Friday, December 7, 2007

Phishing Attacks Fool 1% of Nuclear Scientists

The Secretary of the Department of Homeland Security, Michael Chertoff, announced today that IT systems at the Oak Ridge National Laboratory have been compromised by phishing.

Secretary Chertoff confirmed the attacks Friday and added:

"Thieves made approximately 1,100 attempts to steal data with a very sophisticated strategy that involved sending staff a total of seven 'phishing' e-mails, all of which at first glance appeared legitimate."

A DHS spokesperson further confirmed:

"...the hackers potentially succeeded in gaining access to one of the laboratory's non-classified databases that contained personal information of visitors to the laboratory between 1990 and 2004.... the personal information at risk includes names, dates of birth and Social Security numbers of the visitors..."

According to ABC News, one of the phishing e-mails appeared to be an announcement for a scientific conference; the other claimed to be a notice of a complaint filed on behalf of the Federal Trade Commission.

The internal investigation of ORNL, which is ongoing, has so far found that approximately 11 employees out of 1100 targeted "took the bait" and opened the e-mail attachments, "which enabled the hackers to infiltrate the system and remove data."

In other words, phishers scored a hit rate of 1% against employees at one of the world's leading nuclear research facilities.

Let's discuss. First of all, if the target is a consumer, any form of well-crafted phishing attack, such as the recent FTC letter scam, can be called "sophisticated." Consumers are typically not well protected and do not have large IT budgets and enterprise-class filtering systems at their disposal.

However, if you're a four-thousand person enterprise like ORNL, this attack is inexcusable.

Secure Computing, Postini (Google), Microsoft, WebSense, MessageLabs - there are literally hundreds of ISVs and service providers out there, many of whom partner with Authentium, that are highly capable of providing extremely robust, and affordable, email filtering services that can and will prevent these emails from reaching inboxes inside sensitive government facilities.

And then there are emerging technologies such as Raytheon SureView that enable recording, rapid response, and treatment of behavior contrary to an enterprise's security policy, such as clicking on attachments in emails.

Authentium to ORNL: these phishing attacks were "consumer-grade" attacks. Technology exists to stop them. There is no excuse for allowing these attacks to occur within the walls of one of the world's leading scientific facilities.

Note: If you have visited ORNL within the last five years, you should probably give them a call and find out if your data was housed in the database that was compromised. You can do this by contacting ORNL Visitor Services at 865.574.7199.
