BreachExchange mailing list archives

How hackers made minced meat of Department of Energy networks
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 18 Dec 2013 00:33:27 -0700

http://arstechnica.com/security/2013/12/how-hackers-made-minced-meat-of-department-of-energy-networks/

A Department of Energy network breach earlier this year that allowed
hackers to download sensitive personal information for 104,000 people was
the result of a decade-old patchwork of systems, some that hadn't installed
critical security updates in years, according to a federal watchdog.

July's successful hack on the department's Employee Data Repository
database was at least the third one to occur since 2011, DOE Inspector
General Gregory H. Friedman wrote in a recently published review of the
breach. The hack resulted in the exfiltration of more than 104,000
individuals' personally identifiable information (PII), including their
social security numbers, bank account data, dates and places of birth, user
names, and answers to security questions. The department expects to incur
costs of $3.7 million setting up credit monitoring and in lost
productivity. That figure doesn't include the costs of fixing the
vulnerable systems.

The inspector general review recited a litany of failures that allowed
hackers to penetrate system defenses. Chief among them is the fact that
none of the 354 database tables containing social security numbers were
encrypted. Using strong cryptography to protect such "at rest" PII has long
been considered a best practice in government and corporate data security.
The department's management information system (MIS) that allowed access to
the DOEInfo databases also failed to require common security enhancements,
such as two-factor authentication or a department-issued virtual private
network.

Most glaring of all, members of the department's Office of the Chief
Information Officer (OCIO) failed to apply critical security patches,
sometimes going years without installing readily available updates.
According to the review:

"We found that the Department had not taken appropriate action to remediate
known vulnerabilities in its systems either through patches, system
enhancements, or upgrades. Critical security vulnerabilities in certain
software supporting the MIS application had not been patched or otherwise
hardened for a number of years. Specifically, an operating system utility
and a third-party development application that were installed on the MIS
server had not been updated since early 2011. In addition, the
vulnerability exploited by the attacker was specifically identified by the
vendor in January 2013. As a system within the Headquarters environment,
the OCIO was responsible for maintaining and patching the underlying
infrastructure and the operating system on which MIS and DOEInfo operated.
Further, although an upgrade for the application upon which MIS was built
had been purchased jointly by the OCIO and OCFO [Office of the Chief
Financial Officer] in March 2013, it was not installed until after the
breach occurred. The upgrade had been in the test environment since June
2013, but officials commented that it had not been applied to the operating
environment because of functionality issues with an interconnected system.
For the past nine years, the Department's ongoing struggles with
vulnerability management have been noted in our annual reports on the
Department's unclassified cyber security program issued in accordance with
the Federal Information Security Management Act of 2002."

In October, federal prosecutors accused a UK man of hacking thousands of
computer systems operated by the Department of Energy and other sensitive
organizations and stealing massive quantities of data that resulted in
millions of dollars in damages to victims. The hacks, which dated back as
early as October 2012, were carried out by exploiting vulnerabilities in
SQL databases and the Adobe ColdFusion Web application. In August, a
23-year-old Pennsylvania man pleaded guilty to charges stemming from a
scheme to hack into sensitive computer networks operated by a host of
organizations, including the Department of Energy.

Given the findings of the inspector general, it's not hard to see why
hackers regularly succeed in piercing the DOE's defenses.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss