Kentucky shakes up systems after large-scale hacking

Kentucky officials have reassigned some network management duties after discovering a "monstrous" systems intrusion in which hackers, apparently from France, used Transportation Cabinet computers to store large quantities of pirated movies, music, games and books.

The state has shifted responsibility for the cabinet's routers to the Governor's Office for Technology. Auditor of Public Accounts Ed Hatchett referred information about the hacking incident, as well his office's discovery of employees' use of state computers to access porn sites, to state and federal prosecutors.

State officials met today to cope with the aftermath of the hacking incident, which began in April 2003, according to a statement from Hatchett.

State CIO Aldona Valicenti said her office is working with state auditors and Transportation Cabinet officials to preserve evidence that may be needed by prosecutors. According to the auditor's staff, the hackers may have committed the crimes of theft of services and illegal access to a state computer.

B.J. Bellamy, CIO of Hatchett's office, said the hackers had started penetrating a proxy server in the Transportation Cabinet on April 2, according to a log they left behind in the system. The hacking incident continued until late last week, Bellamy said, when computer specialists in the auditor's office discovered that the server had been penetrated. When the auditors realized the scale of the intrusion, he said, they discontinued their security audit work and informed the cabinet and the Governor's Office for Technology of their findings and recommendations on how to cope with the intrusion.

"Part of those recommendations was to cut off the communication flow to the exploited services," Bellamy said. "The hackers had set up a File Transfer Protocol server to upload and download large files and an Internet relay chat bot," he said. "It was monstrous," Bellamy said, comprising many gigabytes of information. "Most of it was computer games, movies and that type of thing."

Bellamy said the auditor's team realized that the hackers did their work from France because they left behind a log of their own activity that recorded French addresses. "Also the configuration files and some of the software were actually in French," he said. "There was also a note from the original hacker saying 'I was the one who did this.'"

Valicenti said, "I would say this is definitely the most visible hacking incident" Kentucky has ever experienced. She said the lack of passwords to protect routers in the cabinet was one of the factors that allowed the incident to happen.

GOT computer specialists will take over some tasks formerly carried out by cabinet employees, such as running the cabinet's routers, Valicenti said.

"Obviously we didn't do as good a job of password protection as we should have," Valicenti said.

"As of last Monday, July 21, we have put a whole new security architecture in place," she said. "GOT is going to managing all the state firewalls. ? These firewalls will be run centrally where we can monitor intrusions."

Mark Pfeiffer, director of public affairs for the cabinet, said, "We will take steps to remedy" the hacking problem. "We do dispute one claim the auditor made, that public records pertaining to driver's licenses and vehicle licensing could potentially be jeopardized." He said those records are on a different network.

Pfeiffer said the auditor's staff found that between 30 and 35 computers owned by the cabinet had been used to access porn sites, which is a violation of state policy. "We already have an investigation to look into [those] possible abuses," he said. The cabinet has about 6,000 employees, Pfeiffer said.

Wilson P. Dizard III writes for Government Computer News