[b]Hackers invade department website
19 January 2006
By REUBEN SCHWARZ[/b]

The Labour Department sent nearly 3000 virus-infected e-mails to unsuspecting members of the public after its website was breached by a hacker.

The e-mails, all with the subject line "Important Update Information", asked people who subscribed to newsletters published by the department to download a security program from a link in the message.

However, the program was a virus that infected computers, allowing hackers to steal information.

The department said the hackers guessed an administrator's password to hack into its website and steal its e-mail subscription lists.

"Basically, someone deliberately trying to enter the website got lucky," acting corporate deputy secretary Raewyn Pointon said.

Nick Bolton, director of Christchurch security firm Firetrust, identified the virus in the e-mail as a "trojan horse" program. Such programs hide themselves and allow hackers to take control of a computer.

In this case, the virus seemed to take pictures of computer screens to steal information to send to a computer in Beijing. This information could include passwords to online bank accounts and credit card details.

Mr Bolton said the virus looked "reasonably sophisticated".

Many major anti-virus programs did not detect the virus, so anyone who did download the file might not realise their computer was infected.

The department did not know whether anyone downloaded the file. The department contacted the 2900 recipients of the e-mail yesterday to apologise and advise them to delete it.

Ms Pointon said the guessed password had since been "significantly changed" but no other major changes would be made to the security of the department's website.

Andy Prow, managing director of Wellington firm Aura Software Security, said it was extremely difficult to guess a good password without a "brute force" attack that used special software to bombard a website with random attempts till one worked.

The Labour Department did not believe such software was used in this case.

"The possible combinations of usernames and passwords are immense and the possibility of guessing a password is remote," Mr Prow said.

"For a password to be guessed, it would normally suggest a weak password policy."