Nerd For Tech

NFT is an Educational Media House. Our mission is to bring the invaluable knowledge and experiences of experts from all over the world to the novice. To know more about us, visit https://www.nerdfortech.org/.

Researcher finds government cybersecurity is still porous

Taylor Armerding
Published in Nerd For Tech, Oct 21, 2024

Supposedly, the catastrophic breach of the federal government’s Office of Personnel Management (OPM) that started in 2012 but didn’t become public until 2015 was a “wake-up call” that would stimulate vast improvements in cybersecurity within government agencies.

Apparently, not so much. If anything, things may have gotten worse.

That breach, allegedly by hackers working on behalf of the Chinese government, exposed the personal and employment data — including in many cases detailed security clearance information and fingerprint data — of more than 22 million current and former federal employees, ranging from entry-level clerks to former FBI director James Comey.

But here we are more than a decade later, and a single security researcher has documented that, as Ars Technica put it, “Public records systems that courts and governments rely on to manage voter registrations and legal filings have been riddled with vulnerabilities that made it possible for attackers to falsify registration databases and add, delete, or modify official documents.”

That researcher, Jason Parker, in a recent post on GitHub, reported dozens of vulnerabilities, most of them critical, in 19 commercial platforms used by hundreds of government entities including police departments, courts, and government agencies that operate sensitive services like voter registration. The vulnerabilities could allow attackers access to court files, police records, voter records, prison inmate records, and other data connected to government agencies.

On GitHub, Parker wrote that one of the worst vulnerabilities he found was in the Georgia voter registration cancellation portal, “allowing unauthorized individuals to submit a cancellation request without proper identity verification. The issue involved bypassing the driver’s license or Social Security number requirement, leaving the registration of any voter susceptible to exploitation.”

That means all an attacker would need to cancel a voter’s registration was the name, birthdate, and county of residence of the voter.

In another case, Parker found that the New York City Police Department’s officer complaints platform “allowed unauthenticated attackers to access the administrative dashboard. Attackers could view and edit user accounts, SQL queries, database connection information, and officer profile data. Additionally, it was possible to add malicious files.”

In a now-deleted post on Medium, Parker wrote that “these platforms harbor vulnerabilities that could be exploited with ease — even by attackers with minimal technical expertise, thus underscoring the fragility of systems meant to safeguard our most sensitive public records.”

Not doing the basics

Indeed, the cause of most of the vulnerabilities was a failure to implement some of the most basic security measures. “At the heart of the issue is weak permission controls and poor validation of user inputs, allowing attackers to gain unauthorized access to sensitive areas of the system,” Parker wrote, adding that “many platforms rely on predictable user IDs or allow users to manipulate data fields, thus granting themselves higher-level access. Once inside, attackers can view or even alter confidential records, including legal filings and personal data.”

The good news is that all those vulnerabilities have been fixed. Parker worked over the past year with the privacy advocacy group Electronic Frontier Foundation on so-called “responsible disclosure” — notifying the vendors and agencies about the vulnerabilities before making them public. And so far there has been no known exploitation of them, although Parker added a caveat: “A lack of evidence doesn’t prove that it hasn’t happened,” he said in an online interview.

And given the sensitivity of the information involved, the potential damage of such lax security is enormous. Among the comments on the Ars story is this from a reader who identified as “JohnDeL”: “To make matters worse, judges and courts have started sending out questionnaires to potential jurors and telling them that they are ‘legally required to answer.’ The questionnaires include information such as Social Security number, date of birth, mother’s maiden name, places that you’ve lived, marital status, name of spouse.”
“I’ve chewed out two judges over this; neither one seemed to understand that those questionnaires would be a windfall to any identity thief.”

Ironically, Parker’s revelations come more than three years after President Joe Biden’s May 2021 Executive Order on Improving the Nation’s Cybersecurity, a sprawling document hailed as transformative, and that called for improved security practices on multiple levels including multifactor authentication, data encryption, software supply chain security, zero-trust environments, and more.

Yet authentication vulnerabilities — such as insufficient permission checks and lack of identity verification — were among the most frequent of the problems Parker cited. Again, that means the agencies and the vendors they were using weren’t even doing the basics.

Ray Kelly, a Fellow at the software security company Black Duck, said he shares Parker’s concerns. “Issues like input validation, server hardening, and authorization flaws have been prevalent for decades, yet local governments still lag behind,” he said. “A comprehensive overhaul of security protocols is often necessary to address all vulnerabilities and ensure sensitive information is properly protected.”

Parker’s GitHub post, which listed the vulnerabilities he found in the 19 platforms, noted that Granicus GovQA, a platform used by government agencies for managing public records, “demonstrated one of the more significant findings. Attackers were able to easily reset passwords without verifying a user’s identity and, more concerningly, could gain access to usernames and emails by simply manipulating web addresses.”

Hazy in the long term

Parker said at one level the response to his findings has been good, since the vulnerabilities he found have been patched. But he said any long-term response is uncertain.

“I’ve had some conversations with a lawyer for the Senate Judiciary Committee, but they weren’t immediately fruitful and it’s unclear where things have gone behind the scenes,” he said. But he believes one hopeful sign is that “some governments are starting to require things like FedRAMP and StateRAMP.”

RAMP stands for Risk and Authorization Management Program, which helps governments use cloud services securely by providing a standardized approach for security assessments, authorization, and monitoring of cloud services.

“It will help,” Parker said, “but it’s fairly limited thus far.”

Another commenter on the Ars story who identified as “A Very Tired Geek,” wrote that things are unlikely to improve. “Court staffs are filled with people who can barely turn on computers, let alone understand the implications of their actions,” Geek wrote. “They can’t, and in many cases won’t, think through things to their logical ends. Politicians that create and fund the mandates are no better, and in both cases theoretical ideological ends often override reality.”
“The vendors have no incentives to improve this system. Their metrics are to minimize the number of support calls over the lifetime of their deployments. This disincentivizes changes to methods of access and utilization while incentivizing ‘common sense,’ which is anything BUT common or sensible in these cases.”

Yet another commenter, identified as “Enlightened doggo,” called Parker’s findings the “tip of the iceberg. It is generally safe to assume that local government systems are vulnerable given the types of vendors they have and the horrendous wages they pay IT administrators.”

Overhaul needed

Parker’s view aligns with many of the commenters. “Fixing these issues requires more than just patching a few bugs,” he wrote. “It calls for a complete overhaul of how security is handled in court and public record systems.”

“To prevent attackers from hijacking accounts or altering sensitive data, robust permission controls must be immediately implemented, and stricter validation of user inputs enforced. Regular security audits and penetration testing should be standard practice, not an afterthought, and following the principles of secure by design should be an integral part of any software development lifecycle.”
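As an added illustration of the two weaknesses Parker describes (predictable record IDs with no ownership check, and client-manipulated data fields that grant higher-level access) and of the permission controls he calls for, here is a toy records handler in Python with the weak and hardened versions side by side. It is not code from any platform in the report; the record and user data are constructed.

```python
# Added illustration, not code from Parker's report or any named platform:
# a toy "public records" service showing weak object-level authorization and
# mass assignment next to the hardened handlers.

# Constructed sample data: sequential record IDs, each owned by one user.
RECORDS = {
    1001: {"owner": "alice", "body": "filing A"},
    1002: {"owner": "bob", "body": "filing B"},
}
USERS = {
    "alice": {"role": "filer", "email": "a@example.org"},
    "bob": {"role": "filer", "email": "b@example.org"},
    "clerk": {"role": "clerk", "email": "c@example.org"},
}
# Fields a user may change on their own account; "role" is deliberately absent.
EDITABLE_PROFILE_FIELDS = {"email", "phone"}


def get_record_insecure(session_user, record_id):
    # Weak: any logged-in user can walk 1001, 1002, ... and read every filing.
    return RECORDS[record_id]


def can_read(session_user, record_id):
    # Object-level authorization on every lookup: the owner or a clerk may read.
    # Identity comes from the server-side session, never from the request.
    record = RECORDS.get(record_id)
    if record is None:
        return False
    return record["owner"] == session_user or USERS[session_user]["role"] == "clerk"


def get_record(session_user, record_id):
    # Hardened: the authorization check is not optional or caller-supplied.
    if not can_read(session_user, record_id):
        raise PermissionError(f"{session_user} may not read record {record_id}")
    return RECORDS[record_id]


def update_profile_insecure(session_user, fields):
    # Weak: client-controlled dict merged straight into the account, so a request
    # carrying {"role": "clerk"} grants the caller higher-level access.
    return {**USERS[session_user], **fields}


def rejected_fields(fields):
    # Server-side allowlist of editable fields; anything else is rejected.
    return set(fields) - EDITABLE_PROFILE_FIELDS


def update_profile(session_user, fields):
    # Hardened: refuse the whole request rather than silently dropping fields,
    # so an escalation attempt fails loudly and shows up in logs.
    bad = rejected_fields(fields)
    if bad:
        raise PermissionError(f"fields not editable by user: {sorted(bad)}")
    return {**USERS[session_user], **fields}
```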
