Labour’s malicious breach? No, human failure.
It's all over the news at the moment: political blogger Cameron Slater, aka Whaleoil, has got his hands on a whole raft of Labour files, as well as the personal details of their online donors. As data breaches go, this is pretty much the worst-case scenario.
In Cameron's latest blog post, he outlines exactly how he got the data:
Quick summary of the video: using the online tool My-IP-Neighbors (a reverse IP lookup), Cameron worked out which other sites were hosted on the same IP address as the Labour website lets-not.co.nz. One of those sites was healthyhomeshealthykiwis.org.nz, and with no index file and directory browsing switched on, it gave any visitor a complete listing of every file and directory hosted on that site. It also contained a surprising number of files that really shouldn't have been there: MySQL database dumps, personal and credit card details, plus other sensitive files. To add insult to injury, the site had also been indexed by Google, meaning all the information on it is now part of the Google cache.
Malicious hacking? Hardly. Epic fail on the part of Labour's web team? You bet.
The "real life" analogy is not WhaleOil breaking into a Labour car, taking a briefcase of private documents and copying them; it is closer to Labour leaving the files spread out on the footpath and then complaining when someone finds and reads them.
I'm not condoning what WhaleOil does with the information; what I do want to point out is that how he obtained the data is not hacking, not by any stretch of the imagination. What has happened is that the staff in charge of their websites have failed at the most basic steps of securing them; this is an operational failure, not a design fault. Hopefully this experience also teaches them not to store sensitive files anywhere web-accessible, least of all backups of their main website's MySQL database. I also question why credit card details are being stored on the website at all: the industry standard is to hand card handling to a third-party payment processor, which stores card details securely (if they need to be stored at all) and removes that liability from your own website.
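A quick way to check your own hosts for the failure described above, as an added example that is not part of the original post and not code from any site it names: the script below takes a fetched page body, decides whether it is an auto-generated directory index, and lists any entries whose names suggest database dumps, backups or data exports. The sample HTML in it is constructed for the example, and the suffix and directory-name lists are assumptions about what a dump usually looks like. The real fix is on the server, not in a scanner: turn listings off (for Apache, `Options -Indexes` in the vhost or `.htaccess`) and keep dumps out of the web root entirely.

```python
"""
Audit a fetched page for an exposed directory listing and for files that
should never be web-reachable (database dumps, backups, data exports).

Added example to accompany the post; not code from the original post or from
any of the sites it names.  SAMPLE_LISTING and SAMPLE_NORMAL are constructed
HTML, not captures from a real server.
"""
from html.parser import HTMLParser
import urllib.request

# Assumed: file names that indicate a backup or data export under the web root.
SENSITIVE_SUFFIXES = (".sql", ".sql.gz", ".bak", ".old", ".zip", ".tar", ".tar.gz",
                      ".csv", ".xls", ".xlsx", ".env", ".log")
# Assumed: directory names that usually hold the same kind of material.
SENSITIVE_DIRS = ("backup", "backups", "db", "dump", "dumps", "sql")


class _ListingParser(HTMLParser):
    """Collect every href plus the text of <title> and <h1>."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.headings = []        # text inside <title> and <h1>
        self._capture = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)
        elif tag in ("title", "h1"):
            self._capture = True

    def handle_endtag(self, tag):
        if tag in ("title", "h1"):
            self._capture = False

    def handle_data(self, data):
        if self._capture:
            self.headings.append(data.strip())


def _parse(body):
    parser = _ListingParser()
    parser.feed(body)
    return parser


def is_directory_listing(body):
    """True if the page is an auto-generated index: Apache/nginx "Index of /",
    Python http.server "Directory listing for /", IIS "Directory Listing"."""
    markers = ("index of", "directory listing")
    return any(h.lower().startswith(markers) for h in _parse(body).headings)


def sensitive_entries(body):
    """Return the hrefs from a listing whose names suggest dumps or backups."""
    hits = []
    for href in _parse(body).hrefs:
        is_dir = href.endswith("/")
        name = href.rstrip("/").rsplit("/", 1)[-1].lower()
        if (is_dir and name in SENSITIVE_DIRS) or (not is_dir and name.endswith(SENSITIVE_SUFFIXES)):
            hits.append(href)
    return hits


def audit_body(body):
    """Combine both checks into one verdict for a single response body."""
    return {"listing": is_directory_listing(body), "sensitive": sensitive_entries(body)}


def audit_url(url, timeout=10):
    """Fetch a URL and audit it; only used when run directly (needs network)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return audit_body(resp.read().decode("utf-8", "replace"))


# Constructed sample of what a visitor sees when the directory has no index
# file and listings are on.  File names are invented for the example.
SAMPLE_LISTING = """<html><head><title>Index of /</title></head>
<body><h1>Index of /</h1><pre>
<a href="../">Parent Directory</a>
<a href="images/">images/</a>
<a href="index.php.bak">index.php.bak</a>
<a href="backup/">backup/</a>
<a href="site_db_2011-06-10.sql">site_db_2011-06-10.sql</a>
<a href="donors.csv">donors.csv</a>
<a href="style.css">style.css</a>
</pre></body></html>"""

# Constructed ordinary page: has an index file, links only to content.
SAMPLE_NORMAL = """<html><head><title>Healthy Homes</title></head>
<body><h1>Welcome</h1><a href="about.html">About</a></body></html>"""

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(audit_url(target) if target else audit_body(SAMPLE_LISTING))
```

Run it with no arguments to see the verdict on the constructed listing, or pass a URL such as `https://example.org/backup/` to audit a live directory. Because an outsider finds the neighbours with a reverse IP lookup, as in the video, audit every site on a shared host and not just the one you care about; a listing with no flagged files is still a listing and should be switched off.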
I would be asking some serious questions of the Labour staff about how such a slip-up could occur.
Comment by Matt, on 13-Jun-2011 21:12
Storing credit card details online? That's not PCI DSS compliant. I'd like to see them get the standard $500k per incident fine... but what's the bet that there's a loophole in there for just this scenario...
Comment by juha, on 14-Jun-2011 10:21
Slater wasn't authorised to access that data, however, a simple fact that could land him in hot water. The video shows that the data access was no accident either.
Comment by eXDee, on 14-Jun-2011 18:09
I believe the site was designed by Boost New Media
See this blog post:
http://markhansen.co.nz/labour-party-leaks/
Comment by Ragnor, on 14-Jun-2011 21:06
Directory browsing turned on and backing up SQL to a folder in the web root is so epic fail.
Comment by Dermott Banana, on 13-Jun-2011 18:57
In 1998, in the first week of the Federal election campaign, something similar happened here in Australia.
A Labor staffer emailed his friends giving the URL for a Liberal Party website. The URL ended in "secret.html", and that was the full extent of their security.
The site had a web form, allowing candidates (or their staff) to update their profiles on the Liberal Party's election website.
The email sent by the Labor staffer (who worked in the office of then Opposition Leader Kim Beazley) became a chain-email (as these things do) and a few generations down the line was received by some university students who used the URL to amend the details of PM John Howard, and many of his high-profile ministers.
Several generations further down the email chain, the email was received by the media, who identified the source as a junior staff member in Beazley's office, who was immediately sacked.
As happened a lot back then, and still does, the media labelled the whole incident as 'hacking' when it was nothing of the sort.