Oak Ridge National Laboratory visitor information exposed
Date Reported:
12/3/07
Organization:
UT-Battelle, LLC
Contractor/Consultant/Branch:
Oak Ridge National Laboratory (ORNL)*
*Oak Ridge National Laboratory (ORNL) is the Department of Energy's largest science and energy laboratory. ORNL was established in 1943 as a part of the secret Manhattan Project to pioneer a method for producing and separating plutonium. Today, ORNL is home to the world's largest civilian science project, the $1.4 billion Spallation Neutron Source, and has been selected to build the fastest unclassified scientific computer in the world. - Source: State Science and Technology Institute
Victims:
"visitors to the lab between 1990 and 2004"
Number Affected:
"about 12,000"
Types of Data:
Personal information including names, addresses, Social Security numbers and dates of birth.
Breach Description:
More than a dozen Oak Ridge National Laboratory employees were duped into installing unauthorized software, consisting of keyloggers and other malicious software, through a targeted phishing attack ("spear phishing"). The targeted phishing attack consisted of roughly 1,100 emails and resulted in the compromise of personal information pertaining to lab visitors over a 14-year period.
Reference URL:
eWeek.com Story
SecurityFocus.com Story
MyEyeWitnessNews.com Story
Oak Ridge National Laboratory Potential Identity Theft Page
Report Credit:
Oak Ridge National Laboratory
Response:
From the official breach notification site and sources cited above:
Oak Ridge National Laboratory has been bombarded by a coordinated phishing attack aimed at multiple national labs and may have unwittingly handed over to attackers the personal information of anybody who visited the lab over a 14-year span, including Social Security numbers.
"Oak Ridge National Laboratory (ORNL) recently experienced a sophisticated cyber attack that appears to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country." - Laboratory Director Thom Mason on December 3rd.
"When the employees opened the attachment or accessed an embedded link, the hacker planted a program on the employees' computers that enabled the hacker to copy and retrieve information. The original e-mail and first potential corruption occurred on October 29, 2007. We have reason to believe that data was stolen from a database used for visitors to the Laboratory." - Laboratory Director Thom Mason
The attack comprised approximately 1,100 targeted phishing attempts.
The attackers cooked up seven phishing variations, one of which purportedly advertised a scientific conference, another of which posed as a notification about a complaint on behalf of the Federal Trade Commission.
"No classified information was lost"
"If you visited ORNL between the years 1990 and 2004 your name and other personal information such as your social security number or date of birth may have been part of the stolen information. While there is no evidence that the stolen information has been used, the Laboratory deeply regrets the inconvenience caused by this event."
Mason said reconstructing the crime is tedious and time-consuming and will likely take weeks, if not longer. ORNL is attempting to send letters to every visitor potentially affected but may have difficulties due to out-of-date addresses, management said in its advisory.
[Comfyllama] If the reports about this attack originating (or proxying through) China are true, then it is unlikely that a full "reconstructing" will ever be complete.
"every security system at ORNL was in place and in compliance."
[Comfyllama] Compliant DOES NOT MEAN Secure! Although we all need to be compliant, this doesn't mean that efforts should stop at that. Do you want to trust the security of your information to a Senator or other lawmaker?
"If you think you're going to prevent all phishing attempts from [succeeding] in an enterprise, that's probably false. And if you think that with training, not a single employee will [click on phishing attempts and let an attacker] get through, that's probably false." - Application Security Vice President of Marketing and Strategy Ted Julian
"There's a million [conduits to data theft], and now that the attackers have gotten much more professional and focused, they only need one to get at the information. You only need one unsecured avenue and they're off and running."
It's likely that employee training about phishing attempts will be given renewed emphasis in the future in an attempt to close down this particular avenue of data theft.
"While our hope is that no one would fall for these kinds of tricks from hackers, we believe there is an ongoing benefit to re-emphasizing staff awareness about cyber-security issues." "We must not click on e-mail attachments if we are not absolutely sure who the e-mail is from and we must not click on [URLs] embedded in e-mails unless we are certain of the source." - Laboratory Director Thom Mason
The lab has sent letters to about 12,000 potential victims.
"We continue to put in place new and more sophisticated security systems in an attempt to stop thieves who are equally determined to break into the cyber network." - Laboratory Director Thom Mason
Commentary:
Scary! Supposedly, there is evidence that points to these attacks originating from servers in China and thus these attacks were sponsored by the Chinese government. I like a conspiracy theory as much as anyone else, but I don't subscribe to this theory. IF the Chinese government were attacking ORNL, I think the attacks would be much more covert.
Think about this for a minute. If I were going to attack a system in the United States without getting caught, why wouldn't I use (proxy through) an insecure server located in a country that will not cooperate with U.S. authorities? In order to find my true location, investigators will need some level of access to the (proxy) server to look through the evidence. Do you think China (or Iran, North Korea, Russia, etc.) will allow investigators the access they need? Highly unlikely. If I were to guess, I would say that this is a sophisticated attack aimed at gathering information for money and probably originated by one of the more educated "phishing gangs".
I certainly agree with ORNL Application Security Vice President of Marketing and Strategy Ted Julian that there is likely no way to prevent all avenues of attack, but the risk of this type of attack can be significantly reduced through regular information security training and awareness. People will be people, no matter what.
Final note: I am curious why ORNL needs to store Social Security numbers in the first place.
Past Breaches:
Unknown