[ISN] State websites' security shaky?

InfoSec News isn at c4i.org
Thu Apr 21 01:24:20 EDT 2005


Pat Doyle
Star Tribune 
April 21, 2005

Reacting to revelations that the state motor vehicle website is
vulnerable to hackers, legislators worried Wednesday that more
government online sites might be vulnerable to penetration, and their
fears were not allayed by the state official who uncovered the

Sen. Thomas Neuville, R-Northfield, asked Legislative Auditor James
Nobles if he could offer assurances that the problems with the
Department of Public Safety's motor vehicle website are unique among
state agencies.

"I can assure you it is not the only agency with a problem," Nobles

He said later that auditors over the years have noticed weaknesses in
online security while conducting other reviews of agencies. "We
haven't found any so bad to cause us to recommend a system be shut
down," he said. "But we found a lot of problems."

The exchange occurred at a hearing of the Legislative Audit
Commission, where Public Safety officials told legislators that the
department had been falsely assured earlier this year by its
information technology employees that problems dating to 2001 had been

"The staff had assured us that ... it was a secure website," said
Patricia McCormack, director of driver and vehicle services for the

Deputy Commissioner Mary Ellison said after the hearing that
department officials don't know why they were misinformed or whether
employees had lied. "We're investigating it now," she said.

The website, which allows drivers to renew license tabs and plates
online with a credit card, was taken down April 4, and officials said
it could take months to fix the problem and get it running again.

As legislators sought answers for how problems in the driver and
vehicle services division occurred, Ellison said that the division had
sought help last year in securing its site through a homeland security
grant awarded to the Department of Administration, but that it hasn't
received any. Homeland security grants are distributed by a division
of the Department of Public Safety.

"There's a huge amount of irony in that," Ellison said, adding that
the Public Safety Department might have learned of the problems
earlier had it gotten help through the homeland security grant.

"That's ridiculous," said Keith Payden, the state's chief information
officer and a deputy commissioner of administration. He said the
department was trying to determine how to best spend the money among
state agencies.

Ellison said Public Safety recently received a request for a specific
proposal from the Administration Department.

Neuville and other legislators asked whether the legislative auditor
or other officials could do a comprehensive survey of state agencies
to determine the extent of online security problems.

But Nobles said such a review would be a difficult undertaking given
the variety of computer systems and websites offering government

Monitoring threats

The threat of hackers trying to penetrate state computers is
illustrated by the experience of the secretary of state's office,
which offers voting and business filing information online.

It uses a private firm to monitor Internet transmissions in an effort
to detect and deter intruders. In March it found 553,000 incidents
deemed unusual; in a typical month, at least 20 to 30 are considered

"Those are attempts that have not led to breaches," Secretary of State
Mary Kiffmeyer said Wednesday.

She added that she is confident that her office has blocked any
hacking attempt. "You have to stay on top of this every week, every
month, every day."

More information about the ISN mailing list