The Norm Coleman Web crash and full disclosure

Part 1: The Facts
Security Strategies Alert By M. E. Kabay, Network World
October 05, 2009 12:08 AM ET

Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.


How do we make ethical decisions? It is surely not by announcing preferences as if we were choosing a flavor of ice cream. There are guidelines we can follow in making ethical decisions, as Professor John Orlando, PhD described in an earlier series in this column in 2007 on social engineering in penetration testing.

This column is the first of two articles written in close collaboration with MSIA student Becki True, CISSP examining the ethical questions raised by the actions taken by people who discovered a vulnerability on the Norm Coleman for Senate Web site and made it public. True began with her initial essay and we worked together in adapting and extending it for this series.

Before we go any further, we want to make it clear that although we identify a specific blogger in these essays, our interest is not in character assassination; we are interested in using the incident as an opportunity for teaching.

* * *

In January 2009, there was a problem with the colemanforsenate.com Web site. The site was unavailable, and the Coleman campaign made a statement to the press saying that the site had crashed due to "a flood of info-seeking disenfranchised voters." That statement led people to investigate, and they found the site in a vulnerable state. Those who found the vulnerability publicized it on the Web using blogs, sent out messages via Twitter, and posted screenshots to Flickr. Ultimately, a donor database containing personally identifiable information (PII) such as names and associated credit-card numbers was downloaded, and excerpts were posted on a Web site.


This story is particularly interesting given the back-story. In the 2008 general election, Norm Coleman, a Republican, was the incumbent U.S. senator from Minnesota. The November 2008 election between him and his rival, Al Franken, the Democratic contender, was so close that it required a mandatory recount, which ultimately favored Franken. Coleman disputed the election and took the fight to the courts but ultimately lost his appeal in the Minnesota Supreme Court.

Here is a timeline of events relating to the breach of the colemanforsenate.com Web site:

2009-1-28: 2:18 p.m.: Minnesota Independent posts an article titled "Did Coleman campaign fake Website crash?"

2009-1-28: 4:55 p.m.: Twitter user @chuckmentary posts a Tweet commenting on the Coleman article and includes a link to the news story. Information technology consultant Adria Richards, MCSA, MCDST, A+ reads the Tweet and the article and decides to investigate.

2009-1-28: Sometime after 5 p.m.: Richards uses OpenDNS.com to find the IP address of the colemanforsenate.com Web site. OpenDNS returns 208.42.168.251. Richards enters the IP address in her browser and begins her investigation. Instead of the expected content, Richards sees a directory listing of the file system. Richards knows something is wrong with the site.

At this point Richards had several choices. She could have:
• Attempted to find the site administrator using the DNS registrars and tried to contact the administrators.
• Attempted to contact the Coleman office to notify them of the problem.
• Attempted to contact the hosting company to have them take action.
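The symptom in the timeline (a request by raw IP answered with a directory listing rather than a site page) usually comes from two independent server mistakes: automatic directory indexes enabled on the document root, and no dedicated default virtual host, so a request that carries no matching Host header falls through to the first configured site. The configuration below is an added example illustrating the weak setting beside the corrected one; it is not from the column, and the page does not say what software colemanforsenate.com ran, so the Apache 2.4 syntax, hostnames and paths are all assumptions.

```apache
# Added example (assumes Apache 2.4; names and paths are placeholders).

# 1. Default virtual host. Apache routes any request whose Host header
#    matches no ServerName/ServerAlias (including requests made by raw
#    IP address) to the FIRST VirtualHost defined for that address:port.
#    Defining an empty, deny-all site first means such requests get a
#    403 instead of whatever site happens to be listed first.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/empty
    <Directory /var/www/empty>
        Require all denied
    </Directory>
</VirtualHost>

# 2. The real site, reachable only under its own hostname.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /var/www/site

    <Directory /var/www/site>
        # Weak setting: with Indexes on and no index.html in a folder,
        # mod_autoindex answers with a listing of every file in it.
        # Options +Indexes

        # Corrected setting: a folder without an index file returns 403
        # instead of a listing.
        Options -Indexes
        Require all granted
    </Directory>

    # Data exports and backups never belong under DocumentRoot at all,
    # but denying the pattern is a cheap second line of defence.
    <FilesMatch "\.(csv|sql|bak|zip)$">
        Require all denied
    </FilesMatch>
</VirtualHost>
```

After reloading, `apachectl configtest` should report no errors, `curl -sI http://<server IP>/` should return `403 Forbidden`, and `curl -sI -H 'Host: www.example.com' http://<server IP>/` should return the site's normal response. The same two checks, made from outside the hosting network against a public address, are a quick way for an operator to confirm that neither failure mode is present.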

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.


Comments (2)

The failure here is one of judgement
By southcoast on October 6, 2009, 12:10 pm
The article states Richards had several choices. None of these choices was the ARIN or comparable Internet authority or law enforcement. If Richards is aware...


She showed very poor judgement
By MCSE on October 7, 2009, 10:51 am
I wouldn't hire her as my consultant at this time. And I wouldn't recommend her to my contacts in the field. She showed very poor judgment. Specifically your point....
