Norm Coleman’s campaign spokesman Cullen Sheehan suggested in an e-mail sent to supporters this morning that Wikileaks.org’s publication of the campaign’s donor database — including donors’ credit card numbers and the three-digit security codes for those cards — is the work of politically motivated people who have “found a way to breach private and confidential information.”
Sheehan hinted that the leak might be a work of political sabotage: “We don’t know if last evening’s e-mail is a political dirty trick or what the objective is of the person who sent the e-mail.”
MinnPost’s Joe Kimball echoed Sheehan’s notion that the database was hacked, writing this morning that “some hackers (Web enthusiasts, [the Minnesota Independent] calls them), apparently discovered that list.”
But the database was not revealed by hackers, according to IT professional Adria Richards, who was the first to share news of the unprotected file in late January.
“It’s not hacking,” she said. “I didn’t use any hacking tools. A browser was my tool.”
Richards said she discovered the database by entering colemanforsenate.com into OpenDNS’ cache-check tool, which gave her an IP address where the Web site lived.
Simply copying that address into a Firefox browser revealed the Web site directories for colemanforsenate.com.
Richards didn’t download the database herself, but she posted a screen capture of what she’d found online after she made the discovery. An IT consultant for 10 years, she published her findings on her blog to educate others about the risks of improperly managed websites, she said.
“All you needed was a Web browser,” she said. “It’s like I walked over to Norm Coleman’s house and saw his door was open, took a photo of the open door and posted it on the Internet.”
Richards began her digging when sites like MNpublius and the Minnesota Independent started questioning a Coleman campaign assertion that its Web site crashed because of a traffic overload on a searchable database of voters “disenfranchised” in the U.S. Senate election that pitted Coleman, the Republican incumbent, against Democrat Al Franken.
The campaign’s claims about the crash have been discredited, but Richards said she “noticed there was a bigger issue at hand than the site being down.”
She said she’s interested in Internet security, not in attacking Coleman, adding that she’d raise the same issues if anyone else, even a close friend, had the same type of Web security issues.
At least one local Web developer has downloaded the database from the Coleman site, which seems to contradict a Coleman campaign statement that no “unauthorized party” downloaded the database. That person won’t speak on record for fear of prosecution by the Coleman campaign.
I clicked on the link to the database, which was provided by an anonymous commenter (not Richards) at MnIndy, but didn’t proceed to download the contents.
What if I had? Would I be a hacker, to use Kimball’s term?
“That’s not hacking,” Richards said. “If you can download Firefox from Firefox.com — if you download a picture from your grandma, you’re downloading a file. Is that hacking? Five-year-olds can download files.”
Further, she said she wonders why the Coleman campaign brought in federal authorities to see if there was a security breach, as Sheehan told supporters in this morning’s e-mail.
“[Team Coleman's] traffic records should, could and would show if someone downloaded the file,” she said. “You don’t need the FBI to figure it out. Even Google Analytics show you what files people downloaded.”
She’s also skeptical about the campaign’s comment about federal authorities checking the Coleman site’s firewall. A firewall typically is used to grant or deny access to a server or network, not a database on a Web site.
The Coleman campaign has not yet responded to requests to clarify these issues.
29 Comments »
Comment posted March 11, 2009 @ 1:47 pm
If you’ve watched any of the election contest at theuptake.org, you’d know that the Coleman team knows absolutely nothing about databases so it isn’t a stretch to realize they probably don’t know anything about firewalls and websites either.
Comment posted March 11, 2009 @ 2:05 pm
I’m very happy to read a news article that talks about technology in terms of facts, not uninformed scare tactics. Those ignorant about technology try to protect their ignorance by demonizing those who are even mildly competent with it. Thank you for this article and for open and honest discourse, MN Indy.
Comment posted March 11, 2009 @ 2:22 pm
Well what can they say? “It was our fault all of this sensitive info was so easily accessible. We admit full liability, please sue the living hell out of us?”
Comment posted March 11, 2009 @ 3:52 pm
I remember when that happened. I went to the site to look around. I’m no IT professional, but I was amazed at how little security there was on the site. I had access to view all their directories and contents.
Comment posted March 11, 2009 @ 4:04 pm
Probably they fired anyone who knew anything and only the lawyers and the stupid were left. Thems the breaks pal, when you get rid of staff shut down your site, don’t think the stuff runs itself.
Comment posted March 11, 2009 @ 4:05 pm
Joe Lieberman did something similar when he ran for re-election in 2006, claiming his Democratic opponent had sabotaged his website when in fact Lieberman knew that it crashed as a result of shoddy programming and poor maintenance.
Comment posted March 11, 2009 @ 4:07 pm
MN Post is a bunch of people trained to burp up the same old lies from the corporate powers. How many big scandals have they broke? Oh yeah, none.
Comment posted March 11, 2009 @ 4:35 pm
@cliff Um… yeah.
Comment posted March 11, 2009 @ 5:29 pm
Google Analytics couldn’t tell you if the file had been downloaded, it can only tell you if pages on the site with the analytics code on them (as Javascript) have been accessed.
However, a review of the site’s web server logs would reveal the information, so the comment is basically correct.
Also, if it is true that the credit card numbers and 3 digit codes were exposed in plaintext that is a huge violation of PCI compliance rules and they should be in hot water with their credit card processor.
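The log review that Richards (in the article) and the comment above both point to, as an added example that is not part of the article, any comment, or the campaign's records: it reads web server access logs and reports which clients actually received the body of an exposed file, and which were served a directory listing. The "combined" log format, the path `/db/export.sql`, the file size and all addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format (assumed; the page names no server).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines; path, sizes and addresses are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2020:21:14:02 +0000] "GET / HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2020:21:14:30 +0000] "GET /db/ HTTP/1.1" 200 912 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jan/2020:08:01:11 +0000] "GET /db/export.sql HTTP/1.1" 200 5242880 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jan/2020:09:12:40 +0000] "HEAD /db/export.sql HTTP/1.1" 200 - "-" "curl/7.19"
203.0.113.9 - - [02/Jan/2020:10:30:00 +0000] "GET /db/export.sql HTTP/1.1" 206 1048576 "-" "Wget/1.11"
203.0.113.9 - - [02/Jan/2020:10:30:09 +0000] "GET /db/export.sql HTTP/1.1" 206 1048576 "-" "Wget/1.11"
192.0.2.44 - - [02/Jan/2020:11:00:00 +0000] "GET /db/export.sql HTTP/1.1" 403 199 "-" "Mozilla/5.0"
not a log line
"""

SENSITIVE = (".sql", ".bak", ".csv", ".zip")
FILE_SIZE = 5242880  # assumed on-disk size of the exposed file, in bytes

def find_downloads(log_text, suffixes=SENSITIVE, file_size=FILE_SIZE):
    """Return {ip: {"bytes": n, "verdict": "full"|"partial"}} for body transfers."""
    sent = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        path = m["path"].split("?", 1)[0].lower()
        if not path.endswith(suffixes):
            continue
        # Only GET with 200/206 moves file content; HEAD and 403 do not.
        # 206 (range) responses are summed per client as a heuristic.
        if m["method"] != "GET" or m["status"] not in ("200", "206"):
            continue
        sent[m["ip"]] += 0 if m["size"] == "-" else int(m["size"])
    return {
        ip: {"bytes": n, "verdict": "full" if n >= file_size else "partial"}
        for ip, n in sent.items() if n > 0
    }

def listing_requests(log_text):
    """Client IPs that got a 200 for a directory URL (possible index listing)."""
    hits = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["status"] == "200" and m["path"].endswith("/") and m["path"] != "/":
            hits.add(m["ip"])
    return hits
```

Summed 206 sizes can overcount when ranges overlap, so a "full" verdict for a ranged client is a lead to confirm rather than proof.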
Pingback posted March 11, 2009 @ 6:45 pm
[...] MN: Coleman’s site wasn’t ‘hacked,’ says IT pro who discovered donor breach http://minnesotaindepend…-discovered-donor-breach [...]
Comment posted March 11, 2009 @ 8:51 pm
COLEMAN *CYA/coward — leaves loyal donors in the DARK (& in the LURCH!)
Coleman has the moral rectitude of a flea (apologies to fleas). He could have alerted his donors (by private email) back in JAN when the hack was first suspected; or he could have issued a public press release alerting EVERYONE of the campaign’s concerns. BUT: (per usual) he was more concerned with CYA (his own) than with the thousands of HIS loyal donors. Coleman has a new moniker (COWARD). Once again, instead of alerting his donors PRIVATELY (by email) since he now NEEDS a DISTRACTION, Coleman comes public BLAMING his opposition. (Like Franken needs Coleman donors to make a buck). It’s worth noting that Coleman donors (*those STILL supporting the coward after THIS latest fiasco) DESERVE whatever happens to their financial data. Imagine if people all over MINNESOTA began ORDERING PIZZAS, CABS, SNOW PLOWING, etc … You’d HAVE to be a conservative Republican NOT to find all this amusing. Maybe Rush will make-up for any losses out of the generosity of his OVERLY-Large HEART.
Comment posted March 11, 2009 @ 11:00 pm
Target Corporation Chief Financial Officer Douglas Scovanner contributed $2,300 on 12/26/2008 – Merry Christmas Norm.
Comment posted March 12, 2009 @ 12:40 am
I remember when this was first posted to her blog, anybody could see the list… but then it got blocked. The Coleman Team simply set up some unknown DNS while simultaneously ‘making-up’ some story, although they probably thought they were truly being hacked!
Comment posted March 12, 2009 @ 12:47 am
The stink from Coleman’s actions is starting to be smelled from a long way away now. Not only is he (and the Republican party) using every dirty trick in the book to stop an elected senator from taking his seat, he’s now guilty of attempting to hide a serious data breach. Of course, being a well heeled and well connected Republican, I doubt anything will happen.
Comment posted March 12, 2009 @ 3:13 am
@busse
I disagree, Google Analytics can track file downloads
http://www.google.com/support/googleanalytics/bin/answer.py?hl=en&answer=55529
“Google Analytics provides an easy way to track clicks on links that lead to file downloads.”
That link is a bit technical so here are some more “lay” explanations of how to track downloaded files with Google Analytics:
http://www.goodwebpractices.com/roi/track-downloads-in-google-analytics-automatically.html
http://www.advanced-web-metrics.com/blog/2008/06/08/updated-tracking-script-for-gajs/
In addition to Google Analytics, there are many visitor traffic log utilities you can run on a webserver including Urchin, Awstats and several others will suffice.
Comment posted March 12, 2009 @ 7:32 am
So it’s OK to steal if it is easy? Nice.
Pingback posted March 12, 2009 @ 9:05 am
[...] Coleman is calling it “chilling” and “scary,” a closer look shows that the disclosure of names and credit card information of Coleman campaign donors on the internet is the fault of no one but … the Coleman campaign, which violated basic on-line security [...]
Comment posted March 12, 2009 @ 9:05 am
I see only two ways to interpret this:
1. The Coleman folks are technically retarded, and should not be allowed near any sensitive security related situations, i.e. the U.S. Senate.
2. This is a classical Republican/Karl Rove tactic. Rove is known for faking a break-in at one of his politician’s offices to help his candidate win a close race.
Comment posted March 12, 2009 @ 9:38 am
Very interesting article. The part of the story (other than the Google Analytics bit which has been mentioned) that seems a little strange is the part about the OpenDNS cache-check tool. I don’t know what using that tool would have to do with getting the IP address of the website. Would a simple PING have worked?
I’m amazed at how many mistakes would have to be made to allow this kind of security breach. Just off the top of my head they must have:
Misconfigured the web server so it only served the page when requested by domain name, not IP.
Misconfigured the web server to allow anonymous directory browsing.
Misconfigured the web server root in such a way that the database was underneath it
Comment posted March 12, 2009 @ 9:40 am
Mr Coleman looks sick to me, if he can’t control credit cards he should shut his mouth even MN people say he is sorry loser and he still is a fraud on $75000 he got from tx wrong against the law he will be charged with that as soon as this BS is over with, He is useless and a big cry baby if tables were turned he would still be a TOP jerk don’t need that in senate have enough JERKS hahah
Comment posted March 12, 2009 @ 10:24 am
What is the funniest about the campaign making a HUGE deal out of this, is that it appears the database included the 3 digit security codes. This is flatly against the PCI-DSS (3.2.2) standards for credit card processing. These 3 digits are supposed to only be transitory and NEVER retained by any application processing credit cards. They have opened themselves to significant fines by VISA, MC, etc, as well as, MN statute restitution for anyone whose card was breached. Someone should be shining the light on THAT incompetence, as well as, the web security aspect.
The 12 aspects of the PCI-DSS (with violations highlighted) are:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data (VIOLATED)
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters (password? What password? VIOLATED)
Protect Cardholder Data
Requirement 3: Protect stored cardholder data (VIOLATED)
3.2.2 Do not store the card-verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.
Requirement 4: Encrypt transmission of cardholder data across open, public networks (not having seen the data, I cannot state absolutely, however, it does appear VIOLATED)
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications (VIOLATED)
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know (VIOLATED)
Requirement 8: Assign a unique ID to each person with computer access (VIOLATED)
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data (clearly VIOLATED)
Requirement 11: Regularly test security systems and processes (again, clearly VIOLATED)
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security (again, VIOLATED)
Comment posted March 12, 2009 @ 11:51 am
Oh wow another republican that doesn’t know anything about the internet???? Didn’t see that one coming
Pingback posted March 12, 2009 @ 6:19 pm
[...] Imagine if Al Franken’s campaign, as opposed to Norm Coleman’s, had now been found to have disclosed the names and credit card numbers of their donors on their own website, where they also inappropriately stored the unencrypted three-digit security codes of contributor credit cards, violated state law by failing to notify anybody about it, and then lied about it. [...]
Pingback posted March 13, 2009 @ 5:56 pm
[...] IT and web-security professionals interviewed by The Minnesota Independent and other media outlets, the site wasn’t hacked. Minneapolis-based IT consultant Adria Richards, who first discovered the database Jan. 28, said [...]
Comment posted March 15, 2009 @ 12:09 am
So, Coleman and his campaign are not lying, just speaking about things they don’t know enough about to state the truth? That does not explain their paranoia and false accusations though.
Comment posted March 16, 2009 @ 12:14 am
I have been following the Coleman/Franken action for months now. This paper’s news item (above) turned up in a link on theregister.co.uk; see http://www.theregister.co.uk/2009/03/12/colman_database_leaked/ for a full IT-angled POV+frame-of-reference.
Occasionally salty comments too. Modern Brits can be right acerbic with both grace and style when pressed/exasperated.
The thing that strikes me with this particular chain of events is all the comments I have read to the effect that “Republicans Just Don’t GET InfoTech”, “They just don’t understand computers” etc. This is a sharp contrast from thirty-odd years back. Remember Reagan’s upset taking of the White House, anyone? At *THAT* time, it was bruited about in the (still non-consolidated American news press, pre-Internet) that the Repubs had taken the field because they were “good with computers while the Democrats are still stuck on recipe cards for their contact lists” and similar punditry to that effect.
One thinks of petards and the hoisting of their owner(s) thereon. Also of hubris – have not the Gods made this Coleman fellow and quite some few others of his high-handed ilk more than a little mad, of late?
BTW, http://www.politicalcompass.org will help one to QUICKLY understand the *entire* sociopolitical “leadership spectrum” as well as where one fits on it one’s self. World leaders are mapped-out by laftright (”X” Axis) and libertarian/anarchistAuthoritarian (”Y” Axis) on a gridded color-keyed background.
I took the test. IMHO, we NEED MORE GANDHIS and DALAI LAMA TYPES for the sake of BALANCE; the site’s distribution-map makes that much quite objectively clear at last. But once there, one notices very quickly that there is (thus far) no such animal as a “Libertarian NeoLiberal”(!) Heaven help us all, should any indeed start to show up and THANK YOU CREATOR that we have none of those today. (NO, Norm! Do NOT rebrand yourself that way!)
Comment posted March 16, 2009 @ 12:18 am
Oops. Double out-facing angle brackets do not render as text here. Apologies. Should read “left/right and Libertarian/Authoritarian”, not all run together like it came out. (Just go there anywho…)
Comment posted March 17, 2009 @ 10:41 pm
Ahh, poor Norm Coleman, the eternal victim. Those evil techno-hacks are interfering with his noble effort to keep the winner of an election from receiving an election certificate and (God forbid) voting with the Democratic majority in the United States Senate.
Wasn’t noble Norm the guy who turned his campaign into a war against the working class with his “card check” commercials and all the financial help from those right-wing lobbying groups? The same Norm whose handlers manufactured the phony “Enraged Franken” commercial that was actually Al speaking at the Wellstone memorial service?
It’s all about karma, Norm. You’re finally getting yours.
Comment posted March 31, 2009 @ 9:24 am
With a breach this serious, in this day and age, I am left with 2 exceedingly simple questions:
1) Isn’t this a violation of the USA-Patriot Act? (EVERYTHING ELSE SEEMS TO BE)
and… Wait for it…
2) Norm Who??