
Any person using FTFY or editing my postings agrees to a US$50.00 charge
Can someone please tell me why employers need all sorts of information about contractors when they're not even technically employing them?
Oh ya, it's the government, I forgot.
Just when I'm on the verge of downloading the programs to simulate a nuclear bomb on a cluster of Playstation 2's, they booted me out and changed the password. This sucks!
I assume, and hope, that the systems broken into were completely independant from launch control.
Philosophy.
This is truly troubeling news
Of course there is the chance that we have some James Bond plot underway and that it is some of the really bad guys that have cracked their way to this information. Chances are that this is not the case, but I'll bet this information is now for sale for whoever would be willing to pay the right price.
Saudi Arabian wealthy people and others might be willing to sponsor those that should not get their hands on information of this kind.
Sure having information on workers does not directly give access to the nuclear warheads, but it brings you one step closer.
I don't understand why the articles focus on why the notification didn't get to whatever comitee fast enough. Unless I get something wrong this is a matter of national security (and since the nation in question is the US that also means worldwide safety) and then those that needs to be notified ASAP is the some military people and the president, which probably has happened.
Why aren't laws in place that REQUIRE, on a FEDERAL level people to report to the Attorney General, the company(s) involved with the theft, and the actions taken? California has something close to it, but something nation wide would be nice for the FASTEST growing crime in the US. http://www.usps.com/postalinspectors/idthft_ncpw.h tm. (source)
The excuse they used that "We thought they knew" is total crap, you'd figure when the head of NNSA says to the ED "Oh hey, we had a security breach where information on 1500 people was stolen, just so you know" Bodman would say "Woooh there, what have you done about it?" as opposed to you know, saying "Mm kay, how about them bears?" and brushing it off...
Why did it take them 9 months to be told of this?
You would think one of the Net Admins would have looked @ those logs in the last 9 months. Or something would have been found out of whack?
The NNSA is a semi-autonomous arm of the Energy Department and also guards some of the U.S. military's nuclear secrets and responds to global nuclear and radiological emergencies.
That's just great. So for 9 months someone that shouldn't has had access? Something just isn't right lately with our gov't security.
That which does not kill me only postpones the inevitable.
When a few numbers can be used to perpetrate ID fraud, we have a problem. This problem was made possible by the use of the Social Security Number as a "federal serial number." The abuse of the SSN for anything BUT Social Security accounting purposes needs not only to be "discouraged" as it presently is, it needs to be made ILLEGAL.
If you want credit, go apply to the credit agencies the way they once did and use other companies as a reference the way things used to be in the good ole days. What does getting credit or a bank account have to do with your social security account anyway? Why does supplying my social security number become a requisite for getting a bank account? In some states, your SSN is also your driver's license number.
It's "convenient" for the government and all agencies and companies interested in collecting massive pools of information on single individuals. That's kinda the problem. That's been the argument for decades since the inception of the SSN.
We'll always be vulnerable as individuals because we cannot do anything about anyone else having our information... we don't even know who has it. We're ultimately powerless until we can have the use of the SSN for anything but Social Security accounting made illegal.
Seriously, this is real "top secret" info and goverment got it loose to some God damn hacker?
I would bet that again "cool" solutions like Microsoft Windows or Microsoft Office is involved. Or better even, unconfigured and unsecured Linux or BSD server.
Propably will be modded troll, but anyway, it is crazy and scary in same time.
user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
...why, when something goes wrong in an organization, does the head of organization get called on to resign, when 90% of the time the incident didn't have anything to do with negligence or error on their part?
Can someone please explain for me?
Pirate Party UK
The NNSA is a semi-autonomous arm of the Energy Department and also guards some of the U.S. military's nuclear secrets and responds to global nuclear and radiological emergencies. So I wonder... How long will it be before someone actually utilitizes some of the information that's being stolen. We already know the military was hit for 26.5 million records, and supposedly the Chinese are ramping up their cyberoffense and defense. I'm wondering how long will it be before the ultimate "so that's what they wanted that information for" scenario comes about. It's sickening to see a country that can supposedly defend itself and the world, can't even secure their own networks. Last thing that needs to happen is this new NSA snooping database to get owned as well.
... Luckily for us Americans, the NSA is snooping the planet so never fear they will find the culprits... Unless of course they get pwned too.
So here would be the nightmare scenario in my eyes... Hackers get DoD information from those 26.5 million VA database and slowly poison them... While the US is straddled in Iraq militarily, some country starts kidnapping those on the NNSA's list and either killing them or torturing them for information (schematics to facilities, etc.) while all this is going on, someone strikes inside the US on such a big scale, Hiroshima looks like a mild 4th of July show.... Scary isn't it?
