Almost a month ago I was talking with Jerry Johnson, the CIO of Pacific Northwest National Laboratory (PNNL), which provides cyber security research for a variety of government agencies and many in the intelligence community. A friend and advisor to InformationWeek, he had reached out to talk about recent attacks on everyone from RSA to Lockheed-Martin--and specifically about some of his concerns regarding advanced persistent threats (APTs).
Our chat seems almost ominous now, given last week's attack on PNNL, and another wave of breaches culminating, for now at least, with yesterday's Monday Military Meltdown, so dubbed by the brash Antisec, whose mottos include "disclose nothing," "destroy everything," and "hide your mother" (OK, that last one was my own).
Johnson said that his biggest concern had become remote and home workers, accessing systems on the network, logging in over a variety of wireless connections, sometimes with malware running, and watching everything those users do. He didn't mention new attack vectors, like tablets, but the inherent insecurity of mobile devices, combined with recent vulnerabilities are causing security practitioners and IT pros some big headaches. Johnson said that recent NSA advisories urged that the threats have been understated. He seemed on high alert, and said that PNNL had some interesting new tools on hand.
Perhaps those tools helped PNNL shut down most of its network and servers; for now, the company isn't saying who it suspects, nor the nature of the attack, other than that is was not--as some reported--a spearphishing attack, but an APT, and that it exploited a zero-day vulnerability in a vendor's product, which has now been patched. Johnson said that PNNL is gradually turning some of its services back on, but it is being extremely cautious, given the sophistication of hackers, and the massive amounts of communications PNNL conducts ("we are capable of streaming tens of billions of bits of information per second," the organization said in a Q&A).
PNNL is operated under contract with the US Energy Department, and it works on some fairly critical issues, like reducing our dependence on imported oil and coming up with new energy solutions; in other words, its work and its data are vital to national security. And that is what is most concerning.
Last week attackers breached servers at FBI contractor IRC Federal, unveiling all sorts of damaging loot. That attack used SQL injection. Yesterday, the same group claimed to have obtained the email addresses and passwords of 90,000 military personnel after compromising systems of defense contractor, Booz Allen Hamilton.
Years ago, a well-respected security research who is now with a CIA outfit told me that it wouldn't be long before attackers shorted a stock and then took down a site. This might be a stretch, but in its report on the Booz Allen compromise yesterday, The Wall Street Journal said that the company's shares fell 2.3%. I raise this because it is difficult sometimes to gauge the ethos of this new era of hacker. If I could summarize it in one word, it would be: Punish.
In the so-called 50 days of LulzSec existence, the company claimed to target corruption, but sometimes just to target companies because they could, or, in some cases, just because someone asked, like the five-year-old who asks his big brother to come down to the playground and knock around the bully. They reveled (indeed, revel still) in the thrill of anarchy (their words) and entertainment. If their actions weren't so damaging, it might be tempting to find them entertaining. Their posts and tweets were creative writing, including the liberties they took with grammar.
I can't remember where LulzSec started and Anonymous ended, or LulzSec began again with Anonymous, or what the relationship between those two is now, or might be with Antisec. Nor can I discern any differentiation in mottos or actions. Reading the prelude to Antisec's data dump on The Pirate Bay gives no further clues, but once again, it makes for good reading. In hailing their capture, Antisec says of Booz Allen: ". . . in this line of work you'd expect them to sail the seven proxseas with a state-of-the-art battleship, right? Well you may be as surprised as we were when we found their vessel being a puny wooden barge." The post goes onto blast the defense contractor, shining a light on potential conflicts of interest and secret work Antisec alleges the company has done in an effort to spy on U.S. citizens.
It's fruitless to engage in a debate about whether the casualties of Antisec's war (the exposure of private information of innocent, everyday folks) are worth revealing the dirty details of the usual suspects of hypocrisy and duplicity--which exist in all walks of life and in nearly every industry. But the real debate that should be taking place inside organizations everywhere is what steps can be taken to ensure that these thrill seekers can't easily target your organization. That's what Johnson was telling me before PNNL was so rudely interrupted.
There's plenty of information about how to prevent vulnerabilities like SQL Injection attacks, and what some of the likely vulnerabilities are, including government databases. My colleague Kelly Jackson Higgins recently published a multi-faceted list of tips that could help thwart attackers.
Fritz Nelson is the editorial director for InformationWeek and the Executive Producer of TechWebTV. Fritz writes about startups and established companies alike, but likes to exploit multiple forms of media into his writing.
Follow Fritz Nelson and InformationWeek on Twitter, Facebook, YouTube and LinkedIn:
A service catalog is pivotal in moving IT from an unresponsive mass of corporate overhead to an agile business partner. In this report, we chart the new service-oriented IT landscape and provide a guide to the key components: service catalogs, cost and pricing models, and financial systems integration. Read our report now. (Free registration required.)