Maryland Department of Assessments & Taxation web exposure
Technorati Tag: Security Breach
Date Reported:
1/4/08
Organization:
State of Maryland
Contractor/Consultant/Branch:
Department of Assessments and Taxation
Towson University's Regional Economic Studies Institute
Victims:
Maryland residents applying for a homestead tax credit
Number Affected:
Unknown*
*roughly 900 people used the system on the day in question.
Types of Data:
Names, addresses and Social Security numbers
Breach Description:
A web application used to collect information from residents over the internet was not adequately secured with encryption leaving some sensitive personal information un-protected while transferred from clients to the Web server.
Reference URL:
Washington Times News Story
Report Credit:
Gary Emerling, The Washington Times
Response:
From the online source cited above:
Officials said residents applying Monday for the homestead-tax credit at the Maryland Department of Assessments and Taxation Web site (www.dat.state.md.us) may have exposed their Social Security numbers online because the application system did not have a necessary security certificate to encrypt the information before it was sent out over the Internet.
Robert Young, the department's associate director of assessments and taxation, said the gap briefly left the numbers exposed, but the information was transferred to a secure server after an application was submitted.
[Evan] Let's hope that the "secure server" is actually secure. This breach would not have occurred if proper security testing were carried out prior to production. If the site itself had not been properly tested, should we assume that the secure server had/has been.
"For that minute or so there ... that wasn't encrypted," Mr. Young said. "If they submitted an application, it went to a different section that was encrypted."
[Evan] My interpretation is that the "secure server" encrypts the information and it is stored encrypted. If so, then good work! Although, I could be wrong.
The application system on the site went online Dec. 28 but was not accessed until Monday, after residents had received their assessment notices in the mail. Roughly 900 people used the system that day.
Mr. Young said it would have been nearly impossible for anyone to access the numbers because of the brief amount of time they were exposed and because hackers would have had to tap into Internet transmission lines from a specific location.
[Evan] Not nearly impossible.
"Somebody would have had to been focused in on that site," Mr. Young said. "The chances of that are virtually nil."
[Evan] I do agree that the risk is relatively low, I do not agree that an attacker would have to have "been focused in on that site" in order to capture the information.
Tim Brooks, the institute's associate director in charge of software development, said a hacker would have had to be located right outside the home of a resident accessing the site or outside of the institute's data center at Towson to steal the numbers once they were sent out over the Internet.
[Evan] This is not true. A successful compromise of the data transmission could take place at any point between the resident's computer and the server itself. This would include anywhere between a resident's computer and the resident's internet access point (usually a router), the resident's access point and all traversed points within the resident's internet service provider's (ISP) network, between the resident's ISP and any other traversed points within any other internet network provider on the way to the State of Maryland's ISP, all traversed points within the State of Maryland's ISP, and all traversed points within the Maryland network until it reached the web application server. The risk of compromised between all of these points is still relatively low, but it is unnecessary risk nonetheless.
"While it is technically possible there was some sort of compromise, it is logistically unfeasible," Mr. Brooks said.
[Evan] It is logistically infeasible for a single attacker to capture all of the information sent in the clear.
officials shut down the site on Monday at about 4 p.m. and added the extra protection. The site reopened Wednesday at about 4:15 p.m. and is now secure.
Commentary:
Maybe you read the information about this breach differently, but to me it seems that someone forgot to configure encryption (i.e. http vs. https) for the data in transit to the State of Maryland's web site that was collecting sensitive information.
Althought, I agree with the officials that claim the risk of exposure to resident's personal information is low, it was such an easily avoidable risk. The amount of risk would have risen with the amount of time that the vulnerability existed. Web applications, especially e-commerce shopping carts and others that collect confidential information, must be thoroughly tested by knowledgeable information security personnel prior to production. More than anything else, this breach causes unneeded embarrassment for the State of Maryland and perhaps provides insight into software development practices as it related to information security.
On semi-related note, according to a story posted on the Louisville, Kentucky Courier Journal claims that "A 15-minute search on the Maryland Department of Assessments and Taxation Web site found Social Security numbers on statements filed by creditors who had financed purchases by four consumers in Waldorf, Cambridge, Bowie and Landover in 2003 and 2004."
