
Tuesday, 14th October 2008 - 20:30CET
Attack on MITTS system started in Cairo embassy - information extracted on Sept 4
No evidence of access to emails and back-end systems
American experts commissioned by MITTS, the government IT agency, have established that usernames and passwords belonging to 20,000 people were unlawfully extracted from the government computer network on September 4 and it was probable that the attack was made through the Maltese embassy in Cairo, IT Minister Austin Gatt told Parliament this evening.
Despite the extracted information, there was no evidence of unlawful access to any email account or back-end systems used by the government. This was strengthened by the fact that passwords used by MPs and senior government officials were quickly changed, the minister said.
He said the computer in this embassy was infected by malware which had permitted a connection between the government network and the Internet.
All evidence showed that the attack was not made by a professional.
Describing what had happened, Dr Gatt said in a statement to the House that on September 4 at about 10 a.m., officials noticed that one of the main servers at MITTS was showing performance problems. This server contained the usernames and passwords of more than 20,000 users.
At about 5 p.m. officials noticed that this server was operating an unauthorized program. Further investigation showed this program was being used for the illegal extraction of usernames and passwords.
Further investigations showed that a similar program had been executed on the same server on September 2 and 3. In all cases, the username and password of one of the MITTS team leaders was used.
A complete scan of all systems was made between September 5 and 6 and a copy of this program was found on the server of the Maltese embassy in Cairo and on a computer at Mater Dei Hospital.
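The sequence described above, the same program run under one team leader's credentials on September 2, 3 and 4 and noticed only when the server showed performance problems, is the kind of pattern a routine allowlist check over process-execution audit records surfaces on the first run rather than the third. The script below is an added illustration, not part of the minister's statement and not MITTS code: it assumes a hypothetical audit line format of "timestamp host user executable", and the sample lines, account names and paths are constructed for the example.

```python
"""Detection sketch: flag unapproved programs run under privileged accounts.

Hypothetical audit format (one record per line): ISO timestamp, host,
account, path of the executable started. The records below are constructed
for this example; hosts, accounts and paths are invented.
"""
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2008-09-02T09:41:12 dirsrv01 tl_jdoe /usr/sbin/ldapsearch
2008-09-02T09:43:50 dirsrv01 tl_jdoe /tmp/pwcollect
2008-09-03T10:02:07 dirsrv01 tl_jdoe /tmp/pwcollect
2008-09-03T14:20:31 dirsrv01 backupsvc /usr/bin/rsync
2008-09-04T10:05:44 dirsrv01 tl_jdoe /tmp/pwcollect
2008-09-04T11:17:09 dirsrv01 opsadmin /usr/bin/top
"""

# Accounts with administrative rights on the directory server (constructed).
PRIVILEGED = {"tl_jdoe", "opsadmin"}
# Executables those accounts are expected to run on this server (constructed).
ALLOWLIST = {"/usr/sbin/ldapsearch", "/usr/bin/top", "/usr/bin/rsync"}


def parse(log_text):
    """Yield (timestamp, host, user, exe) tuples; blank lines are skipped."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, exe = line.split()
        yield datetime.fromisoformat(ts), host, user, exe


def unapproved_privileged_execs(log_text):
    """Map (user, exe) to the sorted list of dates on which a privileged
    account started an executable that is not on the allowlist."""
    hits = defaultdict(set)
    for ts, _host, user, exe in parse(log_text):
        if user in PRIVILEGED and exe not in ALLOWLIST:
            hits[(user, exe)].add(ts.date().isoformat())
    return {key: sorted(days) for key, days in hits.items()}


def first_seen(log_text):
    """Map each finding to the ISO timestamp of its first occurrence, i.e.
    when an alert would have fired had the check run continuously."""
    earliest = {}
    for ts, _host, user, exe in parse(log_text):
        if user in PRIVILEGED and exe not in ALLOWLIST:
            key = (user, exe)
            if key not in earliest or ts < earliest[key]:
                earliest[key] = ts
    return {key: ts.isoformat() for key, ts in earliest.items()}


def repeated_findings(log_text, min_days=2):
    """Findings seen on at least min_days distinct days: a repeat under one
    account across days is the signature worth escalating, not a one-off."""
    return {key: days for key, days in unapproved_privileged_execs(log_text).items()
            if len(days) >= min_days}


if __name__ == "__main__":
    for key, days in unapproved_privileged_execs(SAMPLE_LOG).items():
        print(f"{key[0]} ran {key[1]} on {', '.join(days)}; first seen {first_seen(SAMPLE_LOG)[key]}")
```

The allowlist is deliberately per-server: a directory server has a short, stable list of administrative tools, so anything else started under an administrative account is worth a ticket on day one, independently of whether it degrades performance.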
HOSPITAL COMPUTER SEIZED
The relevant hospital computer was seized and a number of CDs with copies of software similar to that found on the server were discovered.
Investigations into this software, which could be downloaded free from the internet, showed that the extraction of information had probably failed on September 2 and 3 because the software was incompatible, while that of September 4 had been stopped.
The persons suspected of involvement were suspended.
Dr Gatt said that on September 7 he was told that it was highly unlikely that any information had been extracted.
At a MITTS board meeting on September 10 it was decided that although the probability that usernames and passwords had been extracted was low, the 20,000 users were ordered to immediately change their passwords. The process started and was concluded on September 11. Meanwhile, investigations continued by the MITTS officials and the police.
At a board meeting on September 17, a police officer said that the MITTS team leader who was under investigation had admitted that he had given his password to another employee by phone, where other people could overhear. He had done so in order that a technical problem could be resolved. The password was subsequently not changed.
On September 17 the same program was found on another computer used by a MITTS employee. Yet another computer used by another employee was found to have conducted aggressive pinging on the server. The employees were suspended and the investigation was widened by the police.
FRESH DOUBTS EXPRESSED
On September 24, for the first time, the MITTS executive management expressed doubts as to whether or not information had been extracted on September 4.
In view of this surprising change, the board gave the executive management two days to re-examine the facts and give a final opinion.
On September 26, the executive management said it was assuming that usernames and passwords had been extracted.
It was at that meeting that the board decided to call in an American company to conduct further investigations.
Dr Gatt said no employee was being investigated for, or had been suspected of accessing emails, including those belonging to Alfred Sant. To date, no case of hacking of the emails of MPs had been found.
It was obvious that this case was not hacking or an attack directed at particular persons.
He said the case did not stem from a lack of investment in security systems, but unfortunately not all available security systems were being used. Furthermore, written policies and procedures had been regularly ignored, such as those on the sharing of passwords.
The American experts submitted their report last Wednesday, where they said that information had been extracted on September 4 and it was highly probable that the attack was made from the Maltese embassy in Cairo.
The minister said the embassy had been disconnected from the government network and the embassy hard disks were being examined so that the origin of the attack could be traced.
NO EMAIL ACCOUNTS ACCESSED
At this stage, he was informed that no MITTS employee was being investigated for illegal access to emails. Although it was being assumed that usernames and passwords had been extracted, no email accounts or back-end systems had been accessed.
MITTS had also immediately approved a series of measures to strengthen security.
Among the measures which could be disclosed were the introduction of tokens/smart cards for MPs and people in sensitive posts, without which email accounts could not be accessed. Secure Mail was also being introduced immediately to encrypt email.
MITTS had also commissioned an External Review Team to analyze the circumstances which led to this incident and the MITTS reaction to it. The team would also recommend other security measures.
Dr Gatt said the MITTS board of directors had offered to resign but he turned down the resignations since the shortcomings which had developed were operational and not the result of some policy adopted by the board.
Dr Gatt said in the coming weeks he would launch the setting up of a National Information Security Agency to work hand in hand with the Malta IT Agency and the Malta Communications Authority.
Comments
An anti-virus is not a must!!!!??? Gosh man, it shows that you really know nothing about I.T. The antivirus is one of the most important things for a server apart from the firewall. Well, if you get hacked or your bank account gets compromised, don't blame the PC!! BLAME YOURSELF!!
"...if one is careful to use an intelligent networking policy on desktop computer .i.e. disallow all outbound connection...."
jahasra: Operating system policies can get hacked due to a virus/malware, especially without an anti-virus, which you claimed is not too important.
pfff
For your info: (1) there are viruses that are able to change the operating system files. (2) The server didn't broadcast the info; it was the virus/malware which made the request to broadcast the info.
The definition of malware is software designed to infiltrate or damage a computer system without the owner's informed consent. Nobody has said that the malware came from the internet. It could have been installed deliberately by a person inside MITTS.
What happened always boils down to lack of end-user awareness, observation of policies and appropriate information security management and governance. Locally we have a lot of certified and valid persons in information security. It is only for organisations to make best use of them, even by just hearing what they have to say.
On an isolated, unconnected computer used strictly by highly knowledgeable, alert and careful users, yes, you are right, there is no need for antivirus. As you rightly say, by disabling all outbound connections there is no risk that it will infect other systems, but how useful would a computer be when it cannot communicate with anything else?
As Geoffrey Said said, the biggest threat to any IT system is its users, and is usually the cause of most problems, hacks, viruses, troubles... in the industry we call it the "Layer 8 problem"
The most deadly security attacks are attacks that originate from the inside of an organization, as the person/s involved can bypass known security checks and leak information quietly.
No, I did not get it! The server should NEVER broadcast that information on a network, virus or not. Administrative logins should only be allowed locally on such a server.
And, by the way, I do not give weight to promotional messages. Antivirus is not a must, if one is careful to use an intelligent networking policy on desktop computers, i.e. disallow all outbound connections. Got it Sir?!
The privacy of 20 000 individuals is threatened and nobody is held responsible. This is a complete failure.
Similar cases abroad which were not 1% as weighty as this were followed by thorough resignations.
The main purpose of viruses etc., is to retrieve sensitive data, destroy data, gain full control of computer systems and access restricted areas. Therefore your statement “Viruses etc, should not have access to password lists” is incorrect. If viruses are denied there is no need for anti-virus software. ;) got it ?!
Who is admitting the 20,000 accounts have been compromised??????
Can you read the article again please? Here is an extract from the above article……
“At a MITTS board meeting on September 10 it was decided that although the probability that usernames and passwords had been extracted was low, the 20,000 users were ordered to immediately change their passwords.”
In other words the probability was low and Mitts ordered an immediate change. IT DOES NOT SAY THAT THE ACCOUNTS WERE COMPROMISED. Sorry, you misunderstood the article.
This, on the other hand, does not mean that it cannot be achieved.
All I am trying to say is that these things happen. Did you read the articles I posted? CERN Nasa etc?
If you think that my comments were politically motivated, sorry, you are wrong. All I am trying to say is that these things happen everywhere. (If I remember correctly you were the one who politicised this article in the first place.) Quoting your previous post: “I really hope that the P.N. will be taught a lesson and given a good hiding. This is how these people learn to respect our intelligence.”
And yes, I agree, some of us are still living in the Malta of 50 years ago.
@ E.Bartolo.
You are right “Viruses etc, should not have access to password” however please note that they do.
Viruses etc, should not have access to password lists. The MITTS server under question, should have denied access to that file, irrespective of what credentials it was presented. Centrally important servers should only allow administrative logins LOCALLY and they should be locked in a secure room.
If you still think that if you criticize the authorities, one has to come from an opposing party or has a political agenda, then please may I humbly augur that you evolve politically.
Truly, we are discussing the Mitts saga, but this leads to the incompetence of the current government. We are in the European Union, dear C. Spiteri, but some of us are still living in Malta of 50 years back.
I'm sure that the lame comments posted are from computer illiterate people.
-----
The issue here is NEGLIGENCE from BOTH the MITTS employees and the USERS using the MITTS system either from home or office!!!
There is no point in having a secure system if the users using the system never scan their home/office PCs for spyware and viruses, and don’t own a decent anti-virus.
@ C. Spiteri
The most disturbing thing is that we have this INTELLIGENT minister elected from the people for the people ?? lying for a whole month and now finally admitting that more than 20,000 passwords were eventually stolen.
All these BUBBLES you have mentioned have been bursting for quite some time after the 8th of March. Don't you think??
Once again I ask the question - IS ANYONE ACCOUNTABLE FOR ANYTHING IN THIS COUNTRY ??
Internationally recognised information security certifications are also available to local organisations to train employees or source qualified professional people to manage their information security requirements.
Being connected to the internet equals can be hacked. No matter how secure your system is, the possibility of being hacked is very high.
Do you know that NASA were hacked too? And they have one of the most secure systems in the world, but still got hacked...
And how is Austin Gatt related exactly? Yes he is the minister responsible for MITTS, but would you expect Dolores Cristina to resign or take responsibility if your kid's schoolteacher decided to ignore the syllabus and teach students whatever he/she wants?
This was a virus/malware infection, brought about by the lack of implementation of security policies and security measures by MITTS employees. The only politics relevant here are MITTS' own internal company politics.
And I thought we were discussing the MITTS hack… Okay okay, Now I know the reasons behind certain postings.. What I really like is the way people project themselves……..
It seems that we are all INTELLIGENT in this country………
May I kindly remind you that the next election is not that far away. In 7 months' time we can use our vote intelligently by electing the RIGHT MEP's to represent us in the European Parliament. I really hope that the P.N. will be taught a lesson and given a good hiding. This is how these people learn to respect our intelligence.
These things are very common. Take a look at the following sites;
CERN Hack
http://infotech.indiatimes.com/Enterprise_IT/CERN_hacked_before_Big_Bang/articleshow/3478847.cms
NASA Hack
http://www.itworld.com/030203nasahack
And a similar hack at an American power grid
http://www.networkworld.com/news/2008/040908-rsa-hack-power-grid.html
Sorry to burst your bubble people.......... But yes, it is possible......
Servers are being hacked all over the world, irrespective of whether it is a Maltese, American or Chinese server.
For your own information:
The US military had suffered several attacks by outsiders since the invention of the internet.
Your internet connection is never secured and your PC is always vulnerable to being hacked once it is hooked up to the internet, in spite of all the firewalls, anti-virus and anti-spyware applications you own.
This week the WiFi WPA encryption has been hacked using a VIDEO CARD!!! http://www.scmagazineuk.com/WiFi-is-no-longer-a-viable-secure-connection/article/119294/
Several large corporations had their web site server hacked and customers' credit card information was leaked.
Next major terrorist attack is expected to be a cyber attack (I’m convinced that it will happen in the near future).
MITTS has suffered the price of the internet. Deal with it!!!
On the other hand, the issue here is negligence from both the employees and the USERS using the system!!!! It’s useless to have a secure system when the users never scan their home/office PCs for spyware and viruses, and don’t own a decent anti-virus.
I am also one of many of others awaiting JPO's resignation ... even though I know I am waiting for this in vain. Shame, shame, shame!!!! If ANYONE is still believing that if such an issue is kept in hush-hush and no fuss is made upon, people will eventually forget all about it, hey ... time to wake up!!!! The pity is that next election is a bit too far ahead ...
OH my GOD what a Banana Republic!!!
And the bottom line is that, as usual, no one seems to be ACCOUNTABLE for all this failure.
Incidentally, the funny thing is that the MITTS chief is abroad on HOLIDAY . Is this a coincidence ???!!!
UNBELIEVABLE!!!
Your reasoning is appreciated. What you omit is that Dr Austin Gatt sounds like coming straight from a banana republic.
Dear Minister,
PLEASSSSSSSSE...... Stop giving us that kind of bull... At least, the LEAST you could now do, is to respect OUR INTELLIGENCE & INTEGRITY.... ALL of you Ministers, are to STOP saying one thing today, and contradict yourselves, the following day....
How come, a few days ago, you were so much AGAINST saying anything now on this case so that we do not DISTURB (!!!), police investigations, and on the CONTRARY, a few days after, you come up with such details and conclusions....!!!!!!!!
AAAAAAHHHH..... YESSSSS.... BECAUSE WE LIVE IN A ``..PAJJIZ TAL-MICKEY MOUSE..``, GOVERNED BY A ``..MICKEY MOUSE..`` TYPE OF GOVERNMENT....... HAAA... HAAA.. HAAA...
In other enterprises with such highly critical information, IT departments have a security team dedicated to ensuring systems are deployed throughout and policies are enforced. If I was on that team, the least I would do was downgrade that team leader's access level, force him to change his password and make sure it does not happen again.
Rather, it was just some dumb fool in the Cairo embassy and hospital who downloaded some rogue program (probably a game or some other such triviality) which was infected with a virus. The user of the Cairo PC must have had elevated rights which allowed him/her to install the game, so the virus got installed along with it. These particular computers did not have adequate virus/malware protection, so the virus remained resident on this computer. Sounds like a personal laptop not under the control of MITTS, but connected to the Cairo network "just to get some internet, please..." It's an internal infection, so no firewall would have stopped this.
However, hearing about MITTS team leaders sharing passwords over the phone and that "not all available security systems were being used" echoes the attitude in the Maltese IT industry. Most IT 'professionals' have no sense of security and hold their elevated accounts as a trophy rather than a responsibility. The IT team at MITTS must realise that they hold keys to an entire country's knowledge, most of which is private information.
ctd
The Gov. Intranet should not be accessible from the outside. I mean, Gov. Intranet servers should always refuse administrative logins from outsiders, irrespective of supplying the correct credentials!
A top banana story except that it is not credible.
No person with a sensible and responsible mind would ever give away his password on the phone. That is the no.1 basic rule in computing as it is in atm banking and other similar things.
That person made a mockery of the whole system-according to this latest spoof.
And what is the result? Yeah you've guessed it.
It is always the same story, administrative blunders here there and everywhere and nobody resigns as if we are on a jolly ride.
Is this the promised serious way of ruining sorry running the country? I don't think so.
While this is happening we are forced to pay through our noses for this bunch of first grade amateurs.
What if they were professionals?
If this Government is serious enough to change its ways, make responsible people from Ministers, MPs to the office cleaner resign; otherwise, it cannot be taken seriously.
It won't last the whole term as it has been caught in a spiders' web.
Very bad times are looming ahead.
Bad bananas
This article may only be convincing for non IT people, but for the rest.... it creates a thousand questions.
Security at MITTS is mandatory. Defaulters should be 'visibly' held responsible. Stricter rules and disciplinary measures together with rigorous management should be introduced. There's little point in creating another 'watchdog' to control a 'watchdog'.
As a Maltese citizen, I do feel embarrassed that our Country's computer system has been hacked!
Why not form two new agencies that way the problem will be solved twice as fast.
Then to show how serious we are we should form another authority to supervise these agencies.
So my conclusion is that if MITTS can't stop spam mail, how can they stop malware and hackers?
I hope the professionals you're referring to are not like the TEAM LEADER who shared his own password... that wasn't a smart move for a professional... unless it's just a cowardly attempt to diminish what really happened... kind of "uh oh, I gave my password on the phone and someone overheard and made this mess... sorry, it wasn't me..."
there is no firewall that can withstand the stupidity of certain people... this team leader, if found guilty, should be banned from working in IT or at least from working in similar positions...
Really?! How come that malware can penetrate so deeply? Government, get a real firewall out there! And please, do not depend on ready made commercial firewalling. You have many professionals, put them to good use. They have the necessary abilities; let your professionals use them!
But tell me, do you know the definition of hacking? Spoofing, worms, key loggers, social engineering, rootkits, you name it.... it's all hacking, because hacking is just a breach through a system. Was the system breached? Hell YES. Then how can Mr. Bill Gatt say this was obviously not a case of hacking? (He thinks he knows something but he knows nada, nil. Oh, he must have another definition for hacking. He's widening my spectrum of knowledge :) )
P.S. you can implement retina scans for all I know... all useless if a team leader is sharing server passwords over the phone!
"written policies and procedures had been regularly ignored, such as sharing of passwords." - PROFESSIONALS.
From these statements I can see that MITTS people are a bunch of amateurs:
1) "All evidence showed that the attack was not made by a professional."
2) it took them 7 hours to realise that there was an unauthorised program on the server
3) "Investigations showed that this software, which could be downloaded for free from the internet"...
4) "On September 17 the same program was found on another computer used by a MITTS employee". 15 days after the first attack! OMG, and are they still sure no email passwords were extracted? LOL, they make me laugh.
And obviously like happens in all cases, a fake resignation takes place. Imagine MITTS controlled nuclear weapons.
Is the minister going to resign or we sweep it under the carpet once again ?
Dr Gonzi wake up and show us who is the leader in this country . Hope you do not end up doing what you have been doing since the election result : that you say one thing and you do another .
All evidence showed that the attack was not made by a professional.
Does this mean that MITTS has been penetrated by someone who is not a professional? How far would a professional have gone?