[ISN] Help Wanted: Steal This Database

From: InfoSec News (isnat_private)
Date: Tue Jan 07 2003 - 01:27:35 PST

By Brian McWilliams
January 06, 2003

Hack-proofing a website is hard enough. But the task becomes gargantuan when you accidentally publish the administrator's password on one of your site's most heavily trafficked pages.

Such a security gaffe may have enabled unauthorized visitors to log in and access files undetected for more than six months on a server operated by Carmichael Lynch, a public relations and advertising firm with several big-name clients. The admin password was inadvertently published on a page that contained online job postings.

Among the files potentially exposed to outsiders: internal documents, including customer databases owned by two of the company's biggest clients, Porsche and American Standard.

Experts said the incident is the latest example of how shoddy security can undermine companies' privacy promises.

Carmichael Lynch removed the posting that contained the admin password from its site last week. Contained in the help wanted ad, cached here, were hyperlinks that included a user name and password that human resources employees used to upload job listings.

Before the problem was corrected, any Internet user could have accessed files on Carmichael Lynch's server simply by modifying the address in the link.

Carmichael Lynch spokeswoman Sara Mulder said the company has no evidence that unauthorized visitors took advantage of the security

Mulder said the firm's HR team was using Microsoft's FrontPage Web publishing software to post job listings, and the program embedded "unwanted code, creating that loophole."

An Internet user who asked not to be identified said he discovered the problem last June and notified Carmichael Lynch. The user said he decided to go public with the information after the PR company failed to plug the hole.

Mulder confirmed that Carmichael Lynch learned last June that its job-posting process contained a security flaw, but she said the company thought at the time that it had resolved the problem.

Among the files accessible on the server last week was a 13.5-MB database containing names, addresses, vehicle information and other data on nearly 75,000 luxury car and SUV owners.

According to Mulder, Porsche owned the database, which was dated Oct. 20, 2002. But the file's Properties tab indicated the database was created by Acxiom, a provider of customer-information tools and

Officials from Porsche Cars North America and Acxiom had no immediate comment on the incident.

Carmichael Lynch's security flub also exposed a 7-MB spreadsheet that contained contact information, including e-mail addresses and registration passwords, for nearly 12,000 people who had registered with the American Standard website between April 30 and Sept. 10,

A pop-up window greets first-time visitors to the plumbing supply site and encourages them to register for access to "site extras" such as a "wish list" and a preferred dealer locator.

It was not immediately clear why Carmichael Lynch was storing clients' customer info databases on its public Web server. Such a practice is dangerous but common among site administrators who are not "security savvy," said Harlan Carvey, a security engineer for a financial services company.

Privacy policies posted on the websites of Porsche, American Standard and Acxiom state that the companies take "reasonable precautions" to protect customers' personal information in their possession. Mulder said she does not believe Carmichael Lynch has a privacy policy.

Mark Litchfield, co-founder of NGSConsulting, said privacy policies are often not backed up by strong security practices. Instead, such statements are merely "jargon" aimed at giving customers "a warm feeling in parting with their credit card and other associated sensitive material."

Privacy expert Richard Smith agreed, and said Carmichael Lynch's security practices "don't live up to the promises being made in their clients' privacy policies."

To prevent such lapses in the future, Mulder said Carmichael Lynch has "isolated all such data to ensure its security on limited-access

Such data spills can be costly to corporations that fail to follow standard practices for protecting customer data. Last August, Ziff-Davis Publishing agreed to pay affected customers $500 each after lax security exposed the personal data of thousands of subscribers.