LULZ Group Hacks DPS records, while DPS downplays effect of the security breach

Posted by: Arizona Criminal Defense Attorney, Nick Alcock

The Arizona Department of Public Safety worked Friday to strengthen its computer networks after an international group of hackers exploited a weak spot in the system by accessing the e-mail accounts of eight officers stationed in rural areas of the state.

The hacking group Lulz Security, which has claimed responsibility for breaching CIA and U.S. Senate websites, said in a bulletin Thursday afternoon that it had successfully stolen 700 DPS files. The group posted the information on its website in retaliation for the state’s passage last year of Senate Bill 1070, a tough immigration law largely on hold pending a review by the U.S. Supreme Court.

DPS officials characterized LulzSec’s breach as isolated and said it did not affect the agency’s larger servers and the information contained on them.

The incident is one of many recent efforts targeting government websites to make political statements. It raises concerns about the security of sensitive information on government computers and prompted some state lawmakers to suggest that the state may need to toughen penalties to deter future attacks.

In the latest strike, the hackers obtained reams of information, including personal details about officers and other documents. The eight officers whose e-mails were attacked were part of a separate, outdated system that did not require users to update their passwords on a regular basis. It also did not require a complex combination of capital and lower-case letters and numbers for a password.

Most DPS personnel are on a system that requires password changes every 60 days.

“Because we have people stationed all over the state, not everyone is on the same password requirements,” DPS spokesman Steve Harrison said Friday. “We were in the process of changing that system over already. Obviously, this will make us go a little faster.”

The documents obtained by LulzSec were either e-mail attachments or stored on the hard drive of the computers used by the officers, he said.

“Obviously there are some training issues related to this,” Harrison said of the simplistic passwords. “They need to use a little more robust system.”

Harrison said the department is “unlikely” to discipline the officers because “we don’t believe the officers did anything wrong.”

Harrison declined to discuss specifically what measures the department is taking to contain the breach and ensure it doesn’t happen again. But he did say the department’s information-technology team immediately changed the officers’ passwords Thursday afternoon.

They also blocked external access to DPS servers Thursday evening in response to the attack. The servers were brought online again shortly after noon Friday, he said.

Other systems safe?

The breach raises questions about whether other state agencies also might be vulnerable to a cyberattack.

The hackers vowed to release more classified documents each week to embarrass authorities and sabotage their work.

State agencies operate on different computer networks, which range in age, and contain a wide range of personal data, including health information, motor-vehicle records and tax returns.

Officials in the Governor’s Office declined to comment directly on the security of the state’s computer network and would speak only to the scope of this breach.

“We have received no information that leads us to believe that the DPS servers . . . or the larger state system have been compromised,” spokesman Matthew Benson said.

The DPS notified the Governor’s Office and other law-enforcement agencies of the incident, Harrison said. At some point during the evening, the state’s Information Technology Department and the Department of Administration also were briefed on the breach, but it was unclear whether details of the hack were formally shared with other state agencies.

A spokesman with the Department of Administration did not return phone calls and e-mails seeking comment.

Recent budget requests suggest some of the state’s computer systems are overdue for upgrades. For example, the Department of Administration asked earlier this year for $5 million in its fiscal 2012 budget to start building an integrated statewide financial system.

In the request to Brewer, agency officials spoke in dire tones about the aging Arizona Financial Information System, which processes more than $30 billion in expenditures each year and handles 14 million transactions. The system was installed 19 years ago. Some components are even older. It noted that the “inflexibility of the current system(s) security features does not provide the necessary controls to mitigate potential major risks.”

There is nothing in budget documents that indicates the request was honored.

The DPS issued a statement Friday saying safeguards were in place at all agencies to “ensure the security of electronic and computerized records.” Those measures include round-the-clock monitoring of external access to the state’s computer network, firewalls and anti-virus software.

Several laws broken

The Arizona hacking appears to be part of a joint effort between hacking groups Anonymous and LulzSec, which they have dubbed Operation Anti-Security, according to a statement released by LulzSec. The intent is to target government websites, the group said.

The groups have released the Arizona information and the names of 2,800 Colombian special police-unit members. They also claim to have breached Britain’s Serious Organized Crime Agency and two Brazilian government websites.

Tom Holt, assistant professor in the School of Criminal Justice at Michigan State University, said Thursday’s hacking appears to fit with a growing trend called “hactivism.”

Hackers used to work individually, either for entertainment or to make money, he said. But “hactivists” are grass-roots groups with a political motivation.

What is somewhat disturbing about these two groups, Holt said, is that they are increasingly incorporating others into the various efforts. They’ve developed websites that help individuals start their own attack and provide resources via Twitter.

Holt said the hack was sophisticated, which could hamper identifying any culprit.

“This seems a little bit more complex, and the amount of data acquired suggests that these actors have some degree of skill,” he said. “The way in which they got the information might leave some trails. But it will require a degree of sophistication by the investigators.”

In accessing the DPS files, LulzSec appears to have violated both federal and state laws. The DPS said Friday that it anticipates bringing in the FBI to help with the investigation.

Title 13, Section 2316 of the Arizona Revised Statutes makes it a crime, among other things, to “recklessly use a computer, computer system or network to engage in a scheme or course of conduct that is directed at another person and that seriously alarms, torments, threatens or terrorizes the person.”

Violation of the statute is a Class 2 felony and punishable by up to 12.5 years in prison, the state Attorney General’s Office said.

Federal computer crimes are prosecuted under the Computer Fraud and Abuse Act, which sets penalties of one to 10 years in prison, depending on the crime.

The released documents included information from federal agencies, including the U.S. Department of Homeland Security.

Law-enforcement officials said Friday that finding the guilty parties will be difficult, given that hackers can commit their crimes from virtually anywhere in the world.

It is not clear who would prosecute the case if a suspect were identified.

State Attorney General Tom Horne said the DPS would have the discretion to send the criminal probe either to his office or to the U.S. attorney for Arizona, or both.

Tougher statutes

Thursday’s hack could lead to a push for tougher state laws against cybercrime, several state lawmakers said Friday.

House Speaker Andy Tobin, R-Paulden, said he was “outraged” by the attack, particularly because it may have endangered DPS officers and their families.

Tobin said he had “been hearing from (legislative) members all day.”

He said he believes lawmakers would be receptive to giving the DPS additional resources to improve its computer networks, if it determined that was needed, and increasing the state penalties for hacking into government computers.

“This is as important to protecting our law-enforcement officers and their families as a bulletproof vest might be,” Tobin said. “It would absolutely be a priority for the Legislature.”

Sen. John McComish, R-Phoenix, said he would like to ensure the penalty for cyberattacks is harsh enough to deter future hackers.

Others said solutions against additional attacks might be as simple as requiring the state’s e-mail administrators to enact more rigorous password-protection programs.

The military, for example, uses “challenge words” to verify the validity of a password, adding another layer of security, said Rep. Jack Harper, R-Surprise, a member of the House Military Affairs and Public Safety Committee.

Contact Alcock & Associates if Facing DUI, Criminal, or Immigration Charges

Read more: http://www.azcentral.com/arizonarepublic/news/articles/2011/06/25/20110625arizona-dps-email-hacking-effect.html#ixzz1QK3tUsWv