By David Gram
Associated Press Writer
January 30, 2007
MONTPELIER, Vt. -- A Microsoft security patch was downloaded but not
installed on a state computer that hackers later broke into, gaining
access to names, Social Security numbers and bank account information
for nearly 70,000 people, an official confirmed Tuesday.
An internal state report on the hacking incident says Microsoft, a
national computer security institute and "even the Department of
Homeland Security all gave special priority to the application of this
patch in order to fix the vulnerabilities ... that unauthorized
attackers could gain control of a system."
The report goes on to say the patches released in August "were
downloaded but never applied on this system."
The finding was contained in the report on an incident in which hackers
broke into a computer that was set up to track the finances of
noncustodial parents three or more months behind on child support
Banks are required by federal law to provide quarterly reports on the
finances of people who owe back child support. One of nine affected
banks, New England Federal Credit Union, twice provided the information
not just on child support deadbeats, but on nearly all of its roughly
59,000 members. The compromised computer contained that information,
The internal state report was chock full of technical information and
computer terminology, but made repeated references to two things: worms,
which are bits of computer programming that burrow into a computer; and
Trojans, which allow someone from as far away as China to tell the
computer to execute specific commands, including sending its data over
As they announced the breach of the state Office of Child Support
computer on Monday, state officials emphasized that the attacks appeared
to have been launched automatically by hackers targeting hundreds or
thousands of computers on the Internet, looking for vulnerabilities.
"It was an automated attack, which I think is critically important, and
not a targeted attack by an individual," Human Services Secretary
Cynthia LaWare said Monday.
The internal state report pointed to more direct personal involvement.
"Although it is not clear prior to September 12th whether or not this
server was in the control of a human being (as opposed to merely being
passively infected with worms containing Trojans) it is very likely
following this date that the server was under the control of a person,"
the report says. The parenthetical phrase was contained in its text.
Thomas Murray, commissioner of the Department of Information and
Innovation, said officials continued to believe that "somewhere somebody
is launching this thing at hundreds of computers, but it's not Joe
Hacker (getting) into a system and transmitting files."
Murray said officials do not believe the infectious programs were
allowed to spread to other state computers; most are inside a "firewall"
with sufficient security to have rebuffed any attacks. In fact, Murray
said, technicians spotted the security breach in December when the
viruses that had infected the child support computer began trying to
spread to others on the system.
The state report says the first evidence of successful hacking came Aug.
18, 10 days after Microsoft issued its security patch. Initially, the
report says, the state computer was "most likely compromised by an
unknown autonomous worm exploiting a known vulnerability" -- the one
described by Microsoft on Aug. 8.
Officials continued to say Tuesday that, while there was no evidence
that sensitive personal data had been taken from the state computer,
there also was no way to show that had not happened. The state was
sending out letters to people whose information was compromised, said
Heidi Tringe, spokeswoman for the Agency of Human Services.
"All of the affected individuals needed to be notified and provided
suggestions on how they should protect themselves," Tringe said.
At New England Federal Credit Union, CEO David Bard said extra telephone
call takers were being brought in to handle consumer inquiries. "Our
focus is really on trying to provide resources to our members."
Meanwhile, a Norwich University computer security expert on Tuesday said
it was "amazing" that the state had stored the sensitive data on a
computer with such limited security protection.
"We haven't put unprotected computers directly on the Internet in this
type of scenario for more than 10 years," said Peter Stephenson, a
professor, computer security expert and senior scientist at Norwich's
Applied Research Institute. "We're not talking about new technology