Pickaway County Commissioners, Sheriff Clash Over Reported Hacking Attempt

By Trish Bennett - Circleville Herald Editor

Updated Thu, Oct 10, 2013 10:16 am

The Pickaway County Commissioners cite a lack of evidence in their decision not to pursue action against a Sheriff’s office employee they believe attempted to hack into the county’s computer system on Aug. 13.

Sheriff Robert Radcliff, who launched an outside investigation into the charges when he was notified of the issue on Aug. 20, said he believes the employee has been cleared of any wrongdoing in the event, which was identified as a port scan of the county’s system that originated from an IP address assigned to the Sheriff’s office.

The outside investigation includes two forensic computer experts from the Bureau of Criminal Identification and Investigation (BCI) and an independent investigator from the Ross County Sheriff’s Office.

“Through our investigation, only one employee would have had administrative access, and in a thorough interview with BCI and the independent investigator, there was nothing found,” Radcliff said. “I do not believe there was criminal conduct involving this employee.”

Jay Wippel, president of the Pickaway County Board of Commissioners, said access to the county’s servers was never gained through the port scan, but the commissioners consider it an intentional attempt to hack into the system.

“From our standpoint, BCI confirmed there was a potential breach of the system that came from the Sheriff’s office,” Wippel said. “That’s what we’re being told by our IT person, and it was confirmed by BCI. We know it came from that office, but we don’t know who.”

A report issued by BCI confirms an agent was assigned to the investigation Aug. 21, and the agency obtained a subpoena for records from Time Warner that confirmed the IP address belonged to the Sheriff’s office on the date and time in question.

By the time investigators were able to view network logs and Active Directory logs for the Sheriff’s department, however, the log data no longer existed due to a two-week retention period set by default in the system.

According to BCI’s report, “Based on the aforementioned, there is no evidence to prove the port scanner was run from the sheriff’s department computer system.”

The commissioners — Wippel, Brian Stewart and Harold Henson — met in open session with Judy Wolford, county prosecutor, during their regular meeting Oct. 1 to discuss the attacks on the county’s IT network. Radcliff also was invited to that meeting but was unable to attend due to a scheduling conflict.

During that meeting, which Wolford recommended be held in executive session, a recommendation the commissioners declined, she said BCI confirmed it might be possible to recreate the overwritten logs, but to do so would require removing all computers and servers from the Sheriff’s office and replacing them at great expense to the county. Additionally, since access was never made into the system, any possible charges would be considered a misdemeanor.

Wolford also informed the commissioners on Oct. 1 that the employee in question passed a polygraph test administered by the Pickaway County Sheriff’s polygraph examiner, and the commissioners questioned why the test was not administered by an outside party. At Tuesday’s meeting, Radcliff said he asked Wolford in advance if the test could be administered in-house, and she said it would be OK.

In an unprecedented move, the commissioners published an unapproved draft copy of the minutes from the Oct. 1 meeting on their Web site. Traditionally, minutes must be approved at the next regular meeting before being published online.

Wippel said the commissioners chose not to hold the discussion in executive session because they believed the investigation was over and there was no need for it.

As for publishing a draft copy of the minutes, Wippel cited the importance of the subject matter.

“We felt we needed to get that posted right away,” he said. “They were listed as draft, and we did approve the final minutes from that meeting (Oct. 8).”

The draft minutes, however, contained a specific accusation that was later admitted to be false at the Oct. 8 regular meeting of the commissioners attended by Radcliff and Wolford, as well as Jeff Wappelhorst, computer forensics specialist for BCI; Vicki Angelopoulos, special agent supervisor for the cybercrimes unit at BCI; and Lt. Col. Randy Bliss of the Ross County Sheriff’s Office investigative unit.

According to the draft, “This is the second of such incidences made from an IP address at the PCSO that has occurred since May 2009, and the county’s firewall was enhanced as a result. Also in 2009, a letter was ultimately signed by an individual at the PCSO who admitted responsibility for the prior hacking attempts, stating that neither he, nor anyone at the PCSO, would ever utilize such a tactic again. The letter was also signed by Sheriff Dwight Radcliff.”

Sheriff Robert Radcliff said such a document never existed, but he was able to produce documentation from May of 2009 that indicated access was indeed gained to the county’s server by the same Sheriff’s office employee, who immediately notified his superiors, who in turn notified the county commissioners at the time of the security risk and provided recommendations for steps to correct the problem.

When asked about the specific accusation of a letter that admitted fault in 2009 signed by the employee and the previous Sheriff Radcliff, Wippel said it was a mistake.

“We do not have a letter like that,” he said. “We were told there might be a letter like that, but we can’t find one.”

The draft minutes posted online were revised to remove that section on Tuesday, but they are still published as draft minutes that have not yet been officially approved.

At Tuesday’s meeting, Radcliff said the port scan may have registered as a “false-positive” or that it could have been some type of virus. He then presented the commissioners with documentation from an event in 2010 when the county’s system attacked the Sheriff’s office system for five days before a virus was discovered and eliminated.

Wippel said he could not speak to those issues, but even though the commissioners would not be pursuing the matter further, they still considered it a very serious issue.

“This board considers the information in our system the utmost importance, so any attempt, I don’t care who it was from, is taken seriously,” Wippel said. “Wherever it came from, we take it seriously.”

Though the commissioners will not be pursuing it, Radcliff said the Sheriff’s office investigation by Lt. Col. Bliss is expected to last at least another two weeks.

“That investigation is still moving forward,” Radcliff said. “A complaint has been filed that a criminal act has been committed against the county’s network, and it’s my obligation to follow through with that complaint.”
