[ISN] State Computer Security: Did the Public Get the Full Story?

InfoSec News isn at c4i.org
Wed Mar 29 03:40:58 EST 2006


By Jon Greenberg
March 29, 2006

In February, state officials issued a warning that a bit of malicious
software on a state computer might have put peoples' credit card
information at risk. A few days later, the Office of Information
Technology suspended one of its employees. That employee has never
been named - nor has he been charge with any crime. Now, he has come
forward and he says that the state's problems with hackers were much
greater than officials discussed. New Hampshire Public Radio's Jon
Greenberg has more.


A rough transcript follows:

Before we meet the man who challenges the state's public position,
let's go back to February 15th. Governor John Lynch, along with Rick
Bailey, the state's chief information officer, held a hastily
organized news conference.

The office of information technology discovered this morning that
someone has breached one of the state's smaller servers with a program
that could allow them to watch activity on that server.

At the press conference, the program was identified as something
called Cain and Abel.

The truth, in my mind, is that the server on which Cain and Abel was
found installed, I personally don't think it was hacked at all.

Doug Oliver is the employee who was suspended. He is quick to say, he
was the person who used Cain and Abel on the state's computers. It is
a program that can be used by hackers but can also have legitimate
uses. More on that in bit.

Oliver says that press conference was notable not for what was said,
but for what wasn't.

The most obvious security breach that caused the organization to
respond quickly, intensely, wasn't even mentioned.

Six days before the press conference, a Liquor Commission computer
that handles wholesale purchases, including ones using credit cards,
was hacked. On this point, there is no dispute. Bailey, the state's
chief information officer confirms it. He also confirms that the hack
put the department into high gear with a wide spread effort to plug
security holes on other computers.

What happened next in early February is much more subject to debate.

Using a new widget that tracks suspicious activity when computers talk
to each other, Oliver says he saw evidence of a widespread infection
by a completely different computer threat. Not from Cain and Abel but
from a virus or worm called SQL Slammer.

There were events and incidences being reported by this device that I
was seeing multiple network machines being touched by this worm. In
addition, there were other signatures, other flags or events that this
tool was firing at the same time that were strongly indicative of an
attack against the network.

A network wide assault by a worm is very different from finding
something like Cain and Abel on one server. Now, several people in the
office of information technology disagree that the network had been
attacked by the worm SQL Slammer. Chief Information Officer Rick
Bailey says the security tool that Oliver used is good, but not

In any of the security monitoring tools, there is always the
possibility of false positives. Because it looks for signatures and
patterns. And sometimes those patterns are inappropriate and sometimes
those patterns are caused by legitimate traffic.

Bailey would not go into any more detail saying the entire situation
is under investigation. However, a security specialist contacted by
NHPR says with this particular worm, a false positive is unlikely.  
Pete Lindstrom is the research director for Spire Security in
Pennsylvania. Lindstrom says SQL Slammer first appeared in 2003.

We think of this as the low hanging fruit. Any worm older than a few
months, can reliably be detected. If it pops up on the screen, you can
be fairly confident that it was in fact SQL Slammer, a system has been

The age of the worm matters for another reason. Once a worm appears,
software companies quickly come up with ways to block it. These are
called patches and the Microsoft Corporation wrote a patch for SQL
Slammer three years ago.

One year ago, Bailey put Oliver on an ad hoc security team with the
job of uncovering the weak points in the state's computer network.  
Oliver says, and Bailey confirms, that one of the team's
recommendations was to get computers up to date on patches. For a
variety of reasons, many of those patches were not installed.

But now it's time to get back to that other piece of hacking software,
Cain and Abel – the program that led to the public warning about
credit card safety. Oliver says, his work on that ad hoc security team
has a direct connection to Cain and Abel.

I who was the chief technical hacker you could say used Cain and Abel
for the purpose of diagnosing problems with network vulnerability and
to test the strength of certain passwords.

Oliver says several people around the department knew he was using
Cain and Abel. He says he thought he had removed the program from
every computer. He supposes he made a mistake. Whatever the full
details are, Oliver's name was on the program that was found and it
made him the prime suspect in the state's investigation.

The office of information technology has not stood still since it
found both the hack on the Liquor Commission's server and Cain and
Abel on a different computer. Bailey says much has been done to patch
old computers and to make sure that security is considered first.

Today, 5-6 weeks later, clearly our network is more secure than it was
then. Next month it will be more secure than it is now. And we've
continued on the path of improving and mitigating any of the risks
that we can identify.

Bailey says an overview of the state's computer network points to a
fundamental problem. It is a network that was cobbled together over

If you've got 50 servers and you're trying to watch them for unusual
activity. If they're all built the same way, then it's pretty easy to
detect an anomaly. If they're built 50 different ways, then you're not
sure. Is that just because the way it was built or is it really an
anomaly. And you waste a lot of time chasing down the false positives
that we were talking about earlier.

The challenges are large and Bailey says the resources are stretched
thin. He is confident of the security of the system today. But he says
it remains an ongoing effort. Proof of that came earlier this month.

The same Liquor Commission server that was hacked in early February
was hacked again.

For NHPR News, I'm Jon Greenberg.

More information about the ISN mailing list