http://www.cjonline.com/stories/042002/com_security.shtml

Last Modified: 1:09 a.m. 4/19/2002

By Mike Hall
The Capital-Journal

For more than two years, a list of Topekans and their credit card numbers was available to savvy computer users through the city's Web site.

When notified Friday, Bill Stephens, the city's Webmaster, removed the file from the computer that hosts the city Web site.

Stephens was baffled by how the file got onto the computer and even more baffled by how a man in Redmon, Wash., stumbled onto it.

He said the incident technically would be called a security breach, but no one browsing the city's Web site would have ever happened onto the file. The only way it could be seen via the Internet was for someone to know the exact name of the file and where to find it on the particular computer.

Still, the fact that someone did find it proves it was possible. In fact, the man who found it and reported it to The Topeka Capital-Journal described the remarkably simple procedure he used and said others surely have found the file by now, too.

The problem came to light Friday when The Capital-Journal received an e-mail from Artak Kalantarian, of Redmon. He provided the exact address of the file, which the newspaper was able to access.

As he said, it was a listing of 500 people, apparently young people who had at some time signed up for city recreation programs. Other columns in the table provided the parents' names and addresses. Another contained four sets of four numbers, a typical arrangement for credit card numbers. Sixty-six of the 500 individuals on the list had numbers listed in that column.

Stephens said those numbers appear to be credit card numbers, but he couldn't be sure because he didn't know where the file came from.

Stephens was able to determine that the file had been on the computer since Jan. 3, 2000. He guessed it was a file from another city computer and appeared to be a list of participants in city recreation programs. His guess was that, in moving files from an old computer to a new one, the file might have been misdirected to the computer hosting the city's site.

Stephens said it was fortunate that the error was found by a man as conscientious as Kalantarian.

"We need more people who handle information that they stumble upon like that to handle it in a responsible manner rather than people who may have come upon some sensitive information and try to take advantage of it," Stephens said. "I wish there were more folks as conscientious as that."

Interviewed by telephone Friday afternoon, Kalantarian said finding the file "was actually pretty easy."

He described a procedure that just about anyone could use with no more sophisticated software than a Web search engine that many Web browsers know how to use and are free for use on the Web.

Asked if he thought it was likely that others might have found the file before he did, he replied, "I'm pretty sure somebody else already has it."

He described in general some techniques and special software used by sophisticated computer hackers that would be able to find the same file.

Mike Hall can be reached at (785) 295-1193 or mhallat_private

ISN is currently hosted by Attrition.org