http://www.boston.com/news/local/vermont/articles/2007/01/30/state_was_warned_of_potential_computer_security_breach/

By David Gram
Associated Press Writer
January 30, 2007

MONTPELIER, Vt. -- A Microsoft security patch was downloaded but not installed on a state computer that hackers later broke into, gaining access to names, Social Security numbers and bank account information for nearly 70,000 people, an official confirmed Tuesday.

An internal state report on the hacking incident says Microsoft, a national computer security institute and "even the Department of Homeland Security all gave special priority to the application of this patch in order to fix the vulnerabilities ... that unauthorized attackers could gain control of a system." The report goes on to say the patches released in August "were downloaded but never applied on this system."

The finding was contained in the report on an incident in which hackers broke into a computer that was set up to track the finances of noncustodial parents three or more months behind on child support payments. Banks are required by federal law to provide quarterly reports on the finances of people who owe back child support.

One of nine affected banks, New England Federal Credit Union, twice provided the information not just on child support deadbeats, but on nearly all of its roughly 59,000 members. The compromised computer contained that information, officials said.

The internal state report was chock full of technical information and computer terminology, but made repeated references to two things: worms, which are bits of computer programming that burrow into a computer; and Trojans, which allow someone from as far away as China to tell the computer to execute specific commands, including sending its data over the Internet.

As they announced the breach of the state Office of Child Support computer on Monday, state officials emphasized that the attacks appeared to have been launched automatically by hackers targeting hundreds or thousands of computers on the Internet, looking for vulnerabilities.

"It was an automated attack, which I think is critically important, and not a targeted attack by an individual," Human Services Secretary Cynthia LaWare said Monday.

The internal state report pointed to more direct personal involvement. "Although it is not clear prior to September 12th whether or not this server was in the control of a human being (as opposed to merely being passively infected with worms containing Trojans) it is very likely following this date that the server was under the control of a person," the report says. The parenthetical phrase was contained in its text.

Thomas Murray, commissioner of the Department of Information and Innovation, said officials continued to believe that "somewhere somebody is launching this thing at hundreds of computers, but it's not Joe Hacker (getting) into a system and transmitting files."

Murray said officials do not believe the infectious programs were allowed to spread to other state computers; most are inside a "firewall" with sufficient security to have rebuffed any attacks. In fact, Murray said, technicians spotted the security breach in December when the viruses that had infected the child support computer began trying to spread to others on the system.

The state report says the first evidence of successful hacking came Aug. 18, 10 days after Microsoft issued its security patch. Initially, the report says, the state computer was "most likely compromised by an unknown autonomous worm exploiting a known vulnerability" -- the one described by Microsoft on Aug. 8.

Officials continued to say Tuesday that, while there was no evidence that sensitive personal data had been taken from the state computer, there also was no way to show that had not happened.

The state was sending out letters to people whose information was compromised, said Heidi Tringe, spokeswoman for the Agency of Human Services. "All of the affected individuals needed to be notified and provided suggestions on how they should protect themselves," Tringe said.

At New England Federal Credit Union, CEO David Bard said extra telephone call takers were being brought in to handle consumer inquiries. "Our focus is really on trying to provide resources to our members."

Meanwhile, a Norwich University computer security expert on Tuesday said it was "amazing" that the state had stored the sensitive data on a computer with such limited security protection.

"We haven't put unprotected computers directly on the Internet in this type of scenario for more than 10 years," said Peter Stephenson, a professor, computer security expert and senior scientist at Norwich's Applied Research Institute. "We're not talking about new technology here."

On the Net: http://www.nefcu.com