Fresh Security Breaches At Los Alamos
WrongSizeGlass writes "MSNBC is carrying Newsweek reporting on two new security breaches at Los Alamos. Both of these latest incidents were 'human error' on the part of employees. In one, an e-mail containing classified material was sent over the open Internet rather than through the secure defense network. In the other incident, an employee took his lab laptop on vacation to Ireland, where it was stolen out of his hotel room. The machine reportedly contained government documents of a sensitive nature."
It's worth noting in this example that if the laptop had been allowed to travel to Ireland with the employee with the proper approvals, as the article indicates, the material on the laptop was not classified, but rather deemed "sensitive". There are several classes of such sensitive but unclassified information. In the email instance, anyone can at any time send classified information over an unclassified network. It is up to the user to not do this. Granted, there are various technical and other procedures that can help prevent this, but it can never be completely avoided. These incidents seem rather tame, but since Los Alamos is under the microscope, every such incident will be greatly scrutinized - and sometimes blown out of proportion.
In the information security profession, several classes of threats to security, including physical security, are enumerated. However, the most significant threat of all, and one that can subvert even the best-laid plans for security, is the threat from human action. This threat is unavoidable, as humans are necessarily an integral component of any operation an organization may wish to secure.
The human threat can take the form of threats internal to an organization, and each of those threats can be intentional or accidental. Because of the access an internal person may have to sensitive areas or information, the threat from the actions of an internal person is often rightfully considered the most severe. An internal person may also unwittingly act in concert with an external person who is a threat to the organization as well.
A recent example of such a failure of physical security occurred when a 31-year-old man attempted to enter the United States from Canada at the border crossing in Champlain, NY, on May 24, 2007. Upon presenting identification, the Customs and Border Protection agent handling the man's entry received a computer alert. The alert warned that agents should immediately don protective clothing and detain the individual, notifying the originating authority.
The next steps seem obvious: the man is detained, and border agents run the message up the notification chain, CDC eventually learns that the man in question has been located, and appropriate action is taken. The system works.
What happens instead is that the man is allowed to enter the United States with no further questions, and is at the border crossing for a total of less than two minutes. The agent later says he thought the warning was discretionary, that the man "seemed fine", and therefore let him proceed. Every part of the system worked: the CDC was able to properly place the man on appropriate watchlists, his passport was properly flagged upon entry, and relevant information was presented to the processing agent.
Every part, that is, except the human part.
The man in question is Andrew Speaker, an Atlanta lawyer who traveled with his fiancée to Europe for his wedding and honeymoon. While in Europe, he learned that further testing revealed he was infected with Extensively Drug Resistant Tuberculosis, or XDR TB, a form of tuberculosis resistant to a wide variety of antibiotics and treatments, and which can have a 70% mortality rate. The CDC and health authorities did all they could to restrict his further travel, and thus protect the public at large. Speaker sidestepped No-Fly and other watchlists by flying to Prague, then to Montreal, and then driving to the United States.
The Department of Homeland Security has placed the agent, whom it has not identified, on leave while it reviews the incident, and related processes and policies. When a human charged with the ultimate protective responsibility errs, no amount of technology can solve that problem. What if this had been a man identified as on the way to the United States to intentionally spread an infectious agent? The frustrating element here is that all of the underlying information and identification systems were working - which is itself encouraging - but the individual
Viewing the page on firefox displays the printer dialog.
I gather this is a side effect of people's obsession with removing adverts.
I would rather find the link myself than have things popup and interfere with my surfing.
liqbase
In one, an e-mail containing classified material was sent over the open Internet rather than through the secure defense network.
So he sent one mail and it was intercepted? Damn, this puts the "insecurity" of email communication in an entire new light.
It is a real indictment of the current system that this can still happen in this day and age. After all, Mission Impossible had the whole problem of off-site IT equipment solved decades ago with simple self-destruct technology.
ccalam - acoustic versions of new songs.
The machine reportedly contained government documents of a sensitive nature.
I for one am sick of hearing about the military's sensitive nature. What was the document containing, poems about the war in Iraq or something?
