Feeds

Website exposes sensitive details on military personnel

Required by law

Secure remote control for conventional and virtual desktops

Programming errors on a website that helps commuters carpool to work are exposing sensitive information of workers for hundreds of employers in Southern California, including at least one military installation.

The bugs, discovered last month on RideMatch.info, allow hackers access to a variety of personal information, including individuals' names, home addresses, phone numbers, the times they commute to and from work, and in some cases employee numbers. The SQL injection vulnerability remained active at time of writing, more than two weeks after it was reported to a developer who runs the website.

"There's sensitive data there that definitely shouldn't be on the internet," said Kristian Hermansen, a security researcher who identified the vulnerability after receiving an email from his employer saying he was required by law to provide the information. "The reason I am bringing this to your attention is that the issue is not being fixed by the admins and most companies don't even know that their employees' personal and corporate information, like employee ID [number and] login ID, may have been compromised."

The form Hermansen was required to complete asked for a wealth of personal information, including his typical work hours, the times he begins work on each workday, and his employee ID. "The state can impose monetary penalties on companies that fail to complete this survey," an email sent by Hermansen's employer warned.

The website is a joint project developed by transit authorities in five regional governments in Southern California. Individuals enter their work and home addresses and the time they leave from each, and the website pairs them up with others with home and office locations and commute times that are suitable for carpools. Hermansen said virtually all of the data is accessible to anyone who knows how to exploit the vulnerability.

His tests revealed that at least one military institution was among the employers that used the website. The Register agreed to withhold the institution' identity because of the potential sensitivity of the matter.

A spokesman for the Riverside County Transportation Commission, one of the agencies responsible for the website, said administrators are working to fix the problem with the help of Trapeze Group, an Ontario, Canada-based company that designed the carpool software.

"We're confident we should have a fix for this in the next few days," the spokesman, John Standiford, said. "Trapeze being the provider of that software, they're trying to work with us and I guess others to come to a solution and fix the security problem."

Trapeze spokeswoman Kim Emmerson said on Tuesday that she was unaware of any security bugs in the software but promised the company would fix any that are brought to its attention.

"If there's a vulnerability, we would definitely investigate it and take care of it," she said.

The security lapse on RideMatch.info is only the latest reminder of the perils of SQL injection vulnerabilities. Three weeks ago, federal prosecutors revealed that hackers who stole more than 130 million payment card numbers were able to penetrate the network defenses of Heartland Payment Systems and four other companies after exploiting the garden-variety bug.

The flaw is the result of web applications that fail to adequately scrutinize user-generated text entered into search boxes and other fields on websites. Hackers can exploit them to pass commands directly to a website's backend database. Once identified, they can often be fixed in a matter of minutes, by changing a line or two of code.

The other agencies responsible for the site are: The Los Angeles County Metropolitan Transportation Authority, the Orange County Transportation Authority, the San Bernardino Associated Governments and the Ventura County Transportation Commission. ®

Beginner's guide to SSL certificates

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?