GONE PHISHING

09/07/2017
By Donna Rogers, Editor


Cyber attacks can be thought of as a new form of terrorism—and they can rain down as much destruction. They can instigate data breaches and immense financial loss. They can bring operations to a grinding halt or expose any amount of personal information—causing personal peril to those in sensitive positions. Hackers—both foreign and domestic—constantly attempt to break into banks, law firms, various forms of commerce, and government agencies—and courts are not exempt. 
 
Cyber attacks on our court system are a reality in today’s interconnected world. In 2014, for example, unidentified hackers took aim at the federal court system, blocking access to its public website while preventing lawyers and litigants from filing legal documents online. And a June 2016 cyber attack on the Minnesota Judicial Branch's website underscored a growing threat that state officials warn will become more difficult to combat without additional resources.
Cybercrime comes in different varieties—from phishing to ransomware—and Courts Today examines what the latest dangers are and what courts need to be aware of to mitigate a breach.
 
Minnesota Breach
"Every day, hackers try to find and exploit gaps in Minnesota's networks, hoping to steal sensitive information or bring websites down," said Minnesota IT (MNIT) Services, the agency that administers Minnesota's network, in an article by the Star Tribune on June 25, 2016.  The state web site had just been attacked and shut down. Earlier in the year, Gov. Mark Dayton sought nearly $46 million to upgrade state government computer systems, to better ward off any potential cybersecurity attacks or data breaches. Some of the funding would have also gone toward improving the state's response to a potential data breach. But the funding was never allocated.
 
The Tribune article pointed out the fact that governments didn’t believe they were targets. “Headline-grabbing data breaches have typically focused on instances where hackers steal millions of consumers' financial information from retailers like Target and Home Depot,” it noted. “But experts say that state government systems also are vulnerable targets that hold sensitive information, including bank account information, Social Security numbers and addresses.”
 
The 2016 attack on the Minnesota judicial web site, the second such attack on this court, is known as a distributed denial-of-service (DDoS) attack, whereby a website is overwhelmed with network traffic, effectively blocking out legitimate users. On the positive side, Minnesota court officials said there was no evidence that secure data had been improperly accessed during the attack. Nonetheless, the site was closed down and unavailable to the public for 10 days.
 
According to nearly all accounts, the problem is a worsening one. In the Tribune article, a spokesman for the Minnesota state court administration office, Beau Berentson, noted: "Cybercrime is becoming increasingly organized, and cybercriminals are continually modifying their attacks." MNIT acknowledges on its web page that “state government is a target, and in fact Minnesota’s systems are probed for vulnerabilities and attacks are attempted more than 3 million times each day.”
 
New Levels of Cybercrime
A potent picture of the latest threats unleashed by hackers is portrayed by Symantec Corporation, a leading global cyber security company, in its annual survey, published in April 2017. The Internet Security Threat Report states: “Cyber attackers revealed new levels of ambition in 2016, a year marked by extraordinary attacks, including multi-million dollar virtual bank heists, overt attempts to disrupt the U.S. electoral process by state-sponsored groups, and some of the biggest distributed denial of service (DDoS) attacks on record powered by a botnet of Internet of Things (IoT) devices.”
 
The Internet of Things is the inter-networking of connected devices or smart devices, buildings, vehicles and other items embedded with electronics, software, sensors, actuators, and network connectivity which enable these objects to collect and exchange data, as defined by Wikipedia. Experts estimate that the IoT will consist of about 30 billion objects by 2020.
 
A consortium of court officials in February 2016 addressed the issue with suggested best practices. The Joint Technology Committee (JTC) established by three premier court organizations—the Conference of State Court Administrators, the National Association for Court Management and the National Center for State Courts—published a document that provides a basic explanation of the preparations necessary for court managers to respond quickly and effectively in the event of a cybersecurity incident.
 
According to the JTC report, titled Responding to a Cyberattack, these are the common ways a computer intrusion can occur:
• Unauthorized access — any access to a system, network, or information without authorization has compromised that system. It may come from within the organization, current and former employees, or hostile individuals and organizations halfway around the world.
• Malware and Viruses — Malware, short for MALicious softWARE, is software used to disrupt computer operations, gather sensitive information, or gain unauthorized access. Viruses, worms, and Trojan horses are all forms of malware.
• Attacks that Disrupt Service — Denial of service (DoS) attacks make system resources unavailable for their intended users by either crashing the system, or by overwhelming it with irrelevant requests. A Distributed Denial of Service (DDoS) attack comes from more than one computer IP address.
• Ransomware — A cyber form of hostage-taking, ransomware is malicious software designed to block data or computer system functionality until a sum of money is paid.
• Zero-Day Exploits — Attackers use unintentional flaws or vulnerabilities in a vendor’s hardware or software, exploiting the flaw before the vendor realizes it exists. Often these attacks are not discovered for months or even years. (These vulnerabilities are called “Zero-Day Exploits” because the application author has zero days after the flaw is uncovered in which to create and issue a patch, or warn users of the issue and provide a workaround.)
Changing tactics
Hackers are finding ways that appear effortless to infiltrate computer systems, Symantec notes. “While cyber attacks managed to cause unprecedented levels of disruption, attackers frequently used very simple tools and tactics to make a big impact,” according to the Internet Security Threat Report. “Zero-day vulnerabilities and sophisticated malware now tend to be used sparingly and attackers are increasingly attempting to hide in plain sight. They rely on straightforward approaches, such as spear-phishing emails and ‘living off the land,’ [that is,] by using whatever tools are on hand, such as legitimate network administration software and operating system features.” The report details that, when executed well, living-off-the-land approaches can result in almost symptomless infections.
 
