[ISN] State was warned of potential computer security breach

From: InfoSec News (alerts@private)
Date: Tue Jan 30 2007 - 23:10:32 PST


By David Gram
Associated Press Writer
January 30, 2007

MONTPELIER, Vt. -- A Microsoft security patch was downloaded but not 
installed on a state computer that hackers later broke into, gaining 
access to names, Social Security numbers and bank account information 
for nearly 70,000 people, an official confirmed Tuesday.

An internal state report on the hacking incident says Microsoft, a 
national computer security institute and "even the Department of 
Homeland Security all gave special priority to the application of this 
patch in order to fix the vulnerabilities ... that unauthorized 
attackers could gain control of a system."

The report goes on to say the patches released in August "were 
downloaded but never applied on this system."
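The failure the report describes, an update sitting on disk but never applied, is a state the Windows Update Agent can be asked about directly. The script below is an added example, not code from the article or the state's report; it uses the documented Windows Update Agent COM API (Microsoft.Update.Session) to list updates that are downloaded but not installed, and Get-HotFix to confirm whether one specific KB is present. The KB number is a parameter you supply; the article does not identify the August patch by number, so none is assumed here.

```powershell
# Added example (not from the article): audit a Windows host for updates
# that the Windows Update Agent has downloaded but never installed.
# Run locally, as an administrator, on the host being checked.

function Get-DownloadedNotInstalledUpdate {
    # Windows Update Agent COM API, documented as IUpdateSession /
    # IUpdateSearcher. The search string is the documented criteria syntax.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0")

    foreach ($u in $result.Updates) {
        # IUpdate properties: Title, KBArticleIDs, MsrcSeverity,
        # IsDownloaded, RebootRequired.
        [pscustomobject]@{
            Title        = $u.Title
            KB           = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity     = $u.MsrcSeverity
            Downloaded   = $u.IsDownloaded
            RebootNeeded = $u.RebootRequired
        }
    } | Where-Object { $_.Downloaded -eq $true }   # on disk, never applied
}

function Test-KBInstalled {
    # $KB is supplied by the caller, e.g. 'KB123456' (placeholder, not a
    # real identifier from the article). Get-HotFix reads the installed
    # hotfix inventory (Win32_QuickFixEngineering), so "downloaded" does
    # not count: only an applied update appears here.
    param([Parameter(Mandatory)][string]$KB)
    $null -ne (Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

# Report and fail the check if anything rated Critical is waiting.
$pending = Get-DownloadedNotInstalledUpdate
$pending | Format-Table -AutoSize

if ($pending | Where-Object { $_.Severity -eq 'Critical' }) {
    Write-Warning "Critical updates downloaded but not installed on $env:COMPUTERNAME"
    exit 1
}
```

The two checks disagree on purpose: the first asks the update agent what it is holding, the second asks the OS what has actually been applied. A host that appears in the first list and fails Test-KBInstalled for the relevant KB is in exactly the condition the report describes, and a reboot-required entry with RebootNeeded set is not protected either until the restart has happened.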

The finding was contained in the report on an incident in which hackers 
broke into a computer that was set up to track the finances of 
noncustodial parents three or more months behind on child support.

Banks are required by federal law to provide quarterly reports on the 
finances of people who owe back child support. One of nine affected 
banks, New England Federal Credit Union, twice provided the information 
not just on child support deadbeats, but on nearly all of its roughly 
59,000 members. The compromised computer contained that information, 
officials said.

The internal state report was chock full of technical information and 
computer terminology, but made repeated references to two things: worms, 
self-replicating programs that spread from one computer to another on 
their own, typically by exploiting an unpatched vulnerability; and 
Trojans, which allow someone from as far away as China to tell the 
computer to execute specific commands, including sending its data over 
the Internet.

As they announced the breach of the state Office of Child Support 
computer on Monday, state officials emphasized that the attacks appeared 
to have been launched automatically by hackers targeting hundreds or 
thousands of computers on the Internet, looking for vulnerabilities.

"It was an automated attack, which I think is critically important, and 
not a targeted attack by an individual," Human Services Secretary 
Cynthia LaWare said Monday.

The internal state report pointed to more direct personal involvement.

"Although it is not clear prior to September 12th whether or not this 
server was in the control of a human being (as opposed to merely being 
passively infected with worms containing Trojans) it is very likely 
following this date that the server was under the control of a person," 
the report says. The parenthetical phrase was contained in its text.

Thomas Murray, commissioner of the Department of Information and 
Innovation, said officials continued to believe that "somewhere somebody 
is launching this thing at hundreds of computers, but it's not Joe 
Hacker (getting) into a system and transmitting files."

Murray said officials do not believe the infectious programs were 
allowed to spread to other state computers; most are inside a "firewall" 
with sufficient security to have rebuffed any attacks. In fact, Murray 
said, technicians spotted the security breach in December when the 
viruses that had infected the child support computer began trying to 
spread to others on the system.

The state report says the first evidence of successful hacking came Aug. 
18, 10 days after Microsoft issued its security patch. Initially, the 
report says, the state computer was "most likely compromised by an 
unknown autonomous worm exploiting a known vulnerability" -- the one 
described by Microsoft on Aug. 8.

Officials continued to say Tuesday that, while there was no evidence 
that sensitive personal data had been taken from the state computer, 
there also was no way to show that had not happened. The state was 
sending out letters to people whose information was compromised, said 
Heidi Tringe, spokeswoman for the Agency of Human Services.

"All of the affected individuals needed to be notified and provided 
suggestions on how they should protect themselves," Tringe said.

At New England Federal Credit Union, CEO David Bard said extra telephone 
call takers were being brought in to handle consumer inquiries. "Our 
focus is really on trying to provide resources to our members."

Meanwhile, a Norwich University computer security expert on Tuesday said 
it was "amazing" that the state had stored the sensitive data on a 
computer with such limited security protection.

"We haven't put unprotected computers directly on the Internet in this 
type of scenario for more than 10 years," said Peter Stephenson, a 
professor, computer security expert and senior scientist at Norwich's 
Applied Research Institute. "We're not talking about new technology 