We all know 90% of those documents have no reason to be hidden from anyone, except to hide the abuse and money laundering that's going on at furious speeds over there.
In the UK, a large number of intelligence protection failures have occurred basically because of the perceived status of the perpetrators (the best known cases being Philby, Blunt, MacLean and Burgess, all of whom were fairly upper class members of the Intelligence services). In his fictional books based on composites of the Philby-Burgess case (A Perfect Spy and Tinker, Tailor, Soldier, Spy), John le Carré (who was in a position to know) suggested that the Intelligence services suspected or half knew that they had traitors in their midst all along, but were inhibited from acting against fellow members of the upper classes and their own community.
It would be very interesting indeed to know how far this culture extends into research establishments. It would be expected to be quite pervasive because of the esprit de corps among any professional group.
Of course, perhaps the real answer is that scientists and engineers, by their nature, are the worst people to be allowed to work on secret weapons systems because it contravenes their tendency to want to cooperate, share knowledge and see their own work published. Let's replace them all with Fortune 500 CEOs. That should result in a real peace dividend.
Pining for the fjords
So a laptop was stolen once. But there have likely been a whole lot more security breaches that no one (including execs) has heard of because the laptops weren't lost. The information has still been available to way too many individuals.
I'd think, like virtually every other email system in the world, that users would have their MUA configured to send outbound email via a single mail server, where all further routing is under administrative control. Do they allow connections to that server from outside?
I could understand the issue if it was someone sending to an external, insecure email address. But the summary, article, and now you all say the problem is with which network the email was routed over. The other possibility is they were off-site and didn't have a secure VPN connection running - but why would a secure system not force SSL email connections? Or is sending even over VPN/SSL not considered secure?
It's just not clear how the user has the control implied here.
(or is it that they're allowed to have personal email accounts on their machines, and that's where the email was sent from?)
"National Security is the chief cause of national insecurity." - Celine's First Law
TFA mentions the missing laptop was equipped with an encryption card (highlighting the loss of the card versus noting its function). It doesn't mention whether the "sensitive" data on the device was protected with encryption. Likewise, there's no mention about the stray e-mail either. Someone who routinely works with classified data will usually be a routine user of encryption tools to protect communications.
Fact is that Los Alamos is a juicy media target and they will conveniently omit details like that to sell headlines.
Or the violators were pointy-haired managers that thought that high tech encryption stuff was only for the gearheads in the white coats.
Why would anyone in their right mind take their work laptop on vacation, especially overseas? Then again, this is America, a live-to-work society.
Even though I work in Corporate America, when I go on vacation, I want nothing to do with work during that time even though executive management gets upset that I don't want to be available for work related items such as calls in my absence.
I do take a laptop with me on vacation but it is for personal use such as personal e-mail, process digital pics, surf the web such as getting insight on a vacation spot.
Hi Hon,
I'm going to be late home from the lab tonite so have dinner without me, we are just putting the finishing touches to the doomsday device so we can test it tomorrow.
Love you
xxxxxx
Do not try to read the dupe, that's impossible. Instead, only try to realize the truth.
What truth?
There is no dupe
wtf
After reading TFA I'm still a bit confused about how the email got off the SIPRNET (secure DoD network for classified material) and onto the NIPRNET (regular unclassified DoD network that is connected to the internet).
SIPRNET computers don't have internet access - or access to any other network. It appears to me someone would have to have taken the data out of the vault and composed it on an unclassified PC to send it anywhere off the secured network.
we see things not as as they are, but as we are.
-- anais nin
That quite a few senators and representatives, in this time of tighter money, see the Los Alamos budget as a juicy target. The more they can keep Los Alamos in the news and hold it up as "incompetent" to handle security, the better chance they have of yanking funding and redirecting it to whatever their pet projects are in their own states. Not that it matters what Los Alamos does to enhance the Nation's security - little things like the chem/bio sensors used at the Salt Lake City Olympics, inventing a lot of the new DNA techniques, work on alternative energy, fighting terror in many ways, and yes, even making sure that the USA has reliable nuclear weapons. Check their web page. They do a lot for the country.
