Code goof mars FedWeb '97 site
- By Steve Graves
- Nov 10, 1997
Federal Web Consortium program manager Valerie Gregg, a National Science Foundation
employee, told the workshop attendees that a GCN reporter had notified FedWeb '97
organizers late last month that he had seen credit card numbers on the registration site.
Gregg said the organizers then investigated and found that sensitive information had
been posted on the site for about four hours.
"We do not know who, other than the GCN reporter, might have gained access to the
information," she said. "We do know that those
affected paid their registration fees between Aug. 7 and Sept. 4." No financial
loss has so far been attributed to the security lapse.
Most of the registrants paid with government IMPAC credit cards, but as many as 20 paid
with their personal cards. The consortium promised to notify the affected people by
An American Express Co. representative said the cardholders could cancel their cards,
place a hold on mail and phone orders, or simply watch for unauthorized charges. American
Express investigates such charges and does not make cardholders liable for fraudulent use.
The IMPAC card issuer, U.S. Bancorp of Minneapolis, can hold a cardholder liable for up
to $50, but even that likely would be waived in this case, a spokeswoman said.
Carlynn Thompson, chairwoman of the Federal World Wide Web Consortium, advised the
affected cardholders to contact their issuing banks for guidance even though exposure
apparently was limited.
The security breach came to light when a reporter, while browsing the FedWeb '97 site,
noticed some pages that appeared to be part of an intranet for registering and tracking
Several menu views let Web visitors look up registrant information organized by
categories such as confirmed attendance, speakers and payment actions.
Certain information seemed confidential, such as telephone numbers, addresses and
One menu view presented a list of registrant names, some of which were tagged with an
icon. Clicking on these tagged names revealed the payment and credit card records.
The GCN reporter immediately alerted the Council for Excellence in Government, the
organization that developed and hosted the Web site for the Federal Web Consortium.
A council staff member called GCN shortly afterward and said corrective measures had
been taken. The next morning, the private information was password-protected.
The council, which carried out the registration and fee collection, did not accept any
payments over the Internet. Instead, registrants faxed their credit card information.
Consortium managers speculated that the security breach began when a council staff
member modified a copy of a Lotus Notes database, designed to track registration activity,
to accept credit card numbers. The original database was for open Web publication.
The staff member said he considered it safe to enter the credit card information on his
system, which was not connected to the Internet. But he did not establish security
settings to protect the credit card database.
When he replicated or updated the database on the Web site, he copied the credit card
data along with the public information.
The Notes application was the work of a company called Cimtek, recently acquired by
Synetics Inc. of Wakefield, Mass. Stewart Larson, director of Synetics' Washington office,
said Lotus Notes has many layers of security.
"Databases can be password-protected down to field level," Larson said.
He said Lotus applications default to the most restrictive level, and the designer or
administrator must set permissions before data can be accessed. If new documents are added
to an application with open security, however, the new documents will be publicly
accessible unless the administrator sets more restrictive permissions, Larson said.
FedWeb '97 attendees were mainly government employees responsible for managing and
directing agency Web efforts. Several workshop sessions focused on security products and
break-in detection. The workshop was held at the National Institutes of Health.
Gregg received applause when she said, "We have learned firsthand how easy it is
to inadvertently compromise information security."
Audience reaction to her announcement was supportive. "There are two kinds of
systems administrators," one person said, "those who have failed to secure
sensitive information and those who will."