Nebraska court vulnerability pointed out as example at hacker conference (2024)

The Nebraska Supreme Court found itself in an unwelcome spotlight as an example of what not to do at last weekend's Def Con.

At a talk Saturday in Las Vegas at an annual security conference that draws thousands of hackers, researchers and professionals, Bill Demirkapipointed out that 15,000 developer secrets were hard-coded into the state's court software and other website issues he was able to find that can make systems more vulnerable to cyberattacks.

The independent security researcher who gained attention as a teenager in 2019for exposing vulnerabilities in his high school's software works now to find security problems.

In his talk, Demirkapi said he was able to find hundreds of username and password details linked to Nebraska’s Supreme Court and its IT systems.

He also said he was able to obtain the details needed to gain access to Stanford University’s Slack channels and over a thousand authentication keys of OpenAI customers.

Still, it was a group Nebraska State Court Administrator Corey Steel would rather not have been among.

This week, he said it came as a bit of a surprise, though he got a brief heads-up a day earlier from the researcher.

It's never welcome news to be used in an example like this, Steel said.

But, thankfully, nothing bad happened as a result of the vulnerability, which was discovered back in December 2022.

Steel said the researcher notified the court then that he had found a document on the dark web that could make their systems vulnerable to attack.

Steel said a programmer who worked for the state had saved a file of passwords to some court systems in a cloud vault, which the researcher was able to hack.

"It just so happened one document of ours — and it was only one document — was uploaded to the dark web," he said.

When they were notified, they immediately changed all passwords, even though some already were outdated. He said then they worked with the Office of the Chief Information Officer, which did a vulnerability test to make sure no one was accessing those systems from an IP address not owned by the courts.

"It showed that there was no outsider IP address using those passwords to infiltrate the systems," he said.

Not surprisingly, Steel said it was a huge relief.

"It's difficult, because you feel sometimes that you're one step behind," he said of the ever-evolving cyberthreats online.

But, in this case, it worked out.

"We were able to get on top of it right away and close the loophole and make sure that nothing was infiltrated and that no information was disseminated from any of our systems," Steel said.

He said he was thankful it was brought to their attention because it allowed them to act to make sure the court's systems were secure.

"It also strengthened the system in a sense," Steel said, "because it made us continue to review policies, procedures and implement new strategies to make sure that we are secure."

In this year's State of the Judiciary Address, Chief Justice Mike Heavican told state lawmakers of the need to upgrade protection for the court's online records.

"Much like banks, retail outlets, and health care providers, we handle a large amount of confidential information online — including bank account numbers, Social Security numbers, credit card information, and other financial details," he said.

They also store sensitive information on paternity and child custody and criminal case data, he said.

Heavican said the Kansas court system, which fell victim to a foreign cyberattack last fall, "serves as a warning for the rest of us."

"Without needed upgrades we must consider ourselves equally vulnerable," he told lawmakers.