[ISN] Hacker logs onto FWP hunter database, but no information stolen

From: InfoSec News (isn@private)
Date: Thu Jun 30 2005 - 00:49:04 PDT


http://www.bozemandailychronicle.com/articles/2005/06/29/news/02fwp.txt

By NICK GEVOCK
Chronicle Staff Writer 
June 29, 2005

A hacker broke into a Montana Department of Fish, Wildlife and Parks
computer database containing personal information about hunters last
month, but officials say no data was stolen.

The hacker made it onto the FWP server that contained the state's
hunter-harvest survey, FWP spokesman Ron Aasheim confirmed Tuesday.
The database includes personal information about hunters, including
Social Security numbers, along with data on where they hunted and
whether they killed game.

Upon discovering the hacking, FWP immediately contacted Sam Mason, a
state data security specialist, who determined the hacker hadn't
downloaded any information, Aasheim said.

"He told us there's no reason for concern here with identity fraud or
stealing of information," Aasheim said. "If there had been, we would
have taken other actions and certainly contacting the public was one
of them."

The database, which was collected and maintained by FWP's Region 3
staff in Bozeman, was stored on a Montana State University computer
system that lacked several security measures, including a "firewall,"  
Aasheim said.

But that's the fault of FWP, not MSU.

"There were a couple of steps that we didn't take, just because of a
lack of communication," he said. "We take full responsibility."

Based on a review of the database after the incident, it appears that
the hacker was looking for storage space for files, Mason said.

Hackers often use such databases as a temporary location for storing
pirated software so it can be downloaded by others without leaving a
trail.

Had any personal information been downloaded, the computer would have
created a log of the transfer, but none was created, Mason said.

"It seemed to be just a bunch of people throwing movies or pirated
software around," Mason said. "Everything seemed to be quite safe."

Luckily, Aasheim said, the agency's databases use Oracle software,
which compresses inforamtion into a code that is not visible to
hackers as readable text.

In addition, the database takes up 12 gigabytes of disc storage that
can't be accessed in pieces. A transfer of that size would take time,
but the hacker was only on the server for a few minutes.

Americans are increasingly fearful of identity theft, one of the
fastest-growing crimes. Several large breaches of databases have
occurred over the past year, including the theft of thousands of names
from credit card companies and colleges.

FWP has learned from the incident and is taking steps to prevent
someone from hacking into other databases, Aasheim said. It is moving
all of its databases to a state system that has multiple security
steps built in.

FWP also is hiring computer specialists to work at each of its seven
regional headquarters, Aasheim said.

"We've dodged a bullet, that's the good news," he said. "Now we've
taken the steps to correct it."



_________________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 - 
2,000+ international security experts, 
10 tracks, no vendor pitches.
www.blackhat.com 



This archive was generated by hypermail 2.1.3 : Thu Jun 30 2005 - 01:17:15 PDT