SEATTLE - Internet Firm Exposes Clients' Private Data

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

[Fair use for education and research purposes only]

Title: Seattle Internet firm exposes clients' private data

EverGo Web site made vulnerable; sloppiness is blamed

Thursday, March 30, 2000 By DAN RICHMAN

SEATTLE POST-INTELLIGENCER REPORTER

For the past two months, a Seattle Internet service provider exposed some customers' private information -- including credit card numbers -- on its Web site.

At least 24 customers' personal information was exposed in a file that could be accessed from its Web site by anyone skilled in use of the most popular Web-authoring tool on the market.

The data remained accessible until a Seattle Post-Intelligencer reporter called the company this week. Yesterday, the company would not answer questions, so it is uncertain whether more of its 7,200 customers' data was exposed.

EverGo Internet, which offers Internet connections in 24 states and the District of Columbia, said yesterday the security hole in its Web site had been fixed.

The security breach, which experts told the P-I was caused by the company's careless programming, is the latest example of privacy compromises by Internet companies that have caused consumers to be wary of e-commerce.

EverGo's Web site allowed any user of the Netscape Navigator browser to type the name of a certain file after EverGo's Internet address and then read the contents of that file. The file contained the names, addresses, phone numbers, account passwords, and -- in some cases -- credit card numbers of 23 Seattle-area residents, and one New York resident who had signed up for service with EverGo between Feb. 2 and March 25.

EverGo called some, but not all, of those 24 customers Tuesday night and yesterday morning, telling them to change their passwords and cancel their credit cards. It said the security breach was the work of hackers, the customers told the P-I.

But a security expert said the problem had nothing to do with hackers and wasn't caused by any flaw in Microsoft FrontPage, which was used to create the site. Rather, it likely resulted from EverGo's use of default file names and locations in FrontPage to create its online registration form, said Elias Levy, chief technology officer of Internet computer security site SecurityFocus.com.

That procedure probably allowed visitors to the site to get personal information about every person who registered online for service with EverGo since it created the online registration form that allowed the breach, he said.

"Being hacked is how they see it, but it was their error, not someone else's," Levy said. "This used to be one of the easiest ways to get into sites" until most merchants started using the software more intelligently, he said.

"The person who created this problem probably didn't even know he was creating a problem," said a source with knowledge of e-commerce security who asked not to be named. Anyone with a solid knowledge of FrontPage would have been able to exploit the breach, the source said.

FrontPage itself isn't to blame, because it was simply used naively, he said.

EverGo didn't respond to repeated requests for comments and information. In an e-mail signed by Vice President Patrick Apodaca, the company said it had removed the online sign-up form and the file from its site.

"Our investigation into this situation is continuing," Apodaca's e-mail said. He said the company would have no further comment out of respect for customers' privacy.

Customers contacted by the P-I said they had not seen any unusual charges on their credit cards. And most weren't particularly upset.

"That's rather bad, really," said Simon Winder. "I normally never use a credit card online unless there's Secure Sockets Layer," a technology that encrypts data sent over the Net. "This time I went ahead. Still, one expects more from an ISP."

Rich Falconburg, another Seattle EverGo customer, said, "There's a lot of security holes in e-commerce. You've got to expect that."

Jason Sharkey, though, said the more he thought about the situation, the angrier he got.

"You know that to a certain degree you're not safe once you start entering keystrokes, but the fact that the information was that easy to get into is disconcerting," he said.

Preventing the loss of personal data can never be entrusted to merchants, said security expert Levy.

"This is probably not something that's going to go away soon, as there are always new merchants putting up Web sites and making these errors. So it's up to consumers to protect themselves."

http://www.seattle-pi.com/business/isp30.shtml

===========================================



-- (Dee360Degree@aol.com), March 30, 2000
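The failure Levy describes is a form-results file left at a default location inside the served web space. An added example, not from the article or from EverGo, of the audit a site operator could run against a document root to catch such a file before a reporter does: it walks every file the web server would serve and flags those holding secret-looking field names or Luhn-valid card numbers. The sample results file, its field layout and the "forms/submissions.txt" path are constructed for the demo.

```python
import os, re, tempfile

# Constructed sample of a stored form-results file of the kind the article
# describes; the field layout and values are assumed, not EverGo's.
SAMPLE = "name: Example Customer\npassword: hunter2\ncard: 4111 1111 1111 1111\n"
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SECRET_RE = re.compile(r"^\s*(password|passwd|card|ccnum|credit)\b", re.I | re.M)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives from phone numbers and random digit runs."""
    total, double = 0, False
    for d in reversed(digits):
        n = int(d) * 2 if double else int(d)
        total += n - 9 if n > 9 else n
        double = not double
    return total % 10 == 0

def file_findings(path: str) -> list:
    """Reasons a file looks like stored form data (empty list if it looks clean)."""
    try:
        with open(path, errors="ignore") as fh:
            text = fh.read(1 << 20)  # cap the read; huge files are not form logs
    except OSError:
        return []
    reasons = []
    if SECRET_RE.search(text):
        reasons.append("secret-looking field name")
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text)):
        reasons.append("Luhn-valid card number")
    return reasons

def find_exposed_form_data(docroot: str) -> dict:
    """Walk everything the web server would serve; map suspicious files to reasons."""
    hits = {}
    for dirpath, _, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            if reasons := file_findings(full):
                hits[os.path.relpath(full, docroot)] = reasons
    return hits

def demo() -> dict:
    """Build a constructed docroot with one page and one results file, then scan it."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "forms"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>Sign up here</body></html>")
    with open(os.path.join(root, "forms", "submissions.txt"), "w") as fh:
        fh.write(SAMPLE)
    return find_exposed_form_data(root)
```

Any hit is a file that should live outside the document root or behind access control, not merely be renamed.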