Sex Offender Web sites are insecure
January 12, 2001
Web surfers can browse through files and directories they shouldn't be able to see because of a security vulnerability at several sex offender registry Web sites.
Nine state sex offender registries that are online have had inadequate computer security and easily could have been hacked, an MSNBC.com investigation has found. And in two states, more general criminal records databases also were found to be insecure. The flaws put Web site data at risk and raised the possibility that a computer intruder could add or remove people from the online versions of the databases.
A source at London's 2600 club -- a loosely connected group of computer hackers -- provided MSNBC.com with details of "how even unsophisticated criminals or terrorists could break into sex offender registry databases."
MSNBC.com was able to verify evidence of the flaws -- both the club and MSNBC.com used "non-invasive" methods. The vulnerabilities could be demonstrated simply by viewing files through a Web browser; no computer systems were actually hacked.
In each case, the states failed to take simple steps to protect computers from well-known security vulnerabilities -- some up to two years old. The vulnerable systems were running Microsoft's Internet Information Server, and the fixes involved downloading and installing patches from Microsoft. (MSNBC is a Microsoft-NBC joint venture.)
MSNBC.com informed the states -- Virginia, Michigan, Illinois, North Carolina, Mississippi, Louisiana, Nebraska, Florida and South Carolina -- of the specific flaws earlier this week, and most have since fixed the problems. Some of the states suffered from a single missing patch; others had numerous vulnerabilities.
"Clearly this is a wake-up call," said Terri Teuber, public information officer for the Nebraska State Patrol. "We are not lax in maintaining our security, but the fact that there was a hole tells us we need to do more." Nebraska had a single vulnerability that is now fixed.
Innocent at risk?
The states confirmed the security flaws when contacted by MSNBC.com and agreed the data on their Web sites had been at risk. But each maintained that hackers would have been unable to access or change the official database of sex offender criminals maintained by state and local law enforcement.
Still, the hackers say they could have easily altered data on the Web sites. "Convicted sexual predators could pass due diligence checks and gain access to children and other potential victims by being hidden from the official sex offender registry," said the hacker in an e-mail to MSNBC.com.
"Innocent people could have forged details posted to the [registry], a devastating libel, which could lead to extortion or any number of hate crimes, including vigilante attacks."
The source said he informed each of the Web sites about the problems on his own, and when the sites failed to fix the flaws, he contacted MSNBC.com. It's common practice for so-called "white hat" hackers -- computer security researchers with good intentions -- to find security problems and inform system administrators.
Other data at risk
Several states are putting more general databases of convicted criminals on the Internet and the London 2600 hackers found similar flaws in them, too.
Kentucky launched its "Online Offender Lookup" in December, a database of offenders who are currently serving terms in Kentucky's jail system. The site suffers from numerous flaws -- including no password protection for its database. Jennifer O'Nan, who works in the Governor's Office for Technology for Kentucky State Government, said officials in her office were concerned that the Department of Corrections, which published the site, didn't put enough effort into computer security when it launched the site last month.
Her office is currently reviewing the site's security. The London group also found vulnerabilities in South Carolina's online criminal records database, which sits on the same server as that state's sex offender registry.
Government security spotty
Two of the states -- Mississippi and Virginia -- have suffered hacker attacks to their sex offender databases in the past. They were defaced by intruders in November 1999. Still, the hackers complained, those attacks did not act as a needed wake-up call regarding the need for more diligent security measures.
"The responsible authorities are obviously being negligent in keeping up with computer security since then," the hacker wrote.
While every state involved described the security holes as isolated incidents, information gleaned in dozens of MSNBC.com interviews suggests security at government-run, sex offender registry Web sites can be spotty.
Most database administrators have a host of other duties, and are overworked. In fact, Nebraska's Web site contains the admission that e-mails might not be answered because "Unfortunately, we do not have a full-time webmaster."
"Clearly, our IT people have full plates," Teuber admitted.
Several states outsource a part of their computer administration, and in some cases responsibility for maintaining database security slipped through the cracks. When asked who's responsible for applying security patches, one outsourcing firm admitted, "We're not sure. We're trying to determine that."
Why on the Web
Publication of sex offender data on the Internet is both increasingly popular and increasingly controversial. Since 1997, 28 states have placed sex offender databases on the Internet, according to the nonprofit group "SEARCH, The National Consortium for Justice Information and Statistics."
The data is made public so concerned citizens and institutions can regularly check to see if a known sex offender lives nearby. Effort to make the information widely available began in 1994 after the murder of Megan Kanka, a 7-year-old New Jersey girl who was raped and murdered by a neighbor with two prior sex crime convictions. In 1996, a federal statute known as "Megan's Law" mandated that states release relevant information about child molesters and violent sex offenders to the public.
In 1997, state agencies started turning to the Internet in an effort to make the information more widely available.
Who's in the list
The rules governing who's included online vary widely. In Nebraska, only offenders classified as high risks for "recidivism," or likely repeat offenders, are published online. Louisiana's database is much more inclusive -- even some prostitutes are listed.
Such sites are immensely popular. When Mississippi opened its site last year, it was shut down by a deluge of traffic. More than 1.5 million people have visited Virginia's sex offender registry Web site since Dec. 29, 1998, and over 2.1 million searches have been conducted through North Carolina's site since April 1998.
But increased use of the Internet to distribute the sex offender information has sparked new public debate on the disclosure issue. Advocates say it helps parents and schools protect children. Critics say it keeps ex-convicts from having a fair chance at returning to society.
That renewed debate led members of London's 2600 hacker club to scan sex offender databases looking for obvious flaws. It didn't take long to find them.
Some of the problems
Six of the states had the so-called "Unicode" flaw, which was released in October 2000. That flaw allows anyone to browse through any computer file stored on a Web server -- including files that are supposed to be hidden -- by pasting a single URL into a Web browser.
By itself, that flaw would not allow an intruder to alter data on the Web site, but it would provide an important first step toward breaking into the system. The computer researcher who discovered the flaw told MSNBC.com that he hasn't seen widespread exploitation of the flaw yet, but that may soon come.
"If history is any indication, it usually takes three months for a bug to get firmly planted into the hands of the kiddies," said researcher "Rain Forest Puppy," who discovered the Unicode problem and worked with Microsoft to develop a fix for it. "So if it's going to be an Internet-wide havoc, it will probably start ramping up soon."
But there were often multiple issues at each Web site; many were vulnerable to the much more dangerous "RDS" vulnerability, which allows a hacker to execute commands on a Web site from anywhere across the Internet. That was discovered in August 1999.
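The Unicode flaw described above worked because the server checked a request path for ".." before it had fully decoded overlong UTF-8 byte sequences, so an encoded slash slipped past the check. The following added example (not from the article, nor from any of the states' systems) shows the defensive lesson: canonicalize a request path the way the server ultimately interprets it, then decide whether it escapes the Web root, and run that check over constructed IIS-style log lines to flag the attempts an administrator would want to see. The log lines, IP addresses and paths are all invented for the demonstration.

```python
from urllib.parse import unquote_to_bytes


def canonicalize(path: str) -> str:
    """Percent-decode a request path, then fold overlong two-byte UTF-8
    sequences (lead byte 0xC0/0xC1) down to the ASCII byte they encode,
    which is how the vulnerable server ended up interpreting them.
    Backslashes are normalized to slashes, as IIS accepted either."""
    raw = unquote_to_bytes(path)
    fixed = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            fixed.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            fixed.append(b)
            i += 1
    return fixed.decode("utf-8", "replace").replace("\\", "/")


def escapes_root(path: str) -> bool:
    """True if, after canonicalization, the path climbs above the Web root."""
    depth = 0
    for seg in canonicalize(path).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def flag_requests(log_text: str):
    """Scan W3C-style log lines (date time client-ip method uri status) and
    return (client-ip, uri) for every request whose path escapes the root."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 6:
            continue
        _date, _time, ip, _method, uri, _status = fields[:6]
        if escapes_root(uri):
            hits.append((ip, uri))
    return hits


# Constructed sample log; the third and fourth lines are traversal attempts.
SAMPLE_LOG = """\
2001-01-10 12:00:01 192.0.2.10 GET /registry/search.asp 200
2001-01-10 12:00:05 192.0.2.10 GET /registry/images/logo.gif 200
2001-01-10 12:03:17 198.51.100.7 GET /scripts/..%2f..%2fhidden/list.txt 404
2001-01-10 12:03:22 198.51.100.7 GET /scripts/..%c0%af../hidden/list.txt 200
"""
```

Note that the plain `%2f` attempt was refused (404) while the overlong form succeeded (200); only a check run on the canonical form catches both.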
It can be difficult to assess blame when security vulnerabilities exist at a Web site. Billion-dollar companies with large full-time information technology staffs suffer from computer hacker attacks. Government agencies can't match the salaries offered to security professionals in private industry.
"There needs to be some kind of Senate Judiciary Committee or Attorney General-level investigation into how the various states were allowed to put the innocent at risk in this way," said the London hacker who contacted MSNBC.com. "And funding for the appropriate vulnerability audit and staff re-training to prevent it happening in the future."
Scott Morris, an employee at Datamaxx Applied Technologies, which built Michigan's sex offender database, blamed the software used to run the Web sites. When asked who was responsible for the security problems, he answered "Where should we start, Microsoft?"
"Hackers get to pound away and they find a little hole and they tend to bust it as wide open as they can," he said. Joel de la Garza, a security consultant with Silicon Valley firm Securify.com, agrees that blame should be spread around.
"There is a two-fault problem here," he said. "Administrators are overworked and underpaid. And software vendors are not held liable."
But while that age-old computer security problem hasn't been solved either by big corporations or government agencies, de la Garza says government agencies rushing to put information online will likely continue to suffer from security vulnerabilities. "This is a bad situation," he said.
Source: ZDnet Developer, by Bob Sullivan