But by yanking funding and threatening to "close the place down", those senators and representatives are risking a valuable National resource. It's their choice I suppose. But I don't think this continued beating down is very productive.
Los Alamos has name recognition. It makes great headlines every time anyone even takes a dump out there.
http://www.truecrypt.org/
People should be fired/prosecuted for negligence these days.
"Each user will be assigned a login ID and password for the Windows NT system"
.. Any files downloaded to floppy or printed must be entered into the Automated Security Control Program (ASCP) by Document Control personnel"
"The SIPRNET workstation may be used to download files from the SIPRNET. Anti-virus software has been installed and runs as a TSR program"
davecb5620@gmail.com
It seems to me that just as serious as how the email is being routed, perhaps more so, is how classified material got on the unclassified workstation in the first place (you mentioned one possibility), and why is that not also being reported as a violation. (i.e. why focus on the email aspect, that's just a result - the root cause is classified info being placed where it shouldn't be)
Is it a gross simplification to state that using encryption would have rendered both mistakes harmless?
Is it really so hard for IT departments to set up PGP or one of its clones? Same goes for disk encryption. I have argued with people up and down who claim this is too hard to deploy, but I say that something is better than nothing, even if it's nothing more than checking "encrypted folder" on your NT system.
These tools have gotten so easy to use these days and while I understand this is largely a social and policy problem, there is plenty of low-hanging fruit that can help mitigate the damage.
Why bother.
You'd think that Los Alamos would become a safer (pun intended) place for sensitive materials after Feynman left.
I'm more interested to know who's got it in for Los Alamos.
Of all the people employed by the government in this line of work, there's got to be many, many more cases just like this out there. How is it possible that this *one* government funded R&D facility has security problems that boil down to human error rather than process?
I have a feeling the others have the same issues, except this one is someone's punching bag. That someone is powerful enough to get the gears of government working against Los Alamos. Maybe there are too many Democrats in New Mexico?
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
...In the email instance, anyone can at any time send classified information over an unclassified network. It is up to the user to not do this. Granted, there are various technical and other procedures that can help prevent this, but it can never be completely avoided. These incidents seem rather tame, but since Los Alamos is under the microscope, every such incident will be greatly scrutinized - and sometimes blown out of proportion.
It's not possible to inadvertently email classified information off the DoD classified network - the classified network isn't connected to the internet for this reason ;-)
The user would have had to move the data off the secure network to send it over the internet.
In such cases of negligence, where an employee "loses" custody of important data, their boss should be the one who gets fired / prosecuted / jailed. Only then will the people who are in charge of running the show get truly serious about enforcing strict and proper measures regarding the security of sensitive data.
Nerd-looking guy: damn, I can't seem to break the security. Stupid boss: you have 3 min. Nerd: I need a pen to bite... thanks... awesome... ***password accepted***. And the password is 'ithoughtiwasafuckingspy'.
It's an axiom in security that if someone has physical access to the hardware they can do what they like.
Given the ease of use and portability of a modern laptop you may as well just post a copy of the data to anyone who might be interested.
Stolen laptops are actually the lowest risk area, given that most laptop thieves are after the shiny hardware and it's so rare to come across data with any resale value that they probably don't even look. A far greater risk for a high security installation like Los Alamos is someone borrowing a laptop for long enough to install some worm/trojan/keylogging software which the dedicated scientist can then physically carry through all those firewalls back into the lab.
Any sane security professional would just plain ban them from a setup with the security requirements of Los Alamos.
The best solution would be to have all hardware in a locked server room and only access them via "dumb" terminal servers. Plus a private network with no physical connection to the outside world.
Old COBOL programmers never die. They just code in C.
Somebody grabs the wrong keyboard, types their email, sends it... oops.
Somebody confuses the government's classified project code word with the company's unclassified project name... oops.
We could make a 'great' start by putting Halliburton on the list.
I would be worried that they might outsource the research to China though. That might cause a bit of a problem security wise.
The email thing happens occasionally at my office. Sometimes, there are certain numbers that are classified in a particular context, but the other information is not. For instance, someone who is working on a new type of laser may be able to talk about the laser (the knowledge of the technology is unclassified), as long as they don't disclose certain properties of it (for instance, its specific power and waveband may be classified).
