Phishing At Top Lab Lands A Big One
Oak Ridge Reveals Cyber Attacks May Have Stolen Personal Info About Lab Visitors
(AP / CBS)
The Oak Ridge lab in Tennessee currently has the second-fastest supercomputer in the world, an open-research, 101.7-teraflop Cray XT3/XT4 known as "Jaguar," and has plans to build another. (oakridge.doe.gov)
The assault appeared "to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country," lab director Thom Mason said in a memo to the 4,200 employees at the Department of Energy facility.
Oak Ridge officials would not identify the other institutions affected by the breach. But they said hackers may have infiltrated a database of names, Social Security numbers and birth dates of every lab visitor between 1990 and 2004.
"There was no classified data of any kind compromised," lab spokesman Bill Stair said Thursday. "There are people who think that because they accessed this database that they had access to the lab's supercomputer. That is not the case. There was no access at all."
Officials at Pacific Northwest National Laboratory in Richland, Wash., discovered on Thursday that one desktop computer had potentially been compromised. However, the computer contained no sensitive information, and security officials immediately isolated it from other computers while they analyze it, spokeswoman Judith Graybeal said.
Security officials couldn't yet say if the attack was related to the Oak Ridge attack, she said.
The Oak Ridge lab currently has the second-fastest supercomputer in the world, an open-research, 101.7-teraflop Cray XT3/XT4 known as "Jaguar," and has plans to build another.
According to its Web site, "ORNL has six major mission roles: neutron science, energy, high-performance computing, systems biology, materials science at the nanoscale, and national security." It was established in 1943 as part of the Manhattan Project that developed the first atomic bombs, but says its mission is now "very different."
About 3,000 researchers annually visit the facility, a major DOE energy research and high-performance computing center, about 25 miles west of Knoxville.
Officials have sent letters to about 12,000 potential victims. Mason said so far there was "no evidence that the stolen information has been used."
The assault was in the form of phony e-mails containing attachments, which when opened allowed hackers to penetrate the lab's computer security. The practice is called "phishing."
The first fake e-mail arrived Oct. 29. At least six more waves followed.
"At first glance, they appeared legitimate," Mason wrote. One notified employees of a scientific conference. Another pretended to notify the employee of a complaint on behalf of the Federal Trade Commission.
Each one instructed recipients to open an attachment for further information. And when they did, it "enabled the hackers to infiltrate the system and remove data," Mason wrote.
The lab's cyber police determined about 1,100 phony e-mail messages entered the lab's network. In 11 cases, an employee took the bait and opened the attachments.
"Our cyber security staff has been working nights and weekends to understand the nature of this attack," Mason wrote. "Reconstructing this event is a very tedious and time-consuming effort that likely will take weeks, if not longer, to complete."
Meanwhile, the lab will post updates on its Web site.
"Every year we build bigger and more sophisticated fences around our databases and every year our enemies find new and more sophisticated ways to tunnel under the fence," Stair said. "This is an ongoing challenge that is going to be there as far as we can see in the future."
© MMVII, CBS Interactive Inc. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed. The Associated Press contributed to this report.
- Toolmangler if you read the story it clearly stated it started by an employee opening up an attachment (Phishing) then the Hack began. Got to work on those comprehension skills. LOL (Just poking fun at your expense)
- My Father got taken for over 100,000 dollars due to a Phishing scam which was used. It looked like an email from the bank and he opened it and gave His account information and by the next day His Money was gone forever.
People must be educated, and taught to avoid such scams and what to look for and even then to let your guard down for a second could cost you your life's savings.
Be scared and be afraid I get this *** 10 times a day and isolate it and report it but it does little good for the next day I get ten more trying the same thing in ten different ways they are relentless..
- The security on computers has been left up to a bunch of puts. I'm scared as hell! Let's pay a nut big wages to run a company and squash the people with stupidity. You can contact me on the golf course or at the club on my cell phone. maybe.
- Bad news indeed that a major research facility can be compromised like this.
Kind of reminds me of the novel Doomwatch: The Legacy (written by David Kagan author of Sunstroke) in which rogue agents launch a major cyber attack against a fictitious aerospace firm. But that was fiction, this is real.
