Information Security News mailing list archives

Help Wanted: Steal This Database


From: InfoSec News <isn () c4i org>
Date: Tue, 7 Jan 2003 03:27:35 -0600 (CST)

http://www.wired.com/news/infostructure/0,1377,57066,00.html

By Brian McWilliams
January 06, 2003

Hack-proofing a website is hard enough. But the task becomes 
gargantuan when you accidentally publish the administrator's password 
on one of your site's most heavily trafficked pages. 

Such a security gaffe may have enabled unauthorized visitors to log in 
and access files undetected for more than six months on a server 
operated by Carmichael Lynch, a public relations and advertising firm 
with several big-name clients. The admin password was inadvertently 
published on a page that contained online job postings. 

Among the files potentially exposed to outsiders: internal documents, 
including customer databases owned by two of the company's biggest 
clients, Porsche and American Standard. 

Experts said the incident is the latest example of how shoddy security 
can undermine companies' privacy promises. 

Carmichael Lynch removed the posting that contained the admin password 
from its site last week. Contained in the help wanted ad, cached here, 
were hyperlinks that included a user name and password that human 
resources employees used to upload job listings. 

Before the problem was corrected, any Internet user could have 
accessed files on Carmichael Lynch's server simply by modifying the 
address in the link. 
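The lapse described above comes down to a hyperlink that carried a user name and password in its address (the `user:pass@host` form of a URL), published on a public page. A simple pre-publication check catches that class of mistake before a page goes live. The following is an added example written for this archive entry; it is not code from the article, from Carmichael Lynch, or from FrontPage. The sample page, the account names and the `example.com` hosts are constructed for illustration.

```python
"""Pre-publish lint: flag hyperlinks that embed credentials in the URL.

Added example (not from the original article). Scans HTML for href/src/action
values whose authority component carries userinfo (user or user:password@host)
and offers a redacted form of each such URL for the page to use instead.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Attributes that commonly hold URLs an author may have pasted from a
# publishing tool's upload link.
URL_ATTRIBUTES = ("href", "src", "action")


class _LinkCollector(HTMLParser):
    """Collect (tag, attribute, url) triples from a page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRIBUTES and value:
                self.links.append((tag, name, value))


def find_credentialed_urls(html_text):
    """Return a list of findings for every URL that carries userinfo.

    Each finding is a dict with the tag, attribute, the offending URL, the
    user name it exposes, and whether a password was present as well.
    """
    parser = _LinkCollector()
    parser.feed(html_text)
    findings = []
    for tag, attr, url in parser.links:
        try:
            parts = urlsplit(url)
        except ValueError:
            # Malformed authority (e.g. bad IPv6 literal): not a credential leak
            continue
        # urlsplit exposes the userinfo part; relative links have no netloc
        if parts.username is not None or parts.password is not None:
            findings.append({
                "tag": tag,
                "attribute": attr,
                "url": url,
                "username": parts.username,
                "has_password": parts.password is not None,
            })
    return findings


def redact_userinfo(url):
    """Return the URL with any user:password@ prefix stripped from the host."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host = parts.netloc.rsplit("@", 1)[1]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


# Constructed sample page: one link leaks user and password, one image
# source leaks a user name only, and one relative link is clean.
SAMPLE_PAGE = """
<html><body>
<h1>Careers</h1>
<a href="http://hruser:Secret1@www.example.com/jobs/listing.htm">Account Executive</a>
<a href="/careers/apply.htm">Apply online</a>
<img src="ftp://publisher@files.example.com/logo.gif">
</body></html>
"""

if __name__ == "__main__":
    for f in find_credentialed_urls(SAMPLE_PAGE):
        print("LEAK <%s %s>: user=%s password=%s -> use %s" % (
            f["tag"], f["attribute"], f["username"],
            "yes" if f["has_password"] else "no", redact_userinfo(f["url"])))
```

Run it as a step in whatever pipeline pushes pages to the web server and fail the publish when the finding list is non-empty. Stripping the userinfo is only the first move: a credential that has already reached a public page should be treated as exposed and rotated, and the upload account should be confined to the job-listing directory rather than the whole document root, which is the "limited-access" separation the firm says it adopted afterwards.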

Carmichael Lynch spokeswoman Sara Mulder said the company has no 
evidence that unauthorized visitors took advantage of the security 
lapse. 

Mulder said the firm's HR team was using Microsoft's FrontPage Web 
publishing software to post job listings, and the program embedded 
"unwanted code, creating that loophole." 

An Internet user who asked not to be identified said he discovered the 
problem last June and notified Carmichael Lynch. The user said he 
decided to go public with the information after the PR company failed 
to plug the hole. 

Mulder confirmed that Carmichael Lynch learned last June that its 
job-posting process contained a security flaw, but she said the 
company thought at the time that it had resolved the problem. 

Among the files accessible on the server last week was a 13.5-MB 
database containing names, addresses, vehicle information and other 
data on nearly 75,000 luxury car and SUV owners. 

According to Mulder, Porsche owned the database, which was dated Oct. 
20, 2002. But the file's Properties tab indicated the database was 
created by Acxiom, a provider of customer-information tools and 
services. 

Officials from Porsche Cars North America and Acxiom had no immediate 
comment on the incident. 

Carmichael Lynch's security flub also exposed a 7-MB spreadsheet that 
contained contact information, including e-mail addresses and 
registration passwords, for nearly 12,000 people who had registered 
with the American Standard website between April 30 and Sept. 10, 
2002. 

A pop-up window greets first-time visitors to the plumbing supply site 
and encourages them to register for access to "site extras" such as a 
"wish list" and a preferred dealer locator. 

It was not immediately clear why Carmichael Lynch was storing clients' 
customer info databases on its public Web server. Such a practice is 
dangerous but common among site administrators who are not "security 
savvy," said Harlan Carvey, a security engineer for a financial 
services company. 

Privacy policies posted on the websites of Porsche, American Standard 
and Acxiom state that the companies take "reasonable precautions" to 
protect customers' personal information in their possession. Mulder 
said she does not believe Carmichael Lynch has a privacy policy. 

Mark Litchfield, co-founder of NGSConsulting, said privacy policies 
are often not backed up by strong security practices. Instead, such 
statements are merely "jargon" aimed at giving customers "a warm 
feeling in parting with their credit card and other associated 
sensitive material." 

Privacy expert Richard Smith agreed, and said Carmichael Lynch's 
security practices "don't live up to the promises being made in their 
clients' privacy policies." 

To prevent such lapses in the future, Mulder said Carmichael Lynch has 
"isolated all such data to ensure its security on limited-access 
servers." 

Such data spills can be costly to corporations that fail to follow 
standard practices for protecting customer data. Last August, 
Ziff-Davis Publishing agreed to pay affected customers $500 each after 
lax security exposed the personal data of thousands of subscribers. 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.