Huge Security Vulnerability with California Department of Worker Comp EDEX
Anna Predslava 2006-11-28, 7:28 pm
Ok, this is just stupid! Enough is enough... Last week a co-worker of
mine (a network engineer) "demonstrated" a major security flaw with
the California DWC EDEX. Believe it or not (just believe it, because it
is true), the California Department of Workers Compensation now has
internet-facing access to their injured-worker database. Millions of
identities, including SSN, full name, date of birth and address, are
now free and easy for the taking. Worst of all, I have an old comp case
on file with the DWC and I cannot get it off their insecure system. The
DWC keeps passing me on from person to person, office to office, to no
avail. I'm covering my butt by using identity theft services from my
bank and another through free credit report dot com (almost scam
artists; I would avoid using FCR if possible). The DWC must be stupid or
want to get hacked. I'm no security expert, but I am a Systems
Administrator with a major financial institution; I do know what I'm
talking about, and I'm certain the easiest way to get to the data is
through one of their cheesy 3rd-party internet vendors. These web sites
are ripe and just begging to get hacked. See for yourself:
http://www.workcompcentral.com/ezcomp/index.htm
IP = 207.178.203.35
https://secure.edexis.com/members/login1.wcs?account
IP = 65.74.145.237
I hope to God no one has been successful getting into one of these
sites. I would assume it would be quite profitable for some foreign
entity, as these servers do contain several million American identities
and personal information. This data has the potential to be more
destructive than credit card info, banking info, credit reports,
background info or any other type of data out on the internet. It has got
to be worth multi-millions and be a primary target once word of this gets
out... and it will. Remember the Veterans Affairs data loss of 8/2006
that made headline news? That only involved 38,000 identities on a
missing laptop.
Any thoughts on this one?
Anna
shimmyshack 2006-11-28, 7:28 pm
Yes, post to
websecurity[a-t] webappsec d-o-t org
They eat this stuff for breakfast.
Anna Predslava 2006-11-28, 7:28 pm
shimmyshack wrote:
> yes, post to
>
> websecurity[a-t] webappsec d-o-t org
>
> they eat this stuff for breakfast
I'm on it.
Thank you
Anna