Information Security News mailing list archives

Names, credit card numbers found via city's Web site


From: InfoSec News <isn () c4i org>
Date: Tue, 23 Apr 2002 02:06:19 -0500 (CDT)

http://www.cjonline.com/stories/042002/com_security.shtml

Last Modified: 1:09 a.m. 4/19/2002

By Mike Hall 
The Capital-Journal 

For more than two years, a list of Topekans and their credit card
numbers was available to savvy computer users through the city's Web
site.

When notified Friday, Bill Stephens, the city's Webmaster, removed the
file from the computer that hosts the city Web site.

Stephens was baffled by how the file got onto the computer and even
more baffled by how a man in Redmond, Wash., stumbled onto it.

He said the incident technically would be called a security breach,
but no one browsing the city's Web site would have ever happened onto
the file.

The only way it could be seen via the Internet was for someone to know
the exact name of the file and where to find it on the particular
computer.

Still, the fact that someone did find it proves it was possible.

In fact, the man who found it and reported it to The Topeka
Capital-Journal described the remarkably simple procedure he used and
said others surely have found the file by now, too.

The problem came to light Friday when The Capital-Journal received an
e-mail from Artak Kalantarian, of Redmond.

He provided the exact address of the file, which the newspaper was
able to access. As he said, it was a listing of 500 people, apparently
young people who had at some time signed up for city recreation
programs. Other columns in the table provided the parents' names and
addresses. Another contained four sets of four numbers, a typical
arrangement for credit card numbers.

Sixty-six of the 500 individuals on the list had numbers listed in
that column.

Stephens said those numbers appear to be credit card numbers, but he
couldn't be sure because he didn't know where the file came from.

Stephens was able to determine that the file had been on the computer
since Jan. 3, 2000. He guessed it was a file from another city
computer and appeared to be a list of participants in city recreation
programs. His guess was that, in moving files from an old computer to
a new one, the file might have been misdirected to the computer
hosting the city's site.

Stephens said it was fortunate that the error was found by a man as
conscientious as Kalantarian.

"We need more people who handle information that they stumble upon
like that to handle it in a responsible manner rather than people who
may have come upon some sensitive information and try to take
advantage of it," Stephens said. "I wish there were more folks as
conscientious as that."

Interviewed by telephone Friday afternoon, Kalantarian said finding
the file "was actually pretty easy."

He described a procedure that just about anyone could use with no more
sophisticated software than a Web search engine, which many Web browsers
know how to use and which is free for use on the Web.

Asked if he thought it was likely that others might have found the
file before he did, he replied, "I'm pretty sure somebody else already
has it."

He described in general some techniques and special software used by
sophisticated computer hackers that would be able to find the same
file.

Mike Hall can be reached at (785) 295-1193 or mhall () cjonline com.



-
ISN is currently hosted by Attrition.org
