For months, access to a massive database of police files was available to anyone with a rudimentary knowledge of computers and an Internet link, according to a man who said he looked up files on the system several times.

The man told legislators his story, anonymously by phone, during a hearing Tuesday on the Multiple Jurisdiction Network Organization (MJNO).

After first accessing the system in April, he told Rep. Mary Liz Holberg, R-Lakeville, about the system's vulnerabilities in October, in part by showing her files the system contained on her. She then warned state officials, prompting the state to temporarily shut it down.

The system's security was upgraded and it is now running again, though with only about half the records it originally contained.

"It was pretty simple," the hacker said of the system, intended for police use only. "There was no security, no warning, no nothing."

The man said he accessed the system by simply adding the words "PersonSearch/PersonSearch.asp" to the end of the link's normal Web address, http://www.mjno.state.mn.us.

From there he was able to search any of the system's roughly 8 million records, containing police information on people who have been suspects, witnesses or victims in crimes in more than 180 law enforcement jurisdictions in the state.

It also contains private information such as juvenile records and whether a person has applied for a handgun or a permit to carry a firearm in public.

While it is used by state agencies and run by state employees on state-owned computers, the network is technically owned by a private nonprofit group -- the Minnesota Chiefs of Police Association.

In separate testimony, attorney Joseph Rymanowski said he has been contacted by others who claimed they were able to access the system through simple computer tricks.

Holberg said she allowed the hacker to testify after being assured by Bureau of Criminal Apprehension officials that an investigation into the hacker's security breach had been closed.

The anonymous testimony was perhaps the most dramatic moment in a three-hour hearing that focused on the system's vulnerabilities to abuse.

A chairwoman of the House Civil Law Committee, noted that the system listed her as a "suspect" because a neighbor complained about where her car was parked six years ago.

"That particular neighbor could likely have accused me of anything and it would still list me as a suspect," she said.

Legislators also questioned whether the system abides by the state's records law, which offers certain privacy protections as well as a promise that individuals can find out what information on them is contained in statewide computer systems.

Don Gemberling, director of the state's Information Policy Analysis Division, said it doesn't appear to comply with the law, in part because all the data in it has been considered "confidential investigative data" regardless of whether it is considered public in the original police files.

"What I heard today is that MJNO doesn't know how its data is classified," Gemberling said. "There needs to be some protection for individuals because of the bad things that can happen."

Dennis Delmont, executive director of the Chiefs of Police association, said the group is working to address those problems. He also said he'll be relieved if and when the state is ready to take over control of the system.

Holberg said her committee will work on a bill addressing problems with the system in the upcoming session of the Legislature.

The Source
_________________________
"The secret to creativity is knowing how to hide your sources."
-Albert Einstein

Tech Ninja Security