E-mails from Arlington County’s news list are staid affairs: announcements of upcoming county events, news about developments approved by the county, or Crime Stoppers alerts.
So the message sent out late on the afternoon of Friday, June 11, was unusual. “Guyanese born reggae artist DIGNITERY is a Capricorn,” it began, going on to list the musician’s influences, Jamaican dance hall greats like Super Cat, Cutty Ranks and Bounty Killer. There was no link to Arlington in Dignitery’s life story, no upcoming shows to promote.
It took some county e-mail subscribers by surprise when it showed up in their inboxes. County staff were surprised and unhappy. The message amounted to an invasion of county bandwidth, and the author of the Dignitery message had hijacked a message system intended exclusively for official use.
Staff have solved the problem of what happened, said Diana Sun, county director of communications, and they’re trying to make sure it can’t happen again. “We’re looking to shut that door and lock it up.”
But that security breach raises concerns about whether county e-mail subscribers could see a more sinister e-mail in the future, said Sushil Jajodia, professor of Information and Software Engineering at George Mason University. “This is happening to other organizations, large banks and universities,” he said. “E-mails are being sent out that your password has been compromised, please send password and we’ll take action.”
Recipients see an e-mail that appears to come from an authentic address, and can be lulled into sending confidential information that way, such as PIN numbers, credit card numbers or other vital information.
The Dignitery message could also signal an ongoing threat to county technologies, said Jim Pebley, a former president of the Civic Federation.
It means that someone had access to a protected Web page on the county server, which also contains information on residents’ Social Security and credit card numbers, and other personal information. “This is the problem facing all these localities when they’re trying to do everything electronically,” said Pebley.
<b>E-MAIL LISTSERV SYSTEMS</b> for the county are set up on a Web page with a blank slate. The page generates a mass e-mail whenever someone writes a message into the blanks and clicks “send.”
Normally, the person clicking “send” is a county employee; the page is password protected. But on June 11, the protection went down. “Anyone who was lucky enough to find the page could send a message,” said Sun.
It wasn’t a hacker, she said. “We weren’t hacked.” The Dignitery message was publicity for a musician, and the name and phone number of his manager were included at the bottom of the message, along with a link to the artist’s Web site. But the Web site is still under construction, and the phone number is disconnected.
Saturday, the next day, was a County Board meeting. Staff spent part of that morning dealing with matters before the Board, and part of their time trying to solve the message problem.
<b>IT’S APPARENTLY NOT</b> subterfuge, Sun said, but county technology staff are still taking it seriously. “We requested that the county attorney follow through with that,” she said. “I was a little surprised they had been so obvious. They made it pretty easy to find themselves.”
Still, Pebley said it can be unnerving to see such vulnerabilities in the county system. “A while back, the treasurer wanted us to start paying some of our bills online, with credit card,” he said. “I said at the time, I don’t know how secure their structure is. I realize stuff happens, but that’s kind of a nightmare.”
Jajodia agreed. Even in an area as tech savvy as Northern Virginia, he said, it can be hard to find qualified computer security experts. “I don’t think organizations, especially at the county … level, are aware of the risks that are associated with putting out this kind of information and doing business through e-mail,” said Jajodia. “You have to invest money and resources to make sure abuses are going to be rare.”
<b>THERE WAS NO ACCESS</b> to confidential information. “The person never had access to the e-mail addresses, or to the system at all,” said Sun, let alone confidential files.
There was a programming flaw in the county Web site, she said, but it was an extremely limited flaw. “It’s not acceptable, and we’re not minimizing it. But there was really only access to the push e-mail system.”
“What assurance can they provide us that that is really the case?” said Jajodia. “What have they found out, what tools are they running?”
Some of those answers are confidential, Sun said, intended to prevent hackers and other intentional security threats from knowing too much about the county’s security system.
“It had not happened before,” she said. “It’s a serious concern, and we’re taking it seriously. It’s a good wake up call.”