[ISN] Flaw Found in State Web Sites

From: mea culpa (jerichot_private)
Date: Fri Apr 24 1998 - 14:06:33 PDT


    Forwarded From: Aleph One <aleph1t_private>
    [Aleph One:  Notice the use of "hacker" for "computer security expert"]
    Flaw found in state Web site
    Job listing revealed Social Security numbers, allowed visitors to alter any
    posted resumes
    Associated Press
             LANSING -- A Pennsylvania computer expert uncovered a flaw in a
         state job Web site that made thousands of Social Security numbers
         available on the Internet.
             The flaws were found in the Michigan Works job site where
         people post resumes and search job listings and where employers
         scan applicants. The site is run by the Michigan Jobs Commission.
             Since February, the site has been the main tool for people
         looking for work with the state's help. Unemployed workers who get
         state jobless benefits are required to register.
             A state spokesman said about 30 people exploited the flaw and
         changed "a handful" of resumes posted on the site, but it was
         unclear if people were changing their own resumes or others.
             The state plans to spend $20,000 to hire a computer hacker to
         see if there are any other holes in the system.
             When posting a resume on the Michigan Works Web site, job
         seekers are required to create a user identification code and a
         password to protect the resume. The site suggests using a Social
         Security number as an easy-to-remember user ID.
             That piqued the interest of Glen Roberts, an Oil City, Pa.,
         privacy advocate who runs his own Web site and hosts a shortwave
         radio show about the Internet.
             He started exploring the site and found that the log -- a
         listing of actions performed by the computer controlling the site
         -- included the user IDs and the passwords of people who had posted
             While the user IDs and passwords were not available on the
         Michigan Works site, Roberts was easily able to obtain them from
         the log. He posted some examples from it to his own Web site, as
         well as links to the log.
             "Not only are thousands of Social Security numbers disclosed to
         the public, the information needed for anyone to be a Job Seeker is
         available," Roberts wrote. "Miscreants could easily go into the
         system and 'update' other people's resumes."
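    The failure the article describes is credentials and Social Security numbers
    ending up in a server log that was itself reachable from the site. The
    following scanner is an added example, not part of the article or of the
    Michigan Works system; it assumes Apache-style access-log lines and that the
    credentials travelled as query-string parameters (the parameter names and the
    sample lines are constructed for illustration). It flags log lines that carry
    login parameters or SSN-shaped user IDs and redacts them before the log is
    stored anywhere it could be read.

```python
import re
from typing import List, Tuple

# Constructed sample access-log lines (not from the Michigan Works site).
# Parameter names and the query-string placement are assumptions.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/1998:09:12:01 -0400] "GET /resume/post?userid=123456789&password=hunter2 HTTP/1.0" 200 512
10.0.0.6 - - [10/Apr/1998:09:12:44 -0400] "GET /jobs/search?keyword=welder HTTP/1.0" 200 2048
10.0.0.7 - - [10/Apr/1998:09:13:10 -0400] "GET /resume/edit?userid=jdoe&password=secret HTTP/1.0" 200 733
"""

# Query parameters that must never be written to a log in clear text.
SENSITIVE_PARAMS = {"userid", "password", "pass", "pwd", "ssn"}
# A 9-digit value, with or without dashes, is treated as SSN-shaped.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
REQUEST_RE = re.compile(r'"(GET|POST) (\S+) HTTP/[\d.]+"')


def scan_and_redact(line: str) -> Tuple[str, List[str]]:
    """Return (redacted_line, findings) for one access-log line.

    Findings are human-readable notes on what the line leaked; the
    redacted line has every sensitive parameter value replaced.
    """
    m = REQUEST_RE.search(line)
    if not m or "?" not in m.group(2):
        return line, []
    path, query = m.group(2).split("?", 1)
    findings: List[str] = []
    kept: List[str] = []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key.lower() in SENSITIVE_PARAMS:
            findings.append(f"{key} logged")
            if SSN_RE.match(value):
                findings.append(f"{key} looks like an SSN")
            kept.append(f"{key}=[REDACTED]")
        else:
            kept.append(pair)
    redacted = line.replace(m.group(2), path + "?" + "&".join(kept), 1)
    return redacted, findings


def scrub_log(text: str) -> List[Tuple[str, List[str]]]:
    """Apply scan_and_redact to every line of a log; keeps line order."""
    return [scan_and_redact(line) for line in text.splitlines()]
```

    The lasting fix is to stop accepting credentials in the URL at all; the
    scrubber only limits the damage from logs that already exist.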
             Roberts did not immediately return messages Tuesday.
             Rick Graim, a spokesman for the Coalition for Effective
         Michigan Employment Services, said he had some privacy concerns
         about the computerized resumes required by the state.
             "To put your complete work record on Internet is kind of
         shaky," he said. "This thing has your name, address and Social
         Security number... If folks can hack their way into NASA and the
         Pentagon, why would the state think this is a safe system?"
             The Web site has been at the center of a fight between the
         state, the federal government and advocates who say it puts some
         unemployed workers at a disadvantage if they don't have the skills
         to use the computer.
             Michigan Jobs Commission officials say the system works well
         and saves the state money while still helping workers find jobs.
         U.S. Department of Labor officials say it was put in place without
         its approval and doesn't give some jobseekers enough help finding
             Jim Tobin, a spokesman for the Michigan Jobs Commission, said
         the state took down the Web site shortly after finding out about
         Roberts' page and eliminated the links between the log and Roberts'
         Web page.
             He said the state shut down the system on April 10, a Friday,
         and had it back up by the following Monday.
             State experts found that about 30 people had gained access to
         parts of the huge log file, which covered about two months of
         transactions. A handful of resumes were altered from the same
         computers that accessed the file, but only in minor ways, such as
         changed dates. No resumes were vandalized.
             "It was an error on our part," Tobin said. "We weren't aware
         that (the numbers) were out there."
             Tobin said the state would hire a security expert to test the
         system. And he said the use of Social Security numbers on the site
         was optional; users could come up with any other ID they wanted.
             The site, however, still recommends using a Social Security

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:51:31 PDT