Security Science

Fresh Security Breaches At Los Alamos

WrongSizeGlass writes "MSNBC is carrying Newsweek reporting on two new security breaches at Los Alamos. Both of these latest incidents were 'human error' on the part of employees. In one, an e-mail containing classified material was sent over the open Internet rather than through the secure defense network. In the other incident, an employee took his lab laptop on vacation to Ireland, where it was stolen out of his hotel room. The machine reportedly contained government documents of a sensitive nature."
This discussion has been archived. No new comments can be posted.

  • by djmurdoch ( 306849 ) on Tuesday June 26, 2007 @08:18AM (#19648019)
    You're missing one important piece of information in your description: how many false alarms does the border agent get from this system and all the other watchlist systems he has to work with? If the agent is getting hundreds of warnings that all turn out to be crap, why would he believe one good one?

  • by suv4x4 ( 956391 ) on Tuesday June 26, 2007 @08:19AM (#19648025)
    Get a grip on that tinfoil beanie.

    I'm not a fan of conspiracy theories, but if you honestly believe their strategy is competent and it's money wisely spent, then I better be a tinfoil beanie.

    Just because you don't care doesn't mean our enemies don't either.

    Don't forget: they're not "our enemies". They're just the US military/govt current targets.

    Why on Earth would Iraq be your enemy as a US citizen? What did Iraqi do to you or your US buddies? The only thing happening in Iraq right now is a bunch of citizen wars, caused by the invasion by USA in there. Saddam is dead, there weren't WMD-s in there, and Iraq had no connection to the 9/11 attacks.

    I don't like how short people's memory about those things is.

  • by msauve ( 701917 ) on Tuesday June 26, 2007 @08:29AM (#19648107)

    In the email instance, anyone can at any time send classified information over an unclassified network.
    How does the user control that? Are they all running sendmail (or some other MTA) locally on their machine, and given full control of email routing?

    I'd think, like virtually every other email system in the world, that users would have their MUA configured to send outbound email via a single mail server, where all further routing is under administrative control. Do they allow connections to that server from outside?

    I could understand the issue, if it was someone sending to an external, insecure email address. But the summary, article, and now you all say the problem is with which network the email was routed over. The other possibility is they were off-site, and didn't have a secure VPN connection running - but why would a secure system not force SSL email connections? Or is sending even over VPN/SSL not considered secure?

    It's just not clear how the user has the control implied here.

    (or is it that they're allowed to have personal email accounts on their machines, and that's where the email was sent from?)
  • by suv4x4 ( 956391 ) on Tuesday June 26, 2007 @08:31AM (#19648121)
    After all, Mission Impossible had the whole problem of off-site IT equipment solved decades ago with simple self-destruct technology.

    Right. We should make the laptops constantly read some sort of signal that fades away out of the pentagon, for example.
    If the signal fades away, the laptop explodes.

    Now combine this with the recent news about NSA brownouts, and we're effectively decimating our military in a few minutes.
    Or how about a laptop battery fire causing the explosive to go off.

    Who would walk with a ticking bomb in his suitcase? Get real. This is not a movie where everything is scripted and accidents don't happen, just like that, for no reason at all (unless there's a very thick plot around the accident, and it involves aliens).

    If I was given the task of making sure no one even brings his laptop out of the lab, I'd make sure of two things:

    1) no regular laptop ever gets inside the lab (by making rules clear, and checking for devices on entry).

    2) make the in-lab laptops and devices so ridiculously branded with military signs on their case, and use such ridiculous colors, that anyone would immediately spot such a device in the wild (and hence no one would dare to put it out). And of course checking for such marked devices on lab exit.

    It's not a perfect solution, but a step in the right direction at least.
  • by daveschroeder ( 516195 ) * on Tuesday June 26, 2007 @08:32AM (#19648127)
    You're missing one important piece of information in your description: how many false alarms does the border agent get from this system and all the other watchlist systems he has to work with? If the agent is getting hundreds of warnings that all turn out to be crap, why would he believe one good one?

    Warnings on a passport to detain, immediately don protective gear, and notify DHS and CDC?

    Not many.

    That's why the agent's handling of this is such a big problem. And it represents another aspect of human failure in security.

    Your point about false alarms is a valid one; this just isn't one of those examples.

