
Fresh Security Breaches At Los Alamos

WrongSizeGlass writes "MSNBC is carrying Newsweek reporting on two new security breaches at Los Alamos. Both of these latest incidents were 'human error' on the part of employees. In one, an e-mail containing classified material was sent over the open Internet rather than through the secure defense network. In the other incident, an employee took his lab laptop on vacation to Ireland, where it was stolen out of his hotel room. The machine reportedly contained government documents of a sensitive nature."
  • by daveschroeder ( 516195 ) * on Tuesday June 26, 2007 @07:58AM (#19647869)
    It's worth noting in this example that if the laptop had been allowed to travel to Ireland with the employee with the proper approvals, as the article indicates, the material on the laptop was not classified, but rather deemed "sensitive". There are several classes of such sensitive but unclassified information. In the email instance, anyone can at any time send classified information over an unclassified network. It is up to the user to not do this. Granted, there are various technical and other procedures that can help prevent this, but it can never be completely avoided. These incidents seem rather tame, but since Los Alamos is under the microscope, every such incident will be greatly scrutinized - and sometimes blown out of proportion.

    In the information security profession, several classes of threats to security, including physical security, are enumerated. However, the most significant threat of all, and one that can subvert even the best-laid plans for security, is the threat from human action. This threat is unavoidable, as humans are necessarily an integral component of any operation an organization may wish to secure.

    The human threat can take the form of threats internal to an organization, and each of those threats can be intentional or accidental. Because of the access an internal person may have to sensitive areas or information, the threat from the actions of an internal person is often rightfully considered the most severe. An internal person may also unwittingly act in concert with an external person who is a threat to the organization as well.

    A recent example of such a failure of physical security occurred when a 31-year-old man attempted to enter the United States from Canada at the border crossing in Champlain, NY, on May 24, 2007. Upon presenting identification, the Customs and Border Protection agent handling the man's entry received a computer alert. The alert warned that agents should immediately don protective clothing and detain the individual, notifying the originating authority.

    The next steps seem obvious: the man is detained, and border agents run the message up the notification chain, CDC eventually learns that the man in question has been located, and appropriate action is taken. The system works.

    What happens instead is that the man is allowed to enter the United States with no further questions, and is at the border crossing for a total of less than two minutes. The agent later says he thought the warning was discretionary, that the man "seemed fine", and therefore let him proceed. Every part of the system worked: the CDC was able to properly place the man on appropriate watchlists, his passport was properly flagged upon entry, and relevant information was presented to the processing agent.

    Every part, that is, except the human part.

    The man in question is Andrew Speaker, an Atlanta lawyer who traveled with his fiancée to Europe for his wedding and honeymoon. While in Europe, he subsequently learned that further testing revealed that he was infected with Extensively Drug Resistant Tuberculosis, or XDR TB, a form of tuberculosis resistant to a wide variety of antibiotics and treatments, and which can have a 70% mortality rate. The CDC and health authorities did all they could to attempt to restrict his further travel, and thus protect the public at large. Speaker sidestepped No-Fly and other watchlists by flying to Prague, then to Montreal, and then driving to the United States.

    The Department of Homeland Security has placed the agent, whom it has not identified, on leave while it reviews the incident, and related processes and policies. When a human charged with the ultimate protective responsibility errs, no amount of technology can solve that problem. What if this had been a man identified as on the way to the United States to intentionally spread an infectious agent? The frustrating element here is that all of the underlying information and identification systems were working - which is itself encouraging - but the individual
  • by daveschroeder ( 516195 ) * on Tuesday June 26, 2007 @08:41AM (#19648195)
    How does the user control that? Are they all running sendmail (or some other MTA) locally on their machine, and given full control of email routing?

    No. They just send classified information from an unclassified workstation and an unclassified email address, almost like any person would send email in any workplace. That's why some public areas have big signs that say DO NOT DISCUSS CLASSIFIED INFORMATION or watch officers answer phones with, "Good evening, Lt So-and-so speaking, this line is not secure. May I help you?" and insecure fax machines have UNCLASSIFIED decals all over them.

    They're all reminders to properly handle classified information, a huge amount of which is up to the user.

    And as to what you're asking, someone at LANL sent classified information from their unclassified email address on the unclassified network to someone's unclassified email address at the Nevada Test Site, another DOE facility, which is 1.) completely going over an unclassified network, and 2.) routed over the commodity internet in between.

    No, you can't "accidentally" traverse unclassified, secret (L), and top secret (Q) networks. But you can use the wrong network for the wrong kind of information. There are technical controls to help prevent doing this easily, but that doesn't stop someone from manually typing up an email message containing classified information and sending it over the unclassified network.

    And as to all your questions about security, yes, both ends are using secure connections to email servers, etc., but even if it was sent encrypted from one end to the other, it's not considered secure if it's going over the unclassified network, whether it's internal to a site or using the commodity internet. It would be the equivalent of you sending a message to joe.blow@nts.doe.gov right now. That's their unclassified email address, and it is "accessible" from the public internet.
  • by Anonymous Coward on Tuesday June 26, 2007 @08:44AM (#19648221)

    I'd think, like virtually every other email system in the world, that users would have their MUA configured to send outbound email via a single mail server, where all further routing is under administrative control. Do they allow connections to that server from outside?
    None of these technical considerations have anything to do with it. Classified and unclassified computing are totally disconnected. The only way classified info unintentionally gets sent on an unclassified network is if the user manually types in a piece of classified information to their unclassified system and hits 'send.' Sometimes a single word or number is classified, so it could be easy to do.
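The kind of technical control the two comments above describe, and its limit, as an added example that is not part of the thread: an outbound filter on an unclassified mail gateway that blocks anything carrying classification markings, but lets an unmarked classified word or number through. The marking patterns, addresses and messages are constructed for the example.

```python
import email
import re

# Markings that must never appear in mail leaving an UNCLASSIFIED gateway.
# These patterns are an assumption for the example, not an authoritative list.
BANNER_RE = re.compile(r"\b(TOP SECRET|SECRET|CONFIDENTIAL)(//[A-Z0-9/\-]+)?\b")
PORTION_RE = re.compile(r"\((TS|S|C)(//[A-Z0-9/\-]+)?\)")


def find_markings(raw: str) -> list[str]:
    """Return every classification marking found in the Subject or any text/plain part."""
    msg = email.message_from_string(raw)
    texts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            texts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    hits: list[str] = []
    for text in texts:
        hits += [m.group(0) for m in BANNER_RE.finditer(text)]
        hits += [m.group(0) for m in PORTION_RE.finditer(text)]
    return hits


def gateway_verdict(raw: str) -> str:
    """'BLOCK' when markings are present, else 'ALLOW'.

    ALLOW only means no marking was seen: a single unmarked classified word
    or number passes straight through, which is the gap the thread describes.
    """
    return "BLOCK" if find_markings(raw) else "ALLOW"


# Constructed sample messages; addresses and contents are fictitious.
MARKED = (
    "From: alice@unclass.example\n"
    "To: bob@other-site.example\n"
    "Subject: (S) test results\n"
    "\n"
    "SECRET//RD\n"
    "(S) Yield figures attached.\n"
)
UNMARKED = (
    "From: alice@unclass.example\n"
    "To: bob@other-site.example\n"
    "Subject: quick question\n"
    "\n"
    "Is 4.7 the number we agreed on?\n"
)

if __name__ == "__main__":
    for name, raw in (("marked", MARKED), ("unmarked", UNMARKED)):
        print(name, gateway_verdict(raw), find_markings(raw))
```

The second message is the case the reply above warns about: if "4.7" were itself classified, the gateway has nothing to match on and the decision rests entirely with the user.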