Infiltrated dot Net
"We are now entering DefCon Two."
This story reports things quite out of context, the more I find myself directly involved with things in the news, the more I realize its all bullshit.
Here's the actual scoop, I work as an incident response investigator for the NNSA. There are two issues being confused and placed into one, there was an incident last September, it continues on now as a series of incidents that all mesh together as being from the same source- why haven't there been arrests and such? because it requires the cooperation of the foreign nation in question. Last month a service center in new mexico was broken into as part of the larger incident. This was a result of an attack using zero-day that at the moment is still unpatchable (no patch exists).
This is what is now being reported as a result of congressional hearings that took place. The information itself was not stolen almost a year ago, but rather less than a month ago, but the incident as a whole has been going on much longer than that. Alarms went up all over the place when this occured and everyone with a need to know was informed.
So to summarize, two related incidents, the first starting last September, and one occuring last month. The personal data was taken last month as part of the larger incident but is being reported as the data was stolen in september, which is incorrect.
I say we take off and nuke the entire site from orbit. It's the only way to be sure.
"Oh, how I miss the days when a man's word was good for a loan at the bank, a student's teacher kept records of a students behaviour (read: their opinion of) only in their minds, clerks kept knowledge of your preferences and purchases to themselves,,,," Wow, I didnt realize 90 year old people read Slashdot. Way to be hip grandpa!
This new page is just comming online. You can check if your info was stolen. You just need to type your full name, SSN, birthdate, and address. It's really useful. US Goverment Identity Theft Agency Homepage
please excuse my apathy
Your company phone book is stamped confidential because some attacks are harder without it. Not at all impossible, but harder. Security through obscurity is lame, if you depend on it you're worse off with it than without it, but it does make sense to add a speed bump to your other security measures.
One question spy recruiters typically ask is "can you get me a list of your coworkers?".
>also guards some of the U.S. military's nuclear secrets and responds to global nuclear and radiological emergencies.
That sounds like it might include the Nuclear Emergency Support Teams, who train to search for and disarm stolen nuclear "devices". To help them with the disarming part, they deploy with PAL codes (if you haven't heard of those, the unclassified literature describes them as kind of like the root password for a "device"). I don't want the names of the team members to be easy to find. I'd like anyone who's aiming for that information to take the risk of being noticed.
The compromise sounds like it won't do direct damage, but in the wrong hands that information could be a stepping stone to something worse.
He probably just wanted to find out, once and for all, what state Homer lives in.
Can you blame him?
Lightman, you just don't learn, do you? Stop hacking the WOPR!
Circumcision is child abuse.
well,
considering that a large part of the government
went to windows 10 years ago (I know, I had family
working in government at the time and they all thought
it was a BAD IDEA because of security risks) it would
not surprise me in the least that this is precisely
how it was done.
I hate to say this, but government should have stayed with
UNIX (SVR4) or converted to BSD (OpenBSD is my favorite
for security stuff).
Still, I think it was a matter of someone paying a
talented skript-kiddie to do this job. IMHO, no
self-respecting hacker would want the trouble that
breaking into a government system would attract.
p. please mod this "informative" as that is pretty much what it is. thnx.
Understanding is much like a 3-edged-sword. in this: there are always 2 sides and the truth.
To everyone who claimed I was a "paranoid" in describing the value of "privacy" over vague promises of "security":
<font size=4> told ya' so </font>barack to the future?
Sorry, it's China who does the most executions, not the U.S.:
"China performed more than 3400 executions in 2004, amounting to more than 90% of executions worldwide." http://en.wikipedia.org/wiki/Death_penalty
The US is in third place at 1.6% of all executions, behind Iran. Maybe next time your knee jerk U.S. response will have merit.
"prompting (...) to demand the resignation of the head of the NNSA"
Demand resignation of the remaining 1499 employees on the list, and the list will become useless. Problem solved.
If you know the enemy captured the plans of your attack, change the plans.
Anagram("United States of America") == "Dine out, taste a Mac, fries"
"You're fired. Your soooo fired!"
http://www.privacyrights.org/ar/ChronDataBreaches. htm
whoa is right
Oh, they're pretty good at it in the Far West. The USA is one of the countries who carry out more executions in the world
Bit different when they've been tried first. Don't let a small technicality like that get in the way of your beliefs though!
I recently noticed that even Blockbuster lists the "SSN" as a *OPTIONAL* field on an rental application form.
