Senior Editor, Network World

Kentucky state auditor says hackers infiltrated agency network

Jul 30, 2003

Hackers, apparently from outside the U.S., have made one Kentucky state agency’s computer network their old Kentucky home, according to Kentucky’s state auditor.

In a press conference held in the city of Frankfort Tuesday, State Auditor Ed Hatchett told reporters that hackers who appeared to be from France broke into servers on the internal network of the Kentucky Transportation Cabinet, the state agency for transportation and vehicle-registration functions.

Since at least April, the hackers have been using it as a warehouse for pirated music, electronic games and movies – even new films like “Lara Croft Tomb Raider: The Cradle of Life” and “Spy Kids 3D: Game Over.”

The hackers also probably had access to bill-paying systems and state-held information such as driver’s licenses, the state auditor said.

Harold McKinney, attorney in the state auditor’s office, said the problems were uncovered during a recent vulnerability assessment of the state agency’s computer network done as part of a routine financial audit of records.

There were signs that some activity originated from Canada and Croatia, in addition to France. The state auditor, who has no more specific information about the hackers, immediately notified the Transportation Cabinet staff about the matter and decided to call a press conference to inform the public.

The Kentucky Transportation Cabinet wasn’t aware of the problem until informed Tuesday. Since then, agency staff have been busy assessing the damage and trying to answer press questions.

Transportation Cabinet spokesman Mark Pfeiffer, who acknowledged at least one server at the agency had been hacked, said the agency does not believe internal records and billing systems were compromised.

“The auditor claimed our public records and driver’s license records were in jeopardy, but that’s not true,” said Pfeiffer, because those systems reside on separate networks that are securely separated from the hacked server.

Jim Ramsey, CIO for the Transportation Cabinet, said the hacked server is a Microsoft Proxy Server that was sitting on the edge of the agency’s Internet access point. “It looks like the hackers gained access by breaking the password and setting up a subdirectory on some obscure area of it, loaded an FTP application onto it, and used it to send files,” he said. “They essentially turned it into file storage for them.”
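The pattern Ramsey describes, an edge proxy that should not be serving FTP at all but is suddenly moving large media files through a hidden subdirectory, is easy to spot in transfer logs once someone looks. The following detection script is an added example and not code from the article or from the Transportation Cabinet; it uses a constructed, simplified log layout (timestamp, host, client, operation, bytes, path) rather than any real product's format, and the host names and addresses are invented.

```python
# Added example (not from the article or the Kentucky Transportation Cabinet): detection logic
# for an edge server that should not run FTP but is receiving bulk uploads of media files
# into an obscure, hidden subdirectory.
import re
from collections import defaultdict

# Constructed sample records in a simplified "timestamp host client op bytes path" layout
# (an assumption for this example, not any real product's log format).
SAMPLE_LOG = """\
2003-04-12T02:14:05 proxy01 192.0.2.17 STOR 734003200 /inetpub/wwwroot/._cache/tmp/tr2.avi
2003-04-12T02:31:44 proxy01 192.0.2.17 STOR 702545920 /inetpub/wwwroot/._cache/tmp/sk3d.avi
2003-04-12T03:02:10 proxy01 198.51.100.9 RETR 734003200 /inetpub/wwwroot/._cache/tmp/tr2.avi
2003-04-12T09:15:00 ftp01 10.0.5.22 STOR 20480 /pub/forms/renewal.pdf
2003-04-12T09:16:31 proxy01 10.0.5.30 RETR 1024 /inetpub/wwwroot/index.htm
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<client>\S+) (?P<op>STOR|RETR) (?P<bytes>\d+) (?P<path>\S+)$"
)
MEDIA_EXT = (".avi", ".mpg", ".mp3", ".iso", ".rar", ".zip")

def find_suspicious_transfers(log_text, expected_ftp_hosts, min_bytes=100 * 1024 * 1024):
    """Return [(host, client, op, path)] for transfers on hosts that should not run FTP.

    Two signals are combined: the host is not an approved FTP server, and either the file is a
    large media/archive object or the path contains a hidden ('.'-prefixed) directory component,
    which points at a concealed drop location.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed record: skip rather than crash on a noisy log
        host, path, size = m["host"], m["path"], int(m["bytes"])
        if host in expected_ftp_hosts:
            continue
        hidden = any(part.startswith(".") for part in path.split("/"))
        if (size >= min_bytes and path.lower().endswith(MEDIA_EXT)) or hidden:
            hits.append((host, m["client"], m["op"], path))
    return hits

def summarize_by_client(hits):
    """Group hits by source address so an analyst sees who uploads versus who downloads."""
    summary = defaultdict(lambda: {"STOR": 0, "RETR": 0})
    for _, client, op, _ in hits:
        summary[client][op] += 1
    return dict(summary)

if __name__ == "__main__":
    found = find_suspicious_transfers(SAMPLE_LOG, expected_ftp_hosts={"ftp01"})
    for h in found:
        print(h)
    print(summarize_by_client(found))
```

The upload/download split in the summary is what distinguishes the operators stocking the server from the audience pulling files down, which is the first thing an incident responder wants to know.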

Acknowledging his job is probably on the line, Ramsey didn’t shrink from accepting responsibility for some of the agency’s shortcomings in network security. The agency lacks a firewall-based “demilitarized zone,” as it’s often called, as one defense to ward off penetration by hackers.

“We were just in the process of implementing a DMZ, and it was one of the things we should have been doing but didn’t,” Ramsey acknowledged. In addition, the agency hadn’t done vulnerability testing and has no one on staff with a high level of security expertise. Nor had the agency gotten assistance through hiring outside contractors.

“We were in the process of developing a security audit through state contracts, but we suspended the outside contract because it cost $60,000 and because the state auditor was going to go in there and do this,” Ramsey noted. Ramsey has held the CIO position for three years, and has 27 years in the state government. He added that a bigger budget for IT and security would help remedy problems.

In addition to its hacker woes, the Kentucky Transportation Cabinet was also coping with another shocking public disclosure from the state auditor yesterday: some Transportation Cabinet employees have been looking at porn sites on the Internet during their working hours.

The Transportation Cabinet has a policy for its 6,000 employees that prohibits such activity, but according to the state auditor, a random check showed that 6,000 porn images were accessed in just four days. Ramsey said the agency doesn’t use Web-based content filtering software specifically for blocking and monitoring. But the agency does have staff reviewing logs from the proxy server to identify inappropriate behavior.

That proxy server has now been removed and is in storage in a locked room awaiting a forensics team as part of the investigative process. Ramsey said as part of the investigation, the agency staff have to remain at a distance from the computer forensics review since the agency itself must be cleared of any suspicion that it had a part in the hacker activity.

The hacker and porn scandal at the Transportation Cabinet triggered a response from the state governor’s office, saying that it was directing the Governor’s Office on Technology to work with officials in the Transportation Cabinet to help rectify the situation.

Aldona Valicenti, CIO for Kentucky, issued a statement Wednesday saying his department “has worked very hard to put in place statewide policies and practices for IT security,” including a so-called “enterprise security network architecture” issued July 21.

Valicenti said his office would seek to obtain more funding for IT security, and would be undertaking a “thorough review of IT systems and a transition plan to bring the Transportation Cabinet into compliance” with the envisioned IT security architecture. It would also be sending in a third-party independent contractor to do a review of the Transportation Cabinet.