A week after the VPMP deadline.

May 14, 2009

A little more information on the recent compromise of the VPMP and the subsequent ransom demand has hit the wires since Wikileaks.org broke the news almost two weeks ago. It has been admitted that the VPMP's information security measures were not all they were cracked up to be, as if this would come as a surprise to anyone. The article mentions that there did not appear to be a backup system in place, nor a properly configured firewall controlling traffic from the public Net. Governor of Virginia Timothy Kaine tried to save face by playing up the countermeasures that were in place and the sophistication of the attack, which, I have to be honest, sounds like jetwash. So long as you don't speak specifically, you can describe what you know about the state's public homepage and make it sound like the security measures of a more specific and sensitive information system, counting on listeners to make the erroneous connection on their own. The state of Virginia went out of its way to hide the fact that this system was cracked rather than alerting the people whose records were in it that they should call their banks and keep a close eye on their credit reports, so I'm not all that inclined to believe him. At this time the system is still offline save for e-mail, and records are being kept manually until the database can be rebuilt and repopulated.

Officials overseeing the VPMP state that, since the deadline passed without payment, it doesn't appear that the cracker is trying to sell the data on the black market. How would they even know? If bank account information for hundreds of people can be bought and sold, and thousands of dollars at a time laundered with nary a whisper, by someone living in a basement apartment, then moving a database like this probably wouldn't be all that difficult using standard techniques. Whoever bought the database dump could then chop the records up into easy-to-move blocks and sell them off a little at a time, probably turning a profit over the purchase price.

The FBI's investigation is still underway, and they're not talking, save to say that it'll take another two calendar weeks to finish forensic analysis. Marilyn Tavenner, Secretary of Health and Human Resources for the state of Virginia, went on the record as saying that pharmacists and other providers of legal-yet-controlled substances were being told to watch out for people trying to buy drugs using potentially stolen information, which is entirely the wrong thing to warn them about. Anyone trying to capitalize on this information isn't going to try to gank Dr. House's Vicodin prescription to abuse or sell; they're going to take the path of least resistance, which means social engineering the credit card agency or bank into sending a new card to an address the attacker controls, or creating an alternate identity complete with new credit cards and bank accounts. The path of least resistance minimizes the amount of public contact required of the attacker, and a pharmacy counter is exactly the kind of face-to-face contact an attacker wants to avoid.

It's telling that so many different groups lobbied heavily against the creation of this program, since before its inception in 2003, for exactly this reason: putting that much PII (Personally Identifiable Information) on a system reachable from the public Net is a recipe for disaster. As a result, a multi-million dollar contract with Northrop Grumman was inked to rebuild the state's systems and update their security measures. We'll see how good a job they do in a couple of years.