

Ethical Hacking News

Widespread Vulnerabilities Found in Court and Government Systems Across the US


A recent series of disclosures highlights critical vulnerabilities in commercial platforms used by hundreds of courts and government agencies, raising serious concerns about the security and integrity of these systems.


  • Hundreds of US courts and agencies have been affected by critical vulnerabilities in their systems.
  • A software developer has found dozens of critical vulnerabilities in commercial platforms used by these organizations.
  • The Georgia voter registration cancellation portal is vulnerable to unauthorized access, allowing anyone with the voter's name, birthdate, and county of residence to cancel their registration.
  • Local courthouses across the US have reported multiple flaws that allow unauthorized people to access sensitive filings.
  • The Granicus GovQA platform can be hacked by slightly modifying a web address in a browser window, allowing password resets and username/email access.
  • Thomson Reuters' C-Track eFiling system allows attackers to elevate their user status to that of a court administrator with minimal manipulation.
  • Improvements are needed to shore up defenses, including penetration testing, software audits, employee training, and multifactor authentication.



    The use of technology in the administration of justice, voting rights, and other government functions has become ubiquitous in recent years. However, a recent series of disclosures highlights the critical vulnerabilities that exist within the systems used by courts and governments across the United States.

    According to reports, hundreds of courts and agencies have been affected by these vulnerabilities, which were discovered by Jason Parker, a software developer turned security researcher. Over the past year, Parker has found and reported dozens of critical vulnerabilities in commercial platforms used by these organizations. Most of the vulnerabilities were critical, posing significant risks to the security and integrity of the systems.

    One of the most egregious examples is the Georgia voter registration cancellation portal. According to reports, this system allows anyone visiting it to cancel the registration of any voter in the state if they know the voter's name, birthdate, and county of residence. This lack of automated protection against invalid cancellation requests raises serious concerns about the security of the system.

    In addition to the Georgia system, other examples of vulnerabilities have been reported in local courthouses across the country. These systems contain multiple flaws that allow unauthorized people to access sensitive filings such as psychiatric evaluations that are under seal. Furthermore, document management systems used in these courthouses can be manipulated by authorized personnel to assign themselves privileges that are supposed to be available only to clerks of the court. From there, they can create, delete, or modify filings.

    The Granicus GovQA platform, which is used by hundreds of government agencies to manage public records, has also been found to be vulnerable. According to reports, this system can be hacked to reset passwords and gain access to usernames and email addresses simply by slightly modifying the web address showing in a browser window.

    Another example is Thomson Reuters' C-Track eFiling system, which allows attackers to elevate their user status to that of a court administrator. This exploitation requires nothing more than manipulating certain fields during the registration process.
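The GovQA and C-Track issues described above both come down to the server trusting values the client controls: an identifier in the URL and fields in a registration form. The following is an added illustration of the corresponding server-side checks, not code from the article or from either vendor; every field name, role name, and function here is a hypothetical assumption.

```python
from dataclasses import dataclass

# Hypothetical field and role names; not taken from any vendor's product.
SELF_SERVICE_FIELDS = {"username", "email", "display_name"}
REQUIRED_FIELDS = {"username", "email"}
DEFAULT_ROLE = "filer"
ADMIN_ROLE = "court_admin"


class RejectedRequest(Exception):
    """Raised when a request fails a server-side authorization check."""


@dataclass
class User:
    user_id: int
    username: str
    email: str
    display_name: str = ""
    role: str = DEFAULT_ROLE


def register(form: dict, next_id: int, audit: list) -> User:
    """Create an account from an allow-list of fields; the role is set server-side."""
    unexpected = sorted(set(form) - SELF_SERVICE_FIELDS)
    if unexpected:
        # A client sending privilege fields is worth an alert, not a silent drop.
        audit.append(f"registration rejected, unexpected fields: {unexpected}")
        raise RejectedRequest("unexpected fields in registration")
    if not REQUIRED_FIELDS <= set(form):
        raise RejectedRequest("missing required fields")
    return User(user_id=next_id, role=DEFAULT_ROLE, **form)


def get_account(session_user: User, requested_id: int, db: dict, audit: list) -> User:
    """Return an account only if the caller owns it or is an administrator."""
    is_owner = requested_id == session_user.user_id
    if not is_owner and session_user.role != ADMIN_ROLE:
        audit.append(f"user {session_user.user_id} denied access to account {requested_id}")
        raise RejectedRequest("not authorized for this account")
    if requested_id not in db:
        raise RejectedRequest("no such account")
    return db[requested_id]
```

The audit entries double as detection signals: a registration carrying a role field, or a run of denied account lookups from one session, is something a reviewer would want surfaced.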

    While there is currently no indication that these vulnerabilities have been actively exploited, their discovery raises serious concerns about the security and integrity of the systems used by courts and governments across the US.

    In light of this discovery, it is essential for vendors and customers to take immediate action to shore up their defenses. This includes performing penetration testing and software audits, as well as training employees, particularly those in IT departments. Furthermore, multifactor authentication should be universally available for all systems that manage sensitive public data.

    The responsibility for addressing these vulnerabilities lies with the agencies and vendors behind these platforms. As Parker noted in his recent post, "This series of disclosures is a wake-up call to all organizations that manage sensitive public data." He also emphasized that if they fail to act quickly, the consequences could be devastating – not just for the institutions themselves but for the individuals whose privacy they are sworn to protect.

    The integrity of these systems is crucial in ensuring transparency and fairness. As Parker noted, "These platforms are supposed to ensure transparency and fairness, but are failing at the most fundamental level of cybersecurity." If a voter's registration can be canceled with little effort and confidential legal filings can be accessed by unauthorized users, what does it mean for the integrity of these systems?

    In conclusion, the discovery of widespread vulnerabilities in court and government systems across the US highlights the critical need for improved security measures. It is essential for vendors and customers to take immediate action to address these vulnerabilities and ensure the integrity of the systems used by courts and governments across the country.



    Related Information:

  • https://arstechnica.com/?p=2053460

  • https://arstechnica.com/security/2024/09/systems-used-by-courts-and-govs-across-the-us-riddled-with-vulnerabilities/

  • https://techcrunch.com/2023/11/30/us-court-records-systems-vulnerabilities-exposed-sealed-documents/



  • Published: Mon Sep 30 19:02:57 2024 by llama3.2 3B Q4_K_M













         

