Oklahoma Department of Corrections Data Leak
Who Breached: Oklahoma Department of Corrections
Number Affected: Tens of thousands
Information breached: Social Security Numbers
How: Unsecured website
Another security breach caught my attention today. Some very bad website programming left a huge hole in the Oklahoma Department of Corrections website for at least three years - a hole that would allow anyone with very basic SQL knowledge to access the names, addresses and Social Security Numbers of tens of thousands of Oklahoma residents.
Not only was this data freely available to anyone with basic SQL knowledge, but the data could possibly be changed as well. All of the databases for the Department of Corrections could be accessed and possibly altered. That means that public records could be tampered with. You could turn your neighbor into a sex offender or wipe clean your criminal record.
The writer for “thedailywtf” was the one who discovered the breach. During a routine search of the site, he stumbled across information that led him to believe it could be hacked, which he proved in mere seconds.
So, how was this possible? Well, the search function on the Sexual and Violent Offender Registry gave you a little link to “list all results in a printer-friendly format.” That link contained a very long URL containing the SQL statement that created the search results (something it shouldn’t show), and the link could be modified (also bad). So, by changing that URL, you could bring up all the “hidden” information, like SSNs.
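To make the mechanism concrete, here is an added example (not code from the Oklahoma site or from thedailywtf) contrasting a handler that executes SQL received in the URL with one that keeps the query text and column list fixed on the server and only accepts a validated search term. The table, column names and sample rows are constructed for the example.

```python
import sqlite3

PUBLIC_COLUMNS = ("name", "city")  # the only fields the public roster is meant to show

def build_registry():
    """Constructed stand-in for the registry table; names and SSNs are fictitious."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE offenders (name TEXT, city TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO offenders VALUES (?, ?, ?)",
        [("A. Example", "Tulsa", "000-00-0001"), ("B. Sample", "Norman", "000-00-0002")],
    )
    return conn

def printer_friendly_vulnerable(conn, query_params):
    """The flaw described above: the full SQL text travels in the URL and is executed
    as received, so whoever edits the link decides which columns and rows come back."""
    return conn.execute(query_params["sql"]).fetchall()

def printer_friendly_hardened(conn, query_params):
    """Only a search term crosses the trust boundary. The SQL text and the column list
    are fixed in code, and the term is bound as a parameter, never spliced into the query."""
    city = query_params.get("city", "")
    if not (city.isalpha() and len(city) <= 40):  # plain town names only
        raise ValueError("invalid city parameter")
    sql = "SELECT " + ", ".join(PUBLIC_COLUMNS) + " FROM offenders WHERE city = ?"
    return conn.execute(sql, (city,)).fetchall()

if __name__ == "__main__":
    db = build_registry()
    # This is what the generated link did; editing the column list in the URL exposes the hidden fields.
    print(printer_friendly_vulnerable(db, {"sql": "SELECT name, city FROM offenders WHERE city = 'Tulsa'"}))
    # The hardened handler ignores any sql parameter and only honours a validated search term.
    print(printer_friendly_hardened(db, {"city": "Tulsa", "sql": "SELECT ssn FROM offenders"}))
```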
Although this “hack” was brought to the attention of the Department of Corrections, the first “fix” was also easily hack-able. The author of “thedailywtf” then gave them specific instructions to take down the roster pages completely to make the site secure. This fix has now been put in place. You can read the full details here.
Still, it is unknown whether the data was actually accessed, even though it was very easily available. Identity thieves have long been exploiting security issues of this kind. What is known is that it is a scary breach to have happened, and one that definitely could make you concerned about the security of important public records.
Hat tip to Schneier.
Tags: data breach, data leak, department of corrections, oklahoma, hack, hacked, sql, breach, thedailywtf, hacker, identity theft, id theft, sex offenders, registry