Coleman camp’s claim about January data breach is ‘bullshit,’ tech expert says

By Paul Schmelzer
Friday, March 13, 2009 at 3:56 pm
Bruce Schneier (Wikipedia)

Norm Coleman’s attorney, Fritz Knaak, stated Thursday that the campaign had “a high degree of confidence” that the late-January exposure of its unprotected donor database didn’t result in the loss of sensitive data. A day earlier, Knaak initially leveled the claim, noting that Secret Service investigators looking into the database breach “did not discover that any individual had been able to obtain confidential, personal financial information.”

But this week’s news that Wikileaks.org had obtained the 4.3 gigabyte database casts doubt on that statement — and so does Bruce Schneier, the Twin Cities-based technology expert dubbed a “security guru” by The Economist. Reached by phone at a Washington, D.C., technology conference late Thursday, Schneier characterized the campaign’s claim as “complete and utter bullshit.”

“It’s impossible to make that claim,” he said. “Either they misunderstood what the [Secret Service] said or they’re out-and-out lying. How can you determine the absence of something happening?”

The Secret Service has confirmed for the Minnesota Independent that an investigation is under way but said it couldn’t comment on ongoing cases.

Schneier said he didn’t know that IT professional Adria Richards had uncovered the security flaw with no advanced tools, but after learning it from the Minnesota Independent, he said of the Coleman campaign’s tech security: “It sounds like they didn’t have any, if what you’re saying is true. That seems pretty sloppy.”

He noted that it’s correct to call the exposure of the database a “breach,” as the campaign has done. “When someone who’s not authorized does it, we’d consider it a breach.”

But he wouldn’t call what Richards did — find and take a screen capture of an unprotected public Web directory — hacking.

“It’s not like it’s skilled hacking,” he said. “If I walk into an open door and steal a purse, am I cat burglar? … It’s not in the fine tradition of hacking because it took not a lot of skill. I wouldn’t use the term, but others might.”

He acknowledged that the law surrounding online security is “squirrely.” For instance, he said he’s unclear on whether viewing the unprotected Web directory, which existed for a few hours on Jan. 28, could be considered a criminal act, or whether this reporter could be prosecuted for clicking a direct link to the database that was left in comments in January at Minnesota Independent. (For the record, I didn’t download the file.)

“This law is still evolving, and some of it is really stupid,” he said. “People have been convicted for this. … It’s possible you would’ve been prosecuted.”

The exposure of the donor information, which included credit card numbers and three-digit security codes for them, is big news, he said, mainly because it involves a former U.S. senator who’s now locked in a political battle to regain his seat.

But he says such breaches — and mistakes about security for sensitive information — happen all the time.

“Companies do this, governments do this again and again and again,” he said. “While they definitely should know better, we’ve learned repeatedly that organizations don’t know better. It’s not, ‘Oh, God, look what they’ve done!’ It’s more: ‘Oh. It happened again.’”

“This could’ve happened to anybody – and it does.”

7 Comments

PJN2112
Comment posted March 13, 2009 @ 4:10 pm

If, as Schneier says, “People have been convicted for this. … It’s possible you would’ve been prosecuted.” with regards to simply clicking the file’s link and viewing its contents, then Adria Richards might be at risk. Aaron Landry at MNPublius wrote a post on January 29th that included as an update this:

Adria Richards will broadcast the contents of Coleman’s database at 3:30 PM CT today.


Aaron
Comment posted March 13, 2009 @ 5:48 pm

PJN2112-

I did post that, but I was incorrect. Adria Richards did not broadcast the contents — she just broadcasted what she did and the screenshots as described.


Karen Lee
Comment posted March 13, 2009 @ 5:49 pm

Have you checked Coleman’s campaign FINANCE REPORTS for its web creator culprit?

By law, every expenditure made by a political campaign MUST BE ITEMIZED in their campaign finance reports.
HAS ANYBODY RESEARCHED what firm(s) were used to create the Coleman website as well as monthly monitoring of the Coleman server, etc.?


PJN2112
Comment posted March 13, 2009 @ 6:17 pm

Aaron – Fair enough explanation. Since the link you provided in that update is 404, I assumed that nothing came of it. That won’t stop the partisans on the other side from giving Adria grief. She did mention that the database contained credit card info – So she either found this out via an unmentioned source who passed this revelation on to her or she did indeed open the file. Whatever the case, she kind of plopped herself into the spotlight by reporting what she found – Granted, she did it with a benevolent purpose (to bring the breach to light), she’ll still be a target. Republicans love to torment whistleblowers, especially ones who do their whistling on Progressive sites.


PJN2112
Comment posted March 13, 2009 @ 6:41 pm

Karen:

WHOIS shows that the registrant and admin for colemanforsenate.com has been Brandon Grey Internet Services (dba namejuice.com) since at least May 2008 (the last time the whois was updated).

WHOIS for namejuice.com lists the registrar, admin, and technical contact as Brandon Grey, who is located in Markham, Ontario, Canada.

Granted, just because the domain is registered to a Canadian doesn’t mean that the same individual is responsible for the maintenance of the website – Prior reporting on crashgate mentioned that Coleman’s name servers are located at Minneapolis-based VISI.com, so one could probably assume that Coleman’s website is hosted in VISI’s data center probably on one of their servers which also hosts sites for other VISI clients. VISI’s NOC would be responsible for the upkeep of the server but not for the website – Judging from the problems Norm’s had with his website I think it’s safe to say that he more than likely didn’t hire outside professionals to manage his site (assuming any professional worth paying wouldn’t be quite as careless and stupid about doing their jobs as to leave an archived site backup in the webroot) so it’s likely that someone working directly for the campaign handled the website admin chores. If it’s a salaried employee of the campaign, you wouldn’t find that out from a FEC report.


Tim Barsness
Comment posted March 14, 2009 @ 1:39 pm

Looks to me like Coleman canned his staff and just left the lights on in the website with no one home. Reminds me of the MN Dept. of Vehicle Services doing the same thing: to save money in a Pawlenty state worker cut, all the admins at DVS were canned. When the leg. auditor came by, no recommended security work was done to secure the credit card payment for car plate tabs. There were no people in charge. The site was shut down before any known breach. Made the front page of the old fashioned “newspapers” for a week.

Pawlenty recovered nicely by a no bid cost plus monopoly contract for all state credit card payments through US Bank. His pals all made out great and the campaign money flowed like a Red River flood.

Does not look like that will happen for Norm, just a kick in the pants and maybe jail.


MJB784533
Comment posted March 25, 2009 @ 12:14 pm

The question of whether the site was hacked or if any card data was published on the web is no longer the main point. This information discloses that the Coleman campaign retained the verification code numbers that are usually on the back of the card. The mere fact that they retained these code numbers is itself a violation of Minnesota law AND the agreement contracts with the credit card organizations. Forget about the possible hacking, forget about who might have done or not done it. The fact remains that the retention of these code numbers alone puts the Coleman campaign in violation of the law.

“No person or entity conducting business in Minnesota… shall retain the card security code data, the PIN verification code data, or the full contents of any track of magnetic stripe data,” says state statute 325E.64. “A person or entity is in violation of this section if its service provider retains such data subsequent to the authorization of the transaction.”

