Ken Colburn, the CEO of Data Doctors, discusses the recent breach of the Arizona Department of Public Safety’s computer system.
Ted Simons: A computer hacking group that's targeted the CIA and the U.S. senate turned its attention to Arizona last week. Lulz security, or Lulzsec, claimed responsibility for hacking into and stealing files from the state department of public safety's computer system. Here to talk about all of this is Ken Colburn, CEO of valley-based data doctors. Ken, it's always a pleasure.
Ken Colburn: Good to see you, Ted.
Ted Simons: When they say they hacked into the computer system, that's not correct.
Ken Colburn: DPS actual computer systems were never breached. What happened was a handful of I think seven to eight actual email accounts that belonged to officers were compromised. So there's a huge difference between the whole system getting hacked and these guys having their emails exploited.
Ted Simons: When DPS says the larger computer, the larger system - that's still safe? Lock, stock and barrel? That's true?
Ken Colburn: That's true. Everything we've seen in the evidence - the forensic team went through the files to see - did it jive with what they were saying. And they're consistent with these being email attachments, primarily because each file's author, we can dig into the metadata to see who actually created the file. And it was a myriad of people unrelated to the people who got hacked, which is very consistent with you receiving emails attachments from others.
Ted Simons: Basically, talking about emails, this -- one of these, I didn't change my password enough? How did they get into these emails?
Ken Colburn: We don't know for sure. DPS might know, but they are obviously not yet discussing that. But one of things we saw was that the passwords were pretty weak and a weak password makes it real easy. We posted something on our facebook page to show you how easy it is to break into something with a weak password.
Ted Simons: What's a weak password?
Ken Colburn: Six characters, either all numbers or all letters. Takes about 10 minutes for the software that the hackers use to "guess". There's the dictionary attack where they can just try every word in the dictionary. If you use those common mistakes, they'll get into your accounts so fast it's not funny.
Ted Simons: These were rural officers - kind of out in the sticks who may not had the latest up-to-date computer equipment as well. Did they target these people? Find these people?
Ken Colburn: They're making it look like S.B. 1070 was a cause and everything what's happened. They've shut down and so many things have happened. From the beginning, I have said it's a cause taken up because of a hack. So inadvertently came across information and look what we have here and then it took up the sick S.B. 1070 cause because if it was hack based on a cause -- now was that the cause that drove the hack? They wouldn't have gone after the rural officers. They would've literally gone after the DPS system and would have seen a treasure trove of information being released.
Ted Simons: How do you inadvertently come across like this?
Ken Colburn: The hacking community, the way they take advantage and make use of computers all over the world is that they create what are called BOTnets. These are robot computers and unfortunately a lot of people watching this, they're unwittingly participating in these BOTnets right now because they sell for a trick that allowed a piece of software to sneak into their computer. And this person can use it along with 10,000 other pieces of computers that have all been compromised and say, at 2:00 in the morning, attack the PBS website. And that's what happened when PBS.org was taken down. It's a denial of service attack. It's a complexity. They have to compromise a bunch of average Joe computers, and this is my hypothesis, they ran across one or two DPS agents' computers and saw they were DPS agents and had these attachments and said, let's run with this.
Ted Simons: We keep hearing don't open attachments you're not familiar with and don't go to websites you're not familiar with. Because these things can infiltrate. If -- one of these officers simply open an attachment they shouldn't have or -- ?
Ken Colburn: It's quite likely, especially when you consider they're rural officers. I've contended that were probably compromised at home or on an unsecured computer they own or had access to. You think about the fact that email is so accessible and can be accessed from so many places. There's not enough time to talk about all the potential ways they were compromised. If they went into an internet café that has key login software, or if they clicked on a file that allowed something to get in or keeping their security software up to date, there's a million things that can take you anywhere you want by clicking on a link.
Ted Simons: One employee who can check their work email from home, that person slip up there, a house of cards comes down?
Ken Colburn: It's possible. Depending on the access level they have. In this case, based on the evidence, because all they have are email attachments, they didn't get any further than those email attachments. If they had, they could have had this huge database, they're releasing all kinds of information from our organizations much more damaging. Fortunately for DPS it was mostly benign email attachments and certainly disconcerting files but nothing dramatic like a true break-in.
Ted Simons: These things raise the question: How protected is sensitive government information, how protected is my sensitive information?
Ken Colburn: Unfortunately, there's no such thing as a 100% secure system. Other than the really high end, nobody knows about military grade networks we don't have access to. When it comes to the public internet, it's not very secure and it's -- it behooves all of those folks that run websites, you know, this is a wakeup call, anyone could be the next target. Despite the claims of being political and what have you, they're just anarchists and primary hack for the adulation of their friends and Lulz -- doing it for the fun. That's the name of that organization. Fortunately, they've closed up shop, but it's not over.
Ted Simons: How difficult is it to find suspects? Do they leave -- if someone is coming into your system, you would think someone would leave a trail. They don't leave trails?
Ken Colburn: Not at all. There's a number of different ways where you can't get into the technical aspects but the movies where you see they take over a computer and this computer takes that computer -- that's the way they can blend things. They're going to take advantage of the folks I'm talking about out there that are infected and used as a zombie, using those computers to do the hacking and damage. It's real easy to be anonymous on the internet if you know what you're doing, unfortunately.
Ted Simons: Last question: Are we more at frisk our own P.C.s or someone else we exchange email with or our work? I mean where is the greatest risk?
Ken Colburn: The biggest problem everybody watching this has is themselves. The human being is the biggest security risk. Because all it takes is one trick email, one thing, no matter how well you've protected yourself, if you fall for a trick. A common one was, Ted, I can't believe you got caught on video doing this. You get an email, oh, my goodness, and you are just clicking around, you're not thinking about security. You're thinking, I got to see this video. When you get there, you have to update your video player, and -- boom! You've let them in.
Ted Simons: If someone wants your banks account number or social security, because you have to do this or the other. Red flag.
Ken Colburn: And teenage household with high speed internet. Highest risk group out there. And if you're a parent of a teenager, better do your homework.
Ted Simons: Ken, good stuff, good to see you.
Ken Colburn: Thank you, Ted.
Ken Colburn: CEO of Data Doctors;
