Serious Security Flaw Discovered In Less Than 2 Minutes On U.S. Senator's Web Site
She simply used her Web browser.
Richards, owner of Minneapolis-based Aden Networks and self-proclaimed "Organic Technology Consultant," was led by her techie curiosity to the Web site of U.S. Sen. Norm Coleman (R-Minn.) after a much-publicized accusation by Coleman's campaigners that the site had been hacked for political purposes. (Coleman is currently campaigning to retain his Senate seat against challenger Al Franken.)
Richards, however, discovered that Coleman's Web site was woefully lacking in security, and was not hacked as his campaigners indicated.
Richards used OpenDNS' CacheCheck tool to find the current IP address of the domain name colemanforsenate.com. She then pointed a browser at that IP address, and that's when she found a list of directories. She was able to browse through the directories and found database files and other files sitting unprotected in the webroot directory. The files were in a public folder with no restrictions set on them and no authentication requirements.
Reports have said that the database file on the site contained sensitive information, such as the credit-card numbers of donors to Coleman's campaign.
Richards said she did not, of course, download any of the files. However, she did go public with her findings on her blog, butyoureagirl.com, and appeared on MSNBC's The Rachel Maddow Show. Since then, she has been in the media spotlight and has attracted, in particular, the attention of those involved in the business of IT security.
When asked via phone interview about both the praise and criticism she has received for going public about the security-lax site, Richards said her "focus was on security folks and business owners" and on heightening awareness about security. She made the claim that security is often neglected when it comes to implementing technology, like Web sites, likening that neglect to "someone [making] a car without a seatbelt."
There are those who have commented that Richards did a good service by going public with this. Others have lambasted her for the same reason. Controversy aside, the discovery has led to increased business opportunities for her. She has been acting as a liaison between business owners and their in-house IT people. She also has a desire to establish a "list of security and penetration testers in each state." Richards feels this would be an invaluable resource for those wanting to ensure maximum security when deploying Web sites and other technologies.
She would also like to see a public repository of information on developers who offer their services for hire, with references about their work. Richards' sentiment is that the public should be made aware of those developers who create sites and code that is subject to compromise. "There should be more penalties for those programmers," she said.
Her advice to VARs and any IT professionals responsible for the security and/or Web content of their clients' data?
"If customers collect any information on the Internet," she advises, "reach out to a Web site security consultant." Even if that IT professional or VAR specializes in security, cross-referencing with another security professional is good practice.
Richards also emphasizes the necessity of obtaining "regular audits, regular monitoring." She also advises business owners and executives to ask this question: "What is our process to be notified [in the event of a security breach such as] if the admin login page was accessed 400 times in the last hour?"
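The two conditions this story turns on, database files served straight out of a public webroot and an admin login page hit hundreds of times in an hour, are both visible in an ordinary web server access log. The following is an added example, not code from the article or from anyone involved in the story: it parses Apache common-log-format lines, flags successful downloads of database-like files, and answers the "400 times in the last hour" question with a sliding-window count. The log lines, client addresses, paths and the list of sensitive extensions are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Apache common log format; the regex captures client, timestamp, method, path, status, bytes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# File types that should never be reachable in a public webroot (assumed list for the example).
SENSITIVE_EXT = (".mdb", ".sql", ".bak", ".db", ".csv")

def build_sample_log():
    """Constructed sample log: a few browsing requests plus 450 hits on the admin login page."""
    lines = [
        '203.0.113.5 - - [29/Oct/2008:10:00:01 -0500] "GET / HTTP/1.1" 200 5120',
        '203.0.113.5 - - [29/Oct/2008:10:00:07 -0500] "GET /db/ HTTP/1.1" 200 2210',
        '203.0.113.5 - - [29/Oct/2008:10:00:12 -0500] "GET /db/donors.mdb HTTP/1.1" 200 4194304',
        '203.0.113.5 - - [29/Oct/2008:10:00:30 -0500] "GET /backup.sql HTTP/1.1" 404 512',
    ]
    start = datetime(2008, 10, 29, 10, 5, 0)
    for i in range(450):  # one request every 5 seconds, 37.5 minutes in total
        ts = (start + timedelta(seconds=5 * i)).strftime("%d/%b/%Y:%H:%M:%S")
        lines.append(f'198.51.100.9 - - [{ts} -0500] "GET /admin/login.php HTTP/1.1" 200 1024')
    return lines

def parse_log(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, method, path, status, _ = m.groups()
        entries.append({"client": client, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
                        "method": method, "path": path, "status": int(status)})
    return entries

def find_exposed_files(entries):
    """Successful (200) downloads of database-like files straight from the webroot."""
    return [(e["path"], e["client"]) for e in entries
            if e["status"] == 200 and e["path"].lower().endswith(SENSITIVE_EXT)]

def admin_login_spike(entries, path="/admin/login.php", threshold=400, window=timedelta(hours=1)):
    """Peak number of requests to `path` inside any sliding window, and whether it exceeds threshold."""
    times = sorted(e["time"] for e in entries if e["path"] == path)
    peak, j = 0, 0
    for i, t in enumerate(times):
        while times[j] <= t - window:  # drop requests that fell out of the window
            j += 1
        peak = max(peak, i - j + 1)
    return peak, peak > threshold
```

Running `find_exposed_files` and `admin_login_spike` over `parse_log(build_sample_log())` reports the `.mdb` download and a peak of 450 login-page requests in one hour, which is the alert the article's question asks for; a real deployment would feed the functions live log lines rather than the constructed sample.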
Good advice. Yet, we still had one last question. Just what exactly is an Organic Technology Consultant? She pointed us to an excerpt of her definition on her Web site:
I use nature as a guide for computer networks and technology planning. Organic technology is founded on the principles of organic farming. Business technology is selected based on what fits your company. Your business will be better off than where it started from. You always have flexibility to adjust based on where you're at.