Forgot your password?
typodupeerror

Nuclear Agency Worker Information Hacked 112

Posted by Zonk
from the does-that-seem-unusually-bad-to-anyone-else dept.
Juha-Matti Laurio writes to mention a Reuters report about a fairly worrying case of identity theft. A determined hacker gained access to the U.S. National Nuclear Safety Administration's records and made off with the information for over 1,500 employees and contractors. From the article: "The incident happened last September but top Energy Department officials were not told about it until this week, prompting the chairman of the House of Representatives Energy and Commerce Committee to demand the resignation of the head of the NNSA. An NNSA spokesman was not available for comment."
This discussion has been archived. No new comments can be posted.

Nuclear Agency Worker Information Hacked

Comments Filter:
  • Luckily... (Score:5, Funny)

    by Funkcikle (630170) on Saturday June 10, 2006 @04:44PM (#15510345)
    "An NNSA spokesman was not available for comment."

    Shouldn't be too hard to track down now, though. Phew!

  • just to get the joke out of the way
  • by Doytch (950946)
    Can someone please tell me why employers need all sorts of information about contractors when they're not even technically employing them?

    Oh ya, it's the government, I forgot.
  • Just when I'm on the verge of downloading the programs to simulate a nuclear bomb on a cluster of Playstation 2's, they booted me out and changed the password. This sucks!
    • NTWD (NSA TERRORISM WIRETAP DEAMON) AUTOMATED NOTIFICATION:

      Your use of the words:
      nuclear
      bomb
      password
      downloading
      the

      Indicate that you are probably a terrorist. Please report to:
      1234 NSA Way
      Redmonton, DC

      Special thanks to AT&T.

  • I assume, and hope, that the systems broken into were completely independant from launch control.
  • Sorry, I forgot. They do that in the Middle East.
  • This is truly troubeling news
    Of course there is the chance that we have some James Bond plot underway and that it is some of the really bad guys that have cracked their way to this information. Chances are that this is not the case, but I'll bet this information is now for sale for whoever would be willing to pay the right price.
    Saudi Arabian wealthy people and others might be willing to sponsor those that should not get their hands on information of this kind.
    Sure having information on workers does not
    • Troubling indeed. In 2003 the GAO found that their oversight of
      contractors was lacking [gao.gov]. The NNSA got a panel together to review the issues mentioned by the GAO, and after a couple of years came up with the Mies report. Here's an overview of that [doe.gov]. Chapter 5, "Cyber System Security" mentions a lack of secure voice and data networks.

      If you want to talk about security problems, this is the worst possible
      situation. NNSA is responsible for security operations of contractors at
      nuclear facilities, and has itself be

    • The most likely or immediate threat would be to the personal security of the employees and contractors.
  • by Crasoum (618885) on Saturday June 10, 2006 @05:03PM (#15510393) Journal
    Why aren't laws in place that REQUIRE, on a FEDERAL level people to report to the Attorney General, the company(s) involved with the theft, and the actions taken? California has something close to it, but something nation wide would be nice for the FASTEST growing crime in the US. http://www.usps.com/postalinspectors/idthft_ncpw.h tm [usps.com]. (source)

    The excuse they used that "We thought they knew" is total crap, you'd figure when the head of NNSA says to the ED "Oh hey, we had a security breach where information on 1500 people was stolen, just so you know" Bodman would say "Woooh there, what have you done about it?" as opposed to you know, saying "Mm kay, how about them bears?" and brushing it off...

    • Bruce Schnier wrote about this in the most recent Crypto-Gram [schneier.com]. The reason is that there is tremendous lobbying pressure being applied to Congress to water down this legislation, and trump the more effective state laws in the process.

      Write your Senators and Congresspersons.
  • Why did it take them 9 months to be told of this?

    You would think one of the Net Admins would have looked @ those logs in the last 9 months. Or something would have been found out of whack?

    The NNSA is a semi-autonomous arm of the Energy Department and also guards some of the U.S. military's nuclear secrets and responds to global nuclear and radiological emergencies.

    That's just great. So for 9 months someone that shouldn't has had access? Something just isn't right lately with our gov't security.
    • I think they knew of it, just decided it would hurt National Security if they told the people about it. Or whatever the government says is at stake to with hold information from people.
      • Re:9 months!#$ (Score:3, Insightful)

        by mikesd81 (518581)
        The incident happened last September but top Energy Department officials were not told about it until this week, prompting the chairman of the House of Representatives Energy and Commerce Committee to demand the resignation of the head of the NNSA.

