Hacked Marin County website prompts shutdown of all California state sites

A hacked county website in California that redirected users to a pornographic site prompted the federal government late Tuesday to initiate a system-wide shutdown of all government sites in the Golden State.

The process was never completed, after state officials urged the feds to reverse their decision to take offline all state websites bearing the "ca.gov" suffix. The U.S. General Services Administration (GSA) is responsible for all ".gov" sites.

"It was kind of like a rolling blackout," Jim Hanacek, spokesman for the California Department of Technology Services, told SCMagazineUS.com today. "Fortunately we were able to get to it before it completely took down 'ca.gov.'"

Aaron McLear, spokesman for Gov. Arnold Schwarzenegger, told SCMagazineUS.com today that the problem began when the website of the Marin County Transportation Authority was compromised by a hacker who redirected some traffic to an erotic website. A county IT representative did not return a call for comment.

The hacker apparently made an adjustment in the domain name system (DNS) server that rerouted certain traffic, Hanacek said.

"That apparently sent a red flag to the federal government," said McLear.

The shutdown process did not get far, and there were no reports of state services being interrupted, he said. Hanacek's department checked with critical departments such as the state Highway Patrol, which reported its web and email systems were operating, albeit slowly. The state declared all operations normal by 10:30 p.m. EST on Tuesday.

Hanacek said he was upset the state was not notified that the federal government was planning to take all state sites offline.

"They just made the change unbeknownst to us," he said. "I think there should have been a notification of a change of that magnitude."

A GSA spokesperson did not return a call for comment.

David Perry, global director of security education at Trend Micro, told SCMagazineUS.com today that the hacker may have embedded a malicious IFRAME or exploited a vulnerable ActiveX control to redirect traffic.

But it does not appear he was looking to profit off the attack, Perry said.

"This seems more like a vandal to me," he said. "It's kind of old school. What we're seeing these days is mostly crimeware. This looks like something from 1998, not something from 2007."
