CISO Witnesses Hack Like No Other
Bob Maley, as Pennsylvania's chief information security officer, has seen some strange attempts to hack the commonwealth's IT systems, but none like the one he witnessed last weekend.
Here's what Maley told attendees to an RSA Conference panel on state cybersecurity on Wednesday:
"We saw thousands of hits on our Department of Transportation driver license exam scheduling site coming out of Russia, the same thing over and over, scheduling driver license exams. It was encrypted traffic, and we were trying to figure out what the heck is going on. Were they trying to test our systems? What exactly were they up to? The answer was, we really didn't know."
Authorities eventually discovered that the hacker who used a proxy server in Russia to mask his identity owned a driving school in Philadelphia, and exploited a vulnerability in the driving test scheduling system to allow the scheduling of more tests than the allotted time slots. It could take upward of six weeks to schedule a driving test in Philadelphia. Said Maley:
"What he was doing was saying (to potential customers), "You go over across the street, to John's driver training, and it's going to take you six to eight weeks to get your test. We can get you in tomorrow."
Maley asked: Is this hack insidious? Does it rise to a crime of theft of services? These are questions Maley said he and other Pennsylvania officials continue to sort out.