        It's different than telling the public.
    • "So for 9 months someone that shouldn't has had access?"

      Not as I read it. They cut off the access nine months ago. They're only now telling their bosses that they did it. This snippet from the article explains this, "According to Barton, the NNSA chief knew about the incident soon after it happened in September but did not inform Energy Department officials, including Bodman, until Wednesday."

      Personally, I don't care if he notified the Secretary of Energy. He should have notified someone like the FBI an
    • Why did it take them 9 months to be told of this?

      You would think one of the Net Admins would have looked @ those logs in the last 9 months. Or something would have been found out of whack?


      The Net Admins probably informed the correct people as soon as they found out. The issue is that proper notifications weren't made to people higher in the hierarchy. Non-IT management/workers obviously didn't have thier own procedures for dealing with these matters. Even a one page checklist would have done bett
  • by erroneus (253617) on Saturday June 10, 2006 @05:14PM (#15510417) Homepage
    When a few numbers can be used to perpetrate ID fraud, we have a problem. This problem was made possible by the use of the Social Security Number as a "federal serial number." The abuse of the SSN for anything BUT Social Security accounting purposes needs not only to be "discouraged" as it presently is, it needs to be made ILLEGAL.

    If you want credit, go apply to the credit agencies the way they once did and use other companies as a reference the way things used to be in the good ole days. What does getting credit or a bank account have to do with your social security account anyway? Why does supplying my social security number become a requisite for getting a bank account? In some states, your SSN is also your driver's license number.

    It's "convenient" for the government and all agencies and companies interested in collecting massive pools of information on single individuals. That's kinda the problem. That's been the argument for decades since the inception of the SSN.

    We'll always be vulnerable as individuals because we cannot do anything about anyone else having our information... we don't even know who has it. We're ultimately powerless until we can have the use of the SSN for anything but Social Security accounting made illegal.
    • We're ultimately powerless until we can have the use of the SSN for anything but Social Security accounting made illegal.

      And then once the use of the SSN becomes illegal, someone is going to have to do some clever coding along the lines of... SELECT sekritinph0 WHERE sekritinph0.IllegalizedSSN = sekritinph0.LegalReplacementIdentifer

      Hmmmm, maybe I should get a patent for that while there is still time.

    • Your company phone book is stamped confidential because some attacks are harder without it. Not at all impossible, but harder. Security through obscurity is lame, if you depend on it you're worse off with it than without it, but it does make sense to add a speed bump to your other security measures.

      One question spy recruiters typically ask is "can you get me a list of your coworkers?".

      >also guards some of the U.S. military's nuclear secrets and responds to global nuclear and radiological emergencies.

      That
    • What does getting credit or a bank account have to do with your social security account anyway?

      Bank accounts often pay interest, and the bank needs to send that to the IRS with your SSN. It's fairly reasonable to require the SSN to open an account, since even if the account doesn't pay interest now it might in the future.

      Some interest paid on debt is deductible, so you run into similar requirements there.
      • Tax ID numbers are available to anyone for the asking. That number can be used.

        But as for reporting income, interest and deductable expenses, I think the government should do what it used to do -- "trust" its citizens to supply the information requested. Most people would be pretty honest about most things.

        The issues of invasion of privacy by our "democratic" government just doesn't feel all that democratic to me.
    • With all these issues, I wish I could put a permanent fraud alert on my file. The sad part is that my information keeps getting compromised enough that the annual alerts don't expire much...

      I wouldn't object to a requirement of a witness, identification, and a signed contract for all credit applications.
    • I recently noticed that even Blockbuster lists the "SSN" as a *OPTIONAL* field on an rental application form.

      WTF!?!! If it isn't required, then why even list it?

    • Some states have recently stopped using the SSN as the Driver's License number. Montana, for example. People 'round here have refused to let the state use their SSN number on the Driver's License, forcing the state to come up with a way to generate and handle another type of number. The State finally either got a clue, or gave up, either way, it was an improvement.
  • Seriously, this is real "top secret" info and goverment got it loose to some God damn hacker?

    I would bet that again "cool" solutions like Microsoft Windows or Microsoft Office is involved. Or better even, unconfigured and unsecured Linux or BSD server.