    And for anyone who is thinking about No-Fly lists or watchlists possibly falling into the "too many false alarms" category, they don't. When a name is on a watchlist, more detailed information about the person (e.g. DOB, addresses, etc.) is passed up the chain to any number of originating entities or authoritative sources. If that is the target, instructions for handling are passed back. If it isn't, the person is cleared. The reason why it's done this way is for a variety of reasons, not the least of which is so that people at airline ticket counters or frontline TSA staff don't have access to classified or private personal information (beyond what is volunteered or required to be given by the passenger) when processing passengers, to say nothing of the enormous technical complexities involved. That's why you hear stories about people not being able to "get off" watchlists. It's not "them" that's on the watchlist; it's someone who shares that - or a similar - name. That's why people who aren't actually wanted for anything whose names are on "watchlists" are always allowed to fly after the check. Persons in such situations who are frequent travelers are also able to get special documentation to solve this problem. But "they" can't "get off" the watchlist, because it's someone else who is on it, and that's what the detailed checking process confirms. Yes, it's a very, very imperfect system, but identification has always been a cornerstone principle in law for recorded history. We're using the best balance of technologies and privacy we have - really - to attempt to identify persons who should not be allowed to enter the US, fly, etc.
  • by Pointy_Hair ( 133077 ) on Tuesday June 26, 2007 @08:37AM (#19648167)
    TFA mentions the missing laptop was equipped with an encryption card (highlighting the loss of the card versus noting its function). It doesn't mention whether the "sensitive" data on the device was protected with encryption. Likewise, there's no mention about the stray e-mail either. Someone who routinely works with classified data will usually be a routine user of encryption tools to protect communications.

    Fact is that Los Alamos is a juicy media target and they will conveniently omit details like that to sell headlines.

    Or the violators were pointy-haired managers that thought that high tech encryption stuff was only for the gearheads in the white coats.
  • by RedneckJack ( 934223 ) on Tuesday June 26, 2007 @08:42AM (#19648203)
    Why would anyone in their right mind take their work laptop on vacation, especially overseas? Then again, this is America, a live to work society.

    Even though I work in Corporate America, when I go on vacation, I want nothing to do with work during that time even though executive management gets upset that I don't want to be available for work related items such as calls in my absence.

    I do take a laptop with me on vacation but it is for personal use such as personal e-mail, process digital pics, surf the web such as getting insight on a vacation spot.
  • by daveschroeder ( 516195 ) * on Tuesday June 26, 2007 @08:50AM (#19648285)
    Yes, there are a lot of ways to help prevent this.

    But nothing stops someone from typing up an email that contains classified information and sending it from their unclass account, inadvertently or otherwise. It's not like they magically need to be on JWICS to send top secret information. That's why we segregate the networks, yes - to attempt to prevent this from a technical standpoint as much as possible.

    Also, there are ways to migrate information between networks, and those can be abused or used inappropriately. There are a lot of ways this accident might occur, and it probably happens more than we'd like.
  • by supersnail ( 106701 ) on Tuesday June 26, 2007 @11:17AM (#19649875)
    It's an axiom in security that if someone has physical access to the hardware they can do what they like.

    Given the ease of use and portability of a modern laptop you may as well just post a copy of the data to anyone who might be interested.

    Stolen laptops are actually the lowest risk area, given that most laptop thieves are after the shiny hardware and it's so rare to come across data with any resale value that they probably don't even look. A far greater risk for a high security installation like Los Alamos is someone borrowing a laptop for long enough to install some worm/trojans/keylogging software which the dedicated scientist can then physically carry through all those firewalls back into the lab.

    Any sane security professional would just plain ban them from a set up with the security requirements of Los Alamos.
    The best solution would be to have all hardware in a locked server room and only access them via "dumb" terminal servers. Plus a private network with no physical connection to the outside world.

       
  • by Hatta ( 162192 ) on Tuesday June 26, 2007 @12:27PM (#19651005) Journal
    Sorry, but Iraq was relatively stable with Saddam Hussein in power. Before the US invasion Sunnis and Shiites lived in the same neighborhoods with few problems. There had never been a suicide attack in Iraq before the US invasion.

    The middle east is not one amorphous entity. Some parts of it, say Palestine, really do have a long tradition of violence. The Ba'athist government was a stable, secular dictatorship which did commit atrocities, but it was nothing like the full on neighbor vs neighbor civil war which the US instigated.
  • by Vitriol+Angst ( 458300 ) on Tuesday June 26, 2007 @12:46PM (#19651339)
    With Homeland Security putting up warning flags for Hippy Musicians, and a million other people, I can understand someone ignoring a flag from the CDC.

    Any human system works best with "targeted" warnings. Yet the HS system seems designed to scan everything. It's like finding a needle in a haystack by ordering more hay.

    So the man with Tuberculosis got through, because a lot of people who shouldn't be on a watch list break the system. We probably have worse security response now than before 9/11. I certainly think the quality of suspects paraded into court right now has gone down.
