http://www.nhpr.org/node/10492
By Jon Greenberg
March 29, 2006

In February, state officials issued a warning that a bit of malicious software on a state computer might have put people's credit card information at risk. A few days later, the Office of Information Technology suspended one of its employees. That employee has never been named, nor has he been charged with any crime. Now he has come forward, and he says that the state's problems with hackers were much greater than officials discussed. New Hampshire Public Radio's Jon Greenberg has more.

-=-

A rough transcript follows:

Before we meet the man who challenges the state's public position, let's go back to February 15th. Governor John Lynch, along with Rick Bailey, the state's chief information officer, held a hastily organized news conference.

"The Office of Information Technology discovered this morning that someone has breached one of the state's smaller servers with a program that could allow them to watch activity on that server."

At the press conference, the program was identified as something called Cain and Abel.

"The truth, in my mind, is that the server on which Cain and Abel was found installed, I personally don't think it was hacked at all."

Doug Oliver is the employee who was suspended. He is quick to say he was the person who used Cain and Abel on the state's computers. It is a program that can be used by hackers but can also have legitimate uses. More on that in a bit. Oliver says that press conference was notable not for what was said, but for what wasn't.

"The most obvious security breach that caused the organization to respond quickly, intensely, wasn't even mentioned."

Six days before the press conference, a Liquor Commission computer that handles wholesale purchases, including ones using credit cards, was hacked. On this point there is no dispute. Bailey, the state's chief information officer, confirms it.
He also confirms that the hack put the department into high gear, with a widespread effort to plug security holes on other computers. What happened next, in early February, is much more subject to debate. Using a new widget that tracks suspicious activity when computers talk to each other, Oliver says he saw evidence of a widespread infection by a completely different computer threat: not Cain and Abel, but a worm called SQL Slammer.

"There were events and incidences being reported by this device that I was seeing multiple network machines being touched by this worm. In addition, there were other signatures, other flags or events that this tool was firing at the same time that were strongly indicative of an attack against the network."

A network-wide assault by a worm is very different from finding something like Cain and Abel on one server. Now, several people in the Office of Information Technology disagree that the network had been attacked by the worm SQL Slammer. Chief Information Officer Rick Bailey says the security tool that Oliver used is good, but not perfect.

"In any of the security monitoring tools, there is always the possibility of false positives, because it looks for signatures and patterns. And sometimes those patterns are inappropriate, and sometimes those patterns are caused by legitimate traffic."

Bailey would not go into any more detail, saying the entire situation is under investigation. However, a security specialist contacted by NHPR says that with this particular worm, a false positive is unlikely. Pete Lindstrom is the research director for Spire Security in Pennsylvania. Lindstrom says SQL Slammer first appeared in 2003.

"We think of this as the low-hanging fruit. Any worm older than a few months can reliably be detected. If it pops up on the screen, you can be fairly confident that it was in fact SQL Slammer, a system has been infected."

The age of the worm matters for another reason.
Once a worm appears, software companies quickly come up with ways to block it. These are called patches. In SQL Slammer's case, Microsoft's patch for the hole the worm exploits dates from mid-2002, before the worm itself appeared, more than three years before these events. One year ago, Bailey put Oliver on an ad hoc security team with the job of uncovering the weak points in the state's computer network. Oliver says, and Bailey confirms, that one of the team's recommendations was to get computers up to date on patches. For a variety of reasons, many of those patches were not installed.

But now it's time to get back to that other piece of hacking software, Cain and Abel, the program that led to the public warning about credit card safety. Oliver says his work on that ad hoc security team has a direct connection to Cain and Abel.

"I, who was the chief technical hacker, you could say, used Cain and Abel for the purpose of diagnosing problems with network vulnerability and to test the strength of certain passwords."

Oliver says several people around the department knew he was using Cain and Abel. He says he thought he had removed the program from every computer. He supposes he made a mistake. Whatever the full details are, Oliver's name was on the program that was found, and it made him the prime suspect in the state's investigation.

The Office of Information Technology has not stood still since it found both the hack on the Liquor Commission's server and Cain and Abel on a different computer. Bailey says much has been done to patch old computers and to make sure that security is considered first.

"Today, five to six weeks later, clearly our network is more secure than it was then. Next month it will be more secure than it is now. And we've continued on the path of improving and mitigating any of the risks that we can identify."

Bailey says an overview of the state's computer network points to a fundamental problem. It is a network that was cobbled together over time.

"If you've got 50 servers and you're trying to watch them for unusual activity, if they're all built the same way, then it's pretty easy to detect an anomaly. If they're built 50 different ways, then you're not sure: is that just because of the way it was built, or is it really an anomaly? And you waste a lot of time chasing down the false positives that we were talking about earlier."

The challenges are large, and Bailey says the resources are stretched thin. He is confident of the security of the system today, but he says it remains an ongoing effort. Proof of that came earlier this month: the same Liquor Commission server that was hacked in early February was hacked again.

For NHPR News, I'm Jon Greenberg.

_________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org
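The dispute in the report, whether the Slammer alerts were real detections or the false positives Bailey describes, turns on how a signature rule is written. The Python below is an added illustration, not part of the NHPR report and not the state's monitoring tool: it runs two rules over constructed UDP/1434 packets. The naive rule fires on any packet that starts with the SSRP opcode 0x04, which every legitimate SQL Server instance-name query also starts with, so it flags normal traffic. The second rule keys on the worm's fixed, well-known structure (a 376-byte payload opening with 0x04, a long run of 0x01 filler, and the DLL and API names the worm references), which is why a worm this old is, as Lindstrom puts it, reliably detectable. The "Slammer-like" packet is built here to mimic that layout and is not the worm; the filler-length threshold of 64 bytes is a conservative assumption, and all addresses are made up.

```python
"""Signature detection of SQL Slammer traffic vs. a naive SSRP rule.

Every packet here is constructed for the example.  The Slammer-like packet
reproduces the documented shape of the worm packet (opcode 0x04, a run of
0x01 filler bytes, the DLL/API names it references, 376-byte UDP payload)
but it is not the worm's code.
"""
from dataclasses import dataclass

SQL_SSRP_PORT = 1434
SLAMMER_PAYLOAD_LEN = 376        # UDP payload size of the real worm packet
SLAMMER_MIN_FILLER = 64          # assumed lower bound on the 0x01 run after the opcode
SLAMMER_MARKERS = (b"ws2_32.dll", b"kernel32.dll", b"GetTickCount", b"sendto")


@dataclass(frozen=True)
class UdpPacket:
    src: str        # made-up source address
    dport: int
    payload: bytes


def naive_ssrp_rule(pkt: UdpPacket) -> bool:
    """'Anything to UDP/1434 that starts with 0x04.'

    0x04 is the ordinary SSRP unicast instance query (CLNT_UCAST_INST), so
    this rule fires on every client asking the SQL Browser where an instance
    lives: exactly the kind of false positive caused by legitimate traffic.
    """
    return pkt.dport == SQL_SSRP_PORT and pkt.payload[:1] == b"\x04"


def slammer_rule(pkt: UdpPacket) -> bool:
    """Require the worm's fixed structure, not just its opcode."""
    p = pkt.payload
    if pkt.dport != SQL_SSRP_PORT or p[:1] != b"\x04":
        return False
    if len(p) != SLAMMER_PAYLOAD_LEN:
        return False                          # legit queries are a few dozen bytes
    rest = p[1:]
    filler = len(rest) - len(rest.lstrip(b"\x01"))   # length of the leading 0x01 run
    if filler < SLAMMER_MIN_FILLER:
        return False
    return all(marker in p for marker in SLAMMER_MARKERS)


def scan(packets, rule):
    """Return the source addresses whose packets the given rule flags."""
    return [pkt.src for pkt in packets if rule(pkt)]


def build_slammer_like() -> bytes:
    """Constructed stand-in with the worm's layout; padded with 0x90 to 376 bytes."""
    body = b"\x04" + b"\x01" * 97
    body += b"\x00".join(SLAMMER_MARKERS) + b"\x00"
    return body + b"\x90" * (SLAMMER_PAYLOAD_LEN - len(body))


# Constructed sample traffic: one worm-like packet among normal SSRP queries.
SAMPLE_PACKETS = [
    UdpPacket("10.0.5.17", 1434, build_slammer_like()),            # worm-like
    UdpPacket("10.0.1.23", 1434, b"\x04MSSQLSERVER\x00"),          # legit unicast instance query
    UdpPacket("10.0.1.24", 1434, b"\x02"),                          # legit broadcast discovery
    UdpPacket("10.0.1.25", 1434, b"\x04LIQUORWHOLESALE\x00"),      # legit query, longer name
    UdpPacket("10.0.9.9", 53, b"\x04" + b"\x01" * 375),             # wrong port: not SSRP at all
]

if __name__ == "__main__":
    print("naive rule flags  :", scan(SAMPLE_PACKETS, naive_ssrp_rule))
    print("slammer rule flags:", scan(SAMPLE_PACKETS, slammer_rule))
```

Run as-is, the naive rule reports three hosts, two of which are ordinary SQL clients, while the structural rule reports only the worm-like packet. The same trade-off applies to the heterogeneous-server problem Bailey raises: the looser the pattern, the more of the analyst's time goes to chasing alerts that legitimate traffic produced.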
This archive was generated by hypermail 2.1.3 : Wed Mar 29 2006 - 01:07:56 PST