[ISN] Names, credit card numbers found via city's Web site

From: InfoSec News (isnat_private)
Date: Tue Apr 23 2002 - 00:06:19 PDT


    Last Modified:
    1:09 a.m. 4/19/2002 
    By Mike Hall 
    The Capital-Journal 
    For more than two years, a list of Topekans and their credit card
    numbers was available to savvy computer users through the city's Web

    When notified Friday, Bill Stephens, the city's Webmaster, removed the
    file from the computer that hosts the city Web site.

    Stephens was baffled by how the file got onto the computer and even
    more baffled by how a man in Redmond, Wash., stumbled onto it.

    He said the incident technically would be called a security breach,
    but no one browsing the city's Web site would have ever happened onto
    the file.

    The only way it could be seen via the Internet was for someone to know
    the exact name of the file and where to find it on the particular

    Still, the fact that someone did find it proves it was possible.

    In fact, the man who found it and reported it to The Topeka
    Capital-Journal described the remarkably simple procedure he used and
    said others surely have found the file by now, too.

    The problem came to light Friday when The Capital-Journal received an
    e-mail from Artak Kalantarian, of Redmond.

    He provided the exact address of the file, which the newspaper was
    able to access. As he said, it was a listing of 500 people, apparently
    young people who had at some time signed up for city recreation
    programs. Other columns in the table provided the parents' names and
    addresses. Another contained four sets of four numbers, a typical
    arrangement for credit card numbers.

    Sixty-six of the 500 individuals on the list had numbers listed in
    that column.

    Stephens said those numbers appear to be credit card numbers, but he
    couldn't be sure because he didn't know where the file came from.

    Stephens was able to determine that the file had been on the computer
    since Jan. 3, 2000. He guessed it was a file from another city
    computer and appeared to be a list of participants in city recreation
    programs. His guess was that, in moving files from an old computer to
    a new one, the file might have been misdirected to the computer
    hosting the city's site.
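    A defender-side check for the failure mode described above (a data export landing under a Web document root), as an added example that is not part of the article or the city's own tooling: it walks a directory, looks for numbers in the four-by-four layout the article describes, and keeps only those that pass the Luhn check that payment card numbers satisfy. The sample export, the function names and the `webroot` path are constructed for illustration.

```python
import os
import re
from typing import Dict, List

# Four groups of four digits, separated by spaces or dashes (the layout the
# article describes), or 16 digits run together; guards stop partial matches
# inside longer digit runs.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)")

# Constructed sample export: two rows carry Luhn-valid card-style test
# numbers, one row carries a 16-digit number that is not a valid card number.
SAMPLE_EXPORT = """name,parent,address,card
A. Child,P. Parent,1 Main St,4111 1111 1111 1111
B. Child,Q. Parent,2 Elm St,
C. Child,R. Parent,3 Oak St,1234 5678 9012 3456
D. Child,S. Parent,4 Pine St,5500-0000-0000-0004
"""


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the 16-digit candidates in text that pass the Luhn check."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def scan_webroot(root: str, max_bytes: int = 10_000_000) -> Dict[str, int]:
    """Walk a document root; map each file with card-like numbers to its hit count."""
    hits: Dict[str, int] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", errors="ignore")
            except OSError:
                continue            # unreadable file: skip, keep scanning
            count = len(find_pans(text))
            if count:
                hits[path] = count
    return hits


if __name__ == "__main__":
    print(find_pans(SAMPLE_EXPORT))          # the two Luhn-valid numbers
    print(scan_webroot("/var/www/html"))     # hypothetical document root
```

Any file the scan reports is a candidate for removal from the document root and for a review of the server's access logs for requests to that path.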
    Stephens said it was fortunate that the error was found by a man as
    conscientious as Kalantarian.

    "We need more people who handle information that they stumble upon
    like that to handle it in a responsible manner rather than people who
    may have come upon some sensitive information and try to take
    advantage of it," Stephens said. "I wish there were more folks as
    conscientious as that."

    Interviewed by telephone Friday afternoon, Kalantarian said finding
    the file "was actually pretty easy."

    He described a procedure that just about anyone could use with nothing
    more sophisticated than a Web search engine, the kind most Web browsers
    can reach and that is free to use on the Web.

    Asked if he thought it was likely that others might have found the
    file before he did, he replied, "I'm pretty sure somebody else already
    has it."

    He described in general some techniques and special software used by
    sophisticated computer hackers that would be able to find the same

    Mike Hall can be reached at (785) 295-1193 or mhallat_private
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Tue Apr 23 2002 - 03:01:57 PDT