SALEM — Oregonians who used state websites to pay child support, file unemployment claims and renew their vehicle registration in recent months were vulnerable to attackers who could intercept Social Security numbers and other sensitive information.
The state and private contractors left the door open to what is known as a “man in the middle attack” by using outdated encryption protocols on some websites. In that scenario, an attacker positioned on the network between the user and the website, for example on a shared Wi-Fi network, intercepts data as it is passed from the sender to the intended recipient; the outdated protocols have known weaknesses that can let such an attacker read the encrypted traffic.
A spokeswoman for the Employment Department said Thursday that, to her knowledge, no one’s personal information had been compromised due to the weakness.
State employees do not know how many websites might have this vulnerability because although some information technology work is centralized at the Department of Administrative Services, many agencies have autonomous IT teams and websites, according to Oregon Chief Information Security Officer Stefan Richards.
The EO Media Group/Pamplin Media Group Capital Bureau tested more than a dozen websites and found several with outdated encryption protocols and other weaknesses. Most of the websites tested were on a list of vulnerable websites that a private web developer sent the Department of Administrative Services in early February.
For example, the Employment Department website still uses the encryption protocol TLS 1.0, whose weaknesses have been known for years, including at the portal where people are asked to enter their Social Security numbers to file an unemployment claim.
A web portal for Department of Human Services employees uses another, even older protocol, SSL 2, although the agency’s chief information officer, Kristen Duus, said the site does not contain sensitive information and the agency plans to upgrade it in a couple of weeks.
The EO Media Group/Pamplin Media Group Capital Bureau found two other state websites — the child support payment portal at the Oregon Department of Justice and the vehicle registration renewal portal at the Department of Motor Vehicles — using SSL 3, an encryption protocol newer than SSL 2 but still outdated and vulnerable.
“That does sound bad!” Jacob Hoffman-Andrews, senior staff technologist for the Electronic Frontier Foundation, wrote in an email Wednesday after he learned of the situation. “It’s not likely to lead to bulk data breaches, but it means that individuals’ data is at risk whenever they are accessing these websites.”
Stefan Richards, Oregon’s chief information security officer, also said the older protocols are known to be vulnerable.
“I’m a little bit surprised there’s SSL 2 out there,” Richards said Wednesday. He added the problem “needs to be fixed” and “there’s kind of no excuse not to get rid of (SSL 2) ...”
Richards and a spokeswoman for the Department of Justice said, in these cases, they need to assess how it would affect the public when they transition off the outdated encryption protocol because many people still use outdated versions of web browsers that would not display websites with newer technology.
For example, Richards said, people with Windows XP, which runs up to Internet Explorer 6, would not be able to use that browser to view websites with updated encryption technology.
“We receive nearly a $1 million a day in child support payments, serving thousands of Oregon kids and families,” DOJ spokeswoman Kristina Edmunson wrote in an email. “We are currently in the process of updating our system, and we are always trying to balance security with user needs. Any quick changes to our system can have an immediate impact on Oregonians — especially those who are using older smart phones, iPads, etc. Older computers and processors can’t always support the higher security measures.”
That issue has not stopped some state agencies from upgrading their website security. For example, the state Department of Revenue website where people can pay their taxes, www.payortax.com, uses one of the more secure encryption protocols.
The EO Media Group/Pamplin Media Group Capital Bureau tested select state websites using a free online tool from the cybersecurity company Qualys.
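The protocol check the Capital Bureau ran through Qualys’s hosted scanner can also be done directly against a server. The following Python script is an added example written for this page; it is not code from the article, from Qualys, or from any of the agencies or contractors named. It hand-builds a TLS ClientHello for each protocol version (SSL 3.0 through TLS 1.2) and classifies the server’s first reply, which matters because a current OpenSSL build refuses to speak SSL 3.0 or TLS 1.0 at all and so cannot be used to detect servers that still accept them. The cipher-suite list, the `example.invalid` placeholder host and the constructed ServerHello and alert bytes used for local checks are assumptions; SSL 2 uses an older, incompatible hello format and is not covered.

```python
"""Minimal TLS protocol-version prober (added example, not the article's code).

For each version in VERSIONS it sends a hand-built ClientHello and reports
whether the server answered with a ServerHello for that same version, a TLS
alert, or simply closed the connection. SSL 2 is not probed: it predates the
TLS record layer and needs a different hello format.
"""
import os
import socket
import struct
import sys

VERSIONS = {
    "SSL 3.0": (3, 0),
    "TLS 1.0": (3, 1),
    "TLS 1.1": (3, 2),
    "TLS 1.2": (3, 3),
}

# Assumed offer list: ECDHE/AES-GCM suites for TLS 1.2 servers plus legacy
# RSA-key-exchange and CBC suites so an old SSL 3.0 / TLS 1.0 server has
# something it recognises. Only the version negotiation is of interest here.
CIPHER_SUITES = [
    0xC02B, 0xC02C, 0xC02F, 0xC030, 0x009C, 0x009D, 0x003C, 0x003D,  # TLS 1.2 only
    0xC013, 0xC014, 0x0033, 0x0039,                                  # ECDHE/DHE + AES-CBC-SHA
    0x002F, 0x0035, 0x000A, 0x0005, 0x0004,                          # RSA kx, AES/3DES/RC4
]


def _ext(ext_type, body):
    """Encode one TLS extension: type (2 bytes), length (2 bytes), body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(version, server_name="example.invalid"):
    """Return a single TLS record carrying a ClientHello for `version`."""
    body = bytes(version)                          # client_version
    body += os.urandom(32)                         # random
    body += b"\x00"                                # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                            # compression methods: null only
    if version > (3, 0):
        # Extensions exist only from TLS 1.0 on; some SSL 3.0 servers reject them.
        sni = server_name.encode()
        sni_list = b"\x00" + struct.pack("!H", len(sni)) + sni
        exts = _ext(0x0000, struct.pack("!H", len(sni_list)) + sni_list)      # server_name
        curves = b"\x00\x17\x00\x18\x00\x1d"       # secp256r1, secp384r1, x25519
        exts += _ext(0x000A, struct.pack("!H", len(curves)) + curves)         # supported_groups
        exts += _ext(0x000B, b"\x01\x00")                                     # ec_point_formats
        if version >= (3, 3):
            sigs = b"\x04\x01\x08\x04\x04\x03\x02\x01"                        # sha256/rsa, pss, ecdsa, sha1/rsa
            exts += _ext(0x000D, struct.pack("!H", len(sigs)) + sigs)         # signature_algorithms
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body                 # type 1 = ClientHello
    record_version = (3, 0) if version == (3, 0) else (3, 1)
    return b"\x16" + bytes(record_version) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record the server sent back.

    Returns ("server_hello", (major, minor)), ("alert", description),
    ("closed", None) for an empty or non-TLS reply, or ("unexpected", None).
    """
    if len(data) < 5 or data[0] not in (0x15, 0x16):
        return ("closed", None)
    if data[0] == 0x15 and len(data) >= 7:
        return ("alert", data[6])                  # level at [5], description at [6]
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:
        return ("server_hello", (data[9], data[10]))
    return ("unexpected", None)


def version_accepted(requested, response):
    """True if the server agreed to `requested`; False if it refused, closed
    the connection or negotiated a lower version; None if uninterpretable."""
    kind, value = response
    if kind == "server_hello":
        return value == requested
    if kind in ("alert", "closed"):
        return False
    return None


def probe(host, port=443, timeout=5.0):
    """Try every version in VERSIONS against host:port; map name -> accepted."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_client_hello(version, host))
                reply = sock.recv(4096)
        except OSError:
            reply = b""                            # reset/timeout counts as refused
        results[name] = version_accepted(version, classify_response(reply))
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"
    for name, ok in probe(target).items():
        state = "ACCEPTED" if ok else ("refused" if ok is False else "unknown")
        print(f"{name}: {state}")
```

Run it as `python3 probe.py hostname` only against hosts you are authorized to test; an `ACCEPTED` beside SSL 3.0 or TLS 1.0 is the finding the article describes. The script stops after the server’s first record, so it neither validates the certificate nor completes a handshake, and a TLS 1.3-only server (which needs the supported_versions extension) will show every version as refused.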
The Department of Justice began transitioning away from SSL 3 approximately six months ago, and child support is the last area to receive the upgrade. “It sounds like this has been a slowly rolling process,” Edmunson said Thursday.
Attorney General Ellen Rosenblum has identified cybersecurity as an important issue, and is pushing for the Legislature to pass a bill that would expand protections for consumers’ personal data. The legislation would also allow the state Department of Justice to pursue civil penalties against individuals and organizations that fail to comply.
David House, a DMV spokesman, said the vehicle registration renewal portal is handled by the Department of Administrative Services and the contractor NIC Inc. The Oregon Department of Transportation where the DMV is housed did make a security improvement on its end Wednesday, when the agency upgraded its digital certificate to replace a certificate that expired March 31.
Richards said even if the Department of Administrative Services, where he works, decided the entire state government should switch to a newer, more secure encryption technology, it could not order all agencies to make the change. DAS is currently assessing how many people using old versions of Internet Explorer and other web browsers would be cut off from state websites if agencies upgrade to technology that doesn’t work with those old browsers.
If the state tomorrow stopped supporting old versions of web browsers that still use older encryption, “we’d have to be willing to have as much as 29 percent of our citizens not accessing our sites,” Richards said. And despite known vulnerabilities, “You’ll find lots of sites running SSL 3,” Richards said.
For approximately a month, the state has been assessing the impact that an update would have on people with old web browsers. Benjamin Kerensa, a web developer in Portland, contacted the Department of Administrative Services Feb. 6 and told staff he had noticed encryption protocols were outdated. Richards said Kerensa’s calls and emails caused the Department of Administrative Services to look into the issue, but it was also his understanding employees at the state data center were already aware of the outdated encryption on some websites and were working on a solution.
At the Employment Department, Legislative and Public Affairs Manager Andrea Fogue said the agency has been forced to continue using TLS 1.0 because its computer servers are so old. The agency suffered an unrelated bulk data breach in October that affected more than 800,000 people. It is still under investigation by the Oregon State Police and FBI.
The agency is replacing its servers as part of an IT modernization project, but she declined to provide the age of the old servers because that might reveal vulnerabilities that attackers could exploit. Fogue said IT employees have taken additional steps to encrypt the sensitive information entered by people who use their website so even if an attacker intercepted the information, “it would take years” to decipher.
“This points to why this is such a high priority for us that we’re taking on this IT modernization project,” Fogue said. “It’s something that we are not only aware of, but it’s a very high priority for us to address.”
This story first appeared in the Oregon Capital Insider newsletter. To subscribe, go to oregoncapitalinsider.com