Message-ID: <4231F829.7090202@science.org>
Date: Sat, 12 Mar 2005 08:57:29 +1300
From: Jason Coombs <jasonc@...ence.org>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk,
	"Richard M. Smith" <rms@...puterbytesman.com>
Subject: [Fwd: Re: Web security breach changes the lives of 119 people]


Once again, securityfocus.com refuses to post the truth.

Anyone who has been following the story of the Harvard Business School 
applicants and others who allegedly hacked a Web site operated by 
ApplyYourself Inc. will find the following information valuable.

And you can't get it on securityfocus.com.

Why is that, exactly?

Regards,

Jason Coombs
jasonc@...ence.org

-------- Original Message --------
Subject: Re: Web security breach changes the lives of 119 people
Date: Thu, 10 Mar 2005 21:21:13 +1300
From: Jason Coombs <jasonc@...ence.org>
Reply-To: jasonc@...ence.org
To: Richard M. Smith <rms@...puterbytesman.com>
CC: webappsec@...urityfocus.com
References: <E1D8hZR-000510-00@...p01.mrf.mail.rcn.net> 
<422F963A.2030908@...ence.org>

Here's a description of the hack:

http://tinyurl.com/63znp

... the gist of which is ...

ApplicantDecision.asp?AYID=GUID&mode=decision&id=1234567

My point is that once your browser has been assigned the GUID of a
valid/active session, an application status is obtained simply by
entering a seven-digit number and tweaking the URL name/value pairs.

Chances are, the "applicants" who looked at their own application status
were predominantly script kiddies who were having fun poking around by
exploiting the hole.

In case Harvard isn't aware of this, a seven-digit number is not
difficult to guess, and if you know your own (or somebody else's) valid
seven-digit number, and if the numbers are assigned sequentially, then,
well, there's nothing even to guess...

As Richard M. Smith points out, this could very well be a simple Web
security breach -- but where's the proof that the 119 people actually
did this thing? There is none, and chances are very good that the
security flaw in the Web site allowed anyone to poke around and look at
anyone else's application status just by inserting a seven-digit number.

Let's throw out all of the applicants for this year and leave the
Harvard Business School empty to memorialize the dramatic decline in
business intelligence that is caused by computers and the Internet.

Regards,

Jason Coombs
jasonc@...ence.org


-------- Original Message --------
Subject: Re: Web security breach changes the lives of 119 people
Date: Thu, 10 Mar 2005 13:35:06 +1300
From: Jason Coombs <jasonc@...ence.org>
Reply-To: jasonc@...ence.org
To: Richard M. Smith <rms@...puterbytesman.com>
CC: webappsec@...urityfocus.com
References: <E1D8hZR-000510-00@...p01.mrf.mail.rcn.net>

Chances are that nobody at Harvard Business School or ApplyYourself Inc.
bothered to contemplate the most obvious scenario: that somebody other
than the 119 accused, or their friends and family, was responsible for
the majority of (or all of) the attempts to access application records.

What information of a personal nature would have been required in order
to access the pending application? Social Security Number? Perhaps it
was possible to browse any one of the pending applications once one had
penetrated the ApplyYourself Inc. security perimeter.

Are 118 applicants being accused of hacking because of the actions of a
single applicant? This is more likely than is the scenario as it has
been depicted.

Unfortunately, even Harvard Business School now believes, in the current
climate of mistrust and fraud in the U.S. Government and U.S.
marketplace, that it is more likely that the 119 applicants just
couldn't wait for their admission answers through proper channels.

Common sense is dead. Long live the Internet.

Regards,

Jason Coombs
jasonc@...ence.org


Richard M. Smith wrote:
> http://www.boston.com/business/articles/2005/03/08/harvard_rejects_119_accused_of_hacking_1110274403?mode=PF
> 
> Harvard rejects 119 accused of hacking
> Applicants' behavior 'unethical at best'
> By Robert Weisman, Globe Staff  |  March 8, 2005
> 
> Harvard Business School will reject the 119 applicants who hacked into the
> school's admissions site last week, the school's dean, Kim B. Clark, said
> yesterday.
> 
> ''This behavior is unethical at best -- a serious breach of trust that can
> not be countered by rationalization," Clark said in a statement. ''Any
> applicant found to have done so will not be admitted to this school."
> 
> A half dozen business schools were swamped by a wave of electronic
> intrusions Wednesday morning, after a computer hacker posted instructions on
> a BusinessWeek Online message board. Harvard is the second school to say
> definitively that it will deny the applications of proven hackers. The first
> was Carnegie Mellon's Tepper School of Business, where only one admission
> file was targeted.
> 
> ...
> 
> In most cases, applicants from around the world saw only blank screens when
> they hacked into their files, but some Harvard applicants glimpsed
> preliminary decisions about whether they would be admitted. Other business
> schools said they had yet to post any information in their applicants'
> files.
> 
> Some business school administrators have said they were being cautious in
> their reaction because their software vendor, ApplyYourself Inc., can
> identify which admissions files were targeted but not who tried to access
> them. Theoretically, at least, a hacker might have been a spouse or parent
> who had access to the password and personal identification numbers given to
> a business school applicant.
> 
> Clark, who said Harvard was working with ApplyYourself to determine the
> hackers' identities, rejected that distinction. ''We expect our applicants
> to be personally responsible for the access to the website, and for the
> identification and passwords they received," he said.

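The access pattern Coombs describes (a valid session GUID plus a guessable, sequential seven-digit id in the URL), shown from the defender's side as an added example that is not part of this thread or of the ApplyYourself software: a handler that trusts the id parameter beside one that binds the id to the session it was issued for, and a log check that flags sessions requesting ids other than their own. Session GUIDs, applicant ids, decisions and log lines are all constructed.

```python
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample state; GUIDs, ids and decisions are hypothetical.
# A session GUID (AYID) is issued to exactly one applicant.
SESSIONS = {"7f3a-guid-aaaa": 1234567, "9c1d-guid-bbbb": 1234568}
DECISIONS = {1234567: "admit", 1234568: "deny", 1234569: "pending"}

def vulnerable_decision(ayid, requested_id):
    """Reflects the flaw in the thread: any active session may read any id."""
    if ayid not in SESSIONS:
        return None                      # no session, no data
    return DECISIONS.get(requested_id)   # id from the URL is trusted as-is

def hardened_decision(ayid, requested_id):
    """The id in the URL must match the applicant the session was issued to."""
    owner = SESSIONS.get(ayid)
    if owner is None or owner != requested_id:
        return None                      # refuse; a real app also logs this
    return DECISIONS.get(requested_id)

# Constructed request log: one session walks sequential ids, one behaves.
LOG = """\
/ApplicantDecision.asp?AYID=7f3a-guid-aaaa&mode=decision&id=1234567
/ApplicantDecision.asp?AYID=7f3a-guid-aaaa&mode=decision&id=1234568
/ApplicantDecision.asp?AYID=7f3a-guid-aaaa&mode=decision&id=1234569
/ApplicantDecision.asp?AYID=9c1d-guid-bbbb&mode=decision&id=1234568
"""

def enumeration_suspects(log_lines, threshold=2):
    """Sessions that requested at least `threshold` ids other than their own."""
    foreign = defaultdict(set)
    for line in log_lines:
        qs = parse_qs(urlparse(line.strip()).query)
        ayid = qs.get("AYID", [""])[0]
        try:
            rid = int(qs.get("id", [""])[0])
        except ValueError:
            continue                     # malformed id; ignore for this count
        if SESSIONS.get(ayid) != rid:    # unauthenticated or another applicant
            foreign[ayid].add(rid)
    return sorted(s for s, ids in foreign.items() if len(ids) >= threshold)

if __name__ == "__main__":
    print(vulnerable_decision("7f3a-guid-aaaa", 1234568))  # "deny" leaks
    print(hardened_decision("7f3a-guid-aaaa", 1234568))    # None
    print(enumeration_suspects(LOG.splitlines()))          # ['7f3a-guid-aaaa']
```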