(Oregonian (Portland, OR) Via Acquire Media NewsEdge) June 28--The hackers who breached the Oregon Secretary of State's website in February probably exploited software that cybersecurity websites had identified as vulnerable but that state IT officials had not patched, documents and information obtained by The Oregonian show.
On Friday, agency spokesman Tony Green said the hackers first gained access to the site Jan. 21. That's one week earlier than previously disclosed and two weeks before the breach was detected Feb. 4.
The attack, possibly from China or North Korea, prompted officials to take the state's campaign finance and business registry databases offline for about three weeks. State officials also closed international access to the entire website for weeks, and this week declined to say what controls on foreign traffic remain.
Agency emails obtained through a public records request indicate that the hackers probably exploited a weakness in a free open-source software program. State officials confirmed that suspicion Friday but asked The Oregonian not to name the program out of security concerns. While the Secretary of State's website is secure, Green said, hackers could target other agencies.
Alerts about a vulnerability in the software circulated on cybersecurity websites months before the Oregon breach.
An alert posted in September 2013 warned that hackers could take control of a system, install new programs, create new accounts, or view, change or delete data. It listed the problem as "high risk" for government agencies.
A fall 2013 bulletin on another site recommended that developers "immediately upgrade" to a patched version of the program.
Chris Molin, the deputy information officer for the Secretary of State's Office at the time of the attack who is now the chief, acknowledged in an email Friday that patching the program was the responsibility of state Information Technology specialists.
Green did not respond to a question Friday about whether any employee was disciplined for failing to patch the program. The breach ended up costing taxpayers $177,000 for cybersecurity contractors, staff overtime and other expenses.
Documents shed light on possible damage. A Feb. 18 email from configuration manager Christine DuVal said the hackers gained access to unencrypted security questions and answers for Oracle Identity Management, a program the Secretary of State's Office uses to manage user accounts and access to the campaign finance and business registry databases.
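The "unencrypted security questions and answers" in that email are the detail a practitioner should dwell on: a recovery secret stored as typed is readable by anyone who dumps the table. The block below is an added illustration, not code from the agency or from Oracle Identity Management, showing the weak pattern beside a hardened one in which only a salted, stretched hash of the normalized answer is kept. The record layout, the sample question, and the PBKDF2 work factor are assumptions for the example.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your hardware


def normalize(answer: str) -> str:
    """Canonicalize an answer so trivial variants ('Smith ', 'SMITH') match."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def enroll_plaintext(question: str, answer: str) -> dict:
    """The weak pattern: the answer is stored exactly as typed."""
    return {"question": question, "answer": answer}


def enroll_hashed(question: str, answer: str, iterations: int = ITERATIONS) -> dict:
    """Hardened pattern: store a random salt and a PBKDF2-SHA256 hash, never the answer."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, iterations
    )
    return {
        "question": question,
        "salt": salt.hex(),
        "iterations": iterations,
        "hash": digest.hex(),
    }


def verify_hashed(record: dict, answer: str) -> bool:
    """Recompute the hash from the supplied answer and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize(answer).encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def answer_recoverable_from_dump(record: dict, answer: str) -> bool:
    """Simulate an intruder reading a dumped row: is the answer visible in it?"""
    row_text = " ".join(str(v) for v in record.values())
    return normalize(answer) in normalize(row_text)


if __name__ == "__main__":
    # Constructed sample enrollment; not real user data.
    weak = enroll_plaintext("Mother's maiden name?", "Smith")
    strong = enroll_hashed("Mother's maiden name?", "Smith")
    print("plaintext row leaks answer:", answer_recoverable_from_dump(weak, "Smith"))
    print("hashed row leaks answer:", answer_recoverable_from_dump(strong, "Smith"))
    print("correct answer verifies:", verify_hashed(strong, " smith "))
    print("wrong answer verifies:", verify_hashed(strong, "Jones"))
```

Hashing only raises the cost of a table dump; security answers are low-entropy and often guessable from public records, so even the hashed form should not be the sole factor that unlocks an account, and a compromise like the one described still warrants the kind of reset the agency performed.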
After the breach, agency officials emailed all 337,811 users who had ever created an account with one of the systems to tell them their passwords had been deleted.
Officials declined to give details on what other damage the hackers caused.
Julie Pearson-Ruthven, who was the agency's chief information officer at the time of the breach and is now with the Department of Administrative Services, did not return a message seeking comment Friday.
Molin, her successor, requested that questions be submitted in email but then declined to answer most of them out of security concerns. "Publicly addressing these questions could expose other state agencies and private organizations to the risk of harm," he wrote in an email.
Responding to a question about whether any information was stolen, he wrote: "Some data was taken, but any personally identifiable information was encrypted. No credit card data was stored on our systems and neither internal or external reviews have uncovered any evidence that the intruders were able to use any information to compromise the security of those who use our applications."
He said chief information officers in other state agencies were notified and that technical details were shared under nondisclosure agreements. The agency, which has 31 IT employees, installed a vulnerability management tool after the breach, he said, and made other security improvements that he didn't specify.
The agency forwarded three Internet Protocol addresses -- which can be used to identify computers -- to the FBI for investigation, according to documents. The addresses may have been "pass-throughs" and not the points of origin, Green said Thursday.
Kathryn Ash, president of Portland cybersecurity firm IPCopper, said after reviewing some of the agency's messages that it appears state officials cannot definitively determine where the hackers broke in.
"After a data breach, the key thing is to know what happened," she said. "Upgrades and patches will only get you so far. Patching a system is not going to improve your ability to find out what happened if they find another vulnerability."
-- Yuxing Zheng
(c)2014 The Oregonian (Portland, Ore.)
Distributed by MCT Information Services