"How I Found Norm Coleman's Website Database in 2 Minutes"
By scarce Saturday Mar 14, 2009 4:30am
Adria Richards on The Rachel Maddow Show last night. Below is her own video uploaded to YouTube earlier this week.
I was the one who found the database which was sitting right out there in a website directory. No hacking was required and the only tool I used was my Firefox web browser.
Although an IT professional by trade, Adria Richards explains how even a 5th grader could have gained access to ex-Sen. Norm Coleman's website, a story initially grossly misreported in the mainstream media ("Hacker steals Coleman donor data"). Or consider the sheer mindlessness of conspiracy theorists such as John Hinderaker: "Liberal Hackers at it again." There is now talk that the Coleman campaign may face charges for not securing their donors' credit card information properly, and rightly so.
In related news, Norm Coleman left all his sex toys on the front lawn, and is blaming the liberal media's gutter journalists for invading his privacy.
It's awesome to see my video made it onto the media section of Crooks and Liars!
I want to share that I do not have a doctorate degree so there is no, "Dr" in front of my name.
I also just posted a video to YouTube
Why I decided to upload the Coleman photos to Flickr
Thanks!
Adria Richards
Organic Technology Consultant
-----------------------------------------
Visit the website http://adennetworks.com
Visit the blog: http://butyoureagirl.com
[I'll send a note to the author about the error-Sitemonitor]
Now corrected.
Thanks.
It is very nice work that you have done to show off that people need to be more careful to protect their clients'/donors' credit card info. Of course, the embarrassment couldn't have happened to a more deserving guy: Norm Coleman, the embarrassment from MN.
Every holder of a merchant account -- the ability to accept credit card payments -- agrees to keep sensitive customer, or in this case, donor information confidential and to protect that data via commonly available security protocols. That the database was posted in a publicly available directory provides evidence that the Coleman campaign should 1) immediately lose their merchant account, and thusly their ability to collect payments; and 2) be fined under the agreement they signed with their merchant bank, which if I am correct, starts at $100,000 and only increases from there.
However, this only scratches the surface of the Coleman campaign's negligence in the matter. The campaign should have never kept credit card information in a database to begin with; that's handled by the processor of the charges, a wholly separate entity from the campaign. I'm no lawyer, but the crime here seems to be that the campaign was negligent in their protection of their donors' data.
And before the Republicans get all huffy-puffy about the disclosure of their information by anyone, let alone a Democrat, they need to answer one question: was a single donor defrauded as a result of the Coleman campaign's negligence? The answer is undoubtedly no, as any donor who saw any fraudulent activity on their credit card accounts is automatically protected by the card issuer (a fact that the Powerline dude seems blissfully unaware of).
agreed.
In most cases of ecommerce online, the website selling the product or service (vendor) only keeps your name, address, phone, and product order details and then sends the "important stuff" to a payment gateway like Authorize.net, which processes the sale but doesn't store the number.
And creating a single MySQL database to hold all of this plus login information indicates the person/company who built the site is selling a dangerous service. Norm Coleman is probably not their only customer.
Adria Richards
Thanks for having the guts to expose websites and webmasters who should be held accountable for personal information. This rethug deserves to be in jail. You are correct that ANY person or agency that is this stupid should be brought up on charges.
This is why an IT professional should be used for sites collecting money or just personal info.
Glad to see Coleman uses Ted Stevens as an IT consultant.
For providing a reality-based view of what's really going on with the Coleman database. It never ceases to amaze me how the right wing spins events to give the illusion that they are the ones being wronged, instead of the truth: Coleman was wrong to make his database open to anyone with a Web browser (i.e., the world). So glad you could expose this!
stupidity.
Wanna bet that, in typical Republican fashion, he gave the IT job to a crony - like his cousin's nephew who's good at video games, or some friend of a friend who knew what the letters "IT" stand for.
And, Ms. Richards, thanks for your help.
yes. I suspect this. It's very common in the technology "biz" for non-technical people to hire friends, family members and other people's children to do complex things.
Most never run into trouble but when there's a meltdown, it's usually pretty bad.
My goal with this is to raise awareness and help people understand what they need to ask when planning, building, maintaining and monitoring - websites, networks, computers and all that good stuff.
Adria Richards
Dude, the writings on the wall. Go away.
You didn't win and now, you've lost even more of the people who supported you because you have been an asshat this whole election.
Give it up. Go away.
Your kind is no longer welcome 'round these parts.
But it DOES require attention to detail.
Just being able to spell "IT" does not qualify one to actually do "IT"
And if Norm WAS advised of the security breach, and ignored this, then he should be indicted for THAT ...Too!
I did tell people this week I was never contacted by the Coleman office. Not by email, phone or Twitter
Adria Richards
This Coleman buffoon needs to be in a position of authority. With typical Repugnant aplomb it's blame it on a third party. No sense of responsibility here.
The Coleman organization might still try to sue her in civil court if not a criminal case too. Used this "ping" thing, and distributed data clearly _intended_ to be private. Calculated judgment that she would probably prevail so it ends up as PR well spent?
On the other hand, Coleman is in the exact same position. So many best practices, and it would seem laws, were broken dumping the database onto the public web server, unencrypted at that.
...the other white meat.
outsourcing IT jobs to India. I noticed one of the big banks, after sucking up a couple billion is now sending 25% IT dept. off-shore.
Coleman is screwed now. Senator Franken has a ring to it.
I saw this on TV, I really like that girl. hehe ^^
1). Mom not shouting at her from top of basement stairs
2). No Frank Frazetta posters on walls
3). Did not refer to Coleman staffer as, "Worst I.T. person EVER."
4). Fingers free of Cheetos stains
5). She's kinda hot!
Oh snap!
Andy, that is an awesome list! Let's build on that some more and I'll turn it into a YouTube video and credit you.
That's one thing I don't do: blame, criticize and judge. I didn't call the Norm Coleman website person any name or attribute characteristics to them since I've never talked to them.
I was in pure shock when I saw the directory listing and knew I had to act.
If I had known for sure the database file contained private user data, I probably would have responded differently. I figured, "No way there would be a folder sitting in a web facing directory with important info" so I was more poking fun at the setup I saw.
Thanks for the laugh.
Adria Richards
At least he won't be taking time out of being a Senator while he is in jail.
...also faked a web site crash back in January.
Norm Coleman is a boob!
What a loser.
Rank Amateurs - no wonder they lost.
I really think you did Norm Coleman's donors an important favor.
I'm also glad you got the chance to tell your side of the story so that we don't all have to listen to Coleman's campaign whining that it was all a liberal conspiracy against them...
Yes. For many reasons, IT folks don't often make it to the forefront of the news media. We often sit in front of multiple monitors geeking out with technology. With the popularity of social networking, I am seeing (and experiencing) a crossover.
I am happy to help give a voice to people in technology, as we often see companies and organizations making the same mistakes over again. Hopefully we can build up a process to educate business owners on best practices.
One idea I have from this is to start finding and interviewing security and "penetration testing" professionals and identify at least one in every state. Then offer a free directory and content about best practices with the focus on "laymen" content. How does that sound?
I am determined to show people that technology isn't so "hard" to understand :)
Adria Richards
you are a super-fox! rrrarrr.
Leaving directory browsing enabled and not restricting access using host headers: bad! Hosting the database on the front end web server?!?! Really bad! Getting caught by Adria Richards and getting exposed on YouTube: priceless!
Nice catch on exposing the PEBKAC error. BTW I concur with onceler, you are a hot tech.
I'll bet Coleman took the lowest bid to make his site
Well, Adria, everyone here seems to be applauding. Let me be the skunk at the garden party. Yeah, his security was abysmal. Yeah, he should stop the charade and concede. Yeah, I'm glad Al won--even though he ran a pretty poor campaign, too--shoulda won in a landslide.
But, Adria, if I leave my front door open, does that give anyone the right to come in, take pictures, and post them all over town saying, "Look who left his front door unlocked!"
I don't think anyone hacked the database (that's breaking and entering), but it sure sounds to me that someone walked in the open front door (simple trespass), and it makes me uncomfortable even if we agree on everything political.
I am maybe naive and old enough to be quaint not chill, but I like to think we are better than the other side, not just more clever.
Sam
--thoughtfully
Have you ever seen what open directory browsing looks like? Not only is your door open, but you have literally invited people in. In fact you are invited in the moment you enter the IP and hit [Enter]. Some people intentionally allow directory browsing for people to download files because it's very simple to set up; it requires no web development at all.
She hit the IP and voila, there were all the files for her viewing pleasure. There is no sign saying "go away" or "this is not what I intended to do"; all you see are directories and files. Only after you look at the data can you tell if it was meant for public viewing or not. So a lot of people could have happened onto the site and not even have known if they were somewhere they shouldn't be.
She didn't crack or break into anything; she simply looked up the IP and hit it with her web browser. She didn't bend over the web server's security; it bent over for her and said "I'm all yours." It's not trespassing if you put data out on an unsecured site, especially with a registered domain name advertising its presence, and you have submitted the site to search engines so it can show up on Google, Yahoo, Live, etc. search results.
As a systems security officer my job is to secure networks. I will tell you the fault lies 100% on the web master/designer who failed to put in place even the most basic of controls. Unsecured Internet websites are made with the expectation of getting public traffic; they might as well have thrown loose $100 bills on the floor.
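The thread above describes what an open directory listing looks like and why a database dump sitting in the web root is the real failure. The following is an added example, not code from this page or from any of the commenters, showing how a site owner can check their own server's responses for an autoindex page and flag entries that look like database or backup files. The listing markers are heuristics for common Apache, nginx and IIS autoindex output, and the sample HTML is constructed for this illustration.

```python
import re
from html.parser import HTMLParser
from dataclasses import dataclass, field

# Extensions that should never be reachable in a web-facing directory.
SENSITIVE_EXT = {".sql", ".mdb", ".bak", ".db", ".sqlite", ".zip", ".tar", ".gz", ".csv"}

# Heuristic markers emitted by common directory-listing (autoindex) pages.
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of\s+/", re.I),           # Apache / nginx autoindex
    re.compile(r"Parent Directory", re.I),                 # Apache autoindex link text
    re.compile(r"<title>[^<]*\s-\s/[^<]*</title>", re.I),  # IIS "host - /path/" title
)


class _LinkCollector(HTMLParser):
    """Collect every href target on the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


@dataclass
class ListingReport:
    is_listing: bool
    entries: list = field(default_factory=list)   # files/dirs exposed by the listing
    sensitive: list = field(default_factory=list)  # entries with a risky extension


def analyse_listing(html: str) -> ListingReport:
    """Decide whether an HTTP response body is a directory listing and, if so,
    flag entries whose extension suggests a database dump or backup archive."""
    if not any(m.search(html) for m in LISTING_MARKERS):
        return ListingReport(False)
    parser = _LinkCollector()
    parser.feed(html)
    # Drop sort links ("?C=N;O=D"), absolute links and the parent-directory link.
    entries = [h for h in parser.hrefs if not h.startswith(("?", "/", "http", "../"))]
    sensitive = [e for e in entries if any(e.lower().endswith(x) for x in SENSITIVE_EXT)]
    return ListingReport(True, entries, sensitive)


# Constructed sample: roughly what an Apache autoindex page for a web root looks like.
SAMPLE_LISTING = """<html><head><title>Index of /</title></head><body>
<h1>Index of /</h1><pre><a href="?C=N;O=D">Name</a>
<a href="../">Parent Directory</a>
<a href="index.html">index.html</a>
<a href="images/">images/</a>
<a href="donors.sql">donors.sql</a>
<a href="site_backup.zip">site_backup.zip</a>
</pre></body></html>"""

# Constructed sample of an ordinary page, which must not be flagged.
SAMPLE_NORMAL_PAGE = '<html><head><title>Campaign Home</title></head><body><a href="donate.html">Donate</a></body></html>'

if __name__ == "__main__":
    report = analyse_listing(SAMPLE_LISTING)
    print("listing:", report.is_listing, "sensitive:", report.sensitive)
```

A positive result is the cue to disable directory indexing, deny access to those file types at the web server, and move the data off the web root entirely.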
I appreciate your posting. It is thoughtful and clear; and I really don't feel strongly, certainly not as strongly as most people who post on anything here feel, but let me expand on my qualms just a bit. That is where they are, "qualms" that don't rise to the level of an opinion.
First, Adria didn't just go to the website, she looked up the IP address and went there, not the usual URL.
Second, when my neighbor (side-by-side apartment doors) left his keys in the door, I didn't say, oh, he is leaving the keys so the public can come in and look around and post some photos on telephone poles. I said, "Oh, he made a mistake, and I need to tell him, not the public, that the keys are in the door." So, I knocked on the door and told him.
We are agreed on Coleman--and on his webmaster--but what about our side? What are we supposed to do? Are we supposed to post screenshots, or are we supposed to notify the Coleman campaign that innocent supporters are in danger of being hurt?
As I said in my original posting, maybe I am old enough to be quaint, but that is what I would have done--whether it was the door to their database or the door to their headquarters. We are better than they are--not just more clever.
First, looking up the IP addys is something anyone can do. You may not know how to do it, but you can do it, and it's completely legal. For cryin' out loud, it's an address. You can buy reverse directories made of paper that, if you've got a local phone number, will provide you with the name of the entity who's billed by the phone company and their street address. Those same directories allow you to search the street address and find the name and phone number!
Before I go any further, I just saw that Adria made a comment on the thread...I'll bet she's replying to you, so I'll let her handle this.
I would suggest you watch the YouTube video I created,
Why upload Coleman photos to Flickr?
Adria Richards
Direct contact might have been better. I know in my career I have tried that, and some are grateful and close the door, while others become indignant, their egos get bruised and they do nothing about the discovery. There are a number of people in IT who have grown weary and unsympathetic of holes such as Adria discovered, especially since the Internet is out of its infancy and best practices have long been established.
Many viruses have wreaked havoc on systems across the Internet over the years as a result of lax security on systems. The Code Red and Slammer worms would be good examples of viruses that ravaged the Internet, taking advantage of unsecured networks and impeding secured networks' performance, costing companies billions. As a result some have adopted the philosophy of throwing them out into the light of day as punishment.
I can’t say I blame them; it’s angering when you have to take over 50 infected servers a day for a week just to disable the network interface because their infected system is trying to hit machines in your network. Stuff like that causes denial of service attacks at company firewalls and can even sludge up routing on the Internet if the virus is highly virulent. Been there, done that, and I swore a lot.
You read my mind.
1) we don't know when the breach actually occurred
2) we don't know why the directory files were missing
3) we don't have access to the log files
4) there is no assurance the actual problem was fixed after 1/28/2009
5) site may still have been SQL injection vulnerable before and after screenshots
Adria Richards
Sam,
I hear you.
It's not about entitlement. I saw something that alarmed me and I took action. I realized this was yet another example of bad website management. I didn't know what was in the database but I knew I had to document it.
If you look at my first reply to the blog, I didn't directly indicate what I had found. I'm just a techie, not a news/politico/media/journalist so I was poking fun to share a joke with the other people who had posted techie responses.
Now it's "Crashgate" and tempers are flared due to the political decision for our next MN senator.
Adria Richards
...is how was it that you became aware that there was a problem with the Coleman site/server (apparently you read something about it on Twitter), and Coleman's people didn't. You'd think that someone might have told them back in January that there was chatter regarding the security of their site/server.
I don't expect you to have an answer for that. We'll only know if Coleman's office comes completely clean about what they knew and when they knew it.
This was the post I saw on Twitter and it is the first link in my blog post (under all the new stuff from March)
"I first picked up this story from @Chuckumentary on Twitter"
I wanted to laugh too so I went to go take a look. That tweet is all I had to go on. It led me to the MNIndependent's article, "Did Coleman campaign fake Web site crash?". I had never been there before because I focus on technology, not politics.
Just like when I do regular troubleshooting for computers, networks, remote access, servers, email and hardware, I took the facts and began working with them:
Question: Why put it out on Twitter and when?
I just found my first post on Twitter about the Norm Coleman database and it's dated 1/28/2009 at 11:33pm. It linked to my blog post which I put up sometime before that. I didn't have a high traffic blog before the Coleman thing...most people came to read about really techie stuff (ie boring to most of the human population on earth).
search twitter for "adriarichards + coleman"
I hope that helps to explain things. I will probably be using my replies here for a new blog post this week at ButYoureAGirl.com and hope that's alright with folks.
Adria Richards
...but, again, not all of my questions. But like I wrote above, it requires the Coleman camp to be forthcoming if we're to see the whole truth.
But judging from Norm's history, I don't expect to see the truth. Now if someone involved in this affair gets canned from the Coleman camp and doesn't get some good references and adequate hush money, I think we'll get something close to an accurate picture of what happened.
BTW, was following the story over at TPM since it broke over there on Wednesday, and while they usually do great in-depth work there, I've learned a lot more by reading your comments here. :D
And one last thing- I love the name of your site! I'm sure you've heard, "But you're a girl," a lot.
...that his money-backing constituents' financial data were freely accessible to anyone on the net. Coleman should be very appreciative for the heads up! And Coleman's donors should be very thankful to Adria too for making it possible that they know that their financial information was exposed on the internet, so that they could take action to prevent ID theft and great financial loss and turmoil. Adria provided a very important public service. Thank goodness that there are people out there who help other people know when they are put at risk.