- Computers are great, BUT BUT BUT BUT ----- BUT
- I have a small local network (100 Workstations with seven servers), but it reaches out further. I maintain fifteen warehouses with a Linux server in each one with seven to 10 workstations networked to it.
I am constantly in touch with my virus protection company, reading about everything that is already out there and what to expect. I love this job because of the necessity to protect everyone I am in touch with. People, the easiest way to prevent this, is to NOT OPEN ATTACHMENTS on your computer at all. Make sure you have the latest Internet Browser and its protection turned on. DO NOT DOWNLOAD SCREENSAVERS. They might look cool, but in this day and age, nothing is FREE!! I have actually read the "TERMS" you have to accept and they say you are installing a third party software to monitor your activities. How many people here have actually read the terms, instead of just clicking yes and move on? I call it "CLICK HAPPY"
- In a business, it is up to the IT department to ensure proper Internet and Email safety. There is a lot more involved in business networking than just a modem. With that said, what appeared to have happened is some people opened up an attachment they thought was being sent to them from someone they know. Someone they know has a trojan virus on their computer that uses the Outlook Address Book and then sends out the emails on its own. When the attachment was opened, it caused the infected computer to open up certain ports on the Windows Firewall which set off the crook's computer to receive those open ports and then they started the "hacking" procedure. The IT department didn't do enough research necessary to be aware of these ports, and it is simple to automatically close the said ports from the IT Department's firewall.
- That seems more like hacking than phishing.
Posted by renrivers at 03:36 PM : Dec 07, 2007
phishing is the first phase of hacking.
- What about turning computers and modems off when they're not in use? In the end, that's seems the only possible thing one can do to stop those idiots.
Posted by denn034 at 05:17 PM : Dec 07, 2007
in large networked company you cannot do that even though it would be best.
- What about turning computers and modems off when they're not in use? In the end, that's seems the only possible thing one can do to stop those idiots.
- Who's to say the breach wasn't a CIA glitch while using the latest TIA software...
But then, we will never really know...
- ""There was no classified data of any kind compromised," lab spokesman Bill Stair said Thursday."
Wouldn't you think that all the names, social security numbers and birth dates of anyone would be treated as CONFIDENTIAL at least?
- Correct me if I am wrong, but that seems more like a hack than phishing. No information was sent back by those opening the emails. The email attachment held information, that allowed the writer to gain control of the system, and exploit it. That seems more like hacking than phishing.
- This whole phishing junk started with adaware and spyware. Infecting computers with trojans following what is being done on websites. When people sign up for things I suggest using an email account you only use for junk mail. Never ever think your bank wants you to go into their website and make changes, they still use snail mail for that. Never believe an ebay or paypal email as well. As a matter of fact, every paypal or ebay email you get, forward them to either spoof@paypal.com or spoof@ebay.com.....Anything else, use common sense. And anyone who just copy and pastes things from Wikipedia and think what they just plagiarized from is fact is a complete moron...lazy one too.
- genabit, and I notice all you did was copy and paste what you found on Wikipedia, which is an editable website. So instead of educating yourself from a website that takes in all sorts of "other" people's words and ideas, why not come up with your own, instead of plagiarizing others.
- genabit, that's pretty much what JackTheElder said, only in fewer words. An attempt to gather sensitive information such as passwords and usernames and account numbers is phishing. So before you start bashing what someone says, take your head out of your butt and read what they write first you moron....
- In computing, phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. eBay, PayPal and online banks are common targets. Phishing is typically carried out by email or instant messaging,[1] and often directs users to enter details at a website, although phone contact has also been used.[2] Phishing is an example of social engineering techniques used to fool users.[3] Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical measures.
so Jacktheelder needs to EXPAND his narrow minded thinking process. A theft of information obtained by sending out thousands of emails is exactly what phishing is all about... get educated Jack!
- What might be a big help is to have reporters that know about computers. Phishing is when someone sends an email purporting to be from some company so you will answer and give your login, account, password, etc.
The attack the article talks about is not of this type. The headline writer was going for cute and not accuracy. This speaks volumes of today's news media.
- Oscarez, only if you're stupid enough to play silly online games and download screen savers, smiley faces and click on "warning" banners from Internet sites.
- If your computer is connected to the World Wide Web your data are not safe. There is no security for computers that access the internet. Open access will cause security to become unmanageable in the next five years.




