[ISN] State's Web systems bogged down

InfoSec News isn at c4i.org
Mon Jun 13 04:03:56 EDT 2005


June 12, 2005 
ST. PAUL - The delivery of thousands of driver's licenses and state
identification cards was delayed recently and the state's vehicle
registration Web site was suspended because of insecure Web pages and
the limitations of an old computer system.

As the Department of Public Safety works to bring its vehicle
registration site back online, the Star Tribune of Minneapolis learned
that other state agency Web sites may be vulnerable to computer
hackers, including the Department of Transportation, the Board of
Accountancy and the Health Professionals Services Program.

Officials from the health program, which helps doctors and health
workers who have problems with drugs, alcohol and mental or physical
ailments, received an e-mail saying their Web site was being used to
corrupt another computer system, said Monica Feider, manager of the

A computer security company determined that a hacker had hijacked the
program's Web site and gained access to its case management database.

Feider disclosed the problem in a March 31 letter sent to nearly 2,000
health professionals.

"The case management system database includes private and public
information about you," she wrote. "The security company believes that
the primary purpose of the attack was most likely to use our system to
launch additional attacks against other organizations. The security
company also reported that the breach may have been used to seek data
for the purpose of identity theft."

The database includes names, addresses, dates of birth and illnesses
of the health workers. It also includes names and phone numbers of
people who referred them to the program.

"We don't know that any personal data was accessed. That's the most
frustrating piece," she said. "If we could have ruled that out we
wouldn't have had to send the letter. But because we couldn't say for
certain, we decided to err on the side of caution."

At the Board of Accountancy, a hacker forced a weeklong suspension of
the online renewal system earlier this year.

Forensic computer investigators determined the hacker didn't gain
access to private data because it was stored on a separate server,
said Doreen Johnson Frost, the board's executive director.

At the Department of Transportation, a Web site that takes license
plate and credit card information of motorists seeking passes to drive
in freeway fast lanes had offered applications through an online link
that was not secure.

As many as 1,500 motorists were believed to have used the MnDOT site
in April while it had an unsecured link, but it's unclear how many
entered credit card data through that link or through other secured
