Government // Cybersecurity
2/1/2013
04:05 PM
Dark Reading
Dark Reading
Products and Releases
Connect Directly
RSS
E-Mail
50%
50%

Alabama State Systems Hit By Cyberattack

The state’s IT network is deemed critical infrastructure

MONTGOMERY – Alabama Department of Homeland Security Director Spencer Collier on Tuesday discussed the recent cyber intrusion at the Alabama Information Services Division (ISD) and outlined action items the state is currently following as part of a coordinated response.

ISD is a part of the Alabama Department of Finance and is responsible for information technology services for the state of Alabama. The state's information technology (IT) network is deemed critical infrastructure and falls under the jurisdiction of the Alabama Department of Homeland Security (ALDHS).

After becoming suspicious of unusual activities, ISD employees self-detected that the firewall protecting the state's IT system had been breached. ISD employees subsequently notified ALDHS. Immediately, the Alabama Department of Homeland Security contacted state and federal authorities to open a criminal case. Simultaneously, Director of ISD Jack Doane activated a computer emergency response team to confirm that an intrusion had taken place and formulate a plan to respond.

As the Director of Homeland Security and newly appointed Senior Law Enforcement Advisor, Director Collier initiated a confidential inquiry into this matter to determine if criminal action had taken place, to assess the initial damage, and to determine the steps necessary to properly address the incident.

According to Director Collier, "We are currently conducting an extensive inquiry with our state and federal partners who are experts in their field regarding cyber security. We are doing everything in our power to protect the evidence, maintain the confidentiality required in a case of this nature, and to prevent future intrusions."

The Alabama Department of Finance has taken further action and has hired a leading information security company to assist in the investigation, help secure the system, and to institute tighter controls on access to eliminate the possibility of a future intrusion.

According to Jack Doane, "ISD and the computer emergency response team is working closely with the contractor on all remediation efforts. We have assembled the best team possible to preserve the evidence and to do the analysis regarding exactly what occurred. There is no way to estimate how long the forensics will take, but it could be weeks or months."

The information regarding the cyber intrusion that is confirmed and available for public knowledge is as follows:

We know that someone:

· Obtained access into the state network, and

· Used this access to examine multiple computers within the network

We have evidence that:

· At least one server containing malware was used to gain access to the systems

In response to this attack, ISD:

· Immediately activated a computer emergency response team to monitor network activity and contain the threat

· Deployed additional firewalls to monitor and control access to State systems

· Consulted with local and federal officials and State Homeland Security to assist in the investigation; a criminal investigation is on-going

· Obtained the services of a national cyber security consulting firm to help collect and analyze attack data

· Began thoroughly examining Internet-accessible applications to ensure they are not vulnerable to future attack

We are still in the process of determining the extent of the unauthorized network access and the potential impact such loss may have on the citizens of Alabama.

Any detailed release of information pertaining to the scope of intrusion or the response measures used to remediate the vulnerabilities could negatively influence the investigation.

"While we are respectful of providing critical information to the public in a timely manner, this is an on going criminal investigation, and releasing sensitive information could jeopardize the process and outcome of the investigation," Director Collier reiterated.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Threat Intel Today
Threat Intel Today
The 397 respondents to our new survey buy into using intel to stay ahead of attackers: 85% say threat intelligence plays some role in their IT security strategies, and many of them subscribe to two or more third-party feeds; 10% leverage five or more.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.