[ISN] 7 Lessons: Surviving A Zero-Day Attack

From: InfoSec News <alerts_at_private>
Date: Wed, 21 Sep 2011 00:35:52 -0500 (CDT)
http://www.informationweek.com/news/security/attacks/231601692

By John Foley
InformationWeek
September 19, 2011

When Pacific Northwest National Laboratory detected a cyber attack -- 
actually two of them -- against its tech infrastructure in July, the lab 
acted quickly to root out the exploits and secure its network. PNNL then 
did something few other cyber attack victims have been willing to do. It 
decided to talk openly about what happened.

The lab's CIO, Jerry Johnson, last week provided a detailed accounting 
of the cyber attacks. Speaking at the IW500 Conference in Dana Point, 
Calif., Johnson described how intruders took advantage of a 
vulnerability in one of the lab's public-facing web servers to plant a 
"drive-by" exploit on the PCs of site visitors, lab employees among 
them. For weeks, the hackers then surreptitiously scouted PNNL's network 
from the compromised workstations.

Simultaneously, a spear-phishing attack hit one of the lab's major 
business partners, with which it shared network resources. This second 
group of hackers was able to obtain a privileged account and compromise 
a root domain controller that was shared by the lab and its partner. 
When the intruders tried to recreate and elevate account privileges, 
this action triggered an alarm, alerting the lab's cybersecurity team.
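The alarm the article describes fired when a compromised privileged account on the shared domain controller recreated and elevated accounts. The detection logic below is an added illustration of that trigger, not code from PNNL or the article: it reads a constructed pipe-delimited export of Windows Security events (account creation 4720, member added to a group 4728/4732/4756, the event IDs assumed here) and flags any account that is added to a privileged group shortly after being created.

```python
"""Flag 'recreate and elevate' sequences in Windows Security audit events."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed Windows Security event IDs: 4720 = account created,
# 4728 / 4732 / 4756 = member added to a global / local / universal group.
ACCOUNT_CREATED = 4720
ADDED_TO_GROUP = {4728, 4732, 4756}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Administrators", "Schema Admins"}

@dataclass
class Event:
    ts: datetime
    event_id: int
    subject: str      # account that performed the action
    target: str       # account created or added to the group
    group: str = ""   # group name, only set for membership changes

def parse(line: str) -> Event:
    """Parse one constructed export line: time|event_id|subject|target|group."""
    ts, eid, subject, target, group = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), int(eid), subject, target, group)

def find_recreate_and_elevate(events, window=timedelta(minutes=30)):
    """Return (target, group, subject) for accounts created and then added
    to a privileged group within `window`; older accounts are ignored."""
    created_at = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id == ACCOUNT_CREATED:
            created_at[ev.target] = ev.ts
        elif ev.event_id in ADDED_TO_GROUP and ev.group in PRIVILEGED_GROUPS:
            born = created_at.get(ev.target)
            if born is not None and ev.ts - born <= window:
                alerts.append((ev.target, ev.group, ev.subject))
    return alerts

# Constructed sample export (not real PNNL data): a long-standing admin
# promotes an old account, then a compromised service account creates a
# fresh account and elevates it two minutes later.
SAMPLE_LINES = [
    "2011-06-20T08:00:00|4720|admin.j|jdoe|",
    "2011-07-01T09:00:00|4728|admin.j|jdoe|Domain Admins",
    "2011-07-01T22:10:05|4720|svc-backup|helpdesk2|",
    "2011-07-01T22:12:40|4728|svc-backup|helpdesk2|Domain Admins",
]

if __name__ == "__main__":
    for target, group, subject in find_recreate_and_elevate(map(parse, SAMPLE_LINES)):
        print(f"ALERT: {subject} created {target} and added it to {group}")
```

Only the second sequence is flagged; the earlier promotion of an account created weeks before falls outside the window and would need a separate, lower-severity rule on any privileged-group change.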

Within hours, the lab made the decision to disconnect its network in 
order to sever the hackers' communications paths and contain any further 
damage. Over the July 4 weekend, while the rest of us were grilling 
burgers, PNNL's security team conducted cyber forensics, reconstructed 
the domain controller, re-imaged systems, and restored network services 
that had been taken offline.

[...]


Received on Tue Sep 20 2011 - 22:35:52 PDT