[ISN] Audit: State voter system left information vulnerable

From: InfoSec News (isn@private)
Date: Fri Mar 18 2005 - 23:27:36 PST


March 18, 2005

LANSING, Mich. (AP) -- State databases with confidential information
from registered voters and driver's licenses in Michigan were not
adequately secure and were vulnerable to computer hackers, state
auditors said in a report released Friday.

The state elections and technology departments agreed that the systems
were vulnerable, but they told the Office of the Auditor General they
are not aware of any time information in the Digital Driver's License
System and the Qualified Voter File was compromised.

State auditors said the departments of state and information
technology did not ensure that an outside contractor effectively
secured the Digital Driver's License System, which may lead to
identity theft. The system included information from about 7.2 million
driver's licenses and 1 million personal identification cards in
January 2004.

Auditors had similar security concerns with the Qualified Voter File,
according to the report that covers records from Sept. 30, 1997 to
June 30, 2004.

The Qualified Voter File was one of the first systems in the country
to compile accurate, up-to-date voter information. It ties 468 local
jurisdictions and 83 counties in Michigan to a database that has the
names and addresses of about 6.8 million registered voters.

"We identified numerous and, in some cases, very significant
vulnerabilities in the configuration of the QVF operating system and
database that preclude management from preventing or detecting
unauthorized access," auditors said in their report.

Auditors said similar security problems with the Qualified Voter File
were discovered in an October 2002 assessment by a private contractor
at the request of the Department of State.

State strategies and the federal Help America Vote Act of 2002 call
for a secure confidential voter information database, but the state
and technology departments were concerned that more security measures
would hurt the performance and function of the system, auditors said.

The state audit was released as lawmakers are trying to clamp down on
the sale of Social Security numbers by private companies after a few
large information brokers reported security breaches that resulted in
scores of stolen identities.

The departments told auditors they have developed a security plan and
have corrected significant areas of vulnerability.

Kelly Chesney, spokeswoman for Secretary of State Terri Lynn Land,
said most of the security issues raised in the audit were addressed
before the report was released.

The Department of State has limited access to the Qualified Voter File
to only those individuals who need it, Chesney said. It is not
available online and information is encrypted when it is transmitted,
she said.

"It's not like this is available online. It's a closed system,"  
Chesney said. "This system is considered one of the best in the
nation. Michigan was used as a model in the Help America Vote Act."

A telephone message seeking additional comment on the audit was left
Friday afternoon with Kurt Weiss, spokesman for the Department of
Information Technology.


On the Net: 
Michigan Office of the Auditor General, http://audgen.michigan.gov 

Bellua Cyber Security Asia 2005 -

This archive was generated by hypermail 2.1.3 : Sat Mar 19 2005 - 01:49:27 PST