Update: N.H. state server eyed in possible credit card data breach

February 22, 2006

By Todd R. Weiss, Computerworld


The FBI, the Department of Justice and New Hampshire officials are investigating a potential security breach after a malicious application was found on a state Division of Motor Vehicles (DMV) server during a routine security check last week.

The state's Office of Information Technology said in a statement that no evidence has been found that indicates any user credit card information was accessed. Residents who used the state server for transactions were warned to keep an eye on their credit card transaction histories, but state officials said no illegal credit card use has been reported. The server held only credit card numbers, with no other personal information.

New Hampshire state CIO Richard C. Bailey Jr. said it is still not clear how the freeware known as Cain & Abel, which is a password-recovery program for Microsoft products, was placed on the server. That could have been done from inside the state's system or over the Internet. No other instances of the application have been found on other servers in the state network, Bailey said.

Originally, Bailey said a computer worm called Cain & Abel was found on the server, but he later corrected his description, calling it a malware application.

An unnamed employee at the state's Office of Information Technology (OIT) was placed on paid leave as part of the investigation, Bailey said. He declined to comment further.

The application was found during a routine security checkup as IT workers were evaluating a network intrusion-monitoring system from Cisco Systems Inc. for possible purchase, Bailey said. The Cisco Security Monitoring, Analysis and Response System appliance was used by the IT workers to look for anomalies, track them down and stop any threats, he said.

The Cain & Abel program could allow an intruder to watch activity on the server, according to the OIT. The application can also be used by hackers to capture and crack passwords, according to several security vendors.

"It does have some quasi-legitimate purposes, I guess," Bailey said. But the program had been installed without authorization and was not wanted on the server, he added.

Charles Kolodgy, a security analyst at IDC in Framingham, Mass., said that IT administrators often face challenges when using freeware and other software applications to help them do their jobs. Many such applications are aimed at fixing things or saving time or even improving security, but they can be used destructively by hackers to infiltrate and harm IT systems.

"Almost all of these tools are dual-purpose," he said.

Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa., said the incident underscores the importance of constant network vigilance. "It just gets back to cliches like 'defense in depth' and actually taking the time to monitor your systems," he said. Lindstrom said the Cisco technology likely helped find the malware, but he noted that the application could have also been found through regularly scheduled scans and checks.
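As an added illustration of the "regularly scheduled scans and checks" Lindstrom refers to (this is example code written for this page, not code from the article, the state's IT office, or any vendor named above): a baseline integrity check that records the SHA-256 of every executable under a server path and, on each scheduled run, reports anything added, removed or changed since the baseline was taken. An unauthorized tool dropped onto the server shows up as an "added" file regardless of what it is called. The directory layout, file names and file contents in `demo()` are constructed for the demonstration; the executable suffix list assumes a Windows server, which the article implies but does not state.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: a Windows host, so these suffixes mark executable content.
EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".com", ".scr"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map each executable's path (relative to root) to its SHA-256."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
            result[p.relative_to(root).as_posix()] = sha256_of(p)
    return result


def save_baseline(snap: dict[str, str], dest: Path) -> None:
    """Persist the baseline; keep this file off the monitored host in practice."""
    dest.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files that appeared, disappeared, or changed content since baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, then simulate an unauthorized install."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "dmv_payments.exe").write_bytes(b"MZ legit payment app (constructed)")
        (root / "app" / "vendor.dll").write_bytes(b"MZ vendor library (constructed)")
        (root / "app" / "readme.txt").write_bytes(b"not executable, ignored")

        baseline_file = root / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Later: someone drops a tool into a new folder and replaces a library.
        (root / "tools").mkdir()
        (root / "tools" / "sniffer.exe").write_bytes(b"MZ unauthorized tool (constructed)")
        (root / "app" / "vendor.dll").write_bytes(b"MZ tampered library (constructed)")

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

Run from a scheduled task against the real root, the report is only as trustworthy as the baseline file, so store that file and the script somewhere the monitored host cannot write to; an intruder with administrative rights on the server can otherwise update the baseline along with the binaries.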

The affected server and other related equipment were taken last week by the FBI, which is conducting forensic analysis on them to try to determine how the program was placed on the server. In addition to being used by the state DMV, the server is also used by the New Hampshire Veterans Home and as a backup system for the state Liquor Commission. The DMV and Veterans Home use the server to transmit financial information, while the Liquor Commission uses it as a backup system for sales transactions in state liquor stores.

"As of yesterday, no one had reported an instance in which their credit card information had been compromised, which we're taking as a good sign," Bailey said.

Pamela Walsh, a spokeswoman for the New Hampshire governor's office, said the ongoing investigation will probe whether the application was ever activated on the server to look at the stored credit card numbers. "We don't know at this point [that] that actually happened," she said.
