Attacks/Breaches
11/26/2012
08:53 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

How South Carolina Failed To Spot Hack Attack

Attackers stole 3.3 million businesses' bank details and 1.9 million social security numbers, cost the state $14 million for cleanup.

Just one look: That's all it took for an attacker to compromise South Carolina state systems.

Specifically, a state Department of Revenue employee likely "unwittingly executed malware, and became compromised" after clicking on an embedded link in a salacious email, allowing an attacker to harvest the employee's username and password. So said a state-commissioned analysis from security firm Mandiant, released last week.

Two weeks after the initial malware infection, "the attacker logged into the remote access service (Citrix) using legitimate Department of Revenue user credentials," according to the report. "The attacker used the Citrix portal to log into the user's workstation and then leveraged the user's access rights to access other Department of Revenue systems and databases with the user's credentials."

Ultimately, the attacker stole 3.3 million unencrypted bank account numbers. Given the recent spike in fraudulent wire-transfer attacks, that information promises to be a goldmine. Equally worrying for consumers is the theft of copies of 3.8 million tax returns, containing social security numbers for 1.9 million children and other dependents.

[ S.C. isn't alone in failing to protect government data. See Stolen NASA Laptop Had Unencrypted Employee Data. ]

Who's to blame for the data breach? South Carolina state officials have pointed the finger at Russian attackers, while also criticizing the Internal Revenue Service for not having required the state to encrypt social security numbers. But based on a reading of Mandiant's report, state officials are perhaps most to blame. On that note, last week Gov. Nikki Haley said at a news conference that South Carolina Department of Revenue director Jim Etter would resign, effective Dec. 31. Etter had reportedly declined the offer of free breach-detection services from the state's IT department.

From a security standpoint, failing to watch for intrusions was an amateur error, and -- no surprise -- the state failed to catch the recent intrusion. Likewise, the state failed to spot the follow-up compromise of 44 different systems, the installation of backdoor software, multiple instances of password hashes being dumped, the running of Windows batch scripts, or the attacker executing numerous arbitrary commands against databases.

As a result, a few weeks after the first successful malware infection, the attacker was still using the stolen credentials to conduct reconnaissance on 21 different state servers, although he or she hadn't yet been able to access sensitive data. But with more work, by Sept. 12, 2012, the attacker had successfully located and begun copying 23 database backup files, containing 74.7 GB of data, to another directory. Soon, the attacker compressed the data into 15 zip files, transferred them to another server, sent the data to an external system -- outside the state's control -- and deleted the zip files to help hide the data breach, according to Mandiant's report.

The breach remained undiscovered until about a month later, on Oct. 10, when the Secret Service informed state officials that information on three residents appeared to have been stolen. Two days later, the state hired Mandiant to help find out what happened.

The bill for the data breach now exceeds $14 million, reported the Associated Press. Related costs include $500,000 for Mandiant's efforts, $12 million for credit monitoring services from Experian, $800,000 for improved information security capabilities, $100,000 for outside legal help, $150,000 for a related public relations campaign as well as $740,000 that will likely be spent to notify the estimated 1.3 million out-of-state taxpayers who were affected by the breach.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Apprentice
12/10/2012 | 3:12:58 PM
re: How South Carolina Failed To Spot Hack Attack
Putting aside all that the IRS and state were supposed to do such as the breech detection system, this would not have been such a big deal had all the social security numbers were encrypted. Really 1.2 million social security numbers sitting on a system with basically no security measurements at all to alert IT of intruders? Every IT individual who is involved in this system from a security standpoint, is responsible for this breech. Weather they lacked the knowledge or lacked the enthusiasm to speak up or purpose some form of security, is not an acceptable excuse for a breech f this magnitude.

Paul Sprague
InformationWeek Contributor
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
11/29/2012 | 12:35:13 PM
re: How South Carolina Failed To Spot Hack Attack
That is just passing the buck. SC officials are just recklessly inept when it comes to securing data. Maybe the bare minimal standard does not require encryption, but common sense does. And if the standard is indeed that flawed it needs to be fixed before the end of the year and implemented across the nation in Q1 2013. If there is one state administration that is so clueless I bet that there are 49 more - plus the IRS.
KatieSC
50%
50%
KatieSC,
User Rank: Apprentice
11/26/2012 | 11:11:29 PM
re: How South Carolina Failed To Spot Hack Attack
I hope people realize that credit monitoring services do not protect from identity fraud. This data breach will be a life-long problem for residents of South Carolina and a huge headache for banks. I hope those banks will look into the Personal Firewall Project to protect their customers.
Number 6
50%
50%
Number 6,
User Rank: Apprentice
11/26/2012 | 7:09:29 PM
re: How South Carolina Failed To Spot Hack Attack
They criticized the IRS for not requiring them to encrypt SSN's? So S.C. state officials are saying they need Big Government to tell them what to do? Oh, the irony.
Deirdre Blake
50%
50%
Deirdre Blake,
User Rank: Apprentice
11/26/2012 | 4:20:25 PM
re: How South Carolina Failed To Spot Hack Attack
Makes you wonder how many successful attacks/thefts have gone undetected elsewhere....
Deirdre Blake
Managing Editor, Dr. Dobb's
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-0460
Published: 2014-04-16
The init script in kbd, possibly 1.14.1 and earlier, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/defkeymap.map.

CVE-2011-0993
Published: 2014-04-16
SUSE Lifecycle Management Server before 1.1 uses world readable postgres credentials, which allows local users to obtain sensitive information via unspecified vectors.

CVE-2011-3180
Published: 2014-04-16
kiwi before 4.98.08, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands via shell metacharacters in the path of an overlay file, related to chown.

CVE-2011-4089
Published: 2014-04-16
The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.

CVE-2011-4192
Published: 2014-04-16
kiwi before 4.85.1, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands as demonstrated by "double quotes in kiwi_oemtitle of .profile."

Best of the Web