Misconfiguration

Norm Coleman, a former senator from Minnesota, is going through a legal battle to try to win back his seat in the Senate. If the way he manages his web site security and the crises it created are an indicator, I am not sure that he has a place there.

The Register reports that the online shop of Psystar, a maker of Mac-compatible equipment, is heavily leaking technical information that can be exploited to hack the site.

Updated (Feb 22nd 2009): the Washington Post reports that the hack exploited a problem with the default configuration of the authentication module used for authenticating remote administrators. As a result, we categorized this incident under "insufficient authentication" and "misconfiguration".

While moving to a new hosting provider, a system by Princeton Review used by students to prepare for a state assessment program exposed, due to misconfiguration, information on approximately 34,000 students from 2nd to 10th grade. The information included names, Florida ID (which is nearly identical to the US social security number) and the students' exam reports.

The information was available online from late June to early August.

Misconfiguration of a webmail system at a British hosting provider led to leakage of the entire user database, including all e-mails. The e-mail addresses were actively used for sending spam. Additionally, the exploit was used to plant malware on some of the customers' web sites.

This incident is unique since PlusNet has published a very interesting and revealing report about the incident that sheds a lot of light on the real-world state of application security. A must read.

An open source developer virtually defaced John McCain's MySpace page. He did not have to commit any crime, because the page pulled an image directly from the open source developer's site.