    Propably will be modded troll, but anyway, it is crazy and scary in same time.
    • Seriously, this is real "top secret" info and goverment got it loose to some God damn hacker? I would bet that again "cool" solutions like Microsoft Windows or Microsoft Office is involved. Or better even, unconfigured and unsecured Linux or BSD server. Propably will be modded troll, but anyway, it is crazy and scary in same time.

      Not a troll :P Anyhow, I'd be willing to bet it was just some social engineering.

      "Hello? Personnel? This is Paul in accounting. We just got a memo to about a new track
    • In most Federal organizations for most employees personnel contact and identity information is not "top secret". For this particular information, perhaps a small number of employees might fall into that category, but the bulk undoubtedly do not.

      In fact, personnel contact and identity data is normally considered to be "sensitive but unclassified", which is only one notch above "display it on a public web site" and its security receives very little attention and is not taken seriously by most managers. T
    • Seriously, this is real "top secret" info and goverment got it loose to some God damn hacker?

      Nope! It was some god damn black hat [catb.org] cracker [catb.org].

  • ...why, when something goes wrong in an organization, does the head of organization get called on to resign, when 90% of the time the incident didn't have anything to do with negligence or error on their part?

    Can someone please explain for me?

    • Well in this case the head of the NNSA knew about the breach and didn't notify anyone of said breach which is negligence. The majority of the time they are guilty of negligence, either they knew something and did nothing or they didn't know something they should. As the head of a corporation or department you are responsible for the entire operation not just signing papers although very few do more than that.
    • Is the head of an organization not responsible for the
      correct functioning of that organization?

      And if the organization does not function, who should
      be held most responsible?
    • Ask not why some poor little schmuck lost his job for hiring idiots and building a culture of cover-up and deceit in his organization. Ask why some other bigger schmuck did not.

      What I don't understand is why we don't hold people accountable more often. It clearly is a tradition that has fallen on hard times in the U.S. In Europe it seems to be more common for government heads to be "held accountable" for the organization they run.
    • ...why, when something goes wrong in an organization, does the head of organization get called on to resign, when 90% of the time the incident didn't have anything to do with negligence or error on their part?
      Boss: "Do we have a backup regime?"
      Flunkie: "Sure."
      Boss: "Have we tested recovering from them?"
      Flunkie: "Uhhh ..."

      It's their job to ensure everybody under them are doing their jobs.
  • by packetmon (977047) on Saturday June 10, 2006 @05:34PM (#15510462) Homepage
    The NNSA is a semi-autonomous arm of the Energy Department and also guards some of the U.S. military's nuclear secrets and responds to global nuclear and radiological emergencies. So I wonder... How long will it be before someone actually utilitizes some of the information that's being stolen. We already know the military was hit [informationweek.com] for 26.5 million records, and supposedly the Chinese are ramping up their cyberoffense and defense [fcw.com]. I'm wondering how long will it be before the ultimate "so that's what they wanted that information for" scenario comes about. It's sickening to see a country that can supposedly defend itself and the world, can't even secure their own networks. Last thing that needs to happen is this new NSA snooping database to get owned as well.

    So here would be the nightmare scenario in my eyes... Hackers get DoD information from those 26.5 million VA database and slowly poison them... While the US is straddled in Iraq militarily, some country starts kidnapping those on the NNSA's list and either killing them or torturing them for information (schematics to facilities, etc.) while all this is going on, someone strikes inside the US on such a big scale, Hiroshima looks like a mild 4th of July show.... Scary isn't it? ... Luckily for us Americans, the NSA is snooping the planet [google.com] so never fear they will find the culprits... Unless of course they get pwned too.
    • "It's sickening to see a country that can supposedly defend itself and the world, can't even secure their own networks."

      Sickening, I agree, but I hope it doesn't come as a surprise. The all-too-common blindness that states, 'I don't care how it works; just make it work.' is finally exacting its toll. The stupid false alternative that assumes any criticism is an attack has made it downright dangerous for anyone to disagree, and now the price of conflating 'right' with 'agrees with me' is beginning to be fe

    • And the summer movie fest hasn't even started...

      What you said is actually possible, but to what end? World domination? Come on now, that's just lame.
      Much more likely is a telecom attack where they deliver propaganda through the media and scare everybody shitless, which would be doing G.W a big favor.

      And if they ever do that, I hope they use Fox as a HQ.
  • "We are now entering DefCon Two."
  • by Anonymous Coward on Saturday June 10, 2006 @06:00PM (#15510565)
    This story reports things quite out of context, the more I find myself directly involved with things in the news, the more I realize its all bullshit.

