11/26/2012 08:53 AM
How South Carolina Failed To Spot Hack Attack

Attackers stole 3.3 million businesses' bank details and 1.9 million social security numbers; the cleanup has cost the state $14 million.

Just one look: That's all it took for an attacker to compromise South Carolina state systems.

Specifically, a state Department of Revenue employee likely "unwittingly executed malware, and became compromised" after clicking on an embedded link in a salacious email, allowing an attacker to harvest the employee's username and password. So said a state-commissioned analysis from security firm Mandiant, released last week.

Two weeks after the initial malware infection, "the attacker logged into the remote access service (Citrix) using legitimate Department of Revenue user credentials," according to the report. "The attacker used the Citrix portal to log into the user's workstation and then leveraged the user's access rights to access other Department of Revenue systems and databases with the user's credentials."

Ultimately, the attacker stole 3.3 million unencrypted bank account numbers. Given the recent spike in fraudulent wire-transfer attacks, that information promises to be a goldmine. Equally worrying for consumers is the theft of copies of 3.8 million tax returns, containing social security numbers for 1.9 million children and other dependents.

[ S.C. isn't alone in failing to protect government data. See Stolen NASA Laptop Had Unencrypted Employee Data. ]

Who's to blame for the data breach? South Carolina state officials have pointed the finger at Russian attackers, while also criticizing the Internal Revenue Service for not having required the state to encrypt social security numbers. But based on a reading of Mandiant's report, state officials are perhaps most to blame. On that note, last week Gov. Nikki Haley said at a news conference that South Carolina Department of Revenue director Jim Etter would resign, effective Dec. 31. Etter had reportedly declined the offer of free breach-detection services from the state's IT department.

From a security standpoint, failing to watch for intrusions was an amateur error, and -- no surprise -- the state failed to catch the recent intrusion. Likewise, the state failed to spot the follow-up compromise of 44 different systems, the installation of backdoor software, multiple instances of password hashes being dumped, the running of Windows batch scripts, or the attacker executing numerous arbitrary commands against databases.

As a result, a few weeks after the first successful malware infection, the attacker was still using the stolen credentials to conduct reconnaissance on 21 different state servers, although he or she hadn't yet been able to access sensitive data. But with more work, by Sept. 12, 2012, the attacker had successfully located and begun copying 23 database backup files, containing 74.7 GB of data, to another directory. Soon, the attacker compressed the data into 15 zip files, transferred them to another server, sent the data to an external system -- outside the state's control -- and deleted the zip files to help hide the data breach, according to Mandiant's report.
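The activity Mandiant describes above, backup files copied to a staging directory, compressed into zip files, moved off the server and then deleted, is a sequence a basic per-user correlation rule can flag. The block below is an added example, not code from Mandiant's report or the state's systems: it runs over constructed file-audit lines (the pipe-delimited format, paths and user names are assumptions) and alerts when one account copies several database backup files, creates archives, and deletes those archives within a short window.

```python
"""Flag the staging-then-cleanup pattern in file-audit logs: many backup
files copied, archives created, then those archives deleted soon after."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real data); format: timestamp|user|action|path
SAMPLE_LOG = """\
2012-09-12T01:02:11|jdoe|COPY|D:\\staging\\taxdb_01.bak
2012-09-12T01:05:40|jdoe|COPY|D:\\staging\\taxdb_02.bak
2012-09-12T01:09:03|jdoe|COPY|D:\\staging\\taxdb_03.bak
2012-09-12T02:30:00|jdoe|CREATE|D:\\staging\\out01.zip
2012-09-12T02:45:10|jdoe|CREATE|D:\\staging\\out02.zip
2012-09-12T03:20:33|jdoe|DELETE|D:\\staging\\out01.zip
2012-09-12T03:21:02|jdoe|DELETE|D:\\staging\\out02.zip
2012-09-12T09:00:00|backupsvc|COPY|E:\\backups\\taxdb_01.bak
2012-09-12T09:10:00|backupsvc|CREATE|E:\\backups\\nightly.zip
"""

BACKUP_EXT = (".bak",)
ARCHIVE_EXT = (".zip", ".7z", ".rar")

def parse(line):
    """Split one audit line into a dict; paths are lowercased for matching."""
    ts, user, action, path = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "path": path.lower()}

def detect_staging(log_text, min_backups=3, window=timedelta(hours=12)):
    """Return (user, first_ts, last_ts, n_backup_copies, n_archives_deleted)
    for each user who copied >= min_backups backup files, created an archive,
    and later deleted that same archive, all inside `window`."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse(line)
            by_user[ev["user"]].append(ev)
    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        copies = [e for e in events
                  if e["action"] == "COPY" and e["path"].endswith(BACKUP_EXT)]
        created = {e["path"]: e["ts"] for e in events
                   if e["action"] == "CREATE" and e["path"].endswith(ARCHIVE_EXT)}
        # Only count deletions of archives this user created earlier
        deleted = [e for e in events if e["action"] == "DELETE"
                   and e["path"] in created and e["ts"] > created[e["path"]]]
        if len(copies) >= min_backups and deleted:
            first, last = copies[0]["ts"], deleted[-1]["ts"]
            if last - first <= window:
                alerts.append((user, first, last, len(copies), len(deleted)))
    return alerts

if __name__ == "__main__":
    for alert in detect_staging(SAMPLE_LOG):
        print("ALERT staging+cleanup:", alert)
```

The nightly backup job (`backupsvc`) never deletes its archive, so it does not trigger; tune `min_backups` and `window` to the environment's normal backup cadence.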

The breach remained undiscovered until about a month later, on Oct. 10, when the Secret Service informed state officials that information on three residents appeared to have been stolen. Two days later, the state hired Mandiant to help find out what happened.

The bill for the data breach now exceeds $14 million, reported the Associated Press. Related costs include $500,000 for Mandiant's efforts, $12 million for credit monitoring services from Experian, $800,000 for improved information security capabilities, $100,000 for outside legal help, $150,000 for a related public relations campaign as well as $740,000 that will likely be spent to notify the estimated 1.3 million out-of-state taxpayers who were affected by the breach.

Comments
Deirdre Blake,
User Rank: Apprentice
11/26/2012 | 4:20:25 PM
re: How South Carolina Failed To Spot Hack Attack
Makes you wonder how many successful attacks/thefts have gone undetected elsewhere....
Deirdre Blake
Managing Editor, Dr. Dobb's
Number 6,
User Rank: Apprentice
11/26/2012 | 7:09:29 PM
re: How South Carolina Failed To Spot Hack Attack
They criticized the IRS for not requiring them to encrypt SSN's? So S.C. state officials are saying they need Big Government to tell them what to do? Oh, the irony.
moarsauce123,
User Rank: Apprentice
11/29/2012 | 12:35:13 PM
re: How South Carolina Failed To Spot Hack Attack
That is just passing the buck. SC officials are just recklessly inept when it comes to securing data. Maybe the bare minimal standard does not require encryption, but common sense does. And if the standard is indeed that flawed it needs to be fixed before the end of the year and implemented across the nation in Q1 2013. If there is one state administration that is so clueless I bet that there are 49 more - plus the IRS.
KatieSC,
User Rank: Apprentice
11/26/2012 | 11:11:29 PM
re: How South Carolina Failed To Spot Hack Attack
I hope people realize that credit monitoring services do not protect from identity fraud. This data breach will be a life-long problem for residents of South Carolina and a huge headache for banks. I hope those banks will look into the Personal Firewall Project to protect their customers.
PJS880,
User Rank: Ninja
12/10/2012 | 3:12:58 PM
re: How South Carolina Failed To Spot Hack Attack
Putting aside all that the IRS and state were supposed to do, such as the breach detection system, this would not have been such a big deal had all the social security numbers been encrypted. Really, 1.2 million social security numbers sitting on a system with basically no security measures at all to alert IT of intruders? Every IT individual who is involved in this system from a security standpoint is responsible for this breach. Whether they lacked the knowledge or lacked the enthusiasm to speak up or propose some form of security is not an acceptable excuse for a breach of this magnitude.

Paul Sprague
InformationWeek Contributor