IT worker disputes state government security breach

A New Hampshire state IT employee who was placed on paid leave last month after an alleged security breach involving a government server is disputing the state’s explanation of the incident.

Douglas A. Oliver, 44, a Web middleware engineer who says he was placed on paid leave Feb. 17 in connection with the incident, said he is speaking out because the state’s account is “incredibly skewed in my estimation.”

In the incident last month, state officials in Concord announced that the FBI and the U.S. Department of Justice were part of an investigation into the discovery of the Cain & Abel program during a routine check of state servers. The server was used by the N.H. Division of Motor Vehicles and the state Veterans Home to transmit financial information. It was also used by the state’s Liquor Commission as a backup for sales transactions. No incidents of fraudulent use of credit card numbers on the server have been reported.

Oliver, who has worked in the N.H. Office of Information Technology (OIT) since 2002, said he participated as a member of an OIT security audit team since early last year, when a state government Web site was hit by hackers who defaced several pages with “graffiti” messages. In response, the OIT began conducting penetration-vulnerability and threat-assessment testing to look at the state’s overall IT security, Oliver said.

To conduct the threat assessments, Oliver said he and other IT employees installed and used a collection of software tools, including a copy of Cain & Abel – a password-recovery program for Microsoft products that can also be used as malware by hackers to capture and crack passwords – so that the state’s IT security could be accurately tested against real-world intrusions.

The Cain & Abel program was placed on the server using Oliver’s security credentials, he said. “The reasons it was there was totally authorized and legitimate,” he said. Using the application, testing showed that there were several security problems in the system, including DNS cache poisoning, the presence of plain-text, domain-level administrative passwords in files that were viewable by anonymous users and faulty operational practices – including the presence of local accounts of people no longer employed by the state.

But the Cain & Abel issue was just the tip of the iceberg, Oliver said.

Instead, a more pressing problem was the discovery early in February of suspicious Web traffic coming into the state’s network that appeared to be from the SQL Slammer worm, Oliver said. For several months, as part of its security audit and improvement strategy, the state OIT had been trial testing a network intrusion-monitoring system from Cisco. The Cisco Security Monitoring, Analysis and Response System (MARS) appliance is designed to search for system anomalies, track them down and stop any threats. The MARS device was seeing indications of the worm attack that was affecting many of approximately 60 state servers running Microsoft SQL Server, he said.

The SQL Slammer worm attacks a software vulnerability that can allow unauthenticated remote attackers to execute arbitrary code on the server host, according to information from the U.S. Computer Emergency Readiness Team. Patches have been available from Microsoft since 2003 to repair the vulnerability.

Oliver said that when he and other IT workers discovered the Slammer issue as part of their security investigation, they realized SQL databases that contained credit card information could be vulnerable because those same SQL servers had not been patched. On Feb. 10, OIT workers began a large-scale software-patching routine on the SQL servers, he said.

On Feb. 15, the OIT announced security breach concerns involving Cain & Abel. Two days later, Oliver said he was told by his boss, state CIO Richard C. Bailey Jr., that he was being placed on administrative leave with pay. Oliver said he was told that the action was nondisciplinary and nonpunitive but was being done while an investigation took place.

In an interview today, Bailey said he could not comment directly on Oliver’s claims because the matter involves both a personnel issue and continuing investigations. Bailey declined to confirm that Oliver was the employee placed on leave in the incident.

Bailey said that when the IT staff found Cain & Abel on the server, officials determined that it should not be there and decided to announce a possible breach. “The investigations are ongoing,” he said. “The FBI is still looking at things.”

Asked about Oliver’s claims about a SQL Slammer worm attack on the state’s servers, Bailey demurred.

“SQL Slammer is a denial-of-service attack, isn’t it?” he said. “We did not have a major denial-of-service impact, clearly, at that point.”

A third-party security contractor has been brought in to look over the state’s IT security, and a report is expected soon, Bailey said. “We’re looking to make our network more secure and more in line with industry best practices,” he said.

As for why he is speaking out now, more than a month after the incident, Oliver said, “My only motivation here is to get the information out. I’m certainly not going to wait silently for someone else to assemble a version which may or may not be true.”