Friday, October 23, 2009

UC Berkeley computer science professor and privacy expert, Doug Tygar, consulted about security flaws in CalJOBS website

When "CBS 5 Investigates" discovered a state-run website may be putting hundreds of thousands of Californians at risk of identity theft, they asked UC Berkeley Computer Science professor and privacy expert Doug Tygar to take a look at a problem experienced by laid off worker Tom Diederich.

Diederich had posted his resume on CalJOBS, the state's job site, as is required for getting unemployment benefits. However, when Diederich logged back in to the site the next day, he saw someone else's information, including their name, where they live, email and phone number. The next time, he got someone else's information and the following 5 or 6 times he logged in, he saw the same info about those other people.
Professor Tygar said, "I consider that to be a serious security breach." Moreover, Tygar was able to get into the site and look at other applicants' supposedly private data. "I was able to access other people's personal information including their address, their phone numbers, email, personal details," Tygar said. Just by changing a few numbers in the URL, he was able to go in and change information on peoples' resumes. "I would in fact have been able to go through and change that if I were a malicious attacker," he said.

The glitch that allowed Diederich to click on his bookmark and read other peoples' resumes appears to be fixed. EDD said their web site team is now following up on the other possible vulnerabilities identified by CBS 5 Investigates. They say if such vulnerabilities are found, they will correct them immediately.

See full story at CBS News.

UC Berkeley Professor David Wagner contracted by the state to investigate voting logs

The state of California is conducting a months-long investigation into audit logs inside the state's electronic voting systems after reports of serious problems with the logs, even to the point where an election official or someone else could delete votes while leaving no electronic trail of such action.

According to Secretary of State Debra Bowen, the investigation is examining what the audit logs actually record and whether they can be easily altered or deleted. Bowen, appearing at an event concerning an open source voting project in development, told Threat Level that the state had contracted with David Wagner, a computer scientist with the University of California at Berkeley to investigate what the logs on the Premier/Diebold e-voting system, as well as every other voting system used in California, do and do not record.

See full article in THREAT LEVEL.