What’s worse than losing a Minnesota Senate race?
Losing your website’s entire database, that’s what. As if claiming your website was brought down by too much traffic wasn’t bad enough, Norm Coleman’s website received a second round of criticism when I found a database file sitting in a directory that anyone could download…
I first picked up this story from @Chuckumentary on Twitter about Norm Coleman’s office saying their website had been “inundated by tens of thousands of hits today – temporarily crashing the website.” Of course that got me curious as an IT consultant and I went to check it out. Aaron Landry broke this story because previous website traffic reports and the location of the domain name didn’t match up. Paul Schmelzer at the Minnesota Independent picked up the story which is where I first saw it.
Norm Coleman’s website crash revealing a database full of supporters is now known as Crashgate.
Update 7: How ironic is it that January 28th, the day I posted this was also Data Privacy Day?
Update 6: Interviewed by MPR: “Coleman warns donors after data breach”
Update 5: Interviewed on The Rachel Maddow Show, MSNBC
Update 4: Interviewed by MN Independent: “Coleman’s site wasn’t ‘hacked,’ says IT pro who discovered donor breach”
Update 3: Blog post: “Breaking: Coleman’s unsecured donor database revealed on Wikileaks”
Update 2: Blog post: “Who is Searching Google for Norm Coleman’s Database?”
Update 1: Wikileaks.org is putting Norm Coleman’s business out on the Internet.
Curious, I wanted to see where the domain was currently pointing. I used OpenDNS.com’s cache check to identify the current IP address of 220.127.116.11 and then loaded that address into my web browser.
I had to see what all the fuss was about. Was there really an attempt to bring down the website due to political unrest with these ballots in my state? Were the allegations of a poorly coded website true?
What I got instead was a plain text listing of directories…
The Database of Norm Coleman
Wowza. As I was tooling around in the directories, I saw a database file. I thought, “That’s not right.” I began taking screenshots and uploading them to Flickr. I didn’t know what the database contained but hoped there wasn’t financial information in that database. I figured it was a list of email addresses for Norm Coleman supporters and staff, but I did not download it to find out. Did you download the database?
There is a technique known as “Google Hacking” where you search for files that people have left on web sites and FTP areas with names like “passwords.txt” or “backup.tar.gz”. Eeek! Backups should be stored above the “root” folder that is shared out to the internet. This database was showing up because the server located at http://18.104.22.168 was not configured to restrict directory listings from the web.
All photos are licensed under Creative Commons.
Norm Coleman database photos on Flickr
I began posting links to the photos on the blogs of the Minnesota Independent and Minpublius to bring awareness to what I had found. Would I have done the same if this were a Democrat? Probably. For me, it’s about computer security and data privacy, not about political affiliation.
You can become Norm Coleman’s Website Admin
I will give them the benefit of the doubt and assume I was only able to get here because the website is not functioning. Below you can see that I could enter an email address, name and password and if this site was working, it would create an administrator in the database. I found similar files to edit and delete records as well. Being able to write to the database like this from a form should require an authenticated and active session but I can’t see the code so I don’t know.
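The check the paragraph above asks for, as an added example and not the Coleman site’s code (which is not public): a minimal admin-creation handler written two ways. `create_admin_unchecked` mirrors the pattern described, where anything that can submit the form gets an administrator row. `create_admin_checked` refuses unless the request carries a session that maps to an existing, active administrator and the form returns a session-bound anti-CSRF token. The request and session shapes, the `users` table and the PBKDF2 settings are assumptions for the demonstration.

```python
"""Added example: admin-creation handler without and with a session check.
The users table, form/session dicts and hashing parameters are assumptions."""
import hashlib
import hmac
import os
import sqlite3


def open_db():
    """Constructed in-memory user table: one active admin (id 1) and one disabled admin (id 2)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, name TEXT, "
        "pw_hash TEXT, salt TEXT, is_admin INTEGER, active INTEGER)"
    )
    db.executemany(
        "INSERT INTO users (email, name, pw_hash, salt, is_admin, active) VALUES (?, ?, ?, ?, ?, ?)",
        [
            ("owner@example.com", "Site owner", "-", "-", 1, 1),
            ("former@example.com", "Former admin", "-", "-", 1, 0),
        ],
    )
    return db


def hash_password(password, salt_hex=None):
    """PBKDF2-SHA256 with a random per-user salt; returns (hash_hex, salt_hex)."""
    salt_hex = salt_hex or os.urandom(16).hex()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), 200_000)
    return digest.hex(), salt_hex


def _insert_admin(db, form):
    pw_hash, salt = hash_password(form["password"])
    db.execute(
        "INSERT INTO users (email, name, pw_hash, salt, is_admin, active) VALUES (?, ?, ?, ?, 1, 1)",
        (form["email"], form["name"], pw_hash, salt),
    )
    return {"status": 201, "created": form["email"]}


def create_admin_unchecked(db, form):
    """The pattern the post describes: whoever can reach the form gets an admin row."""
    return _insert_admin(db, form)


def create_admin_checked(db, form, session):
    """Hardened version: an authenticated, active administrator plus a session-bound CSRF token."""
    user_id = session.get("user_id")
    if user_id is None:
        return {"status": 401, "error": "login required"}
    row = db.execute("SELECT is_admin, active FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None or row != (1, 1):
        # Unknown user, non-admin, or a disabled admin account: all refused.
        return {"status": 403, "error": "active administrator required"}
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        # A form posted from elsewhere cannot know the token tied to this session.
        return {"status": 403, "error": "CSRF token mismatch"}
    return _insert_admin(db, form)


def admin_count(db):
    return db.execute("SELECT COUNT(*) FROM users WHERE is_admin = 1").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    form = {"email": "new@example.com", "name": "New admin", "password": "correct horse", "csrf_token": "tok"}
    print(create_admin_checked(db, form, {}))                                  # 401
    print(create_admin_checked(db, form, {"user_id": 1, "csrf_token": "tok"}))  # 201
    print("admins:", admin_count(db))
```

The deciding line is the `SELECT` on the session’s `user_id`: the privilege comes from a row the server already trusts, never from anything in the submitted form. The same guard belongs in front of the edit and delete scripts the post mentions.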
Indexing of directories is turned on
This is a security risk. I would hope they have .htaccess files in place to restrict access to the admin directory and that index listings are turned off for the current site.
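An audit a site owner can run offline against their own document root, covering both the backup-in-the-webroot problem from the “Google Hacking” paragraph and the directory-indexing point made here. This is an added example, not code from the post or from the Coleman site. It walks the public folder, flags files whose names look like dumps or backups, and flags directories that could be listed because no inherited `.htaccess` turns indexes off or denies access and there is no index file. The file-name patterns, the handful of directives recognised and the constructed sample tree are assumptions; real servers may set these in httpd.conf instead (hence the `global_indexes_off` switch).

```python
"""Added example: offline audit of a web document root for web-reachable
backup/database files and listable directories. Patterns and recognised
directives are assumptions; the sample tree is constructed for the demo."""
import os
import re
import tempfile

# Names that usually mean "this should never be under the public folder".
SENSITIVE_NAME = re.compile(
    r"(\.(sql|sqlite|db|mdb|bak|old|orig|tar\.gz|tgz|zip)$)|(^(backup|dump|passwords?)\b)",
    re.IGNORECASE,
)
# Apache directives this demo understands; both inherit down the directory tree.
INDEX_OFF = re.compile(r"^\s*Options\b.*-Indexes", re.IGNORECASE | re.MULTILINE)
DENY_ALL = re.compile(r"^\s*(Require\s+all\s+denied|Deny\s+from\s+all)\s*$", re.IGNORECASE | re.MULTILINE)


def htaccess_text(directory):
    path = os.path.join(directory, ".htaccess")
    if os.path.isfile(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    return ""


def audit_webroot(webroot, global_indexes_off=False):
    """Return a sorted list of (issue, path-relative-to-webroot) tuples."""
    webroot = os.path.normpath(webroot)
    effective = {}  # directory -> (indexes_off, denied), inherited from parents
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):  # top-down: parents first
        parent = effective.get(os.path.dirname(dirpath), (global_indexes_off, False))
        rules = htaccess_text(dirpath)
        indexes_off = parent[0] or bool(INDEX_OFF.search(rules))
        denied = parent[1] or bool(DENY_ALL.search(rules))
        effective[dirpath] = (indexes_off, denied)
        rel_dir = os.path.relpath(dirpath, webroot).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        has_index = any(f.lower().startswith("index.") for f in filenames)
        # No index file, listings allowed, access not denied: the "plain text listing" case.
        if not (indexes_off or denied or has_index):
            findings.append(("directory listing possible", rel_dir or "/"))
        for name in filenames:
            if SENSITIVE_NAME.search(name) and not denied:
                findings.append(("sensitive file web-reachable", f"{rel_dir}/{name}" if rel_dir else name))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample tree (not a real site) exercising each branch of the audit."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.php": "<?php echo 'home'; ?>",
        "backup/site_backup.sql": "-- constructed dump",          # listable dir + dump file
        "admin/.htaccess": "Require all denied\n",                  # fully denied: no findings
        "admin/create_admin.php": "<?php /* admin tool */ ?>",
        "uploads/.htaccess": "Options -Indexes\n",                   # inherited by uploads/old
        "uploads/photo.jpg": "",
        "uploads/old/passwords.txt": "constructed",                 # no listing, but still reachable
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    os.makedirs(os.path.join(root, "logs"))                         # empty, listable
    return root


if __name__ == "__main__":
    for issue, path in audit_webroot(build_sample_webroot()):
        print(f"{issue:32} {path}")
```

Two caveats the output makes visible: turning indexes off hides the listing but does not make `uploads/old/passwords.txt` unreachable if its name is guessed or indexed by a search engine, which is why the `admin` directory, with access denied outright, is the only one that produces no findings; and a directory with an index file produces no listing finding even though files inside it remain reachable by name.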
Website errors show you configuration file locations
You see errors like this a lot on Joomla websites when there is a problem connecting to the database, a permissions issue on a file, or missing files; the error message prints the full path of the configuration file it was trying to read.
Missing log files
This directory is empty. It doesn’t mean there are no log files (deleted?)
Site is down again
So, the site is being reported by OpenDNS.com as down again and I am getting the same info at DNSStuff.com too.
The moral of the story is that you should hire computer and website professionals who understand technology. You should plan and develop a strategy for downtime and problems. Don’t put all your eggs into one basket with one website programmer. If he or she is hit by a truck (or something goes wrong on the website), you have no recourse to help you.
Resources to protect your data
Minnesota Law on Data Security Breach Notification, Statute 325E.61 – This describes what needs to be lost for a company to notify you and how they must go about doing it. Unfortunately, it seems a company can lose your full name, address, income, number of children and previous purchases BUT not be required to tell you. (Disclaimer: I am not a lawyer)
Data Security Breaches in the US 2005, 2006, 2007, 2008, 2009 – Check to see if a school you attended, a doctor you saw, an employer, your local Veterans office, your bank, your utility company, your library or even a hotel you stayed at is listed here.
Resources for website security
The Importance of Web Application Scanning – Acunetix makes an application that can scan websites for vulnerabilities. There is a free version that will check for XSS (Think back to when Barack Obama’s website redirected to Hillary Clinton’s).
3 Common Website Security Problems – This article from Georgetown University summarizes how issues on Norm Coleman’s site could have been addressed before “Crashgate”, especially this one on unsecured files and databases:
Unsecured files and databases
When setting up your web site or application, make sure that any files that contain data that is not intended to be public (such as information about people) are not located in public web folders. Do not place such files in folders with the belief that because you are not linking to them, a user cannot find them.
- Files (such as Access databases) that are datasources for your application must be located in a non-web-accessible folder (the web_datasources folder in your hosting account).
- Other files that contain data used by the application should also be located in a non-web-accessible folder.
- Other files that contain non-public information should be placed in a folder that is access restricted using a .htaccess file or other web server access restriction.
Update 12:12am 1/29/2009
Folks, the directory listing for colemanforsenator.com has been replaced with a login box. But…we know what’s behind the curtain now.
Update 5:40pm 1/29/2009
Stay tuned for video posting from the 1/29/2009 lifestream:
“Norm Coleman’s Database”
- why the database was available
- what it contained
- how website developers and companies can work to prevent this from happening
- and take questions from viewers
Update 11:11pm 1/29/2009
Number of hits to the post: 54
Photo stats for the post:
- I wonder how much user information is in this database at colemanforsenate.com? 1,458 views
- You can become Norm Coleman’s Website Administrator at colemanforsenate.com 290 views
- The database contains social security numbers
- The database contains credit card information (POST data)
Update 6:54pm 1/30/2009
Number of hits to the post: 610
In-Progress Video of “Norm Coleman’s Database: What Happened and Why”
Post picked up on:
Politics in Minnesota – Epic recount website fail: One Dot One Dot One Dot One
Thanks to Ben for picking out the incorrect use of “then” when I should have used “than” in the header “What’s worse than losing a Minnesota Senate race?”
FYI: If you enter a fake looking email address with your comment, I will probably not approve it. If you want to share something with me offline, use the contact page. Thanks!
Question from Dennis
What does “Awaiting Moderation” mean? Where’s my comment?
I did not publish your comment because there was NOTHING technical in it. I have published comments that:
* indicate how they feel about the info being released
* indicate how they feel about what I did as an IT person doing this
* ask questions related to the technology aspect of the Norm Coleman database
* share personal stories on how this affected them
* thank me for my efforts
* support me for taking initiative
* judge, criticize and blame me for making the wrong choice
If you just want to harp on Democrats vs Republicans and Norm Coleman vs Al Franken, you should go to a political blog and do that.
Did interview with PJTV, conservative focused online media site (PajamasTV)
Article at ChannelWeb, Serious Security Flaw Discovered In Less Than 2 Minutes On U.S. Senator’s Web Site
Excerpt from resume of website developer who created Colemanforsenate.com website:
* Developed a custom content management system from the ground up in PHP
New Video is up! Live: Coleman Question and Answer after The Rachel Maddow Show 3/14/2009 12:45am CST
Blog post at MN Independent: “Coleman donors express ‘extreme anger,’ fear, worry after breach”
YouTube video: How I Found Norm Coleman’s Website Database in 2 Minutes
Best quote to me on the phone: “I just hung on the secret service to talk to you” — unnamed reporter
Lifestream video: I explain what went wrong and answer questions about Norm Coleman’s website