Is Arizona ready for the next hack?

By Nick R. Martin | June 26th, 2011 | 6:57 pm
In this memo, leaked by hacker group LulzSec, an Arizona DPS sergeant details poor computers at some of the agency’s offices.


Arizona’s state police force, the Department of Public Safety, went into something of a panic on Thursday night after a group of brazen hackers broke into the email accounts of a handful of officers and leaked secret law enforcement documents to the world.

The agency shut down its own website, froze parts of its email system and launched an investigation to try to figure out how bad the breach was and how it happened.

Yet in all the posturing and fist-pounding state officials did in the hours that followed, the question of whether Arizona has a strategy to deal with future attacks seemed to be lost in the noise.

Instead, the focus was on the seven officers, some of whom had their names, home addresses, cell phone numbers, passwords and personal financial information posted on the internet.

State Speaker of the House Andy Tobin said the officers’ lives were in danger. He dubbed the hacker group, known as LulzSec, “cyber terrorists” and called for them to be severely punished — that is, if investigators can ever figure out who they are.

Likewise, after getting its website back online, DPS posted a statement calling LulzSec a “cyber terrorism group” and saying the security of its own officers had become “the agency’s top priority.”

Gov. Jan Brewer, meanwhile, said nothing, despite her state’s own police saying they had fallen victim to terrorism.

There is no question the hacked officers are having difficulty now that anyone with an internet connection and a little savvy can download all their personal information. Some reported receiving harassing phone calls. A Phoenix TV station reported one of the officers planned to move his family out of their house for the time being.

But what officials like Tobin, Brewer and DPS Director Robert Halliday have yet to say — or perhaps realize — is that the hack shows Arizona was at least somewhat unprepared to deal with this.

Put another way: If hacking seven police email accounts can send the state into a panic for a day or two and be seen as “terrorism” in the eyes of top officials, what will happen if hackers hit Arizona with an even bigger attack? Is the state ready for that?

Those are hard questions to answer without a full investigation. But LulzSec’s hack brought to light a number of surprising details, including what poor shape some of DPS’s computers are in.

In an agency memo leaked by the hackers, dated Aug. 25, 2010, Sgt. Gary Phelps of the Highway Patrol Division wrote about whether his bureau’s computers, which are scattered across offices throughout northern Arizona, were up to the task of running a new piece of training software.

One DPS office in the town of Wikieup, he wrote, “is equipped with two computers and a dial-up internet connection…One of the computers is old and can only be used as a word processor.”

An office in the town of Beaver Dam, Phelps wrote, had five computers and a faster DSL connection. But two of those computers were “older and only used for word processing.” In Springerville, two computers were OK and two were now only used as word processors. In Holbrook, two of ten computers were word processors only.

At office after office, the situation was similar. Officers were often working on computers so old as to barely function. Some DPS computers, particularly those in small towns, had the type of internet connections most users haven’t seen in almost a decade.

In its postmortem of last week’s attack, DPS said its officers at exactly those types of rural outposts were the ones who fell prey to the hackers. “Because we have people stationed all over the state, not everyone is on the same password requirements,” agency spokesman Steve Harrison told the Arizona Republic. The agency, he added, was now “in the process of changing that.”

The agency also put a statement on its website listing four “safeguards” it has in place to protect its digital records. The list includes having “industry-standard” firewalls and anti-virus software as well as having digital security staffers employed at each state agency.

On his blog, information security professional Jim Lippard wrote that the list represents a “less-than-minimal set of security controls” and could indicate how little the state’s police force understands the problem.

“It’s an embarrassing list,” he wrote, “which suggests they’ve had poor information security and continue to have poor information security.”

Lippard went on to provide his own, much larger list of questions that have yet to be answered publicly in the wake of the attack.

Meanwhile, the hacker group that broke into the DPS email accounts posted a statement Saturday saying it was disbanding. However, it pointed followers to another hacker group carrying out similar operations.