[ISN] Breach puts information in peril

From: InfoSec News (alertsinfosecnews.org)
Date: Mon Aug 27 2007 - 02:34:18 CDT


http://newsok.com/article/3110406/1188011081

By Josh Rabe
Staff Writer
August 25, 2007

Someone hacked into computers at three Oklahoma law enforcement agencies
and may have stolen private information meant only for police use, the
state Department of Public Safety announced Friday.

Details of the extent of the security compromise remained sketchy
Friday, but officials said only the Elk City and Eufaula police
departments and the Kiowa County Sheriff Department were affected.

The Department of Public Safety is urging anyone who has had contact
with those agencies to check for any suspicious charges on credit cards
or to obtain a credit report as soon as possible. Even people pulled
over for a traffic stop but not given a ticket could be at risk.

"Because this is an ongoing investigation, we are not able to release a
lot of information," said Capt. Chris West, spokesman for the Oklahoma
Highway Patrol.

West said he could not elaborate on how long security had been
compromised at those locations or how many people may be affected by the
security breach.

"We believe it is a small number of individuals," West said. "Those
individuals will be contacted by the involved law enforcement agency."

What was affected

The breach involved information used by the Oklahoma Law Enforcement
Telecommunications System, a statewide computer network used by
dispatchers to obtain instant access to all types of local, state and
federal law enforcement databases.

Police dispatchers typically use the system to verify the status of
driver licenses, vehicle registration and to check for outstanding
warrants and criminal history.

Gene Thaxton, telecommunications director for the Department of Public
Safety, said central files for the system are stored at his agency and
were not affected by the breach. The system is accessible at roughly 380
terminals statewide at law enforcement agencies.

Any information accessed by dispatchers that was displayed on their
computer screen may have been sent to a third party by a computer virus
found on the three affected computers.

Both driver license numbers and Social Security numbers are listed in
the database along with names and addresses, Thaxton said.

How it happened

The security breach was the first discovered in the computer network,
which has been in use since 1986.

West said computers law enforcement agencies use for the Oklahoma Law
Enforcement Telecommunications System often serve a variety of other
functions, including unrestricted Internet access.

Employees at the three agencies apparently accessed "inappropriate or
undesirable Web sites," where viruses were unknowingly downloaded onto
the computers, West said.

West said he could not elaborate on the type of sites in question, but
Internet access at all 380 terminals has since been limited to a list of
15 approved sites related to law enforcement.

Thaxton said the problem was discovered during a routine inspection of
the system, which found private information was being sent to a third
party outside law enforcement from those three computers.

West said hard drives were removed from the infected computers and have
been sent to the FBI for forensic analysis.

A surprise for police

Eufaula Police Chief Don Murray said he first learned about the problem
about 11 a.m. Friday.

Murray said the state provided the computer his dispatchers use to
access the telecommunications system and he didn't know it was capable
of doing anything else.

"I would have thought that was all they were restricted to do to begin
with," Murray said.

Murray said he was surprised to learn that improper use of the computer
may have led to the security breach and that he will take disciplinary
action against anyone involved if the FBI can prove guilt.

Murray said he is urging anyone who has had contact with his officers
within the past year to watch out for identity theft, but that state
officials didn't provide him a specific time frame of the breach.

Elk City police officials were not available for comment, and Kiowa
County officials didn't return a call seeking comment.
