More state websites found vulnerable

07/27/2005

Pat Doyle, Star Tribune
July 27, 2005

In the aftermath of reports that four state websites were vulnerable to hackers, a recently completed government review found five more government sites that had “critical vulnerabilities” to data thieves or cyber hijackers.

The state moved quickly this spring to fix the five websites after being told of the problems by a computer consultant hired by the state, according to a government memo released Tuesday. However, state officials can’t tell how long the websites were vulnerable before the problems were fixed and can’t rule out that hackers penetrated them.

“While there is no evidence that data on the servers identified with critical vulnerabilities had been compromised, there was a danger until these vulnerabilities were corrected,” said the memo, written by state chief information officer Keith Payden to officials in Gov. Tim Pawlenty’s office.

The review underscores the need for improved security features for state-operated websites, Payden said. But he also said the review proved “somewhat reassuring” in that only five of more than 850 state websites were regarded as having critical vulnerabilities to hackers.

The Pawlenty administration didn’t release the report on the review, done by the firm EDS on a $90,000 contract. Payden said the report is hundreds of pages long and identifies the specific websites that were vulnerable, the kind of data that was exposed and measures taken to correct the problems—information he argued could be helpful to hackers.

Payden said that he, Commissioner of Administration Dana Badgerow and other officials had decided against immediate release of the report, but that they were considering releasing portions of it later if doing so wouldn’t jeopardize security.

Two of the five sites regarded as having critical vulnerabilities had data that was accessible to hackers because it wasn’t encrypted. The state won’t say what kind of data was accessible, only that it wasn’t personal or financial information of state employees or members of the public.

The three other sites considered critical were vulnerable to being hijacked by hackers who could then use those sites to launch attacks on other websites.

Another 297 state websites were considered vulnerable to a lesser degree; someone might have been able to deface a site but not obtain data from or hijack the site.

The five sites having critical vulnerabilities are in addition to the websites run by the Department of Public Safety, the Department of Transportation, the Health Professionals Services Program and the Board of Accountancy that were found earlier this year to have security problems, Payden said.

The legislative auditor drew attention to the Public Safety website in April after the auditor reported that a page used by more than a quarter-million motorists a year to register their vehicles had long been vulnerable to hackers, exposing personal information to the possibility of tampering or theft.

The Star Tribune later learned that a Transportation Department website, which takes license plate and credit card information from motorists seeking passes to drive in freeway fast lanes, offered applications through an online link that was not secured against hackers.