Fresh Security Breaches At Los Alamos

WrongSizeGlass writes "MSNBC is carrying Newsweek reporting on two new security breaches at Los Alamos. Both of these latest incidents were 'human error' on the part of employees. In one, an e-mail containing classified material was sent over the open Internet rather than through the secure defense network. In the other incident, an employee took his lab laptop on vacation to Ireland, where it was stolen out of his hotel room. The machine reportedly contained government documents of a sensitive nature."

Human element is the greatest danger

[daveschroeder]

It's worth noting in this example that if the laptop had been allowed to travel to Ireland with the employee with the proper approvals, as the article indicates, the material on the laptop was not classified, but rather deemed "sensitive". There are several classes of such sensitive but unclassified information. In the email instance, anyone can at any time send classified information over an unclassified network. It is up to the user to not do this. Granted, there are various technical and other procedures that can help prevent this, but it can never be completely avoided. These incidents seem rather tame, but since Los Alamos is under the microscope, every such incident will be greatly scrutinized - and sometimes blown out of proportion.

In the information security profession, several classes of threats to security, including physical security, are enumerated. However, the most significant threat of all, and one that can subvert even the best-laid plans for security, is the threat from human action. This threat is unavoidable, as humans are necessarily an integral component of any operation an organization may wish to secure.

The human threat can take the form of threats internal to an organization, and each of those threats can be intentional or accidental. Because of the access an internal person may have to sensitive areas or information, the threat from the actions of internal person are often rightfully considered the most severe. An internal person may also unwittingly act in concert with an external person who is a threat to the organization as well.

A recent example of such a failure of physical security occurred when a 31-year-old man attempted to enter the United States from Canada at the border crossing in Champlain, NY, on May 24, 2007. Upon presenting identification, the Customs and Border Protection agent handling the man's entry received a computer alert. The alert warned that agents should immediately don protective clothing and detain the individual, notifying the originating authority.

The next steps seem obvious: the man is detained, and border agents run the message up the notification chain, CDC eventually learns that the man in question has been located, and appropriate action is taken. The system works.

What happens instead is that the man is allowed to enter the United States with no further questions, and is at the border crossing for a total of less than two minutes. The agent later says he thought the warning was discretionary, that the man "seemed fine", and therefore let him proceed. Every part of the system worked: the CDC was able to properly place the man on appropriate watchlists, his passport was properly flagged upon entry, and relevant information was presented to the processing agent.

Every part, that is, except the human part.

The man in question is Andrew Speaker, an Atlanta lawyer who traveled with his fianceé to Europe for his wedding and honeymoon. While in Europe, he subsequently learned that further testing revealed that he was infected with Extensively Drug Resistant Tuberculosis, or XDR TB, a form of tuberculosis resistant to a wide variety of antibiotics and treatments, and which can have a 70% mortality rate. The CDC and health authorities did all they could to attempt to restrict his further travel, and thus protect the public at large. Speaker sidestepped No-Fly and other watchlists by flying to Prague, then to Montreal, and then driving to the United States.

The Department of Homeland Security has placed the agent, whom it has not identified, on leave while it reviews the incident, and related processes and policies. When a human charged with the ultimate protective responsibility errs, no amount of technology can solve that problem. What if this had been a man identified as on the way to the United States to intentionally spread an infectious agent? The frustrating element here is that all of the underlying information and identification systems were working - which is itself encouraging - but the individual

Re:Human element is the greatest danger

[WgT2]

Speaker sidestepped No-Fly and other watchlists by flying to Prague, then to Montreal, and then driving to the United States.

Sounds to me that his actions were completely intentional, that he was not at all concerned about the health of others, that he wanted to fulfill his desires regardless of how it might affect others.

I wonder if there are charges that could be brought up against him.

In any case, you make a very good point about the human factor in security.

Re:Human element is the greatest danger

[djmurdoch]

You're missing one important piece of information in your description: how many false alarms does the border agent get from this system and all the other watchlist systems he has to work with? If the agent is getting hundreds of warnings that all turn out to be crap, why would he believe one good one?

Re:Human element is the greatest danger

[daveschroeder]

You're missing one important piece of information in your description: how many false alarms does the border agent get from this system and all the other watchlist systems he has to work with? If the agent is getting hundreds of warnings that all turn out to be crap, why would he believe one good one?

Warnings on a passport to detain, immediately don protective gear, and notify DHS and CDC?

Not many.

That's why the agent's handling of this is such a big problem. And it represents another aspect of human failure in security.

Your point about false alarms is a valid one; this just isn't one of those examples.