I frequently see situations where a particular classified value could be derived from 3 other values. Typically, only one or two of those three values will be classified. If you work a lot with those numbers, it can be easy to forget which one is the classified value and drop it in an email to a coworker to clarify information. That would be a security violation.
Another example is resolution of data. In the past, I have seen that certain data is classified only if specified to a certain number of significant digits (usually >1). Or, certain dates may be classified, but the month of the event is unclassified. Or specifying any more accurately than the Quarter may be classified.
Not to mention you can be told a classified number and the person forgets to tell you it's classified. This happened recently. The guy who heard it dropped the number in an email and got a security violation. You can see how uncertainty of classifications can sneak into people's heads.
... but it's not just the end user. In my role I look at my IT team just as much as the end user, as they're just as human. There's nothing more hilarious to me than "secure" DoD operations with dual workstations (for confidential vs. connected to the public Internet and therefore general use) that are all locked down but then don't prevent something as silly as unplugging a USB printer to then use a thumb drive. There's always technology or room for innovation to prevent such human errors via checks & balances systems. In this case, how did that file make it onto an unsecured network since it's so easy to prevent through file-tagging technologies and a number of other almost foolproof methods? Even if not "classified" and only deemed "sensitive", why the hell was it on a laptop, period? Simple: if it's sensitive and we don't want just anyone seeing it, then don't let some idiot take it on a laptop to another country while he's there for pleasure.
Do your due diligence and lock down environments to appropriate security levels. Put in processes that may decrease productivity but maintain these levels. Grow yourself a backbone and fight the political bullshit that seeks to subvert security. If you're faced with a solution that has security issues recommend changes that correct them even if it requires more resources or makes it more cumbersome for the end user. If you're fired for standing your ground and refusing to relax security to inappropriate levels then that same asshole would likely fire you for the first security incident created as a result of it. Hence you're better off somewhere else...
PS That asshole that wants his way regardless of security is the other weak link
That's just my POV... no more, no less.
As for the email, I'm surprised they even have an open link to the internet on a machine with sensitive information.
Copy/Paste of an A/C 15 min earlier.
http://it.slashdot.org/comments.pl?sid=241331&cid=19651353
Los Alamos has a press release response to this. The laptop did not contain sensitive info. Indeed it would be highly unusual for a laptop with sensitive info to leave the Los Alamos site on travel. Moreover, what Los Alamos considers "sensitive" info is a much higher standard than you would think. For example, if an employee has someone's resume on their computer and that resume, despite being a public document, perhaps taken off Monster.com or Nature.jobs, has a birthdate in it, then it's treated as sensitive information. Think about that next time you hear "sensitive" info being lost at Los Alamos.
Some drink at the fountain of knowledge. Others just gargle.
you linked to. I get a "Missing Web Page."
Above link is dead. Release cached here.
The problem is that many terrorists don't come from western countries; they don't even have the Latin alphabet at home. Passports are supposed to have names in Latin which are used for comparison, but there are multiple possible mappings between say Arabic or Cyrillic and Latin. Dates of birth can also be ambiguous. Believe me, I worked on the problem of identifying people on watch lists for banks. Not only do names and DOBs present problems, but even the watch lists from say the US and the EU show discrepancies for apparently the same person.
The next point is that the watch lists for the US are maintained by the TSA. You submit a passenger manifest and they tell you clear or not. The system doesn't work in real-time. There have been many instances where the clearance hasn't appeared until the plane is over the Atlantic. This is why there isn't a pre-fly check: the TSA cannot cope. Often the TSA would even mix up passenger manifests and flights.
The real check is the overworked entry clearance officer in the visa dept of the consulates and the immigration officer at the point of entry. As is usual, resources are stretched whilst people try to throw technology at the problem.
See my journal, I write things there
In the other incident, an employee took his lab laptop on vacation to Ireland, where it was stolen out of his hotel room.
Does that idiot still have a job? And if so... why?
The higher the technology, the sharper that two-edged sword.