It's all over the news at the moment - political blogger Cameron Slater, aka Whaleoil, has got his hands on a whole raft of Labour files, as well as the personal details of their online donors. In terms of a breach of data security, this is pretty much the worst-case scenario.
In Cameron's latest blog post, he outlines exactly how he got the data:
Quick summary of the video: using the online tool My-IP-Neighbors, Cameron worked out the other sites running on the same IP address as the Labour website lets-not.co.nz. One of those sites was healthyhomeshealthykiwis.org.nz, and with no index file and directory browsing switched on, it gives any visitor a complete listing of every file and directory hosted on that site. It also contained a surprising number of files that really shouldn't be there - MySQL database dumps, personal and credit card details, plus other sensitive files. To add insult to injury, the site has also been indexed by Google, meaning all the information on that site is now part of the Google cache.
Malicious hacking? Hardly. Epic fail on the part of Labour's web team? You bet.
The "real life" analogy of this happening is not WhaleOil breaking into a Labour car, retrieving a briefcase of private documents and taking copies - it is more like Labour leaving the files spread out on the footpath, and then complaining when someone discovers and reads them.
I'm not condoning what WhaleOil does with the information; what I do want to point out is that how he obtained the data is not hacking, not by any stretch of the imagination. What has happened is that the staff in charge of their websites have failed at the most basic steps to secure them, and it is not a design fault. Hopefully this experience also teaches them not to store sensitive files online, especially not backups of their main website's MySQL database. I also question why credit card details are being stored online at all - the industry standard is to use a third-party credit card processor who stores (if required) the card details securely, removing that liability from your own website.
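The two failures described above - directories with no index file on a server that has directory browsing switched on, and database dumps and exports sitting inside the web root - are both things a site owner can check for themselves before anyone else does. The script below is an added example (my own, not anything from Labour's web team or from the blog post) that walks a web root and reports both; the file patterns, the index filenames and the sample directory tree it builds are all constructed for illustration.

```python
import os
import tempfile
from fnmatch import fnmatch

# Filename patterns that have no business being in a public web root
# (constructed list for this example; extend it for your own site).
SENSITIVE_PATTERNS = ("*.sql", "*.sql.gz", "*.bak", "*.csv", "*.zip", "*.tar.gz", ".env", "*.log")

# Index files a web server serves instead of a directory listing (assumed set).
INDEX_FILES = ("index.html", "index.htm", "index.php")


def audit_webroot(root):
    """Walk a web root and return two sorted lists:
    - directories (relative to root) with no index file, which a server with
      directory listing enabled will expose as a browsable file listing;
    - files (relative to root) whose names look like dumps, backups or exports."""
    listable = []
    sensitive = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        rel = "" if rel == "." else rel
        if not any(name in filenames for name in INDEX_FILES):
            listable.append(rel)
        for name in filenames:
            if any(fnmatch(name, pat) for pat in SENSITIVE_PATTERNS):
                sensitive.append(os.path.join(rel, name))
    return sorted(listable), sorted(sensitive)


def build_sample_webroot():
    """Build a constructed sample tree in a temp directory that mirrors the
    shape of the problem: a backups folder with a DB dump and a donor export,
    and a css folder with no index file. Returns the path to the tree."""
    root = tempfile.mkdtemp(prefix="webroot_")
    layout = {
        "index.html": "<html>ok</html>",
        "css/site.css": "body{}",
        "backups/site_db.sql": "-- constructed dump, no real data",
        "backups/donors.csv": "name,card_last4\n",
        "images/logo.png": "",
        "images/index.html": "",
    }
    for path, content in layout.items():
        full = os.path.join(root, path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    listable_dirs, sensitive_files = audit_webroot(sample)
    print("Directories that would be browsable if listing is on:", listable_dirs)
    print("Files that should not be in the web root:", sensitive_files)
```

On the sample tree this reports `backups` and `css` as browsable and flags the `.sql` and `.csv` files under `backups`. Finding a listable directory is a prompt to disable listing at the server (`Options -Indexes` in Apache, `autoindex off;` in nginx), but the more important finding is the second list: the real fix is to move backups and exports out of the web root entirely, since a directory listing only makes the files easier to find, not possible to fetch in the first place.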
I would be asking some serious questions of the Labour staff, and how such a slipup could occur.