And for anyone who is thinking about No-Fly lists or watchlists possibly falling into the "too many false alarms" category, they don't. When a name is on a watchlist, more detailed information about the person (e.g. DOB, addresses, etc.) is passed up the chain to any number of originating entities or authoritative sources. If that is the target, instructions for handling are passed back. If it isn't, the person is cleared. The reason why it's done this way is for a variety of reasons, not the least of which is so that people at airline ticket counters or fronline TSA staff don't have access to classified or private personal information (beyond what is volunteered or required to be given by the passenger) when processing passengers, to say nothing of the enormous technical complexities involved. That's why you hear stories about people not being able to "get off" watchlists. It's not "them" that's on the watchlist; it's someone who shares that - or a similar - name. That's why people who aren't actually wanted for anything whose names are on "watchlists" are always allowed to fly after the check. Persons in such situations who are frequent travelers are also able to get special documentation to solve this problem. But "they" can't "get off" the watchlist, because it's someone else who is on it, and that's what the detailed checking process confirms. Yes, it's a very, very imperfect system, but identification has always been a cornerstone principle in law for recorded history. We're using the best balance of technologies and privacy we have - really - to attempt to identify persons who should not be allowed to enter the US, fly, etc.

Re:Sensitive nature

[suv4x4]

Get a grip on that tinfoil beanie.

I'm not a fan of conspiracy theories, but if you honestly believe their strategy is competent and it's money wise spent, then I better be a tinfoil beanie.

Just because you don't care doesn't mean our enemies don't either.

Don't forget: they're not "our enemies". They're just the US military/govt current targets.

Why on Earth would Iraq be your enemy as a US citizen. What did Iraqi do to you or your US buddies. The only thing happening in Iraq right now is a bunch of citizen wars, caused by the invasion by USA in there. Saddam is dead, there weren't WMD-s in there, and Iraq had no connection to the 9/11 attacks.

I don't like how short people's memory about those things is.

Perceived status as an issue

[Flying+pig]

What makes the Speaker case even more interesting is two factors. First, an educated professional given grave personal information behaved in a way that could possibly be interpreted by some people as irrational and maybe even putting others in danger. Second, subsequent comments reported to be by Speaker suggested that, like many lawyers, he is a very forceful individual who sees his own interests as paramount. It would be very interesting to know if the customs agent felt intimidated by Speaker and this accounted for his being allowed into the country.

In the UK, a large number of intelligence protection failures have occurred basically because of the perceived status of the perpetrators. (the best known cases being Philby, Blunt, MacLean and Burgess, all of whom were fairly upper class members of the Intelligence services.) In his fictional books based on composites of the Philby-Burgess case (A Perfect Spy and Tinker,Tailor,Soldier,Spy), John le Carré (who was in a position to know) suggested that the Intelligence services suspected or half knew that they had traitors in their midst all along, but were inhibited from acting against fellow members of the upper classes and their own community.

It would be very interesting indeed to know how far this culture extends into research establishments. It would be expected to be quite pervasive because of the esprit de corps among any professional group.

Of course, perhaps the real answer is that scientists and engineers, by their nature, are the worst people to be allowed to work on secret weapons systems because it contravenes their tendency to want to cooperate, share knowledge and see their own work published. Let's replace them all with Fortune 500 CEOs. That should result in a real peace dividend.

How does the user control email?

[msauve]

In the email instance, anyone can at any time send classified information over an unclassified network.

How does the user control that? Are they all running sendmail (or some other MTA) locally on their machine, and given full control of email routing?

I'd think, like virtually every other email system in the world, that users would have their MUA configured to send outbound email via a single mail server, where all further routing is under administrative control. Do they allow connections to that server from outside?

I could understand the issue, if it was someone sending to an external, insecure email address. But the summary, article, and now you all say the problem is with which network the email was routed over. The other possibility is they were off-site, and didn't have a secure VPN connection running - buy why would a secure system not force SSL email connections? Or is sending even over VPN/SSL not considered secure?

It's just not clear how the user has the control implied here.

(or is it that they're allowed to have personal email accounts on their machines, and that's where the email was sent from?)

Re:Sensitive nature

[Vitriol+Angst]

It turns out that a lot of the Security breaches at Los Alamos in the past were mistakes of the FBI. Due to a database reporting error, they "lost" documents that didn't exist, and still others were recovered inside the area.

So the "Los Alamos security breach" stories got big headlines and the "FBI screws up" got little headlines. Maybe there is a pattern there. As the newly privatized single-source nuclear weapons manufacturing company for the USA had a walk-out of 500 security guards over 36-hour work shifts and poor security protocols that didn't make headlines.

I think there is a dangerous move to privatize a lot of key military functions. And the FBI seems to bring up a lot of accusations before verifying the actual security risk.

Couple this with their seeming lack of interest in securing laptops and databases of American citizens. The rates is about a few million records a month. No biggie if some third party has your SSN right? The government can't have a Total Information Awareness database, but it appears that a private company can. Check out what John Poindexter (Iran/Contra felon) is still up to these days. Who knew he was such a great database expert?

Los Alamos is now privatized, and the good old "employee takes laptop with sensitive files and gets it stolen" oops is happening at rapid pace. Anyone want to be whether THAT particular employee gets reprimanded? My bet they will get a promotion. As does everyone who seems to fail upwards in this current administration.
http://www.fas.org/blog/secrecy/2007/05/los_alamos _blocks_researcher_a_1.html