TOPEKA (KSNT) – Kansas is one of four states whose legislative websites lack basic security features, according to a KSNT 27 News investigation.
Without the security features, attackers could eavesdrop or impersonate the website to present alternative information as truth, according to Kansas cyber security experts.
KSNT 27 News contacted Ely Reyes, Cyber Security Specialist with CyberSolutionsKS, and Jerry Horton, Technology Director with Networks Plus, for more details on the possible security threats to the legislature website.
The legislature website lacks the security features known as Secure Sockets Layer (SSL) or Transport Layer Security (TLS), according to Reyes. These features let users confirm that the website they are connecting to is authentic.
KSNT 27 News found Kansas, Florida, Oklahoma and Mississippi lacked these basic internet security features as of March 30, 2023.
Websites with SSL and TLS will display a lock icon next to the website URL. Most modern web browsers will let users know when a website isn’t secure.
Reyes said the lack of SSL and TLS would be considered a security finding on a security assessment. Without the features, an attacker could enter the line of communication between the user and the website.
Why should users be concerned?
In what is commonly called a man-in-the-middle (MITM) attack, an attacker could reroute the user’s connection to a fake website.
MITM attacks take two forms, eavesdropping and active attacks, according to internetsociety.org. In the first, attackers monitor conversations or read messages. In the second, “active” attacks, attackers change the contents of messages or communications.
The Open Worldwide Application Security Project (OWASP), a non-profit organization and resource for cyber security, describes different methods attackers may use to perform MITM attacks.
Using a variety of techniques, MITM attackers may intercept the connection between the user and the website, according to OWASP. The attacker splits the original connection into two new connections: one between the user and the attacker, and the other between the attacker and a fake website.
“All websites or other resources available on the Internet (i.e. surveillance cameras, email servers, baby monitors, etc.) are potential targets for cybercriminals,” Horton said. “A website that does not have an SSL/TLS certificate as a part of its security is definitely more prone to attack, such as domain spoofing or fake websites.”
Horton said the lack of SSL or TLS may be disconcerting, but it doesn’t indicate the website is flawed or vulnerable. Horton recommended the team responsible for maintaining the legislature website apply for SSL and TLS certificates, perform regular cyber hygiene and have the website regularly tested by cyber security agencies.
How are MITM attacks performed?
Attackers may use a broad range of techniques to insert themselves into the line of communication.
Attackers within range of unencrypted Wi-Fi routers can enter the line of communication, according to a Consumer Protection Fact Sheet by the Wisconsin Bureau of Consumer Protection.
Alternatively, the Consumer Protection Fact Sheet says an attacker can pose as a merchant or bank, let users sign in to a TLS/SSL-secured site, and then log into the real website using the users’ actual credentials.
According to the Fact Sheet, if a Wi-Fi router doesn’t request a password, another user could hack into your devices to collect personal information or view the communications you send.
How is the Legislature team handling the security concern?
KSNT 27 News informed the Kansas Legislative Office of Information Services team of the security concern.
“We are currently working with our applications vendor, Propylon, to update the website,” Director of Technical Services Terri Clark said. “Part of the update project will be moving the site to the .gov domain and adding SSL certificates. These changes should bring the site in compliance with most browser security requirements to avoid the ‘Not Secure’ warnings. This work will likely not be completed until after the legislature adjourns in April/May.”
When KSNT 27 News contacted Propylon for comment, they said they were not responsible for hosting the website but did help build the website over 12 years ago.
Propylon referred KSNT 27 News to the Director of Administration Services Tom Day.
After requesting comment from Day on the topic, the Chief Information Technology Officer Alan Weis with the Kansas Legislative Office of Information Services responded to the request for comment.
“I understand you are seeking information on the Kansas Legislature’s website, specifically on the use of the secure https protocol,” Weis said. “We are actively working to implement the secure protocol on the website, however, that may not be completed until after May 1, 2023. Updates we have implemented on the website may have caused users’ web browsers to report an error. Clearing the user’s web browser cache should eliminate the error.”