PUTNAM COUNTY — On July 10 the Lima News published an article by Sam Shriver entitled, “Area gov’ts beef up cybersecurity,” in regards to a ransomware attack on Fayette County. This article included comments from long-time IT professional and Putnam County Commissioner Michael Lammers regarding Putnam County’s cyber security efforts.

Commissioner Lammers was quoted in this article in a manner that could be construed as boasting of Putnam County’s IT security. The same article also noted that, “A representative in Allen County did not want to discuss their IT capabilities for fear it would encourage a hacker to break into the system.”

It would now appear that this concern was warranted.

“Our county website was hacked on Wednesday the 24th,” said Putnam County’s IT Director Joe Burkhart during a meeting held in the Commissioner Office on Tuesday, July 30. “That was just a YouTube video on a separate page. Nobody would even know there was a hack unless it was the dark web sort of thing.”

“We got rid of that really easy,” said Mr. Burkhart, essentially confirming the statement Commissioner Lammers provided to the Lima News. This breach, and those which have occurred since, are the digital equivalent of spray paint on the side of a building. It’s vandalism. Concerning, yes, but, as of yet, no sensitive information has been accessed, and no essential systems compromised.

“Then, on Friday [July 26] we got hacked again,” Mr. Burkhart continued. “The county’s website and the recycling website both got hacked with a not-so-good picture…They actually replaced the indexed page with their own page.”

The county uses DotNetNuke (DNN), an open source content management system based on Microsoft’s .Net framework. Returning to the vandalism analogy of spray paint on the side of a building, the DNN places the content county administrators want people to see onto a website’s page, just as a building’s owner might place a physical billboard on the side of their building.

The hacker(s) replacing the indexed page with one of their own is the equivalent of taking down a legitimate billboard and putting up an unauthorized one. Again, everything inside the theoretical building remains untouched. Just as the county’s backend IT systems have remained untouched. In this sense, it is perhaps more appropriate to say that the county’s websites have been ‘defaced,’ and not so much, ‘hacked.’

“We thought they got in through the [content management system]. That’s what the Secretary of State’s office said,” Mr. Burkhart continued. “We’ve got backups of everything. So, we took a backup, put it on there, and everything came right back up to our web server.”

“But, it’s still susceptible?” asked Commissioner John Schlumbohm.

“Exactly,” confirmed Mr. Burkhart. “Then, on Sunday I got a call from the Health Dept. Their [website] got hacked. Their [website] is not on a content management system. It’s just an html page, just like a lot of pages out there.”

“Content management is where you have a program you have to log into it to make changes. The Health Dept. doesn’t have that. They actually just make the page and upload the [html] onto a static site.”

Since the Health Dept. does not use the county’s content management system, it is unlikely that this system is the entry point for the ongoing breaches, according to Mr. Burkhart.

“This morning,” he continued, “Between 7-8 a.m., the sheriff’s office, office of public safety, and the Recorder’s page all got hit. On one of the pages, he replaced an html and it took over (i.e. the billboard was changed). On the other ones, he edited the PHP, or changed the PHP. We’re done on that one. We have to go back to the backups for those.”

“None of these pages have any social security numbers or anything like that. They’re all just information pages. That’s all they are,” Mr. Burkhart added. This is true. Everything accessed to this point consists of publicly facing websites with publicly available information. The auditor’s website is maintained on a completely separate server. Records in the Recorder’s Office remain secure. Clerk of Courts’ records remain secure. The Board of Elections’ website is also maintained on separate servers located at a different physical location, and that system is also completely different and kept separate from what is used to conduct elections.

Only the forward facing pages of some county government offices have been defaced, nothing essential or sensitive has been accessed.

How these breaches are occurring remains unknown. The IT department is still going through logs searching for the specific access point the hacker(s) are using, and trying to figure out how they are creating a new user with read/write permission on each county site. Still, options for stopping the attacks are already being explored. Until they are implemented, however, Mr. Burkhart expects the digital vandalism to possibly continue.