Forwarded From: Aleph One <aleph1t_private>

[Aleph One: Notice the use of "hacker" for "computer security expert"]

http://www.detnews.com/1998/metro/9804/23/04230041.htm

Flaw found in state Web site

Job listing revealed Social Security numbers, allowed visitors to alter any posted resumes

Associated Press

LANSING -- A Pennsylvania computer expert uncovered a flaw in a state job Web site that made thousands of Social Security numbers available on the Internet.

The flaws were found in the Michigan Works job site where people post resumes and search job listings and where employers scan applicants. The site is run by the Michigan Jobs Commission.

Since February, the site has been the main tool for people looking for work with the state's help. Unemployed workers who get state jobless benefits are required to register.

A state spokesman said about 30 people exploited the flaw and changed "a handful" of resumes posted on the site, but it was unclear if people were changing their own resumes or others'.

The state plans to spend $20,000 to hire a computer hacker to see if there are any other holes in the system.

When posting a resume on the Michigan Works Web site, job seekers are required to create a user identification code and a password to protect the resume. The site suggests using a Social Security number as an easy-to-remember user ID.

That piqued the interest of Glen Roberts, an Oil City, Pa., privacy advocate who runs his own Web site and hosts a shortwave radio show about the Internet.

He started exploring the site and found that the log -- a listing of actions performed by the computer controlling the site -- included the user IDs and the passwords of people who had posted resumes.

While the user IDs and passwords were not available on the Michigan Works site, Roberts was easily able to obtain them from the log. He posted some examples from it to his own Web site, as well as links to the log.
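The failure described above is a Web server log that records user IDs and passwords and is then reachable by the public. The article does not say how the credentials ended up in the log; a common way is a login form submitted by GET, so the query string, credentials included, is written to the access log. The following is an added example, not code from the article or from the Michigan Works site, of a defender-side check that a site operator could run over access logs before they are retained or shared: it flags query-string parameters that carry credentials or SSN-shaped user identifiers and produces a redacted copy. The log lines, host names, paths and parameter names are constructed for the example.

```python
import re

# Constructed sample access-log lines in Common Log Format. Hosts, paths and
# parameter names are hypothetical; none of this is from the Michigan Works site.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/1998:09:12:01 -0400] "GET /jobs/search?q=welder HTTP/1.0" 200 5120
10.0.0.7 - - [10/Apr/1998:09:13:44 -0400] "GET /resume/login?userid=123456789&password=hunter2 HTTP/1.0" 302 0
10.0.0.9 - - [10/Apr/1998:09:15:02 -0400] "POST /resume/update HTTP/1.0" 200 310
10.0.0.7 - - [10/Apr/1998:09:16:10 -0400] "GET /resume/login?userid=jdoe&pw=secret HTTP/1.0" 302 0
"""

# Parameter names assumed to carry credentials; extend for the application at hand.
SECRET_PARAMS = {"password", "passwd", "pw", "pass", "pin"}
# Parameter names assumed to carry a user identifier; flagged when the value is SSN-shaped.
USERID_PARAMS = {"userid", "user", "uid", "username", "login"}
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")

# Pulls method, path and optional query string out of the quoted request field.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)(?:\?(?P<query>[^ "]*))? HTTP/[\d.]+"'
)


def classify_line(line):
    """Return a list of (parameter, reason) findings for one access-log line."""
    m = REQUEST_RE.search(line)
    findings = []
    if not m or not m.group("query"):
        return findings
    for pair in m.group("query").split("&"):
        name, _, value = pair.partition("=")
        lname = name.lower()
        if lname in SECRET_PARAMS:
            findings.append((name, "credential in query string"))
        elif lname in USERID_PARAMS and SSN_RE.match(value):
            findings.append((name, "SSN-shaped user identifier"))
    return findings


def redact_line(line):
    """Return the line with flagged query-string values replaced by [REDACTED]."""
    m = REQUEST_RE.search(line)
    if not m or not m.group("query"):
        return line
    flagged = {name for name, _ in classify_line(line)}
    pairs = []
    for pair in m.group("query").split("&"):
        name, _, _ = pair.partition("=")
        pairs.append(f"{name}=[REDACTED]" if name in flagged else pair)
    start, end = m.span("query")
    return line[:start] + "&".join(pairs) + line[end:]


def scan_log(text):
    """Scan a multi-line log; return (findings as (lineno, param, reason), redacted lines)."""
    findings = []
    redacted = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, reason in classify_line(line):
            findings.append((lineno, name, reason))
        redacted.append(redact_line(line))
    return findings, redacted


if __name__ == "__main__":
    found, clean = scan_log(SAMPLE_LOG)
    for lineno, name, reason in found:
        print(f"line {lineno}: parameter {name!r}: {reason}")
    print("\n".join(clean))
```

Redacting logs after the fact only limits what a leaked log reveals; the controls that remove the problem are accepting credentials only in POST bodies so they never reach the access log, keeping the log outside the Web root, and, as the article's own finding implies, not recommending a Social Security number as a user ID in the first place.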
"Not only are thousands of Social Security numbers disclosed to the public, the information needed for anyone to be a Job Seeker is available," Roberts wrote. "Miscreants could easily go into the system and 'update' other people's resumes."

Roberts did not immediately return messages Tuesday.

Rick Graim, a spokesman for the Coalition for Effective Michigan Employment Services, said he had some privacy concerns about the computerized resumes required by the state.

"To put your complete work record on Internet is kind of shaky," he said. "This thing has your name, address and Social Security number... If folks can hack their way into NASA and the Pentagon, why would the state think this is a safe system?"

The Web site has been at the center of a fight between the state, the federal government and advocates who say it puts some unemployed workers at a disadvantage if they don't have the skills to use the computer.

Michigan Jobs Commission officials say the system works well and saves the state money while still helping workers find jobs. U.S. Department of Labor officials say it was put in place without its approval and doesn't give some jobseekers enough help finding work.

Jim Tobin, a spokesman for the Michigan Jobs Commission, said the state took down the Web site shortly after finding out about Roberts' page and eliminated the links between the log and Roberts' Web page. He said the state shut down the system on April 10, a Friday, and had it back up by the following Monday.

State experts found that about 30 people had gained access to parts of the huge log file, which covered about two months of transactions. A handful of resumes were altered from the same computers that accessed the file, but only in minor ways, such as changed dates. No resumes were vandalized.

"It was an error on our part," Tobin said. "We weren't aware that (the numbers) were out there."

Tobin said the state would hire a security expert to test the system.
And he said the use of Social Security numbers on the site was optional; users could come up with any other ID they wanted. The site, however, still recommends using a Social Security number.

-o-
Subscribe: mail majordomot_private with "subscribe isn".
Today's ISN Sponsor: Dimensional Communications (www.dim.com)
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:51:31 PDT