SALEM Oregonians who used state websites to pay child support, file unemployment claims and renew their vehicle registration in recent months were vulnerable to attackers who could intercept Social Security numbers and other sensitive information.
The state and private contractors left the door open to what is known as a man in the middle attack by using outdated encryption protocols on some websites. In that scenario, the attacker intercepts data as its passed from the sender to the intended recipient.
A spokeswoman for the Employment Department said Thursday, April 2, that to her knowledge, no ones personal information had been compromised due to the weakness.
State employees do not know how many websites might have this vulnerability because although some information technology work is centralized at the Department of Administrative Services, many agencies have autonomous IT teams and websites, according to Oregon Chief Information Security Officer Stefan Richards.
The Pamplin Media Group/EO Media Group Capital Bureau tested more than a dozen websites and found several with outdated encryption protocols and other weaknesses. Most of the websites tested were on a list of vulnerable websites that a private Web developer sent the Department of Administrative Services in early February.
For example, the Employment Department website still uses the encryption protocol TLS 1.0 that has been known to be vulnerable for years, including at a portal where people are asked to enter Social Security numbers to file an unemployment claim.
A Web portal for Department of Human Services employees uses another older protocol, SSL 2, although the agencys chief information officer Kristen Duus said the site does not contain sensitive information and the agency plans to upgrade it in a couple of weeks.
The Capital Bureau found two other state websites the child support payment portal at the Oregon Department of Justice and the vehicle registration renewal portal at the DMV using a newer, but still outdated and vulnerable, encryption technology called SSL 3.
That does sound bad, wrote Jacob Hoffman-Andrews, senior staff technologist for the Electronic Frontier Foundation, in an email Wednesday, April 1, after he learned of the situation. Its not likely to lead to bulk data breaches, but it means that individuals data is at risk whenever they are accessing these websites.
Richards, the states chief information security officer, also said the older protocols are known to be vulnerable. Im a little bit surprised theres SSL 2 out there, Richards said. He added that the problem needs to be fixed and theres kind of no excuse not to get rid of (SSL 2).
Richards and a spokeswoman for the Department of Justice said in these cases, they need to assess how it would affect the public when they transition off the outdated encryption protocol because many people still use outdated versions of Web browsers that would not display websites with newer technology.
For example, Richards said, people working on computers running Windows XP, which can use up to Internet Explorer 6, would not be able to use that browser to view websites with updated encryption technology.
We receive nearly a $1 million a day in child support payments, serving thousands of Oregon kids and families, DOJ spokeswoman Kristina Edmunson wrote in an email. We are currently in the process of updating our system, and we are always trying to balance security with user needs. Any quick changes to our system can have an immediate impact on Oregonians especially those who are using older smart phones, iPads, etc. Older computers and processors cant always support the higher security measures.
That issue has not stopped some state agencies from upgrading their website security. For example, the state Department of Revenue website where people can pay their taxes, www.payortax.com, uses one of the more secure encryption protocols.
The Capital Bureau tested select state websites using a free online tool from the cyber security company Qualys.
The Department of Justice actually started to transition way from SSL 3 approximately six months ago, and child support is the last area to receive the upgrades. It sounds like this has been a slowly rolling process, Edmunson said Thursday, April 2.
Attorney General Ellen Rosenblum has identified cyber security as an important issue, and is pushing for the Legislature to pass a bill that would expand protections for consumers personal data. The legislation would also allow the state Department of Justice to pursue civil penalties against individuals and organizations that fail to comply.
David House, a DMV spokesman, said the vehicle registration renewal portal is handled by the Department of Administrative Services and the contractor NIC Inc. The Oregon Department of Transportation where the DMV is housed did make a security improvement on its end April 1, when the agency upgraded its digital certificate to replace a certificate that expired March 31.
Richards said even if the Department of Administrative Services where he works decided the entire state government should switch to a newer, more secure encryption technology, it could not order all agencies to make the change. DAS is assessing how many people who use old versions of Internet Explorer and other web browsers that would be cut off from state websites if agencies upgrade to technology that doesnt work with those old browsers.
If the state tomorrow stopped supporting old versions of Web browsers that still use older encryption, wed have to be willing to have as much as 29 percent of our citizens not accessing our sites, Richards said. And despite known vulnerabilities, Youll find lots of sites running SSL 3, Richards said.
A very high priority
For approximately a month, the state has been assessing the impact that an update would have on people with old web browsers. Benjamin Kerensa, a web developer in Portland, contacted the Department of Administrative Services Feb. 6 and told staff he had noticed encryption protocols were outdated. Richards said Kerensas calls and emails caused the Department of Administrative Services to look into the issue, but it was also his understanding employees at the state data center were already aware of the outdated encryption on some websites and were working on a solution.
At the Employment Department, Legislative and Public Affairs Manager Andrea Fogue said the agency has been forced to continue using TLS 1.0 because its computer servers are so old. The agency suffered an unrelated bulk data breach in October that affected more than 800,000 people. It is still under investigation by the Oregon State Police and FBI.
The agency is replacing its servers as part of an IT modernization project, but she declined to provide the age of the old servers because that might reveal vulnerabilities that attackers could exploit. Fogue said IT employees have taken additional steps to encrypt the sensitive information entered by people who use their website so even if an attacker intercepted the information, it would take years to decipher.
This points to why this is such a high priority for us that were taking on this IT modernization project, Fogue said. Its something that we are not only aware of, but its a very high priority for us to address.
Hillary Borrud is a reporter with the Pamplin Media Group/EO Media Group Capital Bureau in Salem.