1. Industry
Send to a Friend via Email

Your suggestion is on its way!

An email with a link to:

http://bizsecurity.about.com/b/2009/03/17/norm-coleman-v-adria-richards.htm

was emailed to:

Thanks for sharing About.com with others!

Norm Coleman v. Adria Richards

By March 17, 2009

Follow me on:

Your Business Security Guide has no interest in taking political sides on this issue; that task will be willingly shouldered by an army of bloggers and reporters from left to right. However, I will continue to follow this story from a security standpoint, as it raises some interesting, critical issues about security, law, and ethics. To bring you up to date, here is a quick review of the situation as it now stands.

The Players

Norm Coleman: Former Minnesota Senator, currently embroiled in a legal battle over his apparent photo finish election loss to Al Franken.

Adria Richards: IT pro who exposed an unprotected donor data base stored on Norm Coleman's website. But says she did not download any information.

Wikileaks: A website devoted to "untraceable mass document leaking," which posted a copy of the donor database on its website (with credit card numbers partially removed).

On-line Donors to Coleman's Campaign: The big losers in this story. 4,700 of them have had their financial data strewn around the Internet since January.

The Story So Far ...

January 28: The Norm Coleman campaign reports a website crash. They claim that a spike in traffic, caused by a rush of voters seeking information about the contested election, brought the site to its knees.

On the same day, IT consultant Adria Richards, suspicious that the crash may have been faked, pokes around the Coleman website for information. She claims to have reached an unprotected database through her web browser. To substantiate her claims she captures screen shots of the directory and posts them to her blog and Flickr page. She maintains that she did not download any information from the site.

Meanwhile, the Coleman campaign suspects that their website has been hacked, and initiates an investigation. They claim to find no evidence of files being downloaded, and decide not to alert anyone on their donor list.

March 10: Coleman donors receive emails from Wikileaks, telling them that

“We have discovered that all on-line Coleman contributors had their full credit card details released onto the Internet on 28 of [January], 2009, by Coleman’s staff.”

They further allege that the Coleman campaign knew about the leak, but failed to act.

March 11: In an email, Campaign Manager Cullen Sheehan responds as follows:

"We contacted federal authorities at that time, and they reviewed logs from the server in question as well as additional firewall logs. They indicated that, after reviewing those logs, they did not find evidence that our database was downloaded by any unauthorized party.

Let me be very clear: At this point, we don’t know if last evening’s e-mail is a political dirty trick or what the objective is of the person who sent the e-mail.

What we do know, however, is that there is a strong likelihood that these individuals have found a way to breach private and confidential information."

The Moral of the Story (So Far ...)

Nothing is private on the Internet.

Comments

March 25, 2009 at 6:24 pm
(1) Jon B. - Minneapolis MN says:

Stating that they reviewed the logs and determined that no one downloaded the database is either a bold faced lie, or gross incompetence on the part of the Coleman campaign. At that point, Wikileaks had already downloaded the database in its entirety and checking the logs for something like that is extremely simple. They were using a PHP based site running on an apache server which logs requests of EVERY file in a log. Simply opening this file in a txt editor and searching for “database.tar.gz” would have shown them everyone who downloaded it and when.

February 23, 2012 at 2:43 am
(2) Padman says:

So Richards publicized a security hole instead of contacting the site. How dare she call herself an IT professional. If this wasn’t a political site, but a site for helping orphans would she have done the same thing?

Leave a Comment


Line and paragraph breaks are automatic. Some HTML allowed: <a href="" title="">, <b>, <i>, <strike>

©2014 About.com. All rights reserved.