The websites of local law enforcement agencies across the country were hacked Saturday, Aug. 6, and 10 GB of sensitive data was posted online — but security experts say it’s not surprising that the websites were susceptible to a cyber-attack.
The hacking collective AntiSec — a combination of Anonymous and LulzSec — hacked into Brooks-Jeffrey Marketing (BJM), an online marketing company that hosts websites. Through BJM, AntiSec accessed the websites of more than 70 law enforcement agencies and stole sensitive information. According to The New York Times, the agencies were mostly rural and in at least one jurisdiction, information was leaked about an ongoing investigation. The attacks were spread across 11 states including Arkansas, Kansas, Louisiana, Missouri and Mississippi.
BJM took the websites offline after an initial attack on July 31 and tried to fix the problem by removing malware that AntiSec had placed on the sites, said Wasim Ahmad, vice president of data security at Cupertino, Calif.-based Voltage Security. The company called the FBI for assistance and after BJM thought the problem was resolved, put the websites back online.
However, the company hadn’t removed all of the malware, which resulted in the second attack on Aug. 6, Ahmad said. The hackers posted 10 GB of stolen data online, including confidential e-mails, passwords, Social Security numbers and credit card numbers; the card numbers were used to make donations on behalf of the card holders.
According to news reports, AntiSec said in a statement, “It took less than 24 hours to root BJM's server and copy all their data to our private server.”
Ahmad said the attack on BJM was not a typical cyber-threat because an advanced persistent threat, a highly customized and targeted attack, was used to steal the government agency data.
“This type of attack, you can’t really prevent it by using the kind of security countermeasures that people have been using over the last 10 years,” Ahmad said. “You have to have something different because the attackers are doing something different.”
Harry Sverdlove, chief technology officer of security vendor Bit9, said a government agency doesn’t need to be federal level to be susceptible to this type of attack. The theft of data from local-level law enforcement agencies highlights that any public-sector agency, or anyone holding sensitive data, needs to evaluate the level of security being used to protect that information.
Sverdlove said he wasn’t surprised that government agencies at this level were susceptible to an attack of this magnitude in part because IT security may not be a top priority for local law enforcement. “It is not surprising that [AntiSec] focused their attention on really target-rich, low-profile accounts,” Sverdlove said.
He also said it’s not surprising that the attack occurred, given the pattern that has developed from previous incidents. Last year during the WikiLeaks scandal, AntiSec unsuccessfully tried to attack Amazon.com. And Anonymous and LulzSec already created a slew of cyber-security issues this year after attacking corporate giants Sony and Apple as well as the FBI.
Ahmad said to prevent security breaches, government agencies should ask vendors hosting their data the following questions:
1. How are you protecting my data?
2. What happens when that data is moved?
3. What kind of monitoring is being done around that particular system, cloud or data center to identify threats coming in?
Sverdlove said state and local government agencies should look to the federal level for data requirements for vendors hosting sensitive information. Because there are numerous requirements for vendors and subcontractors that the federal government must deal with — such as security standards and common criteria requirements — the federal government has started establishing guidelines for vendors who sell it software, and the companies also must meet compliance standards.
“I think local law enforcement needs to start adopting some of those standards,” Sverdlove said, “so that if they’re dealing with, for example, a service provider, an e-mail provider, a storage provider … They should have a set of requirements where they ask the vendor, ‘Do you meet the following standards? Have you been audited?’”