Hackers had made a state agency's network their old Kentucky home before being discovered by auditors, who revealed the incident publicly last week.
Kentucky State Auditor Ed Hatchett told reporters that the hackers, apparently from France, Croatia and Canada, broke into at least one server on the network of the Kentucky Transportation Cabinet, the state agency for transportation and vehicle-registration functions. Since at least April, the hackers have used it as a warehouse for pirated movies, music, electronic games and DVDs. They probably had access to state-held information such as driver's licenses, Hatchett said.
The discovery was made during a routine network vulnerability assessment as part of a financial audit.
The agency wasn't aware of the problem until Hatchett informed it a few hours before the news was made public. Spokesman Mark Pfeiffer, acknowledging that at least one server at the agency had been hacked, says they do not believe internal records and billing systems were compromised.
Jim Ramsey, CIO for the Transportation Cabinet, says the hacked server is a Microsoft Proxy Server that was sitting on the edge of the agency's Internet access point. "It looks like the hackers gained access by breaking the password and setting up a subdirectory on some obscure area of it, loaded an FTP application, and used it to send files," he says. "They essentially turned it into a file cabinet."
Ramsey, who says his job is probably on the line, didn't shirk from accepting responsibility. The agency lacks a firewall-based "demilitarized zone," one defense used to ward off penetration by hackers.
"We were just in the process of implementing a DMZ, and it was one of the things we should have been doing but didn't," Ramsey says. In addition, the agency hadn't done vulnerability testing and has no one on staff with a high level of security experience. Nor had the agency received assistance through outside contractors.
"We were in the process of developing a security audit through state contracts, but we suspended the outside contract because it cost $60,000 and the state auditor was going to go in there and do this," says Ramsey, who has been CIO for three years. A bigger budget for IT and security would help remedy problems, he adds.
That Microsoft Proxy Server has been removed and is in a locked room awaiting investigation by a forensics team. Ramsey says his staff has to stay away from the review because the agency itself must be cleared of any suspicion it played a role in the hacker activity.
Aldona Valicenti, CIO for the state of Kentucky, issued a statement saying his department "has worked very hard to put in place statewide policies and practices for IT security," including a so-called Enterprise Security Network Architecture issued July 21.
Valicenti said his office would seek more funding for IT security and would undertake a "thorough review of IT systems and a transition plan to bring the Transportation Cabinet into compliance" with the envisioned IT security architecture. It also plans to send an independent contractor to conduct a review of the agency.