Business Owner Finds State Websites Vulnerable

Security engineer says credit card fraud a possibility

A Wake County small business owner attempting to pay her employees’ withholding tax bill discovered that the state Department of Revenue website was vulnerable to hackers. A cybersecurity engineer said that vulnerability could have exposed the users of multiple state websites to identity and credit card theft.

“Me as a taxpayer, I’m very concerned about this,” Clellie Allen said after identifying the agency’s inadequate security protocols. She and her husband Todd run the Wake Weekly newspaper in Wake Forest.

She raised several alarms with DOR in September after confirming through an online diagnostic tool that the agency’s website got an “F” rating for security protection against a variety of potential hack attacks.

Among the potential attacks Allen found were Logjam, which has been known since May, and Poodle, which was identified in 2014.

“Why these things are not fixed is just unbelievable,” she said. “If this were a corporation … you could expect [customers] to jump ship.”

Even if none of the data has been breached, “it’s just irresponsible on the part of our state government” not to upgrade protocols and warn customers they were at risk, Allen said.

She said the state Division of Employment Security website also receives an “F” grade from SSL Labs for the level of protection it provides users.

In mid-October she demonstrated for Carolina Journal that SSL Labs still assessed both agency websites as vulnerable, and the state had not posted warnings to site users that their sensitive information could be imperiled.

SSL Labs has a free online diagnostic tool that flags vulnerabilities in a web address. SSL stands for Secure Sockets Layer. That is the encryption protocol through which two computers negotiate a secure connection, making information unreadable to others.

A secure connection is identified with “https” in the web address window. During an attack against SSL, the browser still shows the https security indicator. But the attack fools a server into thinking it is negotiating the most secure setting, when the security level actually is being downgraded to make it easier to infiltrate.
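For administrators, the downgrade risk described above comes down to what a server is still willing to negotiate. The following check is an added example, not part of the original article or any state system: it audits a server configuration for the two attacks named here, Poodle (SSL 3.0 with CBC cipher suites) and Logjam (export-grade or small Diffie-Hellman groups). The configuration layout, the sample values and the 2048-bit floor are assumptions made for the example.

```python
# Constructed sample configurations; they describe no real server.
LEGACY = {
    "protocols": ["SSLv3", "TLSv1.0", "TLSv1.2"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA",
                "EXP-EDH-RSA-DES-CBC-SHA", "AES128-SHA"],
    "dh_bits": 1024,
}
HARDENED = {
    "protocols": ["TLSv1.2"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-GCM-SHA256"],
    "dh_bits": 2048,
}

RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1.0": 2, "TLSv1.1": 3, "TLSv1.2": 4}
MIN_DH_BITS = 2048  # assumed policy floor for Diffie-Hellman groups


def uses_dhe(cipher):
    # OpenSSL names finite-field DHE suites with a DHE or EDH token;
    # ECDHE is a separate token and is not affected by Logjam.
    return bool({"DHE", "EDH"} & set(cipher.split("-")))


def is_cbc(cipher):
    # Anything that is not an AEAD or RC4 stream suite uses CBC mode.
    return not any(tag in cipher for tag in ("GCM", "CHACHA20", "RC4"))


def downgrade_floor(cfg):
    """Weakest protocol version the server will still agree to."""
    return min(cfg["protocols"], key=RANK.__getitem__)


def audit(cfg):
    """Return {finding: reason} for the two attacks named in the article."""
    findings = {}
    dhe = [c for c in cfg["ciphers"] if uses_dhe(c)]
    if "SSLv3" in cfg["protocols"] and any(is_cbc(c) for c in cfg["ciphers"]):
        findings["POODLE"] = "SSLv3 with CBC suites can be negotiated"
    if any(c.startswith("EXP") for c in dhe):
        findings["LOGJAM_EXPORT"] = "export-grade DHE suite is enabled"
    if dhe and cfg["dh_bits"] < MIN_DH_BITS:
        findings["WEAK_DH"] = f"{cfg['dh_bits']}-bit DH group"
    return findings


if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(name, downgrade_floor(cfg), audit(cfg))
```

The hardened configuration has nothing weaker left to fall back to, so a tampered negotiation fails instead of settling on a breakable setting.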

“We are well aware of the issue you raised, and it is not considered high-risk,” Michelle Vaught, a state Department of Information Technology spokesman, told CJ by email. “We are not aware of anyone’s information being compromised.”

She blamed the issue on security updates by the Firefox and Google Chrome web browsers, “not because of anything the state has or has not done, and it is not unique to state government.”

Allen discovered the state vulnerabilities because her updated browsers had higher security settings than the DOR website and would not allow her to access the riskier server.

Vaught acknowledged that browser security updates could make it difficult to access sites that require security certificate authentication, so the Department of Information Technology implemented its own updates “to ensure security with these browsers,” she said.

People who use Windows XP with Internet Explorer version 7 or below are being notified that they need to update their operating systems. Failing to do so results in the inability to access certain state websites, Vaught said.

“I’m like wow, Internet Explorer?” Allen said. “Who uses Internet Explorer? Nobody uses Internet Explorer. Not even PC people use Internet Explorer.”

And while Vaught said DOR put a user notice on its website that the Windows and Explorer 7 updates are necessary to ensure users have “safe and secure access to online resources,” Allen said the notice didn’t go far enough. She believes users should be informed the site is not secure.

“The state absolutely has a responsibility to be aware. They should have been aware” that its system had security weaknesses, said Bren Briggs, a network and security engineer for a company in Florida and former Raleigh resident who is familiar with the situation at the DOR website.

“There’s websites, forums, the U.S. Cyber Emergency Response Team does a pretty good job of publishing that sort of data,” as do LWN.net, the SANS Internet Storm Center watchdog organization, and any number of Twitter feeds, among other sites, Briggs said.

The fact that Allen appears to be the first person to discover the problem “means they weren’t really paying attention, were they?” he said.

The state must be extremely vigilant about watching for vulnerabilities such as those Allen’s research has exposed because the security protocol “is the front door to your house, and the Internet is a bad neighborhood. Would you leave your front door open in a bad neighborhood?”

A lot of state agencies might not even be aware that it was an issue, he said. State governments “have a long history of that problem.”

What’s most at risk “is probably the individual user’s communication up to the server,” Briggs said. He doubts widespread state government data would be vulnerable via SSL attack.

Hackers could watch an individual session “as though it was unencrypted,” and steal names, addresses, Social Security numbers, and credit cards, Briggs said.

Encryption protocols or algorithms that are not frequently upgraded become weaker as advances in technology make it easier for hackers to break the codes.

The SSL protocol, among the most widely used to manage private data transmission, is one that has been identified as vulnerable to attack, but it is quick and easy to fix, Briggs said.

If the state system had been compromised, a user might not know until unapproved purchases started showing up on a credit card.

And that might not happen immediately. Identity theft is now “a commercial enterprise” for crime organizations, especially in Eastern Europe and Russia, Briggs said. So a hacker might pull information on many credit cards from a site, and sell them at some later date.

Since at least two North Carolina agencies were identified as being prone to attack, it is conceivable others were, too, Briggs said.

Dan E. Way (@danway_carolina) is an associate editor of Carolina Journal.