MaltaToday

NEWS | Wednesday, 15 October 2008

CONFIRMED – Over 20,000 government passwords stolen


IT minister Austin Gatt yesterday admitted that more than 20,000 passwords were stolen from the government IT agency, MITTS.
In a shocking declaration he gave in the House of Representatives yesterday night after a month of denials, Gatt revealed that the usernames and passwords of all the MITTS users – from Members of Parliament to ministries, government agencies and departments – were extracted illegally last September.
Although MITTS technicians were alerted to problems on the government server on 4 September, it took them until 24 September to realise that all the passwords had been stolen.
The theft was confirmed by American security experts last week.
In an 11-page statement, the minister admitted that on 4 September 2008 at around 10am, technical operators at the Network Operations Centre (NOC) situated at Gattard House in Blata l-Bajda, noticed that one of the data servers was “manifesting performance problems”.
The server contained the usernames and passwords of all the MITTS clients.
By 5pm of the same day, the technicians found that the server was operating an unauthorised programme that was intended to illegally extract all the usernames and passwords on the server and transmit them elsewhere.
Upon the identification of the programme, the NOC administrator informed the executive management of the investigations that had been carried out until that time.
On the following day, the MITTS chief executive officer Alex Attard appointed MITTS officials of the Information Security and Risk Management Department (ISRM) – who also serve on the National Information Security Authority – to take control of the internal investigation into the incident.
ISRM started immediate investigations, while the executive management started interviewing NOC employees to establish the involvement of staff on duty on the day of the incident.
From the investigation, it emerged that a similar programme to the one executed on 4 September was also executed on 2 and 3 September on the same server.
In the three cases, it was found that the username and password of one of the MITTS team leaders who formed part of NOC, and who had administrator rights on the server, were used to access the server involved in the incident.
On 5 and 6 September, ISRM carried out a total scan of all the computers linked to the government network, to establish if the same programme was present on other computers. In fact, a copy of the programme was found on two other computers: one on the server of the Maltese Embassy in Cairo and the other on a computer at the Mater Dei Hospital.
The Mater Dei computer was seized by ISRM, and a number of CDs were found hidden inside it containing software similar to that found operating on the server.
The installation of this kind of software is strictly prohibited according to ICT government policies.
The MITTS chairman, Claudio Grech, was informed on the night of 5 September and on the following day by ISRM and NOC technical operators that there was a “great probability that no extraction had taken place”.
According to the technical operators, the programme used on 2 and 3 September was incompatible with the information structure of the attacked server, while on 4 September the process had been stopped by the NOC technicians.
“In all cases, the software used was one that can be downloaded for free from the internet and is easily installed and operated – therefore there was no particular sophistication. These conclusions obviously laid everyone’s mind at rest”.
As a result of its preliminary investigations, the executive management had expressed its suspicions about two NOC employees, who together with the team leader were immediately put on forced leave.
ISRM started discussions with the police on 6 September.
“On Sunday 7 September, I was informed of what had happened by the MITTS chairman, who also told me that according to MITTS technicians it was ‘highly unlikely’ that any information had been stolen,” Gatt said.
On the same day, at around 11:45am, it was decided that the investigation and all the material identified had to be passed on to the police, who started their investigations on the same day, independently of MITTS.
On 10 September, an extraordinary meeting was called by the MITTS Board of Directors, in which the executive management presented the facts they had gathered. Although the management was of the belief that the extraction of usernames and passwords was on the low side, the board of directors still issued instructions for an immediate forced password change to eliminate every risk.
This means that over 20,000 MITTS users were forced to change their passwords in one day on 11 September.
“This was why Dr Sant probably (like several others) had problems accessing his email on 12 September,” Gatt said.
The board of directors was convened again on 17 September and briefed further by the executive management, which gave more details about the incident and the measures that were being taken to tackle deficiencies in the system.
“Until that day, the executive management was insisting with the board of directors that there was no evidence of a successful extraction of usernames and passwords,” Gatt said.
In the same meeting, a police officer explained that the police were far from reaching a hypothesis on the case and were excluding nothing.
The directors were also informed that the team leader had admitted to the police that he had communicated his password to another MITTS employee by telephone in the vicinity of other people. He had claimed he did this to solve a technical problem, and that he had not changed his password since.
