N.H. Breach May Have Exposed Credit Card Data

Computerworld - The FBI, the U.S. Department of Justice and New Hampshire officials are investigating a potential security breach after a malicious application was found on a state server during a routine check earlier this month.

State officials said last week that there is no evidence yet that any credit card information was stolen from the server.

The New Hampshire Division of Motor Vehicles and the state Veterans Home use the server to transmit financial information. The state's Liquor Commission uses it as a backup for sales transactions.

The server held only credit card numbers; no other personal information was stored on it, officials said.

New Hampshire CIO Richard C. Bailey Jr. said that an unnamed state Office of Information Technology employee was placed on paid leave as part of the investigation. He declined to comment further on that action.

Impact Unclear

A spokeswoman for New Hampshire Gov. John Lynch said the ongoing investigation will look to determine whether the Cain & Abel application was ever activated on the server to look at the stored credit card numbers. "We don't know at this point [that] it actually happened," she said.

Bailey advised residents who have used the server for transactions to keep an eye on their credit card statements.

Bailey said it is still not clear how Cain & Abel -- a password recovery program for Microsoft Corp. products -- was placed on the server. The program can be used as malware by hackers to capture and crack passwords, according to several security vendors. "It does have some quasi-legitimate purposes, I guess," Bailey said. But the program had been installed without authorization and was not wanted on the server, he added.

Such an action could have been done from inside the state's system or by accessing it through the Internet, Bailey said. A check of other servers on the state's computer network found no evidence of the malware, he said.

The program was found during a routine security check undertaken by state IT workers while they were evaluating a network intrusion monitoring system from Cisco Systems Inc. for potential purchase, according to Bailey.

The product they were evaluating, the Cisco Security Monitoring, Analysis and Response System appliance, can be used to search for system anomalies, track them down and stop any threats, he said.

The affected server was taken to FBI offices last week to undergo forensic analysis, which investigators hope will determine how the program got into the system.

Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa., said the incident underscores the importance of constant network vigilance. "It just gets back to cliches like 'defense in depth' and actually taking the time to monitor your systems," he said.

Lindstrom said the Cisco technology likely helped find the malware, but he noted that it could have also been found through regularly scheduled scans and checks.