Wednesday, September 1, 2010

Cybersecurity: Maine breaches

Published in the Portland Phoenix

When many Mainers think of "cybersecurity," they probably remember the 2008 HANNAFORD SECURITY BREACH, when 4.2 million credit- and debit-card numbers were stolen from shoppers at the grocery chain's stores.

What received little coverage amid the hype about the vastly overstated threat of identity theft (only 1800 accounts were actually used to make fraudulent charges, about 0.04 percent of the stolen numbers) was that the breach was the first documented case of a new way of stealing this kind of information: capturing it while it moved across a network rather than taking it from where it was stored.

Previously, most security breaches resulting in theft of credit-card, bank-account, or even Social Security numbers had come from a single incident: either the physical theft of a computer or drive containing that information, or an intruder connecting to a computer over the Internet and breaking through whatever security it had in place. (The latter happened, for example, to THE UNIVERSITY OF MAINE HEALTHCARE CENTER'S COMPUTERS in June, when an unauthorized person accessed data on about 4600 students who had sought mental-health help at the university.)

But Hannaford's data was stolen over the course of several months, during transmission of the data from store cash registers to the system that the company used to verify card transactions. That authorization round trip takes only seconds, as shoppers know, yet it became a target precisely because defenses had been concentrated elsewhere: on physically securing the computers and on hardening the machines themselves, not on the data moving between them.

The fact that some credit-card information is not encrypted when traveling over private corporate networks remains an issue for retailers, banks, and credit-card companies to resolve. (The payment-card industry's security standard, PCI DSS, requires the data to be encrypted only when it crosses open, public networks.) Also, the Hannaford hack was claimed by some to be an inside job, and there is little defense against data theft by a person who is allowed into a data center.
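The weakness described above, card numbers crossing an internal network in the clear, is exactly what a sniffer on a store LAN harvests, and a defender can run the same logic as a check. The example below is added here and is not from the article or from Hannaford: it scans constructed, hypothetical authorization payloads (the message format and field names are invented; the card numbers are the industry's published test numbers, not real accounts) for 13- to 19-digit runs that pass the Luhn check payment cards use, and reports them masked.

```python
"""Added example: detect primary account numbers (PANs) travelling in
plaintext across a network segment. Payload format is hypothetical."""

import re

# A PAN is 13-19 digits; allow the spaces or dashes some merchant formats use.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod-10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_pans(payload: bytes) -> list:
    """Return Luhn-valid PANs (digits only) found in a raw payload."""
    text = payload.decode("latin-1")   # card data is ASCII; latin-1 never fails
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Show only the last four digits, as a report should."""
    return "*" * (len(pan) - 4) + pan[-4:]


# Constructed sample traffic (hypothetical format, not Hannaford's). The card
# numbers are the industry's published test numbers, not real accounts.
SAMPLE_PAYLOADS = [
    b"AUTH|LANE=07|AMT=42.17|PAN=4111111111111111|EXP=1212|",
    b"AUTH|LANE=03|AMT=8.99|PAN=5555 5555 5555 4444|EXP=0311|",
    b"AUTH|LANE=12|AMT=13.50|PAN=4111111111111112|EXP=1212|",  # fails Luhn
    b"HEARTBEAT|TS=1283356800|SEQ=000000000000001|",          # digits, not a PAN
]


def scan(payloads) -> list:
    """Return (payload index, masked PAN) for every plaintext PAN found."""
    hits = []
    for i, p in enumerate(payloads):
        for pan in find_plaintext_pans(p):
            hits.append((i, mask(pan)))
    return hits


if __name__ == "__main__":
    for idx, masked in scan(SAMPLE_PAYLOADS):
        print(f"payload {idx}: plaintext PAN {masked}")
```

Run against real traffic, the same scanner would read payloads from a capture file; the point of the check is that if it finds anything, a thief with the same vantage point finds it too. The Luhn filter is what keeps timestamps, sequence numbers and other long digit runs out of the report.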

Most Mainers likely do not know that THE MAINE LEGISLATURE'S WEB SITE WAS HACKED just three months ago, resulting in some mild confusion about the lawmaking process. Specifically, the bill-status pages, which track each bill's progress through the Legislature, including amendments and votes, were altered so that certain links sent visitors to a Web site that attempted to install viruses or other malicious software on their computers.

State computer-support staff took the site offline entirely for several days while they closed the security hole and reloaded correct information into the database. The outage went largely unnoticed because the Legislature was not in session at the time.
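An altered page of the kind described above gives itself away by where its links point. The example below is added here and is not the Legislature's code or what state staff ran: it parses a constructed sample page (the HTML, the allowed hosts and the `dl.example.net` malware host are all hypothetical), resolves every link, script, iframe and meta-refresh target against the page's own URL, and flags anything that leaves the site's allowlisted hosts or uses a scheme such as `javascript:` that executes rather than navigates.

```python
"""Added example: flag links on a page that lead off-site or execute code,
the kind of change an attacker makes to hand visitors to a malware host.
Hosts and sample page are constructed for illustration."""

from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hypothetical allowlist: the hosts this site's pages are entitled to link to.
ALLOWED_HOSTS = {"legislature.maine.gov", "www.maine.gov"}
# Schemes that run or embed content in the browser instead of navigating.
DANGEROUS_SCHEMES = {"javascript", "data", "vbscript"}


class LinkCollector(HTMLParser):
    """Collect navigation and embed targets in document order."""

    def __init__(self):
        super().__init__()
        self.targets = []   # list of (tag, raw target)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("a", "area", "link") and a.get("href"):
            self.targets.append((tag, a["href"]))
        elif tag in ("script", "iframe", "img") and a.get("src"):
            self.targets.append((tag, a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content="0; URL=http://host/" : the redirect target follows url=
            content = a.get("content") or ""
            idx = content.lower().find("url=")
            if idx != -1:
                self.targets.append((tag, content[idx + 4:].strip()))


def suspicious_links(html: str, base_url: str) -> list:
    """Return (tag, resolved target, reason) for each link that should not be there."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for tag, raw in parser.targets:
        raw = raw.strip()
        scheme = urlsplit(raw).scheme.lower()
        if scheme in DANGEROUS_SCHEMES:
            findings.append((tag, raw, "dangerous scheme"))
            continue
        if scheme == "mailto":
            continue                                   # no host to check
        resolved = urljoin(base_url, raw)              # relative and //host forms
        host = (urlsplit(resolved).hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            findings.append((tag, resolved, "off-site host"))
    return findings


# Constructed sample page: three legitimate links and four injected targets.
BASE_URL = "http://legislature.maine.gov/bills/status.asp"
SAMPLE_PAGE = """
<html><body>
<a href="/bills/status.asp?bill=LD1234">LD 1234 status</a>
<a href="amendments.asp?bill=LD1234">Amendments</a>
<a href="http://www.maine.gov/legis/">Home</a>
<a href="//dl.example.net/update.exe">Roll call</a>
<a href="javascript:window.location='http://dl.example.net/'">Votes</a>
<script src="http://dl.example.net/t.js"></script>
<meta http-equiv="refresh" content="0; URL=http://dl.example.net/">
</body></html>
"""


if __name__ == "__main__":
    for tag, target, reason in suspicious_links(SAMPLE_PAGE, BASE_URL):
        print(f"<{tag}> {reason}: {target}")
```

The check is deliberately strict about scheme-relative (`//host/...`) targets and meta refreshes, because both look harmless in a casual review of the markup yet move the visitor off-site just as surely as an absolute URL. Run nightly against stored pages, a non-empty result is the signal that content was changed without going through the site's own publishing process.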