So I surf on over to The UpTake this afternoon to see if the winter storm we got last night will make it hard for Franken's witnesses to make it to the courtroom today -- the Franken team won't rest now until tomorrow because of the danged storm -- and this greets me at the front page:
COLEMAN DONOR DATABASE LEAKED...AGAIN!
Wikileaks.org releases database after Coleman refuses to notify donors - Coleman reps claim database did not leak earlier, despite evidence to contrary
The short story: The Coleman campaign claimed about six weeks ago that its website had been crashed by thousands of people looking to see if their absentee ballots were on Norm's list of rejected absentee ballots. Local blogger MNPublius showed evidence indicating that Norm's people may have 'crashed' their own site by hiding it for a period of time so they could blame the disappearance on being overwhelmed by visitors. IT security consultant Adria Richards decided to investigate the situation -- and found a security nightmare:
I had to see what all the fuss was about. Was there really an attempt to bring down the website due to political unrest with these ballots in my state? Were the allegations of a poorly coded website true?
What I got instead was a plain text listing of directories…
The Database of Norm Coleman
That's right: She stumbled upon Norm Coleman's donor database. Complete with credit-card information, home addresses, and phone numbers.
Now, most campaigns, faced with abundant bad publicity and made aware of a significant security leak, would fix the problem. But it seems Norm's a little too distracted by his hopeless recount battle to bother with such trivia.
This, as we shall see, could lead Norm to spend yet more time in courtrooms:
[UPDATE: Norm could be in serious legal hot water over this. Neglecting to fix a known vulnerability on a site charged with securing credit-card data is a big, big no-no.]
He and his lawyers are desperately trying to spin this as evil mean hackers attacking poor pathetic them for partisan purposes. Au contraire: it seems the database was released by people annoyed by the Coleman crew's inaction on addressing the original security breach. Besides, no hacking was necessary:
The accusation made by Wikileaks.org is that the data wasn't actually hacked, but that the campaign for a few hours in January stored the entire unencrypted database of their site in a publicly-accessible location.
[snip]
One other thing that has to be noted, as well: Vendors are not supposed to store the three-digit security code of a credit card on their servers -- it's meant to be used solely for a vendor to clear a card with the credit company, and then deleted. But in fact, the downloaders were able to get those, too.
Congratulations, Norm! It looks like you're in the running for Most Incompetent Con 2009. Al Franken's whuppin' your ass, but you might just win something this year.
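As an added example (this is not code from the post, The UpTake, Wikileaks or the Coleman campaign), here is a small defender-side audit in Python that catches both failures the post describes: a database export sitting under a web server's document root, where a directory listing will hand it to anyone who asks, and exported rows that still carry the card security code or a full, unmasked card number. The document root, the `backup/donors.csv` file name, the column names and the card values are all constructed for the example; the card numbers are the well-known Visa and Mastercard test numbers, not real cards.

```python
import csv
import os
import re
import tempfile

# File types that should never sit under a web server's document root:
# database exports, backups, and archives of either. (Suffix list is my own choice.)
EXPORT_SUFFIXES = (".sql", ".csv", ".db", ".sqlite", ".bak", ".zip", ".gz", ".tar")

# Column names that commonly carry the card security code. PCI DSS allows the
# code to be used to authorize a transaction but forbids storing it afterwards.
CVV_COLUMNS = {"cvv", "cvv2", "cvc", "cid", "security_code", "card_code"}

# Candidate primary account numbers: 13 to 19 digits as a standalone token.
_PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_exposed_exports(docroot: str) -> list:
    """Return relative paths under docroot whose suffix marks them as a dump or backup."""
    hits = []
    for dirpath, _, filenames in os.walk(docroot):
        for name in filenames:
            if name.lower().endswith(EXPORT_SUFFIXES):
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def audit_rows(rows: list) -> dict:
    """Count rows that retain a CVV value or a full (unmasked, Luhn-valid) card number."""
    cvv_rows = 0
    pan_rows = 0
    for row in rows:
        cells = {k: str(v or "") for k, v in row.items()}
        if any(k.lower() in CVV_COLUMNS and v.strip() for k, v in cells.items()):
            cvv_rows += 1
        if any(luhn_ok(m) for v in cells.values() for m in _PAN_RE.findall(v)):
            pan_rows += 1
    return {"rows": len(rows), "with_cvv": cvv_rows, "with_full_pan": pan_rows}


def audit_csv_export(path: str) -> dict:
    with open(path, newline="") as fh:
        return audit_rows(list(csv.DictReader(fh)))


def build_sample_docroot() -> str:
    """Create a constructed, throwaway document root with a backup export in it."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "backup"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html></html>")
    # Constructed sample rows; the card numbers are public test numbers.
    with open(os.path.join(root, "backup", "donors.csv"), "w", newline="") as fh:
        w = csv.writer(fh)
        w.writerow(["name", "card_number", "cvv", "phone"])
        w.writerow(["Donor A", "4111111111111111", "123", "555-0100"])  # full PAN + CVV
        w.writerow(["Donor B", "XXXXXXXXXXXX4242", "", "555-0101"])      # masked, clean
        w.writerow(["Donor C", "5555555555554444", "", "555-0102"])      # full PAN only
    return root


def run_audit(docroot: str) -> dict:
    """Map each exposed export to its retention findings (CSV files are parsed)."""
    findings = {}
    for rel in find_exposed_exports(docroot):
        full = os.path.join(docroot, rel)
        findings[rel] = audit_csv_export(full) if rel.endswith(".csv") else {"rows": None}
    return findings


if __name__ == "__main__":
    for path, result in run_audit(build_sample_docroot()).items():
        print(path, result)
```

Run against a real deployment, `find_exposed_exports` would be pointed at the live document root (and the audit repeated after every site migration, which is when exports tend to get copied into the wrong place); any hit is a finding on its own, before the contents are even looked at. The row audit is the second, independent check: a masked number like `XXXXXXXXXXXX4242` and an empty CVV column are what a compliant export should look like.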
1 comment:
Dana,
Glad you're a fan of the Uptake. I really enjoyed their reporting last year during the elections!
I want to let you know that I am not a "security consultant".
I help business clients with hardware, software, servers, ecommerce, Joomla, Wordpress training, **this is probably getting boring**. I am an Organic Technology Consultant :)
Security folks do audits and website probes all the time and have a huge set of tools for this.
I spend more time talking with my clients and helping them grow their businesses with technology.
Thanks!
Adria Richards
Organic Technology Consultant
----------------------------------------------
Visit the website http://adennetworks.com
Visit the blog: http://butyoureagirl.com