List: isn
Subject: [ISN] Flaw Found in State Web Sites
From: mea culpa <jericho () dimensional ! com>
Date: 1998-04-24 21:06:33
Forwarded From: Aleph One <aleph1@dfw.net>
[Aleph One: Notice the use of "hacker" for "computer security expert"]
http://www.detnews.com/1998/metro/9804/23/04230041.htm
Flaw found in state Web site
Job listing revealed Social Security numbers, allowed visitors to alter any
posted resumes
Associated Press
LANSING -- A Pennsylvania computer expert uncovered a flaw in a
state job Web site that made thousands of Social Security numbers
available on the Internet.
The flaws were found in the Michigan Works job site where
people post resumes and search job listings and where employers
scan applicants. The site is run by the Michigan Jobs Commission.
Since February, the site has been the main tool for people
looking for work with the state's help. Unemployed workers who get
state jobless benefits are required to register.
A state spokesman said about 30 people exploited the flaw and
changed "a handful" of resumes posted on the site, but it was
unclear if people were changing their own resumes or others.
The state plans to spend $20,000 to hire a computer hacker to
see if there are any other holes in the system.
When posting a resume on the Michigan Works Web site, job
seekers are required to create a user identification code and a
password to protect the resume. The site suggests using a Social
Security number as an easy-to-remember user ID.
That piqued the interest of Glen Roberts, an Oil City, Pa.,
privacy advocate who runs his own Web site and hosts a shortwave
radio show about the Internet.
He started exploring the site and found that the log -- a
listing of actions performed by the computer controlling the site
-- included the user IDs and the passwords of people who had posted
resumes.
While the user IDs and passwords were not available on the
Michigan Works site, Roberts was easily able to obtain them from
the log. He posted some examples from it to his own Web site, as
well as links to the log.
"Not only are thousands of Social Security numbers disclosed to
the public, the information needed for anyone to be a Job Seeker is
available," Roberts wrote. "Miscreants could easily go into the
system and 'update' other people's resumes."
Roberts did not immediately return messages Tuesday.
Rick Graim, a spokesman for the Coalition for Effective
Michigan Employment Services, said he had some privacy concerns
about the computerized resumes required by the state.
"To put your complete work record on Internet is kind of
shaky," he said. "This thing has your name, address and Social
Security number... If folks can hack their way into NASA and the
Pentagon, why would the state think this is a safe system?"
The Web site has been at the center of a fight between the
state, the federal government and advocates who say it puts some
unemployed workers at a disadvantage if they don't have the skills
to use the computer.
Michigan Jobs Commission officials say the system works well
and saves the state money while still helping workers find jobs.
U.S. Department of Labor officials say it was put in place without
its approval and doesn't give some jobseekers enough help finding
work.
Jim Tobin, a spokesman for the Michigan Jobs Commission, said
the state took down the Web site shortly after finding out about
Roberts' page and eliminated the links between the log and Roberts'
Web page.
He said the state shut down the system on April 10, a Friday,
and had it back up by the following Monday.
State experts found that about 30 people had gained access to
parts of the huge log file, which covered about two months of
transactions. A handful of resumes were altered from the same
computers that accessed the file, but only in minor ways, such as
changed dates. No resumes were vandalized.
"It was an error on our part," Tobin said. "We weren't aware
that (the numbers) were out there."
Tobin said the state would hire a security expert to test the
system. And he said the use of Social Security numbers on the site
was optional; users could come up with any other ID they wanted.
The site, however, still recommends using a Social Security
number.
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Dimensional Communications (www.dim.com)
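The flaw described above comes down to two defender-side lessons: credentials and SSN-shaped user IDs ended up in a server log, and the log itself was reachable from the web. The script below is an added example, not code from the original post, the AP article or the Michigan Works site. It assumes an Apache-style common log format and that the login form sent its fields in a GET query string (the article does not say how the credentials reached the log); the parameter names `userid` and `password` and the sample log lines are constructed. It scrubs secret parameters and SSN-shaped values out of each request line and reports how many lines carried them, which is the check you would run over an existing log before deciding whether it has to be treated as a credential exposure.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters whose values must never be written to a log.
# Assumed names; the article does not say what the site's form called them.
SECRET_PARAMS = {"password", "passwd", "pwd"}

# A US Social Security number: 3-2-4 digits, with or without dashes.
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")

# NCSA common log format: client ident user [timestamp] "request" status bytes.
# Only the quoted request line is rewritten; everything else is kept verbatim.
CLF_RE = re.compile(r'^(?P<pre>\S+ \S+ \S+ \[[^\]]+\] ")(?P<req>[^"]*)(?P<post>".*)$')

# Constructed sample lines; the addresses, IDs and password are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Apr/1998:09:12:01 -0400] "GET /resume/login?userid=123-45-6789&password=hunter2 HTTP/1.0" 200 512',
    '10.0.0.7 - - [10/Apr/1998:09:13:44 -0400] "GET /resume/search?keyword=welder HTTP/1.0" 200 2048',
    '10.0.0.9 - - [10/Apr/1998:09:14:10 -0400] "POST /resume/update HTTP/1.0" 302 0',
]


def scrub_url(url):
    """Return (scrubbed_url, findings).

    Values of secret parameters become [REDACTED]; any parameter whose whole
    value looks like an SSN becomes [SSN]. Other parameters are left as they are.
    """
    parts = urlsplit(url)
    findings = []
    cleaned = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SECRET_PARAMS:
            findings.append(f"secret param '{key}'")
            value = "[REDACTED]"
        elif SSN_RE.fullmatch(value):
            findings.append(f"ssn-shaped value in '{key}'")
            value = "[SSN]"
        cleaned.append((key, value))
    # safe="[]" keeps the placeholder brackets readable instead of %5B..%5D
    new_query = urlencode(cleaned, safe="[]")
    return urlunsplit(parts._replace(query=new_query)), findings


def scrub_log_line(line):
    """Scrub one CLF line. Lines that are not CLF are returned unchanged with
    no findings, so a caller can route them to a stricter handler."""
    m = CLF_RE.match(line)
    if not m:
        return line, []
    fields = m.group("req").split(" ")
    # "METHOD URL PROTO" or, for HTTP/0.9, just "METHOD URL"
    if len(fields) not in (2, 3):
        return line, []
    fields[1], findings = scrub_url(fields[1])
    return m.group("pre") + " ".join(fields) + m.group("post"), findings


def audit_log(lines):
    """Scrub every line; return (scrubbed_lines, report) where report maps
    each kind of finding to the number of lines it occurred in."""
    scrubbed, report = [], {}
    for line in lines:
        clean, findings = scrub_log_line(line)
        scrubbed.append(clean)
        for f in findings:
            report[f] = report.get(f, 0) + 1
    return scrubbed, report


if __name__ == "__main__":
    clean_lines, report = audit_log(SAMPLE_LOG)
    for finding, count in sorted(report.items()):
        print(f"{count} line(s): {finding}")
    print()
    print("\n".join(clean_lines))
```

Scrubbing is the fallback, not the fix: the login form should submit credentials in a POST body (which access logs do not record), the user ID should not be an SSN in the first place, and the log directory should never be served by the web server at all. Running the audit over the sample shows one line with an SSN-shaped `userid` and one with a `password` value, and the search and update lines pass through untouched.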