
Department of Energy hack exposes major vulnerabilities

Taylor Armerding | Feb. 6, 2013
Security experts say damage probably not serious, but that the implications are

The U.S. Department of Energy (DoE) is the latest federal agency to become the victim of a cyberattack while not immediately being aware of it.

Several security experts say the intrusion was unlikely to be a prelude to what outgoing Secretary of Defense Leon Panetta has warned is a coming "cyber Pearl Harbor" aimed at the U.S. But they said it is serious all the same, because it shows how vulnerable critical government departments are to espionage.

Bill Gertz, of The Washington Free Beacon, reported Monday that unnamed Energy Department officials confirmed that there had been an attack on servers at the agency's Washington headquarters about two weeks ago.

Gertz reported that the sources told him that 14 computer servers and 20 workstations were penetrated, that personally identifiable information of several hundred employees was compromised, but that no classified information was exposed.

The officials said Chinese hackers were the likely source of the attack, although that is not certain. A hacker group called Parastoo, which is Farsi for the swallow bird and a common girl's name, claimed responsibility for the attack on January 21 on Pastebin.

But government sources told the Beacon that the posting "contained information that was dated," and therefore they don't think the group was behind the attack.

The report said that the government defines such personal information as full name; national identification number such as a Social Security number; Internet Protocol addresses, vehicle and driver's license numbers; face, fingerprint or handwriting samples; credit card numbers; digital identity; date of birth; birthplace; and genetic information.

And it quoted Ed McCallum, a security consultant who previously worked for the department's Office of Safeguards and Security, saying the breach is evidence of decades of poor security at the department.

"It's a continuing story of negligence," McCallum said.

Michael Murray, managing partner at MAD Security and The Hacker Academy, is not so sure. "Every security person I've ever worked with believes their organization could do more to protect its secrets," he told CSO Online. "'Negligence' is a strong term that, in many cases, turns out to mean 'business decisions that I don't agree with.'"

But James Arlen, a senior security consultant with the Leviathan Security Group, said he thinks McCallum is probably correct. "There's a certain amount of institutional hubris in large government organizations that creates a mentality that says, 'it worked well last year, why change?'"


"The DoE, despite a long history of facing espionage attacks, still has the common HR policy in the public service of hiring at a price point rather than a skill point," he said. "And just like buying produce at the dollar store, you get what you pay for."
