Sunday, May 17, 2009
Security breach under scrutiny at the Clark County auditor's office
By MATT KOESTERS
Matt.Koesters@newsandtribune.com
April 04, 2009 08:26 pm
Concerns over applications installed on a computer in the Clark County auditor’s office have prompted an internal investigation, but law enforcement officials have not been asked to get involved.
Yet.
In a Thursday e-mail obtained by The Evening News, Clark County government systems administrator Matt Dyer told the county commissioners he received a phone call Monday indicating that there were concerns about applications on one of the computers in the auditor’s office.
Dyer said he believed the two programs — “Cain & Abel” and “LCP” — could be used to breach security and discover user passwords on the county network.
“Due to the nature of these programs, this kind of activity cannot be tolerated and is illegal,” Dyer wrote. “If the administrator password is compromised, then that person would have full access to all county office computers and servers.
“Due to the severity of this situation, and our liability if information protected by HIPAA laws and state laws becomes compromised, I have spoken with [Auditor] Keith Groth and have informed him on all the details, including the persons that may be involved.”
When contacted for comment, Groth said between two and three employees were in the office when the incident is alleged to have occurred, and that the incident remains under investigation.
“It’ll probably be the middle or latter part of next week until I can sit down with the … people involved,” Groth said. “I need to sit down and talk with them to get their side of the story.”
The county auditor’s office is normally open from 8:30 a.m. until 4:30 p.m., but overtime has occasionally kept the office open later, Groth said.
Ed Meyer, president of the county commissioners, said he and the other commissioners were aware of the situation, but that he would have to learn more about the incident before taking action.
“I’ve investigated a little bit,” Meyer said. “I only learned of this late [Thursday].”
If a special meeting of the commissioners were to be convened, Meyer would be responsible for calling the meeting. Meyer said law-enforcement involvement was a possibility.
Commissioner Mike Moore called the possibility of a security breach a “very serious matter,” and said he would leave it to the experts to discover exactly what had been done.
“The breach in security that sounds like has taken place is far more serious than anything internally that we’ve dealt with since I’ve been a commissioner,” Moore said. “It needs to be dealt with immediately.”
Programs like the ones alleged to have been used in the incident are not illegal, but the way in which they could be put to use is, said Tito Villalobos, a Columbus, Ohio-based network security expert and certified ethical hacker.
“They’ll sniff passwords used for network log-ins, and then run cracks against them, basically,” Villalobos said. “‘Dictionary attacks’ and ‘brute-force’ attacks.”
A dictionary attack uses common words and likely possibilities from an exhaustive list to determine a user’s password. A brute-force attack systematically plugs in large numbers of password possibilities.
Lt. Charles Cohen, commander of special investigations sections for the Indiana State Police, said he could not speak directly to the incident without it having been referred to law enforcement. Generally, accessing a computer network without permission is illegal, he said.
“When we do an investigation involving an allegation that someone has accessed information they didn’t have permission to access, there are a couple things we look for,” Cohen said. “One thing we look for is whether or not in fact someone did that without authorization, and we also look at what information, if any, was compromised. The last thing we look at is what they did with that information if it was compromised.”
State law prohibits computer trespass, which can be investigated by any law enforcement agency in Indiana, Cohen said. Additionally, there could be federal law enforcement involvement in some cases, depending on the nature of the intrusion.