
S.C. data breach just latest in hacker onslaught

Byron Acohido, USA TODAY
South Carolina Gov. Nikki Haley and Chief Mark Keel of the South Carolina Law Enforcement Division answer questions at a news conference in Columbia, S.C., on Friday.
  • Data thieves breach Department of Revenue website
  • Multiple intrusions since August lead to cache of residents' data
  • South Carolina is latest local government in a string of data breaches

The disclosure on Friday that data thieves pilfered millions of South Carolinians' Social Security numbers from the state's Department of Revenue is the latest evidence that hackers are continuing an onslaught against companies and agencies that increase their web presence without fully appreciating security risks.

State officials confirmed that the South Carolina Department of Revenue's website was hacked some five times from late-August to mid-October. The intruders took 3.6 million Social Security numbers and 387,000 payment card records. None of the Social Security numbers was encrypted, while the vast majority of the credit card numbers (all save 16,000) were encrypted.

Internet hacking of government networks is nothing new. There have been 603 publicly disclosed cases of breaches of government and military networks since 2005, in which at least 141 million records were stolen, according to The Privacy Rights Clearinghouse Chronology of Data Breaches.

Most of the cases involved state and local agencies. By contrast, big federal agencies, led by the Department of Defense, have been beefing up their network security for the past decade.

Thus far in 2012, there have been 76 government and military network data breaches, in which 9.8 million records were taken. Cyber security and law enforcement experts say the publicly disclosed cases represent only a fraction of the actual number of successful hacks of corporate and government networks.

From late-September through mid-October, damaging hacks were reported by the city of Burlington, Wash.; the Centers for Medicare & Medicaid Services (CMS) in Baltimore, Md.; the Town Council of Chapel Hill, N.C.; the Robeson County Board of Elections in Lumberton, N.C.; the Brightline Interactive, Army Chief of Public Affairs office in Alexandria, Va.; the city of Tulsa, Okla.; and the Town of Willimantic, Conn.

Meanwhile, cyber criminals' expertise at hiding their tracks while cracking into company and government networks has advanced considerably over the past decade.

Data thieves today commonly alter the fonts, web addresses and strings of alphanumeric characters in their attack code to throw investigators off the scent.

"There is a lot of spoofing and head fakes going on to make it seem like an attack is originating from a different region," says Kurt Baumgartner, senior security researcher at Kaspersky Lab.

Generally speaking, the more sophisticated cyber attacks that are being conducted daily for criminal gain appear to originate in Russia, while "noisier" attacks tend to originate from other nations in Asia and Eastern Europe, tech security experts say.

The cutting-edge Russian attacks tend to be stealthy, while noisy attacks tend to be persistent and resilient. "Noisy attacks are much more prevalent and less stealthy on all sorts of operational levels," Baumgartner says. "And they tend to be prolonged; the attackers will keep returning to their target, sometimes for years."

There are two main ways criminals leverage the intrinsic anonymity of the Internet to crack into company and government databases. The first hinges on human gullibility, the other on moderate hacking skills:

  • Spear phishing. From society's pervasive use of web commerce and social networks has arisen social engineering: the ability for a data thief to extensively profile a targeted victim and subsequently fool that person into clicking on an infected attachment or web link. The infection turns control of the victim's PC over to the attacker. If the victim uses his or her computer for work, the intruder now has a foothold to probe an organization's network, map the location of key databases and pilfer data, typically over the course of months or even years.

  • SQL injection attacks. SQL hacks involve querying the databases underlying a web page until a database hiccups and accepts an injection of malicious code. Up until early 2008, SQL hacks were done manually, one web site at a time. In the spring of 2008, a bright hacker came up with a way to quickly locate thousands of weakly-protected databases and automatically inject them with malicious code. That technique is now widely used to crack into weakly protected databases underlying company and government web sites all across the Internet. Most of

Often data thieves are in the hunt for information they can quickly sell to the highest bidder in a cyber underground that revolves around an online marketplace as rich and efficient as eBay. Buyers of stolen data include crime rings that use the information to hijack funds from online financial accounts. Others specialize in using stolen identities to set up online accounts through which to launder illicit online cash transfers.

Recently, stolen identity data has come under rising demand from tax fraudsters. One popular caper uses stolen names, addresses and Social Security numbers to generate faked tax returns. Refunds get directed to a debit card account, set up with a stolen identity, that the thief controls. A debit card is then used to make cash withdrawals at an ATM.

Last July, the Treasury Inspector General for Tax Administration issued a report showing that the IRS failed to prevent 1.5 million potentially fraudulent tax returns from being processed last year, resulting in refunds to identity thieves of more than $5.2 billion. The Inspector General estimated that the IRS could issue $21 billion in fraudulent tax refunds as a result of identity theft over the next five years.

"We're seeing a considerable variety in the ways in which cyber thieves are turning stolen data into money," says Stephen Cobb, security analyst at antivirus firm ESET. "It's based on the type of data stolen, the type of operations the data thief is running and also on market conditions."

Recent chatter in the cyber underground suggests that money launderers may be having some difficulty hiring mules, who sometimes carry out the risky final step of extracting cash from the last of a series of counterfeited online accounts.

"There may not be enough takers (for stolen data) in the black market," Cobb says.

Two things are certain: Information Technology is complex and data thieves are endlessly inventive at cashing in.

"Some data owners don't fully understand the format of their stored data and can be fooled into thinking an attacker has data when they do not," Baumgartner says.

In the same vein, criminals may have cracked into a web server, but gained only cursory access to the underlying databases. Under that scenario, the attacker "may be trying to convince the targeted victim that he has access to all this valuable data, when he does not."
