Comment On Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

One of the cardinal rules of computer programming is to never trust your input. This holds especially true when your input comes from users, and even more so when it comes from the anonymous, general public. Apparently, the developers at Oklahoma’s Department of Corrections slept through that day in computer science class, and even managed to skip all of Common Sense 101. You see, not only did they trust anonymous user input on their public-facing website, but they blindly executed it and displayed whatever came back.
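The pattern the article describes, shown side by side with the fix, as an added example that is not part of the original article or of the Oklahoma DOC's code. The table names, rows and the `vulnerable_search`/`hardened_search` functions are constructed for illustration; the in-memory SQLite database stands in for the real registry. The vulnerable form runs whatever SQL arrives in the request, so it can reach every table in the database; the hardened form keeps the SQL constant, binds the user value as a parameter, and returns only the columns the page needs, so an apostrophe or an `OR 1=1` in the input is just a county name that matches nothing.

```python
import sqlite3


def build_db():
    """Constructed sample data standing in for the registry; no real records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE offenders (name TEXT, county TEXT, ssn TEXT)")
    conn.execute("CREATE TABLE employees (login TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO offenders VALUES (?, ?, ?)",
        [("A. Example", "Canadian", "000-00-0001"),
         ("B. O'Neil", "Tulsa", "000-00-0002")],
    )
    conn.execute("INSERT INTO employees VALUES (?, ?)", ("tad", "tad@example.invalid"))
    conn.commit()
    return conn


def vulnerable_search(conn, sql_from_url):
    """The anti-pattern: the request parameter *is* the SQL statement.
    Nothing stops the caller from selecting from any table in the database."""
    return conn.execute(sql_from_url).fetchall()


def hardened_search(conn, county):
    """The fix: a fixed statement, the user value bound as a parameter,
    and only the columns the public page is supposed to show."""
    if not isinstance(county, str) or len(county) > 64:
        raise ValueError("county must be a short string")
    return conn.execute(
        "SELECT name, county FROM offenders WHERE county = ?", (county,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    # With the vulnerable form, a query for a different table simply works.
    print(vulnerable_search(db, "SELECT login, email FROM employees"))
    # With the hardened form, injection attempts are just unmatched county names.
    print(hardened_search(db, "Tulsa"))
    print(hardened_search(db, "' OR 1=1 --"))
```

The hardened function deliberately never selects the `ssn` column: parameter binding stops injection, but deciding which columns a public page may return at all is a separate control and is the one that would have kept SSNs off the wire even if a query had gone wrong.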

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 10:52 • by Jordan (unregistered)
Guys, guys, you're all missing the point! These are evil *SEX OFFENDERS*! They commit crimes ranging from rape to the equally heinous crimes of being a 17 year old getting a hummer from their 16 year old girlfriend, to public urination!

They all DESERVE to have their identities stolen. PUBLIC URINATORS NEED TO BE PUNISHED, FOREVER!!!!

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 10:56 • by vt_mruhlin
189799 in reply to 189741
KNY:
I just want to congratulate everyone involved with this story on bringing about a fix for the problem. If only there were more well-behaved developers pointing out (rather than exploiting) security holes, and companies being receptive to said notifications (instead of being defensive and accusatory).

Again, well done.


Yes, it's definitely a good thing in this case. Even if there were further failures to fix the site, I would have advocated a vigilante removal of all social security numbers from the database, though that would most certainly land you in jail.

Really, there need to be criminal negligence laws established for foolish programmers like this. If you hire an engineer who doesn't know what he's doing and the bridge collapses, you're in a world of hurt. Insecure applications should work the same way.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 10:59 • by DeLos
189800 in reply to 189748
MadJo@Work:
Euhm, Alex, the blurring of the email addresses in that last picture doesn't really work, I can figure almost all of them out. Might want to use a black pen next time instead of blurring. The Social Security numbers are blurred a bit better, but still it would be better still to use a black pen in whatever photo editing program you are using,


This is definitely subpar blurring. Even without trying I can see that yahoo.com address. Didn't we already cover the anonymising issue? You are punishing other people for a software guy's mistake. Not real fair.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 11:01 • by knarf (unregistered)
The real WTF is that they have a column called "Race".

Images not blurred enough

2008-04-15 11:04 • by Todd (unregistered)
Some of those images, especially the last one, aren't blurred enough. I can clearly read many of those email addresses.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 11:06 • by micksam7 (unregistered)
The Daily WTF about to get slashdotted.

Article was put up on slashdot, brace for impact. :p

Wow at this. And dude, you need to BLACK OUT the ssns on the images. Really.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 11:08 • by webrunner
So normally, when we could actually use the name of the company and stuff in order to avoid them for our own safety, they're anonymized to the point of the story itself suffering.

But here, you're willing to give random people's full names and barely-blurred email addresses.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 11:11 • by luke (unregistered)
189810 in reply to 189785
maniek:
http://www.google.pl/search?q=allinurl:+select+from+and
There are some interesting hits (especially a few pages further into the search results)


Perhaps even more interesting:
http://www.google.com/search?hl=en&q=allinurl%3AsqlString+select

And those are just the geniuses that named the variable sqlString...

I believe we're observing a paradigm shift from "Haha, WTF" to "WTF!!!"

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 11:11 • by moola (unregistered)
189811 in reply to 189785

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 11:16 • by maniek (unregistered)
189813 in reply to 189811

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 11:18 • by Herr Killjoy (unregistered)
TRWTF is how you anonymized some of the email addresses.

I wonder who "jaa262@ya#######" could be. Or "rfm0527@ya#######"

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 11:20 • by Alan (unregistered)
189815 in reply to 189789
ThePants999:
Martin Dreier:
ptomblin:
They better hope that Little Bobby Tables never commits a crime.


Sorry, but you forgot the obligatory XKCD reference ;).

...because we all knew where it came from anyway!

I have that one on the wall next to me.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 11:21 • by DeLos
slashdot is going to ruin these comments ...

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 11:31 • by J (unregistered)
And you should know better not to blur sensitive data but cut out...

Re: Please!!!

2008-04-15 11:42 • by elias
189822 in reply to 189764
EPE:
Please, do not go to "Advanced Search" at Google, and do not look for pages containing SELECT FROM WHERE in the URL... Please, do not do it, oh please!

Thanks. I pressed your "Do Not Press" button, and now my faith in humanity is at an all-time low.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 11:44 • by Eam (unregistered)
I guess someone skipped Common Sense 102?

Don't blur text you want to anonymize. Period.

There's no "subpar" blurring going on here as other posters have suggested. There are only two types of blurred text: one where the original text is completely and accurately recoverable, and one where it's not. All we have here is the former.

One needs to keep in mind that obscuring text is not the same as obscuring facial details. Assuming all numbers and letters are used in a string, there are only 36 different characters, each with its own distinct blur pattern. All one needs to do is approximate the original font and the blur settings Alex used and do some trivial matching.

Come on, this should be obvious.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 11:51 • by You (unregistered)
This one looks nice too...

Alcoholic Beverage Regulation Administration, Suspended and Revoked Licenses

http://app.abra.dc.gov/services/suspended_licenses.asp?p=3&ps=&q=SELECT+S.business_id+AS+id%2C+S.id+AS+sus_id%2C+S.comment+AS+comment%2C+B.applicant_name%2C+B.trade_name%2C+B.bus_address_f_no%2C+B.bus_street%2C+B.bus_quad%2C+S.effective_date%2C+S.effective_end_date+FROM+abra_rw.tblLicense_hold+AS+B%2C+abra_rw.suspended_licenses+AS+S+WHERE+B.id+%3D+S.business_id+AND+applicant_name+LIKE+%27%25%25%27+ORDER+by+B.applicant_name%3B

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 12:16 • by tezoatlipoca (unregistered)
oh no! The Daily WTF front page on Slashdot and no BustedTees ad? How are we going to generate enough click-throughs to get Irish Girl back?
oh the humanity!

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 12:16 • by Tyler (unregistered)
The real WTF is when you get v& over this

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 12:22 • by DAMN (unregistered)
Real WTF:
http://dheera.net/projects/blur.php

*facepalm*

2008-04-15 12:23 • by Rob Speed (unregistered)
189830 in reply to 189722
Sean Ellis:
The real WTF is you publishing a screenshot without anonymizing their names and addresses...

I imagine the residents of Merland Drive, Cindy Road, Lee Avenue, and so on are gathering up their torches and pitchforks as we speak.


You're the real WTF.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 12:29 • by Ben (unregistered)
189832 in reply to 189789
I didn't.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 12:30 • by Huh (unregistered)
I wonder if the programmer has been terminated given the lack of technological knowledge in upper divisionary levels of government (and elsewhere). Seems "George" didn't really think too much of it - more of a, "Hey there Tad, got some email you might wanna look at." According to the first fix this is exactly what happened. This story going to go to major media outlets?

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 12:37 • by Former Jr. Programmer (unregistered)
Wow.

WOW.

That's not even SQL Injection. That's just piss-poor programming.

BTW, /. picked it up! Now for the AP.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 12:38 • by Craig (unregistered)
I am simply stunned ..stunned that Oklahoma has the audacity to have a county called 'Canadian'. I think this is all an attempt to make Canadians look like a country full of sexual offenders ;)

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 12:40 • by Anon Sam (unregistered)
189836 in reply to 189824

http://app.abra.dc.gov/services/suspended_licenses.asp?p=1&ps=&q=SELECT S.business_id AS id, S.id AS sus_id, S.comment AS comment, B.applicant_name, B.trade_name, B.bus_address_f_no, B.bus_street, B.bus_quad, S.effective_date, S.effective_end_date FROM abra_rw.tblLicense_hold AS B, abra_rw.suspended_licenses AS S WHERE B.id = S.business_id AND applicant_name LIKE '%%' ORDER by B.applicant_name;


There, that's a lot easier to edit.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 12:41 • by Brock (unregistered)
189837 in reply to 189811
I can't believe how many wide-open phpMyAdmin installs there are!

Oh wait, maybe I can.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 12:42 • by KG (unregistered)
189838 in reply to 189810
luke:
maniek:
http://www.google.pl/search?q=allinurl:+select+from+and
There are some interesting hits (especially a few pages further into the search results)


Perhaps even more interesting:
http://www.google.com/search?hl=en&q=allinurl%3AsqlString+select

And those are just the geniuses that named the variable sqlString...

I believe we're observing a paradigm shift from "Haha, WTF" to "WTF!!!"



OMG!!!!!
I would never have thought of that. I would never have assumed people could be so stupid! I've been a frequent visitor of this site for months now (discovered it when it was named "worse than failure" - stupid name to be sure), but this... this is a new low.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 12:45 • by Former Jr. Programmer (unregistered)
OK.

Called the Oklahoma AP wire and they were VERY interested. :)

You better get your server ready for some hits.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 12:48 • by Bob N Freely (unregistered)
189840 in reply to 189797
Jordan:
Guys, guys, you're all missing the point! These are evil *SEX OFFENDERS*! They commit crimes ranging from rape to the equally heinous crimes of being a 17 year old getting a hummer from their 16 year old girlfriend, to public urination!

They all DESERVE to have their identities stolen. PUBLIC URINATORS NEED TO BE PUNISHED, FOREVER!!!!


While I know that was meant to be sarcastic, I think it's worth pointing out that only the original query limited the results to people on the sex offenders registry. Switching things up a bit allowed access to the ENTIRE DOC database system, including (I'm assuming) records of anyone who had been previously incarcerated for any crime, as well as employees of the DOC (see the last screen shot with employee logins and email addresses).

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 12:50 • by kzoo (unregistered)
Why don't you take down those screen shots. It would take me all of about two minutes to unfuzz the social security numbers you have posted. Why are you doing just as bad a job as the people that you are complaining about?

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 12:54 • by RandomGuy (unregistered)
and counting ...

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 12:56 • by genelisp (unregistered)
Maybe the same 'developers' wrote this page too:

http://megis.maine.gov/metaweb/results.asp?whichpage=2&pagesize=5&sqlQuery=SELECT+CI.TITLE%2CID.Abstract%2CID_Web_Publish.WebPublish+FROM+CI%2CID%2CID_Web_Publish++WHERE+CI.Citation_ID+%3D+ID.Citation_ID++AND+ID.Dataset_ID+%3D+ID_Web_Publish.Dataset_ID++AND+NOT+ID_Web_Publish.WebPublish+%3D+0+AND+NOT+ID.Dataset_Type+%3D+2++AND+(++EXISTS+(SELECT+ID.Dataset_ID%2C+ID_Thesaurus_Keyword.Keyword_Name++FROM+ID_Thesaurus%2C+ID_Thesaurus_Keyword++WHERE+ID.Dataset_ID+%3D+ID_Thesaurus.Dataset_ID+AND+ID_Thesaurus.Thesaurus_ID+%3D+ID_Thesaurus_Keyword.Thesaurus_ID+AND+UPPER(ID_Thesaurus_Keyword.Keyword_Name)+LIKE+'%25HEALTH%25')+)+ORDER+BY+CI.Title

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 12:59 • by Mike (unregistered)
Searching Google for "select from where" is for wimps. Real h4k0rz search for "delete from where" ...

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 13:01 • by Former Jr. Programmer (unregistered)
Black-box the social security numbers and CHANGE THE NAME OF THE IMAGE REFERENCE to defeat caching.

Here.

Don't use these as permanent links. Bring them down, then replace. Rename the image reference in the anchor tag.

http://img518.imageshack.us/img518/702/ok2hn1.gif

http://img293.imageshack.us/img293/513/ok1pw3.gif

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 13:05 • by mG (unregistered)
189849 in reply to 189739
anon:
Wow, and I live in Oklahoma... thankfully I've never had a reason to be registered in such a database...



That doesn't mean that you aren't in such a database...

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 13:08 • by Moonrock (unregistered)
I stumbled across something like this when researching one of the oodles of microsoft "dbconnect string" keywords once. Google found > 250,000 websites that contained 'password' and 'uid' strings for logging into SQL server and access databases. I went to one, curious if it was what it appeared to be...sure enuf, it was similar to this, but exposed *all* data on county employees for a county in Ohio. I considered sending an email, thought: They're obviously outstandingly ignorant of website security; They're going to be surprised to find out someone KNOWS their password; They're going to take SOME kind of action; Gov'ts often take action by destroying people's lives. I closed the browser window, and went on my way. That county's data may still be exposed, for all I know.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 13:12 • by Xaox
I think somebody may have already been messing with their data:



Unless there is some state named Chihuahua...

Check it out here:

http://docapp8.doc.state.ok.us/servlet/page?_pageid=426&_dad=portal30&_schema=PORTAL30&id=regid

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 13:18 • by x (unregistered)
189853 in reply to 189852
Xaox:

Unless there is some state named Chihuahua...
.doc.state.ok.us/servlet/page?_pageid=426&_dad=portal30&_schema=PORTAL30&id=regid

Yes, genius, and it is in Mexico.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 13:22 • by Michael Day (unregistered)
189854 in reply to 189722
Amen to that. WTF? By the way, blurring the image doesn't help either. This is easily overcome with run-of-the-mill sharpening filters one can learn in Digital Image Processing 101.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 13:23 • by anon (unregistered)
You should give yourself a WTF award. How stupid could you possibly be posting the screen shots with the poorly obscured data. They were just presenting the data out of lack of good programming experience. You are posting data that you know shouldn't be posted, and doing next to nothing to prevent it from being stolen again.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 13:23 • by Anon Sam (unregistered)
Using GET requests to run side-effects is super-awesome.

It means all you have to do is publish this on some blog:

<img src="http://app.abra.dc.gov/services/suspended_licenses.asp?p=1&ps=&q=DELETED+FRO+abra%5Frw%2EtblLicense%5Fhold">

and, poof! Sayonara!

(That URL won't exactly work, but inspection should tell you how to change it.)
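Anon Sam's point, that a state-changing GET can be triggered by any page that embeds an `<img>` tag, is why mutations belong behind POST plus a request token the embedding site cannot forge. The following added example is not from the original thread or from the DC site; the `LicenseStore`, the `/suspended_licenses` route, the per-session HMAC token and the three request scenarios are all constructed. It shows the handler refusing to delete on GET, refusing a cross-site POST that carries no token, and honouring a same-site POST whose token matches the session.

```python
import hashlib
import hmac
import secrets

# Per-deployment server secret (constructed here; in practice loaded from config).
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session so another site cannot guess or reuse it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


class LicenseStore:
    """Toy stand-in for the suspended-licenses table."""

    def __init__(self):
        self.rows = {1: "Example Tavern", 2: "Sample Grill"}


def handle(store: LicenseStore, method: str, path: str, params: dict, session_id: str):
    """Minimal request dispatcher. Returns (status, body).
    Reads are GET; anything that changes state must be a POST with a valid token."""
    if path != "/suspended_licenses":
        return 404, "not found"
    if method == "GET":
        # Safe method: never mutates, so an <img src=...> on a hostile page is harmless.
        return 200, sorted(store.rows.values())
    if method == "POST" and params.get("action") == "delete":
        expected = issue_csrf_token(session_id)
        supplied = params.get("csrf", "")
        if not hmac.compare_digest(supplied, expected):
            return 403, "missing or invalid CSRF token"
        store.rows.pop(int(params.get("id", 0)), None)
        return 200, "deleted"
    return 405, "method not allowed"


def scenarios():
    """Runs the three cases and reports (status, rows_remaining) for each."""
    results = {}
    store = LicenseStore()
    session = "sess-123"  # constructed session id of a logged-in admin

    # 1. The <img> trick: the victim's browser issues a GET with the victim's cookie.
    status, _ = handle(store, "GET", "/suspended_licenses",
                       {"action": "delete", "id": "1"}, session)
    results["img_get"] = (status, len(store.rows))

    # 2. A cross-site form auto-submitted as POST: it carries no valid token.
    status, _ = handle(store, "POST", "/suspended_licenses",
                       {"action": "delete", "id": "1", "csrf": "guess"}, session)
    results["foreign_post"] = (status, len(store.rows))

    # 3. The real admin page, which embedded the session-bound token in its form.
    status, _ = handle(store, "POST", "/suspended_licenses",
                       {"action": "delete", "id": "1",
                        "csrf": issue_csrf_token(session)}, session)
    results["legit_post"] = (status, len(store.rows))
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(name, outcome)
```

Two things carry the weight here: the GET branch has no side effects at all, and the POST branch compares the token with `hmac.compare_digest` rather than `==` so the check is not timing-dependent. A `SameSite` cookie attribute is a useful second layer in a real deployment, but the token is the control that does not depend on browser behaviour.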

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 13:27 • by 5|i(3_x (unregistered)
189857 in reply to 189759
ptomblin:
<i>and remember many people are in favor of having the government run healthcare. wtf indeed.</i>

Yes, because private companies never leak data.


A private company that engages in negligence this gross isn't likely to be in business very long. More importantly, if a private company fails in this or any other way, you are not compelled to continue to do business with them.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 13:31 • by Dvnt (unregistered)
189859 in reply to 189797
Jordan:
Guys, guys, you're all missing the point! These are evil *SEX OFFENDERS*! They commit crimes ranging from rape to the equally heinous crimes of being a 17 year old getting a hummer from their 16 year old girlfriend, to public urination!

They all DESERVE to have their identities stolen. PUBLIC URINATORS NEED TO BE PUNISHED, FOREVER!!!!


You know, you jest, but that's how most people would probably react. Also, the ignorant will likely say, "So what? Who'd want to steal the identity of a sex offender?"

Of course, if you stop and think about it, they're one of the best possible targets for identity theft. If they're in prison, it's going to be a long time coming before they get word that credit cards have been taken in their name, and if they're not, convicted felons are probably least likely to run to the police for help and even less likely to be helped. Many people will think they 'deserve it' and it's God's vengeance upon them. They'll be unlikely to receive a lot of sympathy.

Not to mention the strong possibility that someone buying stuff using their stolen identity needs only purchase items that would cause them parole violations and who are the cops going to believe? Convicted pedophile saying his identity was stolen or a credit card company who says Johnny Pervo bought a bunch of toys, children's clothing, and a box of condoms?

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 13:33 • by Xaox
189862 in reply to 189853
x:
Yes, genius, and it is in Mexico.


Never mind. Seeing that and "Distro Federal (Me" with some county names and I thought that they were pulling the state list from the database. It doesn't help that searching for people based on those states returns the entire list. Then again a little more testing reveals that it does not matter what state I pick, the entire list is still retrieved.

At this point a broken search is the least of their problems.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 13:35 • by Anon Sam (unregistered)
189863 in reply to 189859
Dvnt:
and who are the cops going to believe? Convicted pedophile saying his identity was stolen or a credit card company who says Johnny Pervo bought a bunch of toys, children's clothing, and a box of condoms?

10 Points to whomever can craft a CSRF attack that will make this purchase come directly from the pedo's computer.

Blurring Not Cool

2008-04-15 13:36 • by Adam DiCarlo (unregistered)
Dude, Alex, like everyone else has said:

You need to blacken out the "blurred" parts.

Blurring can be undone, homeskillet!

Excellent article, though.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 13:36 • by Dorkquemada (unregistered)
This is the sound of job security

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 13:37 • by Mark (unregistered)
189866 in reply to 189862
Guess what, it's still vulnerable to SQL injection. Try putting in apostrophes into the search field.

Re: Oklahoma Leaks Tens of Thousands of Social Security Numbers, Other Sensitive Data

2008-04-15 13:41 • by Slashdot hater, but Slashdot READER (unregistered)
DUDE!!!!

YOU MADE THE FRONT PAGE OF SLASHDOT! I don't know if that's GOOD or not, but hey, pub is awesome, no?

http://it.slashdot.org/article.pl?no_d2=1&sid=08/04/15/1414223

By the way, I HATE Slashdot and most of the zealots that post there, however, I still feel the need to read that piece of garbage if only to see the lies being told by the OSS community.

Take care, Alex.

By the way, I live in the Cleveland area too. This weather BLOWS!