[ISN] Hacker calls police database easy target

From: InfoSec News (isn@private)
Date: Wed Dec 03 2003 - 02:11:26 PST

  • Next message: InfoSec News: "[ISN] Top Security Pros Head to National Cybersecurity Summit"

    Forwarded from: William Knowles <wk@private>
    
    http://www.startribune.com/stories/789/4245418.html
    
    Patrick Howe
    Associated Press 
    Published December 3, 2003 
    
    For months, access to a massive database of police files was available
    to anyone with a rudimentary knowledge of computers and an Internet
    link, according to a man who said he looked up files on the system
    several times.
    
    The man told legislators his story, anonymously by phone, during a
    hearing Tuesday on the Multiple Jurisdiction Network Organization
    (MJNO).
    
    After first accessing the system in April, he told Rep. Mary Liz
    Holberg, R-Lakeville, about the system's vulnerabilities in October,
    in part by showing her files the system contained on her. She then
    warned state officials, prompting the state to temporarily shut it
    down.
    
    The system's security was upgraded and it is now running again, though
    with only about half the records it originally contained.
    
    "It was pretty simple," the hacker said of the system, intended for
    police use only. "There was no security, no warning, no nothing."
    
    The man said he accessed the system by simply adding the words
    "PersonSearch/PersonSearch.asp" to the end of the link's normal Web
    address, http://www.mjno.state.mn.
    
    >From there he was able to search any of the system's roughly 8 million
    records, containing police information on people who have been
    suspects, witnesses or victims in crimes in more than 180 law
    enforcement jurisdictions in the state.
    
    It also contains private information such as juvenile records and
    whether a person has applied for a handgun or a permit to carry a
    firearm in public.
    
    While it is used by state agencies and run by state employees on
    state-owned computers, the network is technically owned by a private
    nonprofit group -- the Minnesota Chiefs of Police Association.
    
    In separate testimony, attorney Joseph Rymanowski said he has been
    contacted by others who claimed they were able to access the system
    through simple computer tricks.
    
    Holberg said she allowed the hacker to testify after being assured by
    Bureau of Criminal Apprehension officials that an investigation into
    the hacker's security breach had been closed.
    
    The anonymous testimony was perhaps the most dramatic moment in a
    three-hour hearing that focused on the system's vulnerabilities to
    abuse.
    
    Listed as suspect
    
    Holberg, chairwoman of the House Civil Law Committee, noted that the
    system listed her as a "suspect" because a neighbor complained about
    where her car was parked six years ago.
    
    "That particular neighbor could likely have accused me of anything and
    it would still list me as a suspect," she said.
    
    Legislators also questioned whether the system abides by the state's
    records law, which offers certain privacy protections as well as a
    promise that individuals can find out what information on them is
    contained in statewide computer systems.
    
    Don Gemberling, director of the state's Information Policy Analysis
    Division, said it doesn't appear to comply with the law, in part
    because all the data in it has been considered "confidential
    investigative data" regardless of whether it is considered public in
    the original police files.
    
    "What I heard today is that MJNO doesn't know how its data is
    classified," Gemberling said. "There needs to be some protection for
    individuals because of the bad things that can happen."
    
    Dennis Delmont, executive director of the Chiefs of Police
    association, said the group is working to address those problems. He
    also said he'll be relieved if and when the state is ready to take
    over control of the system.
    
    Holberg said her committee will work on a bill addressing problems
    with the system in the upcoming session of the Legislature.
    
    
     
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    ----------------------------------------------------------------
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ================================================================
    Help C4I.org with a donation: http://www.c4i.org/contribute.html
    *==============================================================*
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Dec 03 2003 - 04:33:33 PST