The online telephone directory that allows members of the public to contact Utah state employees was back up on utah.gov this week after officials took it down for a couple of weeks to beef up security.
“Clearly more secure websites have been the direction that society has been moving,” State Auditor John Dougall said. “More and more folks are moving to encrypted websites to provide better security for their users.”
Dougall remembers using the directory during his time as a state representative from 2003-13, and the Department of Technology Services noticed that the directory had not had any security updates in some time.
While the directory was still available for employees behind the government’s firewall, it was taken down for the public while a security team added protections that help to prevent screen scraping, a practice used by hackers to harvest all available data on a given page at once.
The technique, according to DTS spokeswoman Stephanie Weteling, can be used for some “nefarious purposes” including sending scam emails with false instructions to pay fraudsters.
While the only information available in the directory are the phone numbers and email addresses of state employees, that information could still be useful for scammers. For example, bad actors could use bots to quickly pull all of the email addresses and contact each of them posing as department officials or other employees.
The scammers could then send phishing messages with dangerous links that, if clicked on, grant a fraudster access to the host’s computer, where they could steal confidential information and even enter private accounts, including social media sites. Another risk is from malware.
The Federal Bureau of Investigation warns about such business email compromise, and the Bureau’s website describes it as “one of the most financially damaging online crimes.”
“We have a security team within our department that monitors sites all the time,” Weteling said. “We have thousands of state websites that we monitor. We’ll have a security team monitoring [the directory] to make sure it doesn’t go down again because we know it’s a valuable tool for the public.”
The security team has installed CAPTCHA technology on the site, which makes harvesting the data more cumbersome for potential fraudsters. Frequent scraping can also overload the site where the data is being pulled from, causing performance issues, but CAPTCHA slows the scraping process down by forcing hackers to click a “I’m not a robot” check box instead of using bots to scrape without pause.
The directory also was not behind the HTTPS encryption key before it was taken offline. Dougall explained that updating the site to HTTPS prevents middle men from seeing what visitors are inquiring about on the site.
The phone numbers and email addresses of state employees are required to be accessible to the public in Utah because of the Government Records Access and Management Act (GRAMA). While the updates made to the site will hopefully slow hackers down, there is nothing that can prevent a crafty hacker from downloading information when it is publicly available.
Previously, employee information could be found by searching their last name, but now inquirers will need to enter the first and last name of an employee to pull up his or her contact information.
Accessing government employees and officials through the directory is, “especially important now, with so many people working remotely,” Dougall said. “Sometimes there’s issues with just calling the generic number on a department’s website.”
“Let’s suppose you’re having problems with a road issue in your community,” Dougall continued. “If it’s a state road, you’ll want to reach out to the Utah Department of Transportation. You may not just want to call a generic number on their website. You may actually want to direct your questions at a specific individual, and you can use the directory to access their information.”
Dougall says that when a government is more transparent, the public trusts the institution more.
“ “The public can see what the government is doing, but also see why government officials are making the decisions they’re making,” Dougall said. “They can either better understand and accept that, or provide better input based on their perspective to government officials to help them see the problem in a different way.”