AN ASTONISHING SECURITY BREACH

Columnist talks about his role in the uncovering of a Web page that contained personal information on 1,000 Toronto-area Internet users

Source: K.K. Campbell, www.kkc.net
Posted on April 21, 2000

There it sat on my Web browser. A list of 1000 credit card numbers. And the name of the owner, where he or she lived, and their phone number.

I've written about these kinds of things for a decade. But never did it hit so close to home. Almost all these people lived in my home town -- Toronto. They were customers of local ISP Internet Direct.

It was so blatant, so open, I suspected the file might be a hoax. If the names and data were real, surely I'd be able to scan that list and find someone in there I knew. So I started slogging through it. And, sure enough, the names started popping up. A person I knew from business. Then a writer I know.

And then a name jumped right out at me: Jack Layton. The Toronto city councillor. He had once been a client of mine -- I had helped a running mate of his (Peter Tabuns) track down an Internet death threat. I knew Layton used Internet Direct. So I called the number listed. I got an answering machine, with the voice of his partner, Olivia Chow (another Toronto city councillor). Yep, this was a real list.

This wasn't something to hold for a weekly column, this was breaking news. I passed it along to the Toronto Star news desk. The story hit the streets on Tuesday, April 11. Star reporter Kelly Gillespie quoted a clearly shocked Internet Direct VP. I felt sorry for the guy, but what are you going to do?

I was tipped off to the unbelievably glaring security breach by Toronto resident Vito Riccio, 26. Riccio attends Sheridan College and is in his third year of computer systems analysis. It's important to note that his studies have nothing at all to do with security analysis. This wasn't some hacker whiz-kid showing off.
What Riccio stumbled upon didn't come through arcane knowledge of computers and networks, but simply the intuitive tricks and tactics of mature Web searching. Things a regular user might try. And there are tens of millions of them out there.

"I had got a new laptop and I was thinking of going away to Hawaii this summer," Riccio says. "I wanted to be able to still connect to my Toronto ISP." His ISP was Internet Direct and Riccio was happy with its service, regularly recommending it to friends.

Internet Direct is now owned by Look Communications. On October 31, 1999, the two merged under the name Look. The stock is traded on the Vancouver exchange. (There are still some confusing branding issues around the merged entity, as in what to call the ISP, etc.)

Riccio had heard that Internet Direct had a "global roaming" connection, called Ipass. It allows subscribers to connect from around the world and keep up on email, etc. -- all at a reasonable price. "But, I went to the site and had a lot of trouble finding anything," Riccio says. "That's probably because of Internet Direct's merger with Look. It's very confusing."

Frustrated at not being able to find anything, Riccio tried the site's own internal search engine. He tried a couple of search terms and ended up on the signup page -- signup.idirect.com. "But there wasn't a connection to Ipass there," Riccio says. "So, on a hunch, I added /ipass/ to that URL, hoping that would get me the info I needed. It didn't."

He stared at the screen, puzzled. It was an "open directory." An open directory, in a Web browser, shows a listing of the files used to build a Web page. It doesn't automatically "load" them so the user sees a graphical interface. Most directories do that: a default page loads and you never get to see the files "behind the screen." This directory showed a bunch of html files with names like error.htm, mydirectsignup2.htm and response.htm. Nothing about Ipass signup. There was one sub-directory called "admin."
Riccio clicked on it, hoping a default HTML page would finally pop up. Instead, he found another open directory, this one with only a single file in it. The file was called ipass.txt. It was 188k in size and last updated on April 4. It contained a text list of some 1000 names -- along with their home addresses, their phone numbers, and their credit cards. Presumably, these were Ipass subscribers.

Riccio puzzled over what to do, but acted responsibly by emailing the company about the problem. He sent the company an email late on April 5. It read, in part:

"Recently while surfing your web site I came across a file containing over *one thousand* names, addresses, telephone numbers and credit card numbers. I am really quite disturbed that this information is available in a publicly accessible area of your web site. The last time I checked it was still there. This is a quote from your Privacy Policy: 'Your privacy is important to us... We will keep your personal information in secure data storage in order to safeguard it from unauthorized access.'

"Having regularly purchased online merchandise and never questioning the security of my personal information, I am quite disturbed that an ISP -- one that hosts and develops "secure" e-commerce websites for their clients -- does not have a secure site of their own. Please advise me on how you plan to correct this problem."

He sent it to pr@idirect.com. That bounced. So he sent it to business-security@idirect.com. That didn't bounce. So he assumed someone got it.

And, the next day, something changed. The signup.idirect.com/ipass/ directory was still open -- that is, a default html page didn't automatically load in the browser. But, now the admin directory was inaccessible. No one could get in. Riccio was disappointed no one had replied to him, but figured someone was working on the case.

Then, on Monday, the admin directory was open to the world again. This time, Riccio contacted me, asking for advice on what to do.
My first move was to warn him to be careful. Corporate lawyers have been known to attack the messenger bearing this kind of news, sometimes attempting to make it look like he or she is a hacker, etc.

However, something had to be done. These kinds of security gaffes are all too common and they are usually swept under the carpet, away from media and public scrutiny. This kind of "security as an afterthought" mentality isn't going to stop unless these instances are made brutally public. I'm sorry to see the Look-Idirect gang caught in such a mess, but it doesn't mean they shouldn't act as a local lightning rod for public disgust with the ongoing, shoddy security practices surrounding ecommerce. These things just keep setting ecommerce back.

That data should not have been even sitting on a public Web server at all, let alone left wide open like that. And think about the value of that list. These are people who travel in business and pay for the luxury of global roaming. Those credit cards undoubtedly had some heavy credit limits. That one file probably held $1 million in credit. If Riccio was not an ethical person, that list of home phone numbers and credit cards would be circulating through underground email lists right now, a permanent part of its "data inventory."

Audit your systems for security, damn it. Before you become the next "example."
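Two things in this column are worth turning into a check a practitioner can run: recognising a server-generated "open directory" listing (the /ipass/ and /ipass/admin/ pages Riccio hit) and confirming that a text file found behind one actually holds card numbers rather than, say, phone or account numbers. The script below is an added example for this page, not code from the column, the Toronto Star or the ISP. The HTML listings and the four customer records in it are constructed to mirror what the column describes; nothing was fetched from idirect.com, and the card numbers are the published Visa, MasterCard and Amex test numbers.

```python
"""Spot open directory listings and scan exposed text for card numbers.

Added example for this column; not code from the original page, from the ISP
or from the reporter. The HTML and the customer records below are constructed
to mirror the listings the column describes. Nothing was fetched from idirect.com.
"""
import re
from html.parser import HTMLParser

# Titles and headings emitted by common autoindex implementations: Apache
# mod_autoindex and nginx use "Index of /path"; IIS directory browsing uses
# "<host> - /path/". Matched case-insensitively against the response body.
_LISTING_PATTERNS = (
    re.compile(r"<title>\s*index of\s*/", re.I),
    re.compile(r"<h1>\s*index of\s*/", re.I),
    re.compile(r"<title>[^<]+ - /[^<]*</title>", re.I),
)

# Entries a public listing should never show. ".txt" is included because the
# leaked file in the story was a plain-text export.
_SENSITIVE_SUFFIXES = (".txt", ".csv", ".sql", ".bak", ".old", ".log", ".zip", ".gz")
_SENSITIVE_NAMES = ("admin", "backup", "private", "export", "dump")


class _LinkCollector(HTMLParser):
    """Collect href targets of <a> tags in document order."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def is_directory_listing(html):
    """True if the body looks like a server-generated directory index."""
    return any(p.search(html) for p in _LISTING_PATTERNS)


def listing_entries(html):
    """Relative children of a listed directory, or [] if html is not a listing.
    Sort links (?C=N;O=D), the parent link and absolute/external URLs are dropped."""
    if not is_directory_listing(html):
        return []
    collector = _LinkCollector()
    collector.feed(html)
    return [h for h in collector.hrefs
            if not h.startswith(("?", "/", "../", "#", "http://", "https://"))]


def sensitive_entries(entries):
    """Filter listing entries down to those worth a second look."""
    flagged = []
    for entry in entries:
        name = entry.rstrip("/").lower()
        if name.endswith(_SENSITIVE_SUFFIXES) or name in _SENSITIVE_NAMES:
            flagged.append(entry)
    return flagged


def luhn_ok(digits):
    """Luhn mod-10 checksum, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# part of a longer digit run. Ten-digit phone numbers never reach the floor.
_CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_card_numbers(text):
    """Return Luhn-valid card-number candidates found in free text; digit runs
    of card length that fail the checksum (account or invoice numbers) are dropped."""
    found = []
    for m in _CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


# ---- constructed samples (not captured data) -------------------------------

# /ipass/ as the column describes it: three html files plus an admin/ subdirectory.
SAMPLE_SIGNUP_LISTING = """<html><head><title>Index of /ipass</title></head><body>
<h1>Index of /ipass</h1><pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<hr><a href="/">Parent Directory</a>
<a href="admin/">admin/</a>
<a href="error.htm">error.htm</a>
<a href="mydirectsignup2.htm">mydirectsignup2.htm</a>
<a href="response.htm">response.htm</a>
</pre></body></html>"""

# /ipass/admin/ with its single text file.
SAMPLE_ADMIN_LISTING = """<html><head><title>Index of /ipass/admin</title></head><body>
<h1>Index of /ipass/admin</h1><pre><a href="/ipass/">Parent Directory</a>
<a href="ipass.txt">ipass.txt</a>   04-Apr-2000 09:12   188K
</pre></body></html>"""

# An ordinary page must not be mistaken for a listing.
SAMPLE_SIGNUP_PAGE = "<html><head><title>Sign up</title></head><body><h1>Welcome</h1></body></html>"

# Records in the shape of the leaked file. The card numbers are the public
# Visa, MasterCard and Amex test numbers; the last record's number fails Luhn.
SAMPLE_EXPORT = """\
A. Subscriber,12 Main St Toronto ON,416-555-0101,4111111111111111
B. Subscriber,98 King St W Toronto ON,416-555-0102,5500-0000-0000-0004
C. Subscriber,7 Bay St Toronto ON,905-555-0103,3782 822463 10005
D. Subscriber,44 Yonge St Toronto ON,416-555-0104,4111111111111112
"""
```

Run against the constructed /ipass/ listing it returns the four entries and flags admin/; against the admin listing it flags ipass.txt; and against the four records it reports three Luhn-valid numbers and silently drops the fourth and every phone number. On Apache the listing itself is switched off with Options -Indexes for the directory (nginx's autoindex is off unless someone turns it on), but that only hides the file from browsers, not from anyone who guesses its name: the column's point stands that an export like this should never sit under the document root at all.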
E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Our e-mail address is: info@BennettGold.ca In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.