WTF!?!! If it isn't required, then why even list it?
heheh,
yeah, it figures both CIA and NSA would be able to shoot that down
(they would have MOUNTAINS of evidence pointing to security flaws
in M$ Windows thus making it "unsuitable for use in a secure environment").
I am rather surprised this was allowed to happen in the NNSA and the NRC.
ah well, thats what happens when you get a $100 Billion dollar company
throwing around gobs of cash to have things their way.
Understanding is much like a 3-edged-sword. in this: there are always 2 sides and the truth.
Bruce Schnier wrote about this in the most recent Crypto-Gram. The reason is that there is tremendous lobbying pressure being applied to Congress to water down this legislation, and trump the more effective state laws in the process.
Write your Senators and Congresspersons.
If you mod me down, I shall become more powerful than you could possibly imagine.
The most likely or immediate threat would be to the personal security of the employees and contractors.
If you mod me down, I shall become more powerful than you could possibly imagine.
Some states have recently stopped using the SSN as the Driver's License number. Montana, for example. People 'round here have refused to let the state use their SSN number on the Driver's License, forcing the state to come up with a way to generate and handle another type of number. The State finally either got a clue, or gave up, either way, it was an improvement.
If you mod me down, I shall become more powerful than you could possibly imagine.
In most Federal organizations for most employees personnel contact and identity information is not "top secret". For this particular information, perhaps a small number of employees might fall into that category, but the bulk undoubtedly do not.
In fact, personnel contact and identity data is normally considered to be "sensitive but unclassified", which is only one notch above "display it on a public web site" and its security receives very little attention and is not taken seriously by most managers. This might be only my opinion, but it is an opinion backed up by a fair bit of unfortunate circumstantial information in the past few weeks, as well as a history of trying to get customers to take it more seriously.
If you mod me down, I shall become more powerful than you could possibly imagine.
The Department of Homeland Security is busy spying on every American's phonecalls and email. The Republican government is furiously working to fail to pass Homophobia Amendments to the Constitution. Meanwhile, our nuclear workers can now be blackmailed on an unprecedented scale.
Do you feel safer?
--
make install -not war
Bullshit.
An incident response investigator for the NNSA would be fired for posting something like this to Slashdot. Furthermore, they probably wouldn't take the risk, because they would be smart enough to know that it wouldn't be hard for someone familiar with the group's writings to figure out who you are, if in fact you do work for them. So expect to be fired any day now, in the unlikely event that you were not posting crap.
If you mod me down, I shall become more powerful than you could possibly imagine.
*NIX isn't any safer than Windows! I've worked in net and OS security for years and I've found that neither one is any safer than the other. The safest route would be completely create your own OS from scratch and then kill all the developers to prevent the source code and internals of the OS from ever leaking. Hackers will still go after it but it will be far much more difficult when they have to learn from scratch and with no knowledge of the OSes internal structure.
Security through obscurity is no better than having no security at all.
That's not the worst of it. The United States is the only country other than Nigeria to execute minors.
Time makes more converts than reason
Nope! It was some god damn black hat cracker.
Have you driven a fnord... lately?
You must wait a little bit before using this resource; please try again later.
So, we've suffered through the start of some real trouble. The US government doesn't really get data security issues, we've lost information on millions of veterans, and now someone compromised information about the nations nuclear workers.
At this point, we need a real solution, we need accountability. Just like Sarbanes-Oxley for public corpoations, we need to appoint someone to be accountable for data security in the government. Every sensitive database, every record room needs a security officer who is ultimately responsible for data security. We need an office of information security, just like we have an office of management and budget, and we need to make data security negligence a criminal offense.
Call your representative, ask them to make data security a priority.
------ Tim O'Brien
I beg to differ.
at least with *NIX, you have ACL's and some of "features"
that windows does not. also when was the last time you ever
heard of a *NIX system taking down a significant chunk of
a shipwide lan and shutting down the propulsion systems
such that a tow was required (this actually happened with
windows NT).
with a properly programmed *NIX system, such values would
have been kicked back with "invalid entry, try again!".
Understanding is much like a 3-edged-sword. in this: there are always 2 sides and the truth.
According to this the Supreme Court ruled that the execution of persons who committed their crimes while under the age of 18 was unconstitutional. That it was a violation of the 'cruel and unusual punishment' clause of the 8th amendment. Also according to the same article; China, Iran, and Pakistan also execute minors. We weren't THAT lonely on that list...
No wonder the stuff got nicked, the NSA is too busy creating a database from peoples blog websites, never mind protecting their own things. wow, first post, and it's something Anti-pentagon. looks like I'll be carted off to guantanamo soon.