It’s been a relatively quiet week in the world of cybercrime. We start off this week’s review with Chevron’s admission yesterday that its IT systems were infected with the Stuxnet malware back in July 2010. This is the first time a U.S. company has acknowledged being infected by the malware which the U.S. and Israel created and used to target Iran’s uranium enrichment program.
Mark Koelmel, general manager of the earth sciences department at Chevron, told the Wall Street Journal that, “I don’t think the U.S. government even realized how far it [Stuxnet] had spread. I think the downside of what they did is going to be far worse than what they actually accomplished.”
Chevron’s admission will no doubt fan the debate over whether Stuxnet escaped into the wild, or whether Chevron itself may have been deliberately targeted.
Chevron told the WSJ that it was not adversely affected by Stuxnet, but I think that all depends on how you define “adversely affected.”
Coincidentally, a story at ComputerWorld yesterday reported that a team of Russian security researchers has found that the updated version of Siemens’ WinCC SCADA (Supervisory Control And Data Acquisition) software, the product targeted by Stuxnet, is still full of security holes. The story says that the research team “found more than 50 vulnerabilities in WinCC’s latest version, so many that Siemens has worked out a roadmap to patch them all… Most are problems that would allow an attacker to take over a WinCC system remotely.”
Looks like Siemens has more work to do.
In a case of do-as-I-say, but-not-as-I-do, Reuters reported yesterday that staffers at the U.S. Securities and Exchange Commission “failed to encrypt some of their computers containing highly sensitive information from stock exchanges, leaving the data vulnerable to cyber attacks.” The irony is that the staffers were part of the SEC’s Trading and Markets Division, which is responsible, Reuters says, “for making sure exchanges follow certain guidelines to protect the markets from potential cyber threats and systems problems.”
The security breach caused the SEC to spend over $200,000 to conduct a security audit to ensure that no information was compromised. The SEC also had to notify all the stock exchanges of the breach, which made none of them very happy (although the schadenfreude felt was likely acute), especially since the SEC has been pushing public companies hard to disclose the risk of cyber incidents.
The SEC had no comment on the Reuters story. It will likely be forced to break its silence and explain to Congress how the lapse was allowed to occur, however, once the SEC’s Interim Inspector General publishes a report on the incident in the near future.
There was also a disturbing story this week in the Minneapolis Star Tribune about a former policewoman who has collected more than $1 million so far from lawsuits filed against a number of Minnesota cities because police officers illegally accessed her driver’s license information from the state’s motor vehicle database. According to a story at CityPages, her information had been “accessed 425 times by 104 officers between 2007 and 2011… and an additional 174 times in 2006.”
The Star Tribune story noted that police officers accessed the woman’s license “because she was very attractive and so they could see that 'she's changed and she's got a new look.’ ”
The suits allege that police routinely accessed Minnesota’s driver’s license database without authorization, something that the city police departments involved deny. However, city governments across Minnesota have apparently taken steps to tighten police access to driver’s license information and to increase the penalties for unauthorized access in light of the lawsuits. So far, though, none of the officers identified as taking part have been disciplined.
Finally, in a case of locking the barn door after all the horses have escaped, South Carolina announced that it will be spending the next two to three months encrypting its revenue department data. As I noted last week, some 3.6 million unencrypted taxpayer Social Security numbers, 387,000 credit and debit card numbers, and information on over 657,000 South Carolina businesses were stolen by cybercriminals last month from South Carolina’s Department of Revenue.
Governor Nikki Haley had recently stated that Department of Revenue taxpayer data hadn’t previously been encrypted because doing so was “cumbersome” and what’s more, data encryption wasn’t an IT security industry best practice. I guess she has changed her mind.
It is estimated that South Carolina will be spending more than $30 million just to provide affected taxpayers with fraud protection services for the next year.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.