They're calling it a "sophisticated cyber attack," but the phishing expedition that enabled hackers to break into Oak Ridge National Laboratory in Tennessee relied on a disarmingly simple strategy -- tricking unwitting email recipients into opening a malicious attachment.
Fortunately for the hackers, there are plenty of unwitting email recipients around, including employees working at federal facilities that store sensitive and classified information on their networks. Not so fortunate for the rest of us.
In a statement emailed to Oak Ridge employees, Laboratory Director Thom Mason said:
"...hackers potentially succeeded in gaining access to one of the laboratory's nonclassified databases that contained personal information of visitors to the laboratory between 1990 and 2004."
That personal information of the lab's visitors includes not only their names and dates of birth, but Social Security numbers.
Then Mason explains:
"...thieves made approximately 1,100 attempts to steal data with a very sophisticated strategy that involved sending staff a total of seven 'phishing' e-mails, all of which at first glance appeared legitimate."
I wonder. One of the emails apparently purported to be a complaint from the Federal Trade Commission. Why would it sound "legitimate" to an Oak Ridge employee that the FTC was filing a complaint against the lab? I've received that FTC email many times in the past; I've never once been tempted to open the attachment. Just like I've never been tempted to open the file attached to the many fake eBay messages I've received telling me a bidder has a question on the item I'm selling.
Supposedly several investigative agencies are looking into the data breach. Who knows if we'll ever find out what really happened, but on the surface it sure seems as though security policies at Oak Ridge regarding attachments were ignored or (even worse) never established or communicated.
And what about the lapse in perimeter security? The Lawrence Livermore National Laboratory in California reported similar phishing attacks in October and November that were thwarted by its network defenses. What did Lawrence Livermore do that Oak Ridge failed to do?
And how many more security breaches are waiting to happen at federal agencies?