Friday, May 15, 2009

Lessons learned from the WV State Bar breach

According to the FAQ released by the WV State Bar yesterday, the data breach reported a couple of weeks ago was the result of an unpatched Linux server being compromised. The Bar further says it had "an unsupported FoxPro database containing member information" somewhere on its network that was also compromised.

It's unclear from the FAQ how the hacker or hackers took control of the Bar's webserver and started serving malware. The Bar does say, "The State Bar will no longer host its own website internally, it will be hosted off-site at a secure location with a company that specializes in website development and internet security. The State Bar website will be completely re-written in a more secure manner."

Netcraft shows the Bar site was running Apache/2.0.54 (Win32) with PHP/5.0.4 on Windows 2000 as of 22-Mar-2006. Before that, as of Nov-2004, Netcraft recorded the site running Microsoft-IIS/5.07 on Windows 2000. Those are old versions of both the web server and PHP, and the FAQ does not say whether the public-facing box was ever patched after it went live.

As for security, they say they had a firewall: "The State Bar's computer system was equipped with a firewall, which previously was believed to be secure. However, the State Bar's forensic computer experts have advised that no firewall would have prevented the sophisticated hack of the website and database. The State Bar is taking extraordinary measures, as set forth in response to question number 1 above, to prevent a security breach from occurring again in the future." That is true as far as it goes: a firewall has to let port 80 through to a public webserver, so it offers no protection against a flaw in the web application or in unpatched software behind that open port.

The Bar has pulled the unpatched Linux box off its network, has stopped hosting its website internally, and has removed social security numbers from its databases. It also says its website is being rewritten in a more secure manner.

So what can we learn from the breach? First, don't run unpatched servers on your network, whether Linux, Windows, or any other OS. That applies to the applications on the box (the web server, PHP, the database) as much as to the OS itself; the OS being current does nothing for you if Apache and PHP are years behind.

Second, attacks on webservers are very much in fashion with hackers. Since most of us have deployed firewalls, antivirus, patch management, vulnerability scanners, and intrusion detection systems, the webserver is often the weakest link in a network. As a result, web application security has become very important. Secure your web apps and use web application firewalls. Also, don't host public websites in-house, and never on the same network as your internal production systems; if you must host internally, put the webserver in its own firewalled segment so that a compromised webserver cannot reach member databases and file servers.

Third, know what applications, operating systems, and servers are on your network and where they are, and document everything. The Bar says, "Further complicating matters, there existed no documentation regarding the State Bar network layout, hardware, software and/or legacy applications. As such, the upgrade process has been a cycle of discovery and repair which has taken longer than anyone could have expected or foreseen."
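Lessons one and three go together: you can't patch what you don't know you have. The script below is an added example, not anything the Bar or its consultants used, showing one cheap way to start an inventory from the banners a web server advertises (the same kind of data Netcraft reported above). It parses "Product/version" tokens out of Server-style headers and flags anything older than a baseline. The host names, all banners except the first (which copies the Apache/PHP strings Netcraft showed for the Bar site), and the baseline versions are constructed for illustration and are not real scan results or recommended minimums.

```python
"""Banner-based inventory check (added illustration, not the Bar's tooling)."""
import re

# Constructed sample data. The first banner copies the strings Netcraft reported
# for the Bar site; every host name and the other three banners are made up.
SAMPLE_BANNERS = {
    "www.example-bar.test": "Apache/2.0.54 (Win32) PHP/5.0.4",
    "old-app.example-bar.test": "Microsoft-IIS/5.0",
    "intranet.example-bar.test": "Apache/2.2.11 (Unix) PHP/5.2.9",
    "files.example-bar.test": "lighttpd/1.4.20",
}

# Hypothetical patch baselines for the example: a component whose version is
# lower than the listed one is flagged. Replace with your own vendor data.
BASELINE = {
    "Apache": (2, 2, 11),
    "PHP": (5, 2, 9),
    "Microsoft-IIS": (6, 0),
}

# Matches tokens like "Apache/2.0.54", "PHP/5.0.4", "Microsoft-IIS/5.0".
# Parenthesised platform notes such as "(Win32)" carry no slash and are skipped.
COMPONENT_RE = re.compile(r"([A-Za-z][A-Za-z0-9_-]*)/(\d+(?:\.\d+)*)")


def parse_version(text):
    """'2.0.54' -> (2, 0, 54). Dotted numeric versions only."""
    return tuple(int(part) for part in text.split("."))


def parse_banner(banner):
    """Return {product: version_tuple} for every Product/x.y.z token in a banner."""
    return {name: parse_version(ver) for name, ver in COMPONENT_RE.findall(banner)}


def version_cmp(a, b):
    """Compare two version tuples, padding the shorter with zeros so (2, 2) == (2, 2, 0).
    Returns -1, 0 or 1."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def find_outdated(banners, baseline=BASELINE):
    """Return (host, product, version, reason) for every component that is below
    its baseline or has no baseline on file. Unknown products are reported too:
    an inventory is only useful if it surfaces the things nobody expected."""
    findings = []
    for host, banner in banners.items():
        for product, version in parse_banner(banner).items():
            minimum = baseline.get(product)
            if minimum is None:
                findings.append((host, product, version, "no baseline on file"))
            elif version_cmp(version, minimum) < 0:
                findings.append((host, product, version, "below baseline"))
    return findings


if __name__ == "__main__":
    for host, product, version, reason in find_outdated(SAMPLE_BANNERS):
        print(f"{host}: {product} {'.'.join(map(str, version))} - {reason}")
```

Banners are a starting point, not an inventory: Apache's ServerTokens and equivalent settings can hide or shorten them, and a legacy FoxPro database like the one the Bar had will never show up in an HTTP header. Pair this kind of scan with host-side enumeration and the network diagram the Bar says it never had.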

As for the breach itself, the Bar says, "The State Bar had social security numbers for approximately 4,000 members. Members whose social security numbers are believed to have been contained on the State Bar's database should have received a second and third email notifying them of that fact. Some members do not have an email address on file with the State Bar. For those members, a separate letter was mailed to them through the United States Postal Service."

The Bar has turned hard drives over to the FBI and says it will keep its members up to date on the investigation.



Blogger Michael said...

The very likely scenario here is that they hired a friend or relative "tech" that could do the site on the cheap. After this person finished the job he was "done". Since it was a Linux box, the server most likely just sat there and ran without any obvious problems. At least without any problems that a non-tech would divine.

The Kanawha valley is absolutely crawling with shady "technicians". I am pretty sure that they are responsible for the abhorrent IT employment scenario in the area as well. They are willing to work for $10/hr so when these places want to hire someone to be their "guru", that's all they want to pay. You get what you pay for....

4:13 AM  
