"Lockheed Martin Corp., the U.S. government's top information technology provider, said on Saturday it had thwarted 'a significant and tenacious attack' on its information systems network a week ago but was still working to restore employee access.
"No customer, program or employee personal data was compromised thanks to 'almost immediate' protective action taken after the attack was detected May 21, Jennifer Whitlow, a company spokeswoman, said in an emailed statement.
"She said the company, the world's biggest aerospace company and the Pentagon's No. 1 supplier by sales, was working around the clock to restore employee access to the targeted network while maintaining the highest security level....
So far, so good - although I wonder just how confident the IT folks at Lockheed are, that "No customer, program or employee personal data was compromised."
Maybe this is cynical: but I remember when a Qantas desk jockey insisted that there had been "no explosion" on one of their flights. That didn't explain the hole in their A380 airliners, or debris in Indonesia. (Apathetic Lemming of the North (November 4, 2010))
Bad News, Denial, and the Real World
Some bureaucrats and managers seem to deny that a problem exists as a sort of knee-jerk reaction to bad news. That may work with hirelings who can be fired if they don't agree: or with equally-clueless organizational deadweight the (delusional?) boss reports to. I don't think it's effective when dealing with the real world, though. And that's another topic.
Whodunit - Good Question
Where the attack came from is still unknown, apparently. My guess is that folks at the Department of Homeland Security and the Pentagon are trying to find out, though. Lockheed's system had data about weapons that are in use, and under development: not the sort of thing I'd want outfits like Al Qaeda to have. Or none-too-friendly national governments, for that matter.
Reuters says Lockheed isn't alone - the May 21 situation was the latest in a string of attacks on American military contractors. Reuters also said that contractors aren't the only targets. The article says there have been hack attacks on "...defense contractors, security companies and U.S. government labs, including the U.S. Energy Department's Oak Ridge National Laboratory, since the start of this year." That's according to Anup Ghosh, who has been a senior scientist at the Pentagon's Defense Advanced Research Projects Agency, and now runs Invincea, a software security company. Interestingly, Reuters has edited that detail out of the story, as I'm finishing this post. (For now WUOB still has that detail in their copy of the article. (1:47 p.m. Central, May 29, 2011))
So, why doesn't the government 'do something?'
America, Law, and Limited Government
Back to that Reuters article:
"...U.S. officials may investigate a cyber breach at a company's request. DHS, the lead agency for securing federal civilian networks, can deploy a team to analyze infected systems, develop mitigation strategies, advise on efforts to restore service and make recommendations for improving overall network security....
A key phrase there is "...may...at a company's request." America is a nation of law - and some of those laws control what government agencies can and can't do. We're not the only country to work that way: but I think we do a pretty good job of maintaining a balance between a government that's meddlesome, and one that's ineffectual.
Which doesn't mean that I approve of intrusive and occasionally silly federal regulations - and that's a topic that's outside the scope of this blog.
Finally, I'm acutely aware that America isn't perfect. And that's yet one more topic. (July 3, 2008)
How These Attacks Work
This really should be obvious: but it's a bad idea to click that link and give personal information. Even if the email seems to come from your bank/credit card company/whatever. I'll get back to that.
"...These attacks typically were carried out through so-called 'spear-phish' inducements to click on a certain link to web sites or through emailed attachments carrying malicious code.
"Once so compromised, a computer can surreptitiously download other code that can log a victim's key strokes, giving an attacker a path to potentially wide network access....
"...The person with direct knowledge told Reuters on Friday that an intrusion at Lockheed was related to a recent breach of 'SecurID' token authentication technology from EMC Corp's EMC.N RSA security division...."
I put a link to some common-sense advice about spear phishing under "Background," below.
Besides making the point that most financial institutions don't ask you for your Social Security Number in an email - and that you shouldn't use the phone number that the probably-bogus email provides - there's the same advice I've heard for decades: If it sounds too good to be true, it probably is.
And that, again, is another topic.
- "Lockheed Martin Corp, SecureIDs, EMC, and All That"
(May 28, 2011)
- "Lockheed says thwarted 'tenacious' cyber attack"
Jim Wolf, Andrea Shalal-Esa (Paul Simao, Editor) Edition: U.S., Reuters (May 29, 2011)
- "Spear Phishers"
FBI (April 1, 2009)
1 Excerpt from Reuters article:
"...The Department of Homeland Security, or DHS, said that it and the Defense Department had offered to help curb the risk from the incident....
"...Several top cybersecurity experts with extensive government dealings said they were in the dark about the origin of the attack....
"...Cyber intruders were reported in 2009 to have broken into computers holding data on Lockheed's projected $380 billion-plus F-35 fighter program, the Pentagon's costliest arms purchase.
"A series of once-secret U.S. diplomatic cables released by the WikiLeaks website suggests that China has jumped ahead of the United States when it comes to cyber espionage...."