Flaw found in state Web site
  Job listing revealed Social Security numbers, allowed visitors to alter any
  posted resumes
     Associated Press
         LANSING --A Pennsylvania computer expert uncovered a flaw in a
     state job Web site that made thousands of Social Security numbers
     available on the Internet.
         The flaws were found in the Michigan Works job site where
     people post resumes and search job listings and where employers
     scan applicants. The site is run by the Michigan Jobs Commission.
         Since February, the site has been the main tool for people
     looking for work with the state's help. Unemployed workers who get
     state jobless benefits are required to register.
         A state spokesman said about 30 people exploited the flaw and
     changed "a handful" of resumes posted on the site, but it was
     unclear if people were changing their own resumes or others.
         The state plans to spend $20,000 to hire a computer hacker to
     see if there are any other holes in the system.

Plans on hiring a network penetration team, not a hacker
I hope.

         When posting a resume on the Michigan Works Web site, job
     seekers are required to create a user identification code and a
     password to protect the resume. The site suggests using a Social
     Security number as an easy-to-remember user ID.
         That piqued the interest of Glen Roberts, an Oil City, Pa.,
     privacy advocate who runs his own Web site and hosts a shortwave
     radio show about the Internet.
         He started exploring the site and found that the log -- a
     listing of actions performed by the computer controlling the site
     -- included the user IDs and the passwords of people who had posted
         While the user IDs and passwords were not available on the
     Michigan Works site, Roberts was easily able to obtain them from
     the log. He posted some examples from it to his own Web site, as
     well as links to the log.
         "Not only are thousands of Social Security numbers disclosed to
     the public, the information needed for anyone to be a Job Seeker is
     available," Roberts wrote. "Miscreants could easily go into the
     system and 'update' other people's resumes."
         Roberts did not immediately return messages Tuesday.
         Rick Graim, a spokesman for the Coalition for Effective
     Michigan Employment Services, said he had some privacy concerns
     about the computerized resumes required by the state.
         "To put your complete work record on Internet is kind of
     shaky," he said. "This thing has your name, address and Social
     Security number... If folks can hack their way into NASA and the
     Pentagon, why would the state think this is a safe system?"
         The Web site has been at the center of a fight between the
     state, the federal government and advocates who say it puts some
     unemployed workers at a disadvantage if they don't have the skills
     to use the computer.
         Michigan Jobs Commission officials say the system works well
     and saves the state money while still helping workers find jobs.
     U.S. Department of Labor officials say it was put in place without
     its approval and doesn't give some jobseekers enough help finding
         Jim Tobin, a spokesman for the Michigan Jobs Commission, said
     the state took down the Web site shortly after finding out about
     Roberts' page and eliminated the links between the log and Roberts'
     Web page.
         He said the state shut down the system on April 10, a Friday,
     and had it back up by the following Monday.
         State experts found that about 30 people had gained access to
     parts of the huge log file, which covered about two months' of
     transactions. A handful of resumes were altered from the same
     computers that accessed the file, but only in minor ways, such as
     changed dates. No resumes were vandalized.
         "It was an error on our part," Tobin said. "We weren't aware
     that (the numbers) were out there."
         Tobin said the state would hire a security expert to test the
     system. And he said the use of Social Security numbers on the site
     was optional; users could come up with any other ID they wanted.

First a hacker, now a security expert.

         The site, however, still recommends using a Social Security