http://www.startribune.com/stories/587/5360065.html Pat Doyle Star Tribune April 21, 2005 Reacting to revelations that the state motor vehicle website is vulnerable to hackers, legislators worried Wednesday that more government online sites might be vulnerable to penetration, and their fears were not allayed by the state official who uncovered the weakness. Sen. Thomas Neuville, R-Northfield, asked Legislative Auditor James Nobles if he could offer assurances that the problems with the Department of Public Safety's motor vehicle website are unique among state agencies. "I can assure you it is not the only agency with a problem," Nobles replied. He said later that auditors over the years have noticed weaknesses in online security while conducting other reviews of agencies. "We haven't found any so bad to cause us to recommend a system be shut down," he said. "But we found a lot of problems." The exchange occurred at a hearing of the Legislative Audit Commission, where Public Safety officials told legislators that the department had been falsely assured earlier this year by its information technology employees that problems dating to 2001 had been corrected. "The staff had assured us that ... it was a secure website," said Patricia McCormack, director of driver and vehicle services for the department. Deputy Commissioner Mary Ellison said after the hearing that department officials don't know why they were misinformed or whether employees had lied. "We're investigating it now," she said. The website, which allows drivers to renew license tabs and plates online with a credit card, was taken down April 4, and officials said it could take months to fix the problem and get it running again. As legislators sought answers for how problems in the driver and vehicle services division occurred, Ellison said that the division had sought help last year in securing its site through a homeland security grant awarded to the Department of Administration, but that it hasn't received any. Homeland security grants are distributed by a division of the Department of Public Safety. "There's a huge amount of irony in that," Ellison said, adding that the Public Safety Department might have learned of the problems earlier had it gotten help through the homeland security grant. "That's ridiculous," said Keith Payden, the state's chief information officer and a deputy commissioner of administration. He said the department was trying to determine how to best spend the money among state agencies. Ellison said Public Safety recently received a request for a specific proposal from the Administration Department. Neuville and other legislators asked whether the legislative auditor or other officials could do a comprehensive survey of state agencies to determine the extent of online security problems. But Nobles said such a review would be a difficult undertaking given the variety of computer systems and websites offering government services. Monitoring threats The threat of hackers trying to penetrate state computers is illustrated by the experience of the secretary of state's office, which offers voting and business filing information online. It uses a private firm to monitor Internet transmissions in an effort to detect and deter intruders. In March it found 553,000 incidents deemed unusual; in a typical month, at least 20 to 30 are considered suspicious. "Those are attempts that have not led to breaches," Secretary of State Mary Kiffmeyer said Wednesday. She added that she is confident that her office has blocked any hacking attempt. "You have to stay on top of this every week, every month, every day." _________________________________________ InfoSec News v2.0 - Coming Soon! http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Thu Apr 21 2005 - 10:02:24 PDT