Congressional Committee Web Site Exposed Internal Database

Newsbytes News Network
March 6, 2002
By Brian McWilliams
Link (active as of 10/27/06):

The U.S. House of Representatives committee leading the investigation into Enron's collapse temporarily will take its Web site offline this evening to perform a security audit, a spokesman said.

The review follows the discovery today that an internal database owned by the House Energy and Commerce Committee was left exposed to anyone with a Web browser.

Prior to being locked down this afternoon by administrators, the improperly secured IBM Lotus Domino database contained documents such as correspondence, transcripts and staff directories dating back to 1998.

According to committee spokesman Ken Johnson, the exposed database did not contain any sensitive documents, such as those related to the Enron inquiry or to the committee's investigation of drug maker ImClone Systems, or to legislative matters such as the recent bioterrorism bill authored by committee Chairman W.J. "Billy" Tauzin, R-La., and Ranking Democrat John Dingell, D-Mich.

"Admittedly, we did have a glitch in the system, but to the best of our knowledge there were no serious privacy breaches," said Johnson.

The exposed database was discovered by Kitetoa, a group of French computer security enthusiasts that has also identified glitches at Web sites operated by several high-profile companies including DoubleClick, Veridian, ChoicePoint and Groupe Bull.

Database vulnerabilities of the sort affecting the House committee site have been familiar to computer security experts for several years. In October 1998, a group of hackers known as the L0pht published an advisory describing how Web users can retrieve sensitive data in many Domino-based Internet applications.

Last month, a French court fined Kitetoa's leader, Antoine Champagne, 1,000 euros (US$865) for probing and publicizing security holes he found at, the homepage of a Paris-based clothing retailer. The court suspended the fine on the condition that Champagne avoid any other convictions for the next five years.

Johnson said the committee "appreciated" Kitetoa's work in identifying the vulnerability at its site.

"This has been a learning process for us and we are going to tighten some of our security procedures. Fortunately it appears it was discovered by someone whose intent was to help us and not hurt us," Johnson said.

The committee's site recently received a Golden Mouse Award from Congress Online, a non-profit organization promoting Internet communication between members of Congress and the public.
