
Monday, July 27, 2009

Law - More computer problems: Kentucky county's funds stolen by online hackers

This quote from an LCJ story posted yesterday from Kentucky's courts:

Chief Justice John Minton Jr. said in an interview that Jefferson is the only county in which lawyers file notices of final motions, and even there, the process is too unreliable to be used "as a punishment tool."

He said efforts to streamline reporting suffered a major setback last year when a state computer system crashed and case information had to be retyped into new software.

"This is a work in progress," Minton said.

Today the Courier Journal has an amazing, and long, story by Emily Hagedorn about the theft of Bullitt County's funds by Ukrainian hackers. Some quotes:
The world suddenly seemed a lot smaller in late June, following the theft of $415,000 from a bank account belonging to Bullitt County government.

Investigators say Ukrainian criminals hacked their way into Bullitt government computers using malicious code also used to hijack $6 million from banks in the United States, United Kingdom, Spain and Italy in 2007.

Federal investigators are still trying to determine where the Bullitt taxpayers' funds have gone. FBI spokesman David Beyer of the Louisville office said the investigation may take several more weeks.

But computer experts say the malicious code, which Bullitt officials identified as “ZeuS,” is a stealthy type of trojan software popular among hackers. A trojan is a program that appears legitimate but actually performs illicit activity.

“It's one of the biggest malware threats we've seen,” said Don Jackson, director of threat intelligence for Atlanta-based SecureWorks, a computer security consulting company.

And it's become more popular in the past six months, Jackson said, adding that he is seeing two to four major ZeuS incidents a month, compared to one or none in previous months.

Most ZeuS strains are stopped by virus-protection software, but if it gets in, “it's looking over your shoulder when you're doing your banking,” said Elizabeth Clarke, SecureWorks spokeswoman. “It usually grabs everything it needs to play you.”

Bullitt County and its bank, Elizabethtown-based First Federal Savings Bank, are just beginning to grapple with the ramifications left in ZeuS' wake.

Bullitt officials said the culprits hacked into an e-mail to gain access to county government passwords and used them to withdraw funds from an account used to pay county employees.

Bullitt County recovered $105,813.06 of the $415,989.17 discovered missing June 29 by reversing transactions in accounts still containing the stolen money.

The county and bank are battling over who is responsible for the unrecovered funds.

Greg Schreacke, president of First Federal Savings Bank, said the county's computers were compromised, not the bank's, and the bank has refused to refund the rest of the stolen money.

Bullitt Fiscal Court voted July 21 to sue the bank for the unrecovered money, plus interest and legal fees.

Fiscal Court also voted to spend $2,683 for more security measures, including a better router/firewall unit, external drive and hard drive, for the county treasurer.

Other governments have other safeguards to protect against such crimes.

For example, Oldham County government requires physical checks to take money out of accounts, said Shawn Boyle, county financial officer. Money can be transferred online only from one county account to another.

Louisville Metro Government and Oldham Fiscal Court both outsource their payroll, so if the account is compromised, the payroll vendor is responsible for that money.

Louisville also regularly alerts employees to security threats and best Web practices, said Steve Ramirez, chief security officer. * * *

Schreacke said the hackers who stole from Bullitt government were so successful that from the bank's perspective, they transferred money just as if the county had done it.

The layers of protection infiltrated include a separate software program for commercial online banking that's not Web-based and security protocol that recognizes when a different computer accesses it, Schreacke said. A security code is sent via e-mail that is good for 20 minutes and must be used to get into the account.

Transfers also require dual authorization.

The banking software does not allow the administrator's e-mail to be changed, so Schreacke believes someone at the county was alerted to the transactions and approved them.

But Bullitt County Attorney Walt Sholar said no one at the county approved the transactions.

The illegal transfers were discovered after a county employee asked the bank about the account's activity, Schreacke said. * * *

George Cummings, information technology technician with Madisonville-based Computer Knights, an information technology company that contracts with the county, said Bullitt “actually had a really good anti-virus program on there,” which was also up to date.

Posted by Marcia Oddi on July 27, 2009 12:28 PM
Posted to General Law Related