http://www.wired.com/news/infostructure/0,1377,57066,00.html

By Brian McWilliams
January 06, 2003

Hack-proofing a website is hard enough. But the task becomes gargantuan when you accidentally publish the administrator's password on one of your site's most heavily trafficked pages.

Such a security gaffe may have enabled unauthorized visitors to log in and access files undetected for more than six months on a server operated by Carmichael Lynch, a public relations and advertising firm with several big-name clients. The admin password was inadvertently published on a page that contained online job postings.

Among the files potentially exposed to outsiders: internal documents, including customer databases owned by two of the company's biggest clients, Porsche and American Standard. Experts said the incident is the latest example of how shoddy security can undermine companies' privacy promises.

Carmichael Lynch removed the posting that contained the admin password from its site last week. Contained in the help wanted ad, cached here, were hyperlinks that included a user name and password that human resources employees used to upload job listings. Before the problem was corrected, any Internet user could have accessed files on Carmichael Lynch's server simply by modifying the address in the link.

Carmichael Lynch spokeswoman Sara Mulder said the company has no evidence that unauthorized visitors took advantage of the security lapse. Mulder said the firm's HR team was using Microsoft's FrontPage Web publishing software to post job listings, and the program embedded "unwanted code, creating that loophole."

An Internet user who asked not to be identified said he discovered the problem last June and notified Carmichael Lynch. The user said he decided to go public with the information after the PR company failed to plug the hole.
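As an added example (not code from the article or from any of the companies named in it), the following pre-publish check scans a page's links for URLs that carry a username and password in the authority part, which is the kind of leak described above; the sample page, host name and account names are constructed.

```python
# Added example: flag hyperlinks that embed credentials (user:password@host)
# before a page is published. Standard library only; the sample page is constructed.
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect every href, src and action attribute value on the page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append(value)


def find_credential_urls(html):
    """Return (redacted_url, username) pairs for every link whose authority
    part carries a userinfo component, i.e. an embedded account and password."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        parts = urlsplit(url)
        # urlsplit only exposes userinfo when a scheme and netloc are present,
        # so mailto: and relative links are never reported.
        if parts.username is None:
            continue
        # Redact the password so the finding itself cannot leak it into a report.
        redacted = url.replace(f":{parts.password}@", ":***@") if parts.password else url
        findings.append((redacted, parts.username))
    return findings


# Constructed sample resembling a job-listing page whose upload links carry
# the publishing account's credentials. Host and account names are invented.
SAMPLE_PAGE = """
<html><body>
<h1>Open positions</h1>
<a href="http://www.example.invalid/jobs/copywriter.html">Copywriter</a>
<a href="http://hr_upload:s3cret@www.example.invalid/jobs/upload.asp">Post a listing</a>
<img src="ftp://webadmin:pw@files.example.invalid/logo.gif">
<a href="mailto:jobs@example.invalid">Contact HR</a>
</body></html>
"""

if __name__ == "__main__":
    for url, user in find_credential_urls(SAMPLE_PAGE):
        print(f"embedded credential for account {user!r} in {url}")
```

Run it over exported HTML as part of a publishing workflow so a page like the one described above is caught before it goes live.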
Mulder confirmed that Carmichael Lynch learned last June that its job-posting process contained a security flaw, but she said the company thought at the time that it had resolved the problem.

Among the files accessible on the server last week was a 13.5-MB database containing names, addresses, vehicle information and other data on nearly 75,000 luxury car and SUV owners. According to Mulder, Porsche owned the database, which was dated Oct. 20, 2002. But the file's Properties tab indicated the database was created by Acxiom, a provider of customer-information tools and services.

Officials from Porsche Cars North America and Acxiom had no immediate comment on the incident.

Carmichael Lynch's security flub also exposed a 7-MB spreadsheet that contained contact information, including e-mail addresses and registration passwords, for nearly 12,000 people who had registered with the American Standard website between April 30 and Sept. 10, 2002. A pop-up window greets first-time visitors to the plumbing supply site and encourages them to register for access to "site extras" such as a "wish list" and a preferred dealer locator.

It was not immediately clear why Carmichael Lynch was storing clients' customer info databases on its public Web server. Such a practice is dangerous but common among site administrators who are not "security savvy," said Harlan Carvey, a security engineer for a financial services company.

Privacy policies posted on the websites of Porsche, American Standard and Acxiom state that the companies take "reasonable precautions" to protect customers' personal information in their possession. Mulder said she does not believe Carmichael Lynch has a privacy policy.

Mark Litchfield, co-founder of NGSConsulting, said privacy policies are often not backed up by strong security practices. Instead, such statements are merely "jargon" aimed at giving customers "a warm feeling in parting with their credit card and other associated sensitive material."
Privacy expert Richard Smith agreed, and said Carmichael Lynch's security practices "don't live up to the promises being made in their clients' privacy policies."

To prevent such lapses in the future, Mulder said Carmichael Lynch has "isolated all such data to ensure its security on limited-access servers."

Such data spills can be costly to corporations that fail to follow standard practices for protecting customer data. Last August, Ziff-Davis Publishing agreed to pay affected customers $500 each after lax security exposed the personal data of thousands of subscribers.

- ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Tue Jan 07 2003 - 04:57:35 PST