Sunday, May 29, 2011

Lockheed Martin, Oak Ridge, Spear Phishing, and Common Sense

I mentioned the latest hack attempt in an American network yesterday. (May 28, 2011) Today, a Reuters article gave a bit more detail and background.1

"Lockheed Martin Corp., the U.S. government's top information technology provider, said on Saturday it had thwarted 'a significant and tenacious attack' on its information systems network a week ago but was still working to restore employee access.

"No customer, program or employee personal data was compromised thanks to 'almost immediate' protective action taken after the attack was detected May 21, Jennifer Whitlow, a company spokeswoman, said in an emailed statement.

"She said the company, the world's biggest aerospace company and the Pentagon's No. 1 supplier by sales, was working around the clock to restore employee access to the targeted network while maintaining the highest security level....

So far, so good - although I wonder just how confident the IT folks at Lockheed are, that "No customer, program or employee personal data was compromised."

Maybe this is cynical: but I remember when a Qantas desk jockey insisted that there had been "no explosion" on one of their flights. That didn't explain the hole in their A380 airliners, or debris in Indonesia. (Apathetic Lemming of the North (November 4, 2010))

Bad News, Denial, and the Real World

Some bureaucrats and managers seem to deny that a problem exists as a sort of knee-jerk reaction to bad news. That may work with hirelings who can be fired if they don't agree: or with equally-clueless organizational deadweight the (delusional?) boss reports to. I don't think it's effective when dealing with the real world, though. And that's another topic.

Whodunit - Good Question

Where the attack came from is still unknown, apparently. My guess is that folks at the Department of Homeland Security and the Pentagon are trying to find out, though. Lockheed's system had data about weapons that are in use, and under development: not the sort of thing I'd want outfits like Al Qaeda to have. Or none-too-friendly national governments, for that matter.

Reuters says Lockheed isn't alone - the May 21 situation was the latest in a string of attacks on American military contractors. Reuters also said that contractors aren't the only targets. The article says there have been hack attacks on "...defense contractors, security companies and U.S. government labs, including the U.S. Energy Department's Oak Ridge National Laboratory, since the start of this year." That's according to Anup Ghosh, who has been a senior scientist at the Pentagon's Defense Advanced Research Projects Agency, and now runs Invincea, a software security company. Interestingly, Reuters has edited that detail out of the story, as I'm finishing this post. (For now WUOB still has that detail in their copy of the article. (1:47 p.m. Central, May 29, 2011))

So, why doesn't the government 'do something?'

America, Law, and Limited Government

Back to that Reuters article:

"...U.S. officials may investigate a cyber breach at a company's request. DHS, the lead agency for securing federal civilian networks, can deploy a team to analyze infected systems, develop mitigation strategies, advise on efforts to restore service and make recommendations for improving overall network security....

A key phrase there is "a company's request." America is a nation of law - and some of those laws control what government agencies can and can't do. We're not the only country to work that way: but I think we do a pretty good job of maintaining a balance between a government that's meddlesome, and one that's ineffectual.

Which doesn't mean that I approve of intrusive and occasionally silly federal regulations - and that's a topic that's outside the scope of this blog.

Finally, I'm acutely aware that America isn't perfect. And that's yet one more topic. (July 3, 2008)

How These Attacks Work

This really should be obvious: but it's a bad idea to click that link and give personal information. Even if the email seems to come from your bank/credit card company/whatever. I'll get back to that.

"...These attacks typically were carried out through so-called 'spear-phish' inducements to click on a certain link to web sites or through emailed attachments carrying malicious code.

"Once so compromised, a computer can surreptitiously download other code that can log a victim's key strokes, giving an attacker a path to potentially wide network access....

"...The person with direct knowledge told Reuters on Friday that an intrusion at Lockheed was related to a recent breach of 'SecurID' token authentication technology from EMC Corp's EMC.N RSA security division...."

I put a link to some common-sense advice about spear phishing under "Background," below.

Besides making the point that most financial institutions don't ask you for your Social Security Number in an email - and that you shouldn't use the phone number that the probably-bogus email provides - there's the same advice I've heard for decades: If it sounds too good to be true, it probably is.

And that, again, is another topic.

1 Excerpt from Reuters article:
"...The Department of Homeland Security, or DHS, said that it and the Defense Department had offered to help curb the risk from the incident....

"...Several top cybersecurity experts with extensive government dealings said they were in the dark about the origin of the attack....

"...Cyber intruders were reported in 2009 to have broken into computers holding data on Lockheed's projected $380 billion-plus F-35 fighter program, the Pentagon's costliest arms purchase.

"A series of once-secret U.S. diplomatic cables released by the WikiLeaks website suggests that China has jumped ahead of the United States when it comes to cyber espionage...."
