Attacks/Breaches
11/26/2012
08:53 AM
50%
50%

How South Carolina Failed To Spot Hack Attack

Attackers stole 3.3 million businesses' bank details and 1.9 million social security numbers, cost the state $14 million for cleanup.

Just one look: That's all it took for an attacker to compromise South Carolina state systems.

Specifically, a state Department of Revenue employee likely "unwittingly executed malware, and became compromised" after clicking on an embedded link in a salacious email, allowing an attacker to harvest the employee's username and password. So said a state-commissioned analysis from security firm Mandiant, released last week.

Two weeks after the initial malware infection, "the attacker logged into the remote access service (Citrix) using legitimate Department of Revenue user credentials," according to the report. "The attacker used the Citrix portal to log into the user's workstation and then leveraged the user's access rights to access other Department of Revenue systems and databases with the user's credentials."

Ultimately, the attacker stole 3.3 million unencrypted bank account numbers. Given the recent spike in fraudulent wire-transfer attacks, that information promises to be a goldmine. Equally worrying for consumers is the theft of copies of 3.8 million tax returns, containing social security numbers for 1.9 million children and other dependents.

[ S.C. isn't alone in failing to protect government data. See Stolen NASA Laptop Had Unencrypted Employee Data. ]

Who's to blame for the data breach? South Carolina state officials have pointed the finger at Russian attackers, while also criticizing the Internal Revenue Service for not having required the state to encrypt social security numbers. But based on a reading of Mandiant's report, state officials are perhaps most to blame. On that note, last week Gov. Nikki Haley said at a news conference that South Carolina Department of Revenue director Jim Etter would resign, effective Dec. 31. Etter had reportedly declined the offer of free breach-detection services from the state's IT department.

From a security standpoint, failing to watch for intrusions was an amateur error, and -- no surprise -- the state failed to catch the recent intrusion. Likewise, the state failed to spot the follow-up compromise of 44 different systems, the installation of backdoor software, multiple instances of password hashes being dumped, the running of Windows batch scripts, or the attacker executing numerous arbitrary commands against databases.

As a result, a few weeks after the first successful malware infection, the attacker was still using the stolen credentials to conduct reconnaissance on 21 different state servers, although he or she hadn't yet been able to access sensitive data. But with more work, by Sept. 12, 2012, the attacker had successfully located and begun copying 23 database backup files, containing 74.7 GB of data, to another directory. Soon, the attacker compressed the data into 15 zip files, transferred them to another server, sent the data to an external system -- outside the state's control -- and deleted the zip files to help hide the data breach, according to Mandiant's report.

The breach remained undiscovered until about a month later, on Oct. 10, when the Secret Service informed state officials that information on three residents appeared to have been stolen. Two days later, the state hired Mandiant to help find out what happened.

The bill for the data breach now exceeds $14 million, reported the Associated Press. Related costs include $500,000 for Mandiant's efforts, $12 million for credit monitoring services from Experian, $800,000 for improved information security capabilities, $100,000 for outside legal help, $150,000 for a related public relations campaign as well as $740,000 that will likely be spent to notify the estimated 1.3 million out-of-state taxpayers who were affected by the breach.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Ninja
12/10/2012 | 3:12:58 PM
re: How South Carolina Failed To Spot Hack Attack
Putting aside all that the IRS and state were supposed to do such as the breech detection system, this would not have been such a big deal had all the social security numbers were encrypted. Really 1.2 million social security numbers sitting on a system with basically no security measurements at all to alert IT of intruders? Every IT individual who is involved in this system from a security standpoint, is responsible for this breech. Weather they lacked the knowledge or lacked the enthusiasm to speak up or purpose some form of security, is not an acceptable excuse for a breech f this magnitude.

Paul Sprague
InformationWeek Contributor
moarsauce123
50%
50%
moarsauce123,
User Rank: Apprentice
11/29/2012 | 12:35:13 PM
re: How South Carolina Failed To Spot Hack Attack
That is just passing the buck. SC officials are just recklessly inept when it comes to securing data. Maybe the bare minimal standard does not require encryption, but common sense does. And if the standard is indeed that flawed it needs to be fixed before the end of the year and implemented across the nation in Q1 2013. If there is one state administration that is so clueless I bet that there are 49 more - plus the IRS.
KatieSC
50%
50%
KatieSC,
User Rank: Apprentice
11/26/2012 | 11:11:29 PM
re: How South Carolina Failed To Spot Hack Attack
I hope people realize that credit monitoring services do not protect from identity fraud. This data breach will be a life-long problem for residents of South Carolina and a huge headache for banks. I hope those banks will look into the Personal Firewall Project to protect their customers.
Number 6
50%
50%
Number 6,
User Rank: Apprentice
11/26/2012 | 7:09:29 PM
re: How South Carolina Failed To Spot Hack Attack
They criticized the IRS for not requiring them to encrypt SSN's? So S.C. state officials are saying they need Big Government to tell them what to do? Oh, the irony.
Deirdre Blake
50%
50%
Deirdre Blake,
User Rank: Apprentice
11/26/2012 | 4:20:25 PM
re: How South Carolina Failed To Spot Hack Attack
Makes you wonder how many successful attacks/thefts have gone undetected elsewhere....
Deirdre Blake
Managing Editor, Dr. Dobb's
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1449
Published: 2014-12-25
The Maxthon Cloud Browser application before 4.1.6.2000 for Android allows remote attackers to spoof the address bar via crafted JavaScript code that uses the history API.

CVE-2014-2217
Published: 2014-12-25
Absolute path traversal vulnerability in the RadAsyncUpload control in the RadControls in Telerik UI for ASP.NET AJAX before Q3 2012 SP2 allows remote attackers to write to arbitrary files, and consequently execute arbitrary code, via a full pathname in the UploadID metadata value.

CVE-2014-3971
Published: 2014-12-25
The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate.

CVE-2014-7193
Published: 2014-12-25
The Crumb plugin before 3.0.0 for Node.js does not properly restrict token access in situations where a hapi route handler has CORS enabled, which allows remote attackers to obtain sensitive information, and potentially obtain the ability to spoof requests to non-CORS routes, via a crafted web site ...

CVE-2014-7300
Published: 2014-12-25
GNOME Shell 3.14.x before 3.14.1, when the Screen Lock feature is used, does not limit the aggregate memory consumption of all active PrtSc requests, which allows physically proximate attackers to execute arbitrary commands on an unattended workstation by making many PrtSc requests and leveraging a ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.