Congressional Committee Web Site Exposed Internal Database

Newsbytes News Network
March 6, 2002  
By Brian McWilliams


Link(active as of 10/27/06):http://www.findarticles.com/p/articles/mi_m0NEW/is_2002_March_6/ai_83556905




The U.S. House of Representatives committee leading the investigation into 
Enron's collapse temporarily will take its Web site offline this evening to 
perform a security audit, a spokesman said.

The review follows the discovery today that an internal database owned by 
the House Energy and Commerce Committee was left exposed to anyone with a 
Web browser.

Prior to being locked down this afternoon by administrators, the improperly 
secured IBM Lotus Domino database contained documents such as correspondence, 
transcripts and staff directories dating back to 1998.

According to committee spokesman Ken Johnson, the exposed database did not 
contain any sensitive documents, such as those related to the Enron inquiry 
or to the committee's investigation of drug maker ImClone Systems, or to 
legislative matters such as the recent bioterrorism bill authored by 
committee Chairman W.J. "Billy" Tauzin, R-La., and Ranking Democrat John 
Dingell, D-Mich.

"Admittedly, we did have a glitch in the system, but to the best of our 
knowledge there were no serious privacy breaches," said Johnson. The exposed 
database was discovered by Kitetoa, a group of French computer security 
enthusiasts that has also identified glitches at Web sites operated by several 
high-profile companies including DoubleClick, Veridian, ChoicePoint and Groupe 
Bull.

Database vulnerabilities of the sort affecting the House committee site have 
been familiar to computer security experts for several years. In October 1998, 
a group of hackers known as the L0pht published an advisory describing how Web 
users can retrieve sensitive data in many Domino-based Internet applications.

Last month, a French court fined Kitetoa's leader, Antoine Champagne, 1,000 
euros (US$865) for probing and publicizing security holes he found at Tati.fr, 
the homepage of a Paris-based clothing retailer. The court suspended the fine 
on the condition that Champagne avoid any other convictions for the next five 
years.

Johnson said the committee "appreciated" Kitetoa's work in identifying the 
vulnerability at its site.

"This has been a learning process for us and we are going to tighten some of our 
security procedures. Fortunately it appears it was discovered by someone whose 
intent was to help us and not hurt us," Johnson said.

The committee's site recently received a Golden Mouse Award from Congress Online, 
a non-profit organization promoting Internet communication between for being 
members of Congress and the public.
main page ATTRITION feedback