
24,000 Pentagon Files Stolen in Cyberattack - janektm
http://mashable.com/2011/07/15/pentagon-cyberattack/
======
ck2
I don't understand why it's not a crime to have sensitive information on
computers attached to the internet (or having usb ports for that matter).

Imagine if nuclear silos were built today and powered by Windows and attached
to the internet - insane, right? Well at what level is anything else that
would cause headlines if hacked, okay to be attached to the internet?

~~~
dexen
_> I don't understand why it's not a crime to have sensitive information on
[[vulnerable]] computers (...)_

Easiest question under the Sun:

it's legal and considered perfectly OK because the software, network gear and
configuration comes with the right documents. As long as the documents say the
right procedures were applied during development and deployment, it's
considered OK.

What do you expect, particular software and network gear being declared too
vulnerable merely because everybody with relevant experience _knows_ and has
experienced how vulnerable it is? Bureaucracies don't work that way; never did
and probably never will.

We may want to have a way to counter such useless documents to make our
countries' infrastructure safer, but that's not the easiest quest under the
Sun anymore...

~~~
rdtsc
Good insight. A lot of security breach management just involves having someone
else to point a finger to. It is about hiring contractors that have paper
credentials and then when shit hits the fan they can point to them and say
"look we hired the best, if they can't do it, nobody can." In the government
world it is about passing the security script test, having the right stamps on
your certificates that consist of random 4-letter words.

------
DanHulton
They also don't disclose how the files were stolen - SQL injection? Social
engineering? Compromised email account?

I mean, obviously they don't want to draw specific attention to what methods
were effective to sneak into the freakin' military, but I suspect it was
something simple like that. It seems to always be the case these days.

It interests me though, because I just launched a startup to help mitigate
broken-into email accounts: <http://www.emailambush.com/> I wonder if it WAS a
hacked email account, with someone just sitting there, slurping down emailed
Word and Excel files. Further, I wonder how the heck I'd even begin to
approach them about my service, should that turn out to be the case. I've
never dealt with large-scale procurement-style folks before.

------
zrail
OT: Is the Pentagon the only major group to have unironically adopted the
words "cyberspace" and "cyberattack"? Because I don't see anyone else using
them in 2011.

------
timjahn
I'm confused what this has to do with Mashable. They truly do just report on
anything that will gather page views at this point, don't they?

------
mathiasben
Any word on who the contractor was? Coming on the heels of the Booz Allen &
Hamilton break-in, this has been a bad week for infosec in the MIC.

