Iowa hack just a screw-up. Chinese gov not involved.
Feb 2nd, 2010 by Ryan Meyer
Disclaimer: This article is pure speculation based solely on what was read in the articles below. I am not connected to the incident and public details have been extremely vague.
The Des Moines Register today published an article in which the state publicly linked the Chinese government to the recent Iowa Gaming Commission incident. I highly doubt Chinese government involvement. I suspect the State is simply deflecting the blame.
Analysis:
In this context, "hacked" generally means that someone or something obtained unauthorized access. Don't forget the "something": automated bots are still a very real possibility.
The hacker gained entry to the state’s computer system on Jan. 26 while the state-owned Iowa Communications Network was performing routine maintenance on a firewall. The state firewall functionality was circumvented due to network routing changes.
I suspect "routine maintenance" in this case means "we accidentally put the server in a DMZ for a couple of hours," or simply a mistyped IP address in a rule. It happens. It is extremely unlikely that the change was some small, subtle one and that a human attacker happened to be watching and pounced at that exact moment.
... The hacker then accessed the commission's database because a firewall on the commission's computer system had not been properly patched by a private contractor.
The server sat on a private LAN and was running insecure (unpatched) services. When that private address was exposed to the internet, an automated scanner found the insecure service and exploited it. This is extremely common.
The time between an unpatched service being accidentally exposed to the internet and its being exploited by an automated scanner is referred to as time to infection, and it may average as little as 4 minutes.
There is nothing to show that even if all the patches had been installed, they still wouldn’t have gotten in because they had already gotten through the state’s firewall.
This is the Gaming Commission deflecting blame from Ambient, and it doesn't hold up: anyone on that private LAN, office employees included, could have hacked into the unpatched server at any time. Ambient likely relied solely on automated patch management and was not doing any manual verification. The Gaming Commission apparently wasn't either.
He said the computer server affected by the breach was shut down about 15 minutes after it was compromised.
Either the machine started displaying unusual popups, an IDS flagged outbound bot traffic, or Ambient noticed unusual event log activity. An expert hacker wouldn't trip any of these alarms; Google was compromised by the Chinese government for nearly a month before they noticed. A 15-minute detection window lends strong credence to my suspicion of routine malware.
So what do I think happened?
Someone was performing configuration changes on the firewall and mistyped an IP address, exposing the server. Ambient was slacking off on patch management and the server was vulnerable to something like MS09-050. An automated bot on a hacked machine in China exploited the server and installed a copy of itself, which immediately started scanning for more victims. The IDS picked up the traffic flood and the machine was shut off. The records weren't stolen because no human was ever actually on the machine.
The State and Ambient both made mistakes and had to place the blame somewhere. They didn't want to say that they failed to verify their new firewall configuration before deploying it, or that they failed to verify that a third-party patch management service was doing its job. They certainly didn't want to say that they got infected by the XP AntiVirus 2010 virus. And the automated bot had a Chinese IP. And the Chinese government was just in the press...
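The sequence hypothesized above (an RFC1918 host suddenly accepting an inbound SMB connection from the internet, then fanning out to dozens of hosts on port 445 within a minute) is exactly the kind of thing an IDS or a firewall log review catches in minutes. The script below is an added example, not code from the original post or anything the State or Ambient ran; it assumes a simple hypothetical flow-log format and uses a constructed log, not incident data. It reports exposures (internet to LAN on 135/139/445, accepted), hosts that start scanning (20+ distinct destinations inside 60 seconds), and the gap between the two, which is the "time to infection" discussed earlier.

```python
"""Spot the 'exposed, then exploited, then scanning' pattern in firewall flow logs.

Added example with a constructed log; not the incident's data. Assumed
(hypothetical) line format:
    <epoch_seconds> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <ACCEPT|DROP>
"""
import re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

WORM_PORTS = {135, 139, 445}     # RPC / NetBIOS / SMB: what MS09-050-class worms hit
FANOUT_THRESHOLD = 20            # distinct destinations on worm ports ...
WINDOW_SECONDS = 60              # ... within this window means the host is scanning

# Explicit RFC1918 ranges. (Python's ip_address().is_private also flags the
# documentation ranges 203.0.113.0/24 etc., which we use here as "internet".)
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>ACCEPT|DROP)$"
)


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_flows(lines):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    flows = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        flows.append({"ts": int(d["ts"]), "src": d["src"], "dst": d["dst"],
                      "dport": int(d["dport"]), "action": d["action"]})
    return flows


def find_exposures(flows):
    """Accepted inbound connections from the internet to a LAN host on a worm
    port: the host was reachable when it should have been behind the firewall."""
    return [(f["ts"], f["src"], f["dst"], f["dport"]) for f in flows
            if f["action"] == "ACCEPT" and f["dport"] in WORM_PORTS
            and not is_internal(f["src"]) and is_internal(f["dst"])]


def find_fanout(flows):
    """Per LAN source, count distinct destinations on worm ports in a sliding
    window; record the first moment each host crosses the threshold.
    DROPped attempts count too: a worm scans whether or not it connects."""
    windows = defaultdict(deque)   # src -> deque of (ts, dst)
    first_hit = {}
    for f in sorted(flows, key=lambda f: f["ts"]):
        if f["dport"] not in WORM_PORTS or not is_internal(f["src"]):
            continue
        q = windows[f["src"]]
        q.append((f["ts"], f["dst"]))
        while q and q[0][0] < f["ts"] - WINDOW_SECONDS:
            q.popleft()
        distinct = {dst for _, dst in q}
        if len(distinct) >= FANOUT_THRESHOLD and f["src"] not in first_hit:
            first_hit[f["src"]] = (f["ts"], len(distinct))
    return first_hit


def analyze(lines):
    """Join exposures to later fan-out from the same host: exposed -> infected -> scanning."""
    flows = parse_flows(lines)
    exposures = find_exposures(flows)
    fanout = find_fanout(flows)
    chains = [{"host": dst, "exposed_at": ts, "from": src, "port": port,
               "scanning_at": fanout[dst][0], "seconds_to_scan": fanout[dst][0] - ts}
              for ts, src, dst, port in exposures
              if dst in fanout and fanout[dst][0] >= ts]
    return {"exposures": exposures, "fanout": fanout, "chains": chains}


def sample_log():
    """Constructed log: normal file-share use, a firewall slip, then a worm."""
    lines = [
        "1000 tcp 10.1.2.50:51000 -> 10.1.2.3:445 ACCEPT",     # normal LAN SMB use
        "1005 tcp 10.1.2.3:49152 -> 10.1.2.10:445 ACCEPT",     # one destination: fine
        "1100 tcp 203.0.113.7:40001 -> 10.1.2.3:445 ACCEPT",   # firewall typo: exposed
        "1101 tcp 198.51.100.9:40002 -> 10.1.2.3:445 DROP",    # another probe, blocked
    ]
    # From t=1200 the infected host sweeps the LAN and the internet on 445.
    for i in range(25):
        dst = f"10.1.2.{100 + i}" if i % 2 == 0 else f"192.0.2.{i + 1}"
        lines.append(f"{1200 + i} tcp 10.1.2.3:{50000 + i} -> {dst}:445 ACCEPT")
    return lines


if __name__ == "__main__":
    for c in analyze(sample_log())["chains"]:
        print(f"{c['host']} exposed at t={c['exposed_at']} from {c['from']}; "
              f"scanning {c['seconds_to_scan']}s later")
```

On the constructed log the host is exposed at t=1100 and crosses the scan threshold at t=1219, 119 seconds later. The thresholds are deliberately crude; the point is that a fan-out to 20 new hosts on 445 inside a minute is something no normal workstation or file server does, so it is cheap to alert on and matches the 15-minute shutdown described above.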
Check back tomorrow for an update: What the State did right and how this relates to local businesses and consumers.