    Here's the actual scoop, I work as an incident response investigator for the NNSA. There are two issues being confused and placed into one, there was an incident last September, it continues on now as a series of incidents that all mesh together as being from the same source- why haven't there been arrests and such? because it requires the cooperation of the foreign nation in question. Last month a service center in new mexico was broken into as part of the larger incident. This was a result of an attack using zero-day that at the moment is still unpatchable (no patch exists).

    This is what is now being reported as a result of congressional hearings that took place. The information itself was not stolen almost a year ago, but rather less than a month ago, but the incident as a whole has been going on much longer than that. Alarms went up all over the place when this occured and everyone with a need to know was informed.

    So to summarize, two related incidents, the first starting last September, and one occuring last month. The personal data was taken last month as part of the larger incident but is being reported as the data was stolen in september, which is incorrect.
    • "Last month a service center in new mexico was broken into as part of the larger incident. This was a result of an attack using zero-day that at the moment is still unpatchable (no patch exists)."

      What are you talking about? If there's no readily available patch, then you inspect the source and assign someone to patch the flaw. Sheesh!

      And what was sensitive information doing sitting on a system which is breakable via a single exploit?

    • Bullshit.

      An incident response investigator for the NNSA would be fired for posting something like this to Slashdot. Furthermore, they probably wouldn't take the risk, because they would be smart enough to know that it wouldn't be hard for someone familiar with the group's writings to figure out who you are, if in fact you do work for them. So expect to be fired any day now, in the unlikely event that you were not posting crap.
  • I say we take off and nuke the entire site from orbit. It's the only way to be sure.
  • by malraid (592373) on Saturday June 10, 2006 @06:27PM (#15510654)
    This new page is just comming online. You can check if your info was stolen. You just need to type your full name, SSN, birthdate, and address. It's really useful. US Goverment Identity Theft Agency Homepage [mafia-ident.ru]
  • First the Veterans now this. They can fight back by getting identity shield protection. If anyone uses their credit, the money is returned and the credit level returns to its previous state. Anyone who's worried about identity theft and wants protection should check out this website [pppaulson.com]
  • by nickthecook (960608) on Saturday June 10, 2006 @06:36PM (#15510668)
    He probably just wanted to find out, once and for all, what state Homer lives in.

    Can you blame him?
  • Damnit... (Score:3, Funny)

    by Stormwatch (703920) <<rodrigogirao> <at> <hotmail.com>> on Saturday June 10, 2006 @06:38PM (#15510674) Homepage
    Lightman, you just don't learn, do you? Stop hacking the WOPR!
    • He stopped that way, way back in the 1980s; this is a DOUBLE WOPR with CHEESY US Government Security!

      Would you like a quote of FRY'S with that?

      *head bursts from pun overload*
  • To everyone who claimed I was a "paranoid" in describing the value of "privacy" over vague promises of "security":

    <font size=4> told ya' so </font>
  • "prompting (...) to demand the resignation of the head of the NNSA"

    Demand resignation of the remaining 1499 employees on the list, and the list will become useless. Problem solved.

    If you know the enemy captured the plans of your attack, change the plans.
  • ...prompting the chairman of the House of Representatives Energy and Commerce Committee to demand the resignation of the head of the NNSA...

    "You're fired. Your soooo fired!"
  • by mycall (802802) on Saturday June 10, 2006 @08:48PM (#15511005)
  • Feel Safer? (Score:2, Insightful)

    by Doc Ruby (173196)
    The Department of Homeland Security is busy spying on every American's phonecalls and email. The Republican government is furiously working to fail to pass Homophobia Amendments to the Constitution. Meanwhile, our nuclear workers can now be blackmailed on an unprecedented scale.

    Do you feel safer?
  • So, we've suffered through the start of some real trouble. The US government doesn't really get data security issues, we've lost information on millions of veterans, and now someone compromised information about the nations nuclear workers.

    At this point, we need a real solution, we need accountability. Just like Sarbanes-Oxley for public corpoations, we need to appoint someone to be accountable for data security in the government. Every sensitive database, every record room needs a security officer who i
  • No wonder the stuff got nicked, the NSA is too busy creating a database from peoples blog websites, never mind protecting their own things. wow, first post, and it's something Anti-pentagon. looks like I'll be carted off to guantanamo soon.

Never trust an operating system.

Working...