In the same meeting, the board of directors had sought once again further reassurances from the executive management about the fact that the extraction was unsuccessful, and the management kept its position – that probably the extraction had failed.
On the same day, the same programme was found on a computer of yet another MITTS employee, while the analysis of more logs revealed that the computer of another employee had aggressively pinged the same server involved in the incident.
The employees, who were also put on immediate forced leave, and their computers were handed over to the police.
On 24 September the board of directors asked the executive management to give more updates about the incident and about preventive measures being taken. It was in this meeting that the management expressed, for the first time, its suspicions that the extraction of information on 4 September could have been successful, after all.
“In view of this surprising change, the board of directors gave the executive management two days to analyse all the facts and present its final opinion.”
The board met again on 26 September and was informed by the executive management that at that stage, it was assuming that the extraction of usernames and passwords had been successful.
In the circumstances, the board decided that the team leader and the employee whose computer was found to contain the programme would be suspended without pay. The other employees were kept on forced leave. The public official whose computer at Mater Dei was found to have the programme was put on leave on half-pay.
“I want to make it extremely clear that at no time – neither in these days nor before – was any of these employees, or any other MITTS employee, investigated upon suspicions of having accessed, or modified information or emails of users, including Dr Alfred Sant, Dr Charles Mangion and Dr George Vella,” Gatt said.
“This was also confirmed by the Commissioner of Police to the MITTS Chairman. I also add that it does not result to MITTS that there was any hacking whatsoever of emails belonging to Members of Parliament. I think it is obvious that the case I am talking about is neither hacking nor has it been directed at any person in particular.
“I can also add that Dr Sant’s allegation – that in September last year (or at any other time) he had complained about problems related to his password – was probably more due to a bad use of the system than the probability of hacking.”
At the 26 September meeting, the board of directors had established “in the most clear of ways” that the organisation had a number of deficiencies that it had to tackle most urgently. These deficiencies were in place because the security systems were not all being used, and because established security policies and procedures were being regularly ignored. The classic example was that there was a whole culture of employees giving their personal passwords to each other “to speed up work”.
The board agreed to engage an international company specialised in information security to analyse all the information collected by ISRM and the executive management, with the aim of establishing with certainty whether the extraction had taken place.
An American company was contracted, which sent two experts to Malta on Saturday 4 October. Their expert report was presented to the board of directors on 8 October, concluding that the extraction had taken place successfully on 4 September, and that there was a high probability that the attack originated from the Maltese Embassy in Cairo.
The computer at the embassy was found to be infected by malware that was permitting a connection between the government network and the internet. All the traces indicated that the attack was led by an amateur and not by professionals.
The experts recommended that the embassy’s system be cut off from the government network and that a copy of the hard disks held in Cairo be passed on for analysis.
At the same time, the police reached the same conclusions regarding the origin of the attack and seized all the material for investigation.
“I am informed that none of the MITTS employees are being investigated by the police with regard to the illegal access of email accounts of MITTS users. Although the assumption is that the extraction of usernames and passwords was successful, MITTS so far has no evidence that email accounts were accessed, nor any back-end systems used by the government.”
“This is not the first time that problems related to security of information originate from a Maltese Embassy, and the reason is because of the complex nature of connections between the government network, the internet and the Maltese embassies abroad,” Gatt said.
MITTS approved a series of measures with immediate effect to strengthen security, including issuing a token/smart card to all MPs and the introduction of Secure Mail so that emails are encrypted.
The MITTS board commissioned an external review team to analyse all the circumstances that led to this incident and to list recommendations.
Meanwhile all members on the board of directors offered their resignation.
“I decided not to accept their resignation because it was evident that all the shortcomings were operational and not related to policies adopted by the board… In past years, the board consistently approved all the investments requested by the management that related to security of operations at MITTS. The board took all the right steps consistent with the information that it was given by the management when it was informed about the problem. It was the board itself that insisted on the forced password change,” Gatt said.

 


Copyright © MediaToday Co. Ltd, Vjal ir-Rihan, San Gwann SGN 9016, Malta, Europe
Managing editor Saviour Balzan | Tel. ++356 21382741 | Fax: ++356 21385075