Attackers, ranging from cyber criminals to state-sponsored groups, have clearly begun to change their tactics, making more use of operating system features, off-the-shelf tools, and cloud services to compromise their victims.
 
Mirai, the botnet behind a wave of major DDoS attacks, was primarily composed of infected routers and security cameras. These low-powered and poorly secured devices are among those considered part of the Internet of Things. Symantec research noted “a twofold increase in attempted attacks against IoT devices over the course of 2016 and, at times of peak activity, the average IoT device was attacked once every two minutes.”
 
Malicious emails disguised as routine correspondence, such as invoices or delivery notifications, were meanwhile the favored means of spreading ransomware, the Internet Security Threat Report adds. “Ransomware continues to plague businesses and consumers, with indiscriminate campaigns pushing out massive volumes of malicious emails. Attackers are demanding more and more from victims with the average ransom demand in 2016 rising to $1,077, up from $294 a year earlier.”
 
Symantec emphasizes that cloud attacks have become a reality and are likely to increase in 2017. A growing reliance on cloud services should be an area of concern for enterprises as they present a security blind spot. Many IT staff aren’t aware of the extensive cloud-based apps used within their organizations, the report notes.
 
And finally, says Symantec, although it is a vital communications tool across enterprises, email is one of the prime sources of disruption to the organization. The disruption can range from sometimes harmless spam to more dangerous threats such as the propagation of ransomware or targeted spear-phishing campaigns. The survey found that email malware increased about 70% in 2016, from 1 in 220 emails sent containing malware in 2015, to 1 in 131 emails in 2016.
 
Past Attacks on Public Administrations
In addition to the Minnesota attack, other state and federal governments have experienced major cyber attacks—often with devastating financial impact.
Sometime between the fall of 2012 and February 2013, the Washington State Court system was hacked, and up to 160,000 Social Security numbers and 1 million driver's license numbers of residents may have been accessed during the data breach of its public website. The Administrative Office of the Courts (AOC) reported that no court records were altered and no personal financial information, such as bank account numbers or credit card numbers, is maintained on the site.
 
The breach, considered a “zero-day exploit,” happened due to a vulnerability in an Adobe Systems Inc. software program, ColdFusion, that has since been patched, court officials said. The hack happened sometime after September but wasn't caught until February, they said.
In response, state officials have added a number of additional security measures, including isolating anything that could be sensitive into more protected areas, implementing code to prevent hackers from getting to other parts of a server, and new encryption rules.
Washington state's CIO, Michael Cockrill, said the breach hadn't affected the state's executive branch, which is on a separate network. He added the governor’s office and the state’s IT services would be charged with improving the information security of the judicial systems. "The AOC data breach is a sobering reminder for every branch and every level of government, that protection of personal and confidential data entrusted to government is a paramount responsibility."
 
Two additional accounts of breaches illustrate how costly such errors can be.
In Utah, hackers broke into a Medicaid server in 2012 that a technician had placed online without changing the factory password and then downloaded the personal information of 780,000 Utahns. While some of those were on Medicaid, others were privately insured, uninsured and retirees on Medicare whose providers had sent their data to Medicaid in the hopes of billing the low-income program. Most at risk were the 280,000 individuals whose Social Security numbers were exposed.
 
According to the Salt Lake Tribune, “the state has spent about $9 million on security audits, upgrades and credit monitoring for victims—and that's just the beginning.”
And in Texas, a data breach in 2011 exposed the Social Security numbers, driver's license numbers, and the names and addresses of more than 3.5 million Texans. The exposed personal information was included in files sent to the state comptroller's office by the Teacher Retirement System of Texas, the Texas Workforce Commission and the Employees Retirement System of Texas for use in a property verification system. The data was mistakenly sent unencrypted to the comptroller's office—and was inadvertently exposed on a publicly accessible website for nearly a year.
 
The breach has already cost the comptroller's office more than $1.8 million and could end up costing a whole lot more, according to reports.
 
As of only days after the breach, the state had spent $1.2 million on sending out notification letters, close to $300,000 for Gartner's and Deloitte's services, and another $393,000 to set up a call center for handling queries from those affected by the breach, according to the Austin American-Statesman's website. In addition, the site noted that the identity monitoring service being offered by the comptroller’s office could cost up to $21 million if everyone affected enrolls in it.
The comptroller’s office planned to implement a series of additional measures—including the installation of new data leak prevention software and an enhanced file-transfer system featuring robust encryption capabilities—to mitigate the chances of a similar incident occurring.
On January 24, 2014, a DoS attack blocked access to the federal judiciary, leaving lawyers hard-pressed to meet deadlines and officials scrambling to restore service, according to the Washington Times.
 
The attacks affected bankruptcy, district and appeals courts all across the U.S. for several hours, though the Supreme Court’s site remained up. The outages essentially shut down much of the federal judiciary from a little after 3pm to 7pm on a Friday afternoon. It blocked lawyers, judges and clerks from filing and reviewing documents electronically and prevented public access to judiciary records through the PACER system. Public users of the courts’ electronic system for reviewing records were greeted with an error message, “Server not found.”
 
While little harm was done in that case, court officials everywhere are beginning to acknowledge that a cyberattack on the courts is a matter not of “if” but “when.” Personal data of court patrons is at risk—compromising their identities and inviting fraud. Intrusion into the court systems could sabotage the workings of the judiciary—even introduce subversive information that could throw the outcome of a case.
 
JTC’s Responding to a Cyberattack is worth a read regarding steps courts can take to keep their records safe. As concerns deepen, safeguarding justice networks will become more vital as court leaders work together to sustain our great system of justice. Gone phishing cannot be an option.  CT

 
