Security bungle exposes 450 NZ Labor supporters

By Darren Pauli on Jun 15, 2011 3:08 PM
Filed under Security

Backups, passwords exposed on public servers.

A furore has erupted across the Tasman after a right-wing blogger promised to release 452 names and 18,000 email addresses of New Zealand Labor Party supporters obtained through basic security failures in the party’s website donation portal.

Blogger Cameron Slater said he would release the names, addresses and donation information of the party supporters obtained through the holes “over the coming months” and said he is confident he had the legal authority to do so.

Slater discovered the Labor Party’s Civi Customer Relationship Management database, which operates on the open source Droopal platform, cached by Google search. With it he found unencrypted administrative passwords and backups located on public facing servers.

Worse, he said the administration passwords he obtained for the Labor Party website were also used to access the Party’s payment transaction facility, flo2cash.

Slater, a former change management head of a major bank, advised the Labor Party of the password bungle yesterday after it moved to reassure members that their financial details were safe and said it had changed the access credentials.

Labor Party President Moria Coatsworth was unavailable for comment today, but the party said the security flaws had been fixed and it had investigated the incident.

However Slater stressed that the incident revealed incompetence on a grand scae.

“They have left their data to be cached by Google. It doesn’t take Chinese hackers to obtain it,” 

“It was complete ineptitude. They had created backups in public directories.

“That is like putting your TV and video player out on the front lawn and wondering why it was stolen.”

Slater said despite his right wing stance, his efforts were not politically motivated because he “would do the same if it were the National Party”.

“It’s about bad security.”

The 452 names were collated through donations over a four-month period, and email addresses were harvested during social media campaigns used to subscribe members.

A staffer in the rival National Party had also obtained the names and email addresses but denied allegations by Coatsworth that it supplied the information to Slater.

“This is a politically motivated attack. The National Party had a choice to alert us to this vulnerability in our system. Instead they chose to exploit it and to download the material and pass the gap onto the blogger who they knew would reveal private information,” Coatsworth said in a statement.

Chris Gatford, director of penetration testing firm HackLabs said “default passwords and poor configurations and failure to patch” are key elements used to compromise web sites.

 
Follow us on Facebook and Twitter
 

Copyright © SC Magazine, Australia

Security bungle exposes 450 NZ Labor supporters Anna Cervova, public domain
 
 
 
 
 
Top Stories
Planet Tel buys Via IP in Aussie integration push
Telco provider talks up integration credentials.
 
Microsoft rides slight PC recovery
Uptick in PC sales after two years of decline.
 
NEC Australia to sell HQ, hints at possible job cuts
Another multimillion-dollar loss for local arm of Japanese giant.
 
Sign up to receive CRN email bulletins
   FOLLOW US...
Polls
Which mobile device couldn't you live without?


Latest Comments
CRN Magazine

Issue: 328 | June 2014

CRN Magazine looks in-depth at the emerging issues and developments for the channel, and provides insight, analysis and strategic information to help resellers better run their businesses.