Cryptosmith

The election may have been last year, but the race for Minnesota’s US Senate seat drags on. Back in January, Minneapolis techie and consultant Adria Richards went to visit the web site belonging to former Sen. Norm Coleman’s campaign – he’s shy about 200 votes and hanging on through court challenges.

What Richards found was a mess. Especially bad: the site did not prevent browsers from listing site directories – a huge security snafu. Richards navigated through the directories and found one with the intriguing title “db” – suggesting database. Sure enough, the directory contained a database that apparently lists Coleman’s political donors.

Richards documented her visit via photos and screen captures and has posted a tour of Coleman’s web site on her blog.

The database was subsequently posted on Wikileaks. The original database contained full names, addresses, phone numbers, and contributed amounts. There were also a ton of credit card numbers, many including the CVV2 numbers.

Many, astonishingly, also included Social Security numbers. This makes me wonder about this database – I have never provided a SSN when sending money to anyone. Why did Coleman’s office have these SSNs?

Wikileaks has posted a redacted version of the files – SSNs are truncated to the last 4 digits, and credit card numbers are omitted. But this seems to be a typical risk of today’s technology: all that information gets tossed about and handled carelessly.

Posted under Security | No Comments »