Department of Energy hack exposes major vulnerabilities
Security experts say damage probably not serious, but that the implications are
February 05, 2013 — CSO — The U.S. Department of Energy (DoE) is the latest federal agency to become the victim of a cyberattack while not immediately being aware of it.
Several security experts say the intrusion was unlikely a prelude to what outgoing Secretary of Defense Leon Panetta has warned is a coming "cyber Pearl Harbor" aimed at the U.S. But, they said it is serious all the same, because it shows how vulnerable critical government departments are to espionage.
Bill Gertz, of The Washington Free Beacon, reported Monday that unnamed Energy Department officials confirmed that there had been an attack on servers at the agency's Washington headquarters about two weeks ago.
Gertz reported that the sources told him that 14 computer servers and 20 workstations were penetrated, that personally identifiable information of several hundred employees was compromised, but that no classified information was exposed.
The officials said Chinese hackers were the likely source of the attack, although that is not certain. A hacker group called Parastoo, which is Farsi for the swallow bird and a common girl's name, claimed responsibility for the attack on January 21 on Pastebin.
But government sources told the Beacon that the posting "contained information that was dated," and therefore they don't think the group was behind the attack.
The report said that the government defines such personal information as full name; national identification number such as a Social Security number; Internet Protocol addresses, vehicle and driver's license numbers; face, fingerprint or handwriting samples; credit card numbers; digital identity; date of birth; birthplace; and genetic information.
And it quoted Ed McCallum, a security consultant who previously worked for the department's Office of Safeguards and Security, saying breach is evidence of decades of poor security at the department.
"It's a continuing story of negligence," McCallum said.
Michael Murray, managing partner at MAD Security and The Hacker Academy, is not so sure. "Every security person I've ever worked with believes their organization could do more to protect its secrets," he told CSO Online. "'Negligence' is a strong term that, in many cases, turns out to mean 'business decisions that I don't agree with.'"
But James Arlen, a senior security consultant with the Leviathan Security Group, said he thinks McCallum is probably correct. "There's a certain amount of institutional hubris in large government organizations that creates a mentality that says, 'it worked well last year, why change?'"
"The DoE, despite a long history of facing espionage attacks, still has the common HR policy in the public service of hiring at a price point rather than a skill point," he said. "And just like buying produce at the dollar store, you get what you pay for."
Tommy Stiansen, CTO of Norse, said McCallum is correct, "given the information I can get from the Internet, I'm personally sure."
"The DoE server, their Linux box, tells me they're not security minded," he said. "The box is outdated, not hardened and there is not adequate security in front of it."
And he said the names of employees and contractors were easily available, "which can be used in numerous ways by hackers to gain more information. Nobody should have personal accounts facing the Internet," Stiansen said.
However, while the DoE is a prime target for hostile nation states, both experts doubt that this attack caused any major immediate damage, either to the agency or its employees.
If it was a traditional cyberattack, Murray said employees would be at greater risk. But from a nation-state or an activist group like Anonymous, "the impact of [personall identifiable information] exposure is minimal," he said.
Arlen said if the attackers were able to get classified information (which the DoE has reportedly denied), it could be significant. "If it is espionage, with the outcome being a more traditional physical attack with either advanced knowledge of weaknesses or advanced knowledge of weapons," then it could be serious, he said.
Regardless, the attack should prompt the DoE to get much more serious about security, the experts agree. Arlen said it comes down to "doing the basic stuff correctly."
"Have preventative controls on information assets," Arlen said. "Lock it up, disconnect it, treat information like toxic waste and sequester it with appropriate technologies. Use detection controls -- reduce complexity, simplify network design, introduce appropriate choke points, do behavioral analysis on information flows, be vigilant."
"And stop relying on technologies, techniques and training which are obviously not working," he said. "Assemble the cyber special forces -- why are the best-of-the-best infosec people not on call for issues like this?"
Dominique Karg, chief hacking officer at AlienVault, said "the solution is right in front of their noses and it's cheap as hell."
"It just requires three things," he said. "First, it requires their arrogance to go down. They need to acknowledge that the government/military is no longer best in breed at this particular type of warfare. Second, it requires increased respect for those who do know. Government jobs don't pay the six- to seven-figure salaries that security jobs at public companies in Silicon Valley pay. And even if someone said 'Screw it, I'm doing this for my country,' he'll get back to the private soon enough after being sneered at by everyone and being labeled as the 'printer fixing guy'. Finally, they need to accept outside help."
"There are people who want to help, for free. Let them," Karg said.
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.
Other stories by Taylor Armerding