Hacker info shuts down Comcast site


A hacker found exposed data from a list of potential corporate customers of Comcast Business Communications, forcing the company to shut down its Web site.

According to Sherrie Walters, a spokeswoman for Comcast Business Communications (CBC), the hacker discovered a test page for a database, called the @Work Leads Database, which listed company names, contacts, addresses and phone numbers.

The test Web page was created within the site but was not linked from any other page.

"We thought our sites were secure and that our databases were secure," Walters said. "We're investigating how we can make our system more secure."

CBC shut the site down after being advised of the incident, Walters said.

The vulnerability was exposed by a hacker who identified himself as Russell Handorf in a security forum.

Handorf said he found the unlinked Web page while looking through the CBC site in December.

What he found, he said, were Web servers that he could access by using common user names and passwords such as "user" and "test." The vulnerabilities are there, he said, because administrators have a massive amount of work, and are apparently prone to "simple oversights."

"My intent was to find something and tell them about it," said Handorf, a computer security researcher.

Handorf said he notified Comcast of the problem, but the company denied any vulnerabilities. On 6 February, he posted a message on the SecurityForum list. After that, Handorf said, Comcast thanked him for finding the problem and telling them about it. "My intentions are good," he insisted.

Security analysts said barely-hidden corporate Web pages of this kind are not uncommon.

"It's amazing what is unlinked in a Web page," said Charles Kolodgy, an analyst at IDC. Kolodgy claimed he is frequently successful when he tries different combinations of words following Web site names to try to find buried information. What should have been done, he said, is that if this were only a test page, only dummy information should have been included and not live sales leads.
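The two habits described above, trying word combinations after the site name to find unlinked pages and trying common user names and passwords on whatever turns up, can be turned into a check a site owner runs against their own servers before someone else does. The following is an added example, not part of this article and not code from Comcast or the researchers quoted; it runs entirely against a throwaway local server that stands in for a site with one unlinked test page at /test/leads.html. The wordlist, the credential pairs and the phone-number pattern used to flag live-looking contact data are all assumptions of the example.

```python
"""Forced-browsing check for unlinked test pages, with a default-credential
probe for any page that answers 401. Added example: it runs against a
throwaway local HTTP server that stands in for a site with one unlinked
test page; the target, paths and credentials are constructed assumptions,
not Comcast's actual setup."""
import base64
import itertools
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed target (assumption for the example): an unlinked page under
# /test/ behind HTTP Basic auth that accepts the default pair user:test and
# returns live-looking sales leads instead of dummy rows.
SECRET_PATH = "/test/leads.html"
ACCEPTED_AUTH = "Basic " + base64.b64encode(b"user:test").decode()
LEAD_ROWS = b"Acme Corp,Jane Doe,12 Main St,555-0100\n"

# Wordlist and default credentials the probe tries (constructed, kept short).
WORDS = ["test", "admin", "leads", "db"]
EXTS = ["", ".html", ".asp"]
DEFAULT_CREDS = [("admin", "admin"), ("user", "user"), ("user", "test"), ("test", "test")]
CONTACT_DATA = re.compile(r"\b\d{3}-\d{4}\b")  # crude phone-number check


class SiteHandler(BaseHTTPRequestHandler):
    """Stand-in site: a public home page that links nowhere, plus the test page."""

    def log_message(self, *args):
        pass  # keep the example quiet

    def do_GET(self):
        if self.path == "/":
            self._reply(200, b"<html><body>Welcome</body></html>")
        elif self.path == SECRET_PATH:
            if self.headers.get("Authorization") == ACCEPTED_AUTH:
                self._reply(200, LEAD_ROWS)
            else:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="leads"')
                self.send_header("Content-Length", "0")
                self.end_headers()
        else:
            self._reply(404, b"not found")

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_site():
    """Bind the stand-in site on an ephemeral localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), SiteHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def candidate_paths(words, exts):
    """Single words and ordered word pairs after the site name, with each extension."""
    paths = []
    combos = itertools.chain(((w,) for w in words), itertools.permutations(words, 2))
    for combo in combos:
        for ext in exts:
            paths.append("/" + "/".join(combo) + ext)
    return paths


def probe(base_url, path, creds=None):
    """GET one path, optionally with Basic auth; returns (status, body)."""
    request = urllib.request.Request(base_url + path)
    if creds:
        token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
        request.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(request, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""


def forced_browse(base_url, words=WORDS, exts=EXTS, default_creds=DEFAULT_CREDS):
    """Return (path, issue, leaks_contact_data) for every guessed path that exists."""
    findings = []
    for path in candidate_paths(words, exts):
        status, body = probe(base_url, path)
        if status == 404:
            continue
        issue = "unlinked page, open" if status == 200 else f"unlinked page, HTTP {status}"
        if status == 401:
            issue = "unlinked page, auth required"
            for user, password in default_creds:
                status, body = probe(base_url, path, (user, password))
                if status == 200:
                    issue = f"default credentials {user}:{password}"
                    break
        leaks = bool(CONTACT_DATA.search(body.decode(errors="replace")))
        findings.append((path, issue, leaks))
    return findings


if __name__ == "__main__":
    server, base = start_site()
    try:
        for finding in forced_browse(base):
            print(finding)
    finally:
        server.shutdown()
```

Pointed at a real host of your own, replace `start_site()` with the site's base URL and expand the wordlist; the third field of each finding is the check Kolodgy's remark implies, namely that a page reachable this way should contain dummy rows, not anything that looks like live contact data.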

Eric Hemmendinger, an analyst at Aberdeen Group, said the incident underscores the fact that most businesses think of security long after they think about other parts of their operations.

"The reality is that there are not too many people who get paid to pay attention to this except in the very largest corporations," Hemmendinger said. "The honest truth is that not too many people listen to them."
