Coleman posts credit card numbers online, doesn't warn donors, and then blames hackers

This topic is archived.
WI_DEM Donating Member (1000+ posts) Thu Mar-12-09 11:30 AM
Original message
Coleman posts credit card numbers online, doesn't warn donors, and then blames hackers
(this guy is a putz)

Norm Coleman’s campaign spokesman Cullen Sheehan suggested in an e-mail sent to supporters this morning that Wikileaks.org’s publication of the campaign’s donor database — including donors’ credit card numbers and the three-digit security codes for those cards — is the work of politically motivated people who have “found a way to breach private and confidential information.”

Sheehan hinted that the leak might be a work of political sabotage: “We don’t know if last evening’s e-mail is a political dirty trick or what the objective is of the person who sent the e-mail.”

MinnPost’s Joe Kimball echoed Sheehan’s notion that the database was hacked, writing this morning that “some hackers (Web enthusiasts, calls them), apparently discovered that list.”

But the database was not revealed by hackers, according to IT professional Adria Richards, who was the first to share news of the unprotected file in late January.

“It’s not hacking,” she said. “I didn’t use any hacking tools. A browser was my tool.”

Richards said she discovered the database by entering normcoleman.com into OpenDNS’ cache-check tool, which gave her an IP address where the Web site lived.

Simply copying that address into a Firefox browser revealed the Web site directories for colemanforsenate.com.

Richards didn’t download the database herself, but she posted a screen capture of what she’d found online after she made the discovery. An IT consultant for 10 years, she published her findings on her blog to educate others about the risks of improperly managed websites, she said.

http://minnesotaindependent.com/28748/colemans-site-wasnt-hacked-says-it-pro-who-discovered-donor-breach

www.dailykos.com

Kalyke Donating Member (1000+ posts) Thu Mar-12-09 11:34 AM
Response to Original message
1. I work for an information security company.
I'll be emailing this out in a minute.

Why Syzygy Donating Member (1000+ posts) Thu Mar-12-09 11:35 AM
Response to Original message
2. *snarf*
Edited on Thu Mar-12-09 11:36 AM by Why Syzygy
Was Norm on the Homeland Security Committee? Moron. (I just can't bring myself to misspell on purpose.)

blogslut Donating Member (1000+ posts) Thu Mar-12-09 11:45 AM
Response to Original message
3. Yep
The webmaster neglected to make an index.html page for each folder. Website security basics 101:


sohndrsmith Donating Member (1000+ posts) Thu Mar-12-09 01:25 PM
Response to Reply #3
21. Wait a minute. Maybe I'm technically naive, but even if the site was poorly designed,
the error lies in having the private financial information within the website structure - right? That should be entirely separate (I would think) or at the most available between local computers/server but the damn stuff ought to be encrypted if it's that sort of information - by default - right?

Are they saying that they intended to post a list of donors (for bragging rights) deliberately - they just didn't plan to add the financial info? Please tell me that's not the case. I have to go back and read the posts in this thread.

Either way, there is no possible way to shirk responsibility for this. Isn't this the second time they've had a major 'innernets' snafu? This is worse than the first - which I think was just dumb, not massively harmful.

Please - someone, anyone - make this person go away... this isn't even amusing (and it never was, unlike some other comical goofballs who keep reappearing, like Steele... even Palin, though her bloom seems increasingly faded - or at least it's quieter, I'm grateful to say).

Coleman isn't even humorously bad and this story isn't even shake-your-head-at-the-stupidity funny... I don't think so, anyway. Nor, I'm sure, do those who had their info displayed on innumerable computer screens around the globe.

What a blick.

blogslut Donating Member (1000+ posts) Thu Mar-12-09 01:49 PM
Response to Reply #21
23. I have no idea why the donor list was on the site
My only guess is that they put it on the ftp server so that campaign workers could download it for their own use. From what I've read the file was password protected but the fact that it was so easily available to anyone and cracking passwords is a fairly easy process, Coleman's campaign was grossly negligent in protecting the personal data of its donors.

sohndrsmith Donating Member (1000+ posts) Thu Mar-12-09 03:17 PM
Response to Reply #23
25. that's absurd. It's personal financial data - "password protected"?
that just is not good enough... please tell me Mr. Coleman didn't create the password (no he wouldn't be bothered with that). Wonder if they shared a "group" password... something original like "password01"...

Grossly negligent is an understatement. I wonder if any of those people's accounts were compromised - or if they know about it yet.

ugh...

blogslut Donating Member (1000+ posts) Thu Mar-12-09 03:49 PM
Response to Reply #25
28. The donors were notified
About two months after the fact - by Wikileaks.

This is why folks are proposing that the Coleman campaign violated Minnesota election law. It was his campaign's duty to inform donors that their information had been exposed. The woman that originally discovered the vulnerability notified the Coleman campaign but got no response. That database has been bouncing around the interwebs since January.

sohndrsmith Donating Member (1000+ posts) Thu Mar-12-09 03:58 PM
Response to Reply #28
29. Oh man... that's horrific. And these poor people gave him actual money... heck. n/t

NavyDem Donating Member (284 posts) Thu Mar-12-09 11:53 PM
Response to Reply #3
32. Here's what I see from the screen cap...
The site uses host headers. Host headers enable a single TCP/IP address to host multiple web sites, with each domain name pointing at separate directories on a web server. When a browser searches for the site address, it is redirected to the subdirectory on the web server, and the browser window displays the website address (such as colemanforsenate.com).

The problem here is that they are using an on-site database to collect the information. Any script kiddie can go looking for common names of directories that might contain such data using the method that was used for the screen cap. It was stupid for them to use database storage on the same server.

Most companies will use a secure web page to collect the information, but the page will use a secure channel to input that data into a database that is on the back end, and not readily accessible from the web. The campaign should have spent a little money to get some dedicated hosting me thinks...

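As an added example, not code from this thread or from any campaign's site: a small audit script a webmaster can run over a local copy of their own document root. It reports the two mistakes raised in #3 (folders with no index page, which an autoindex-enabled server renders as a listing) and #32 (database exports kept on the web server at all). The folder layout and file names it builds are constructed for the demonstration.

```python
"""Audit a web document root for the two mistakes discussed in this thread:
folders with no index page (rendered as a directory listing when autoindex is
on) and data files that should never sit under the document root at all."""
import os
import tempfile
from typing import Dict, List

# Default pages a web server serves for a folder; with none present, an
# autoindex-enabled server answers with an "Index of /..." listing instead.
INDEX_FILES = {"index.html", "index.htm", "index.php", "default.htm", "default.asp"}

# Extensions typical of exported databases, spreadsheets and backups.
SENSITIVE_EXT = {".csv", ".xls", ".xlsx", ".mdb", ".sql", ".db", ".bak", ".zip"}


def audit_webroot(root: str) -> Dict[str, List[str]]:
    """Walk a document root and report, as paths relative to root,
    (a) folders without an index file and (b) sensitive data files."""
    findings: Dict[str, List[str]] = {"unindexed_dirs": [], "sensitive_files": []}
    for dirpath, _subdirs, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        rel = "" if rel == "." else rel.replace(os.sep, "/")
        if not INDEX_FILES.intersection(filenames):
            findings["unindexed_dirs"].append(rel or "/")
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SENSITIVE_EXT:
                findings["sensitive_files"].append(f"{rel}/{name}" if rel else name)
    for key in findings:  # deterministic output regardless of os.walk order
        findings[key].sort()
    return findings


def build_sample_webroot() -> str:
    """Create a constructed document root (a hypothetical layout, not the
    campaign's real site): a home page, an images folder with no index page,
    and a 'data' folder holding files that have no business being web-served."""
    root = tempfile.mkdtemp(prefix="webroot_")
    layout = {
        "index.html": "<html><body>Campaign home</body></html>",
        "images/logo.png": "",                        # harmless, but the folder lists
        "data/donors.csv": "name,card_number,cvv\n",  # constructed header row only
        "data/backup.zip": "",
    }
    for path, content in layout.items():
        full = os.path.join(root, path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    result = audit_webroot(build_sample_webroot())
    for kind, items in result.items():
        print(kind)
        for item in items:
            print("   ", item)
```

An index page in every folder only hides the listing; the durable fixes are to turn directory indexing off server-side (for example Apache's `Options -Indexes`) and to keep donor data outside the document root entirely, as #32 describes.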
 
MineralMan Donating Member (1000+ posts) Thu Mar-12-09 11:46 AM
Response to Original message
4. Yup. Coleman hired a moron to do his website.
He left the directory structure exposed, so anyone who knows anything could look at the directories (folders) and see the files therein. Worse, access to those files was not protected, so they could be downloaded or opened by anyone with a browser.

Now, he's trying to blame this incompetence on the Franken team. Utter nonsense.

Leaving your site open like that is a bonehead, beginner move. It's what you get for having kids design your website, instead of professionals.

Coleman's a moron. His web designer is a cretin.

Stephanie Donating Member (1000+ posts) Thu Mar-12-09 11:48 AM
Response to Reply #4
5. there's absolutely no reason to have that info on the website at all
I can't imagine why it was there in the first place.

EFerrari Donating Member (1000+ posts) Thu Mar-12-09 11:51 AM
Response to Reply #5
7. Maybe they wanted a portion of the database -- like the names to post?
And were too lazy to hide or erase the other columns? Stupid.

Stephanie Donating Member (1000+ posts) Thu Mar-12-09 11:54 AM
Response to Reply #7
9. You don't post donor names on the website
That info is for the FEC, period. If they wanted the database for mailings there is still no reason to have it on the website, that's ridiculous.

MineralMan Donating Member (1000+ posts) Thu Mar-12-09 11:56 AM
Response to Reply #5
10. Oh, I agree completely.
It's amazing how many sites are set up this loosely, though. It's child's play to have a look around a lot of sites.

This is what you get when you don't want to pay someone enough to get a professional. Some college kid ends up with the job for free or for peanut wages, and you get what you pay for.

Now it comes back to bite Coleman on the butt, so he is trying to deflect his incompetence off onto someone else. It won't wash.

hfojvt Donating Member (1000+ posts) Thu Mar-12-09 12:19 PM
Response to Reply #10
14. the college kid probably knows more than I do
and I do the website for the local Democratic Party. I would love to get help from some High School kid who knows more and could do a better job, but they probably would not know everything. Some professionals do not know everything either. Some of those college kids probably start their own side businesses, based on websites they have designed. But just because they now have a business does not mean they know all that much.

My local computer repair store told me I needed a new motherboard for my laptop, and when I called HP, they told me I just needed to reinstall windows which I could do from my hard drive. Just because they had a business, doesn't mean they always knew what they were doing.

MineralMan Donating Member (1000+ posts) Thu Mar-12-09 12:49 PM
Response to Reply #14
17. My friend, the mistake that was made was one of the
most boneheaded ones any web designer can make. If you're making it, then shame on you for working on a website without knowing one of the most basic of security measures. Your local party head should have someone examine your site for security breaches, and right away.

Anyone can design a web site. Most often, it doesn't matter about the security so much. If, however, sensitive data is stored in an insecure directory on the web server, then it does matter. Not knowing how that might happen is the mark of an amateur who should not be designing a sensitive web site. It's that simple.

Any site that collects customer or donor information needs to take security very, very seriously. If it does not, it's liable to end up on the business end of a major lawsuit when (not if) that information becomes compromised. The folks looking for that sort of information know how to find it, and they're looking all the time.

hfojvt Donating Member (1000+ posts) Thu Mar-12-09 02:52 PM
Response to Reply #17
24. I forgot to mention
Our site does not collect any information from visitors.

But at some point, as we keep improving it, we might create a way to donate. I think other, larger counties are doing it. The simplest way might just be to link to an ActBlue page.

MineralMan Donating Member (1000+ posts) Thu Mar-12-09 03:23 PM
Response to Reply #24
26. Yup! Let a third party handle the transactions. They know
what to do to maintain security. If your site doesn't have any information on users stored on its server, then it doesn't really matter.

However, keeping things out of public-accessible folders is a very good idea. Drafts of new pages, embarrassing photos that aren't on the site...that sort of thing. As I said, it's amazing what shows up on sites that aren't careful.

hfojvt Donating Member (1000+ posts) Thu Mar-12-09 12:25 PM
Response to Reply #5
15. it's not on the website though
You don't go to normcoleman.com and see a tab that says "view donor information". Instead the computer saved that information in a way that was not at all secure. The computer did it, not the website designer. Coleman is right in a sense, that this information was sorta hacked, although it is basic hacking. Still, it's not something that is there for the way people typically surf the web. Nothing particularly fancy about what the person did to get that information, but it's also something that probably 80% of web surfers don't know anything about. I certainly have not done things like that in my ten years on the web.

MineralMan Donating Member (1000+ posts) Thu Mar-12-09 12:43 PM
Response to Reply #15
16. I think that's naive, in the extreme.
If 20% of web surfers are doing it, as you suggest, then protecting your site from such exploits is worthwhile, don't you think?

Teenage boys use the trick to access all sorts of porn stuff. Industrial espionage folks use the technique all the time, just as a start. Every campaign site on the planet gets looked at in that way. Only an incredibly stupid person would leave a donor database in an unprotected folder on the web server, for pete's sake.

Sure, it was "hacked," if you want to call a technique known to every kid over 14 hacking.

Should you be concerned? You bet you should. If some place you've put personal information on is using this bonehead web design mistake, your information is out there, and can be easily accessed. Don't you suppose that the identity theft folks know about this?

Did Franken's people look at this information? I don't know. I doubt they'd have any use for it, though, and they'd be fools to use it in any case.

Coleman's just trying to cover up his own foolishness.

Oak2004 Donating Member (1000+ posts) Thu Mar-12-09 11:36 PM
Response to Reply #15
31. The computer did it, not the website designer???
Ummm, computers do nothing, but what humans tell them to do (my curses directed at recalcitrant systems notwithstanding).

It's true we rely on others to write software for us, which we then administer. I'd hate to have to have written every line of code, in machine language, for the Debian system running on our server -- that server would be ready to go sometime around my 99th birthday, assuming I started in the '90's when our site first went online (under a Solaris OS in those days). The many people who wrote the OS and the server code and the many others who devised the languages, compilers, and interpreters they used to do it means we have much less work to do, but that does not mean we have no work to do.

I can't swear that my server is perfectly secure (not that I keep secure data on it, but we do have to defend against being used as a zombie or targeted by the purely malicious). I'm not a security expert, though I try to learn and use as much as I can to keep the server functioning. But you know what? If tomorrow somebody uses an exploit to trash the server, it won't be because "the computer did it". It will be because I didn't know about something soon enough and respond appropriately in time to prevent it.

MiniMe Donating Member (1000+ posts) Thu Mar-12-09 11:56 AM
Response to Reply #4
11. He must have designed it himself
:rofl: "Coleman's a moron. His web designer is a cretin"

pleah Donating Member (1000+ posts) Thu Mar-12-09 11:48 AM
Response to Original message
6. K&R What a moron.

Froward69 Donating Member (1000+ posts) Thu Mar-12-09 11:51 AM
Response to Original message
8. HA just like Coleman... Coffman here did
the same thing with the Colorado State SoS office, revealing not just CC numbers but the social security numbers of CEOs.

Fucking incompetence.

havocmom Donating Member (1000+ posts) Thu Mar-12-09 11:57 AM
Response to Original message
12. bookmarking to use in responding to idiots who think Norm is great
and Franken is denying the people of MN good representation.

MineralMan Donating Member (1000+ posts) Thu Mar-12-09 12:01 PM
Response to Original message
13. If anyone wants to see just how common this unprotected
sort of website is, just Google "Parent Directory"

Keep the quotes. It's a fun adventure.

SidDithers Donating Member (1000+ posts) Thu Mar-12-09 12:55 PM
Response to Reply #13
18. Wow. That's great fun...
:hi:

Good find.

Sid

MineralMan Donating Member (1000+ posts) Thu Mar-12-09 01:01 PM
Response to Reply #18
19. Oh, you haven't seen nuthin', yet.
Add Video outside of the quotes.

All the 14 year old boys know that trick. They do.

There's much more you can do, but I won't expand any further.

It's not hacking. It's just advanced amateur level web browsing.

The identity thieves use the same techniques to find database files containing customer information, with some modifications I won't describe.

ebay_bizzare Donating Member (14 posts) Thu Mar-12-09 01:25 PM
Response to Original message
20. shame
shame

progressoid Donating Member (1000+ posts) Thu Mar-12-09 01:47 PM
Response to Original message
22. How many ways can he screw up?
cripes.

Fuzz Donating Member (1000+ posts) Thu Mar-12-09 03:46 PM
Response to Original message
27. Help! I've been disenfranchised!

wroberts189 Donating Member (1000+ posts) Thu Mar-12-09 05:58 PM
Response to Original message
30. IMPORTANT - He is liable for hundreds of thousands in damages ...

cc companies require PCI DSS compliance (security audits by outside companies). If you are not compliant and have a data breach the fines are astronomical.

There is no way he was compliant if he was storing that data unprotected.

http://pcistuff.blogspot.com/2006/12/pci-fines-teeth-of-pci-dss-compliance.html