Past Breaches:
August, 2007 - Stolen laptop from the Maryland Department of the Environment
Date Reported:1/4/08
Organization:
State of Maryland
Contractor/Consultant/Branch:
Department of Assessments and Taxation
Towson University's Regional Economic Studies Institute
Victims:
Maryland residents applying for a homestead tax credit
Number Affected:
Unknown*
*roughly 900 people used the system on the day in question.
Types of Data:
Names, addresses and Social Security numbers
Breach Description:
A web application used to collect information from residents over the internet was not adequately secured with encryption leaving some sensitive personal information un-protected while transferred from clients to the Web server.
Reference URL:
Washington Times News Story
Report Credit:
Gary Emerling, The Washington Times
Response:
From the online source cited above:
Officials said residents applying Monday for the homestead-tax credit at the Maryland Department of Assessments and Taxation Web site (www.dat.state.md.us) may have exposed their Social Security numbers online because the application system did not have a necessary security certificate to encrypt the information before it was sent out over the Internet.
Robert Young, the department's associate director of assessments and taxation, said the gap briefly left the numbers exposed, but the information was transferred to a secure server after an application was submitted.
[Evan] Let's hope that the "secure server" is actually secure. This breach would not have occurred if proper security testing were carried out prior to production. If the site itself had not been properly tested, should we assume that the secure server had/has been.
"For that minute or so there ... that wasn't encrypted," Mr. Young said. "If they submitted an application, it went to a different section that was encrypted."
[Evan] My interpretation is that the "secure server" encrypts the information and it is stored encrypted. If so, then good work! Although, I could be wrong.
The application system on the site went online Dec. 28 but was not accessed until Monday, after residents had received their assessment notices in the mail. Roughly 900 people used the system that day.
Mr. Young said it would have been nearly impossible for anyone to access the numbers because of the brief amount of time they were exposed and because hackers would have had to tap into Internet transmission lines from a specific location.
[Evan] Not nearly impossible.
"Somebody would have had to been focused in on that site," Mr. Young said. "The chances of that are virtually nil."
[Evan] I do agree that the risk is relatively low, I do not agree that an attacker would have to have "been focused in on that site" in order to capture the information.
Tim Brooks, the institute's associate director in charge of software development, said a hacker would have had to be located right outside the home of a resident accessing the site or outside of the institute's data center at Towson to steal the numbers once they were sent out over the Internet.
[Evan] This is not true. A successful compromise of the data transmission could take place at any point between the resident's computer and the server itself. This would include anywhere between a resident's computer and the resident's internet access point (usually a router), the resident's access point and all traversed points within the resident's internet service provider's (ISP) network, between the resident's ISP and any other traversed points within any other internet network provider on the way to the State of Maryland's ISP, all traversed points within the State of Maryland's ISP, and all traversed points within the Maryland network until it reached the web application server. The risk of compromised between all of these points is still relatively low, but it is unnecessary risk nonetheless.
"While it is technically possible there was some sort of compromise, it is logistically unfeasible," Mr. Brooks said.
[Evan] It is logistically infeasible for a single attacker to capture all of the information sent in the clear.
officials shut down the site on Monday at about 4 p.m. and added the extra protection. The site reopened Wednesday at about 4:15 p.m. and is now secure.
Commentary:
Maybe you read the information about this breach differently, but to me it seems that someone forgot to configure encryption (i.e. http vs. https) for the data in transit to the State of Maryland's web site that was collecting sensitive information.
Althought, I agree with the officials that claim the risk of exposure to resident's personal information is low, it was such an easily avoidable risk. The amount of risk would have risen with the amount of time that the vulnerability existed. Web applications, especially e-commerce shopping carts and others that collect confidential information, must be thoroughly tested by knowledgeable information security personnel prior to production. More than anything else, this breach causes unneeded embarrassment for the State of Maryland and perhaps provides insight into software development practices as it related to information security.
On semi-related note, according to a story posted on the Louisville, Kentucky Courier Journal claims that "A 15-minute search on the Maryland Department of Assessments and Taxation Web site found Social Security numbers on statements filed by creditors who had financed purchases by four consumers in Waldorf, Cambridge, Bowie and Landover in 2003 and 2004."
Past Breaches:
August, 2007 - Stolen laptop from the Maryland Department of the Environment
Posts Atom 1.0
Comments