Utah State Employee Directory Is Back Online After Security Update
The online phone book that allows members of the public to contact Utah state employees was back on utah.gov this week after authorities took it offline for a few weeks to beef up security.
“Obviously, more secure websites have been the direction taken by the company,” said State Auditor John Dougall. “More and more people are turning to encrypted websites to provide better security for their users.”
Dougall recalls using the directory during his tenure as state representative from 2003 to 2013, and the Department of Technology Services noticed that the directory had not had security updates for some time.
While the directory was still available to employees behind the government firewall, it was removed for the public while a security team added protections that help prevent screen scraping, a practice used by hackers to collect all the data available on a given page at once.
The technique, according to DTS spokesperson Stephanie Weteling, can be used for “nefarious purposes,” including sending fraudulent emails containing false instructions to pay fraudsters.
Although the only information available in the directory is the phone numbers and email addresses of state employees, that information could still be useful for crooks. For example, bad actors could use bots to quickly extract all email addresses and contact each of them pretending to be department managers or other employees.
The crooks could then send phishing messages with dangerous links which, if clicked, allow a fraudster to gain access to the host’s computer, where they could steal confidential information and even enter private accounts, including social media sites. Another risk comes from malware.
The Federal Bureau of Investigation warns against such business email compromise, and the bureau’s website describes it as “one of the most financially damaging online crimes.”
“We have a security team within our department that monitors the sites around the clock,” Weteling said. “We have thousands of state websites that we monitor. We will have a security team to monitor [the directory] to make sure it doesn’t come back down because we know it’s a valuable tool for the public.”
The security team has installed CAPTCHA technology on the site, which makes data collection more difficult for potential fraudsters. Frequent scraping can also overload the site from which the data is extracted, causing performance issues, but CAPTCHA slows down the scraping process by forcing hackers to click an “I’m not a bot” checkbox instead of using bots to scrape without pausing.
The directory was also not protected by HTTPS encryption before it was taken offline. Dougall explained that updating the site to HTTPS prevents intermediaries from seeing what visitors are requesting on the site.
State employee phone numbers and email addresses must be publicly available in Utah due to the Government Records Access and Management Act (GRAMA). While updates to the site will hopefully slow down hackers, nothing can stop a crafty hacker from downloading information when it is publicly available.
Previously, employee information could be found by searching for their last name, but now users will have to enter an employee’s first and last name to retrieve their contact details.
Access to employees and government officials through the directory is “particularly important now, with so many people working remotely,” said Dougall. “Sometimes there are problems with just calling the generic number on a department’s website.”
“Suppose you are having trouble with a road problem in your community,” continued Dougall. “If this is a national highway, you’ll want to go to the Utah Department of Transportation. You might not want to just call a generic number on their website. You may want to direct your questions to a specific person and you can use the directory to access their information.”
Dougall says that when a government is more transparent, the public trusts the institution more.
“The public can see what government does, but also why government officials make the decisions they make,” said Dougall. “They can either better understand and accept this or provide a better input based on their point of view to government officials to help them see the problem in a different way.”
The state phone book is available at utah.gov under the “Government” tab or at https://statephone.utah.gov.