Information Security News mailing list archives

Swipe Card Hack Prompts Complaint


From: InfoSec News <isn () c4i org>
Date: Thu, 17 Apr 2003 02:40:08 -0500 (CDT)

http://www.thecrimson.com/article.aspx?ref=347623

[JYA's Cryptome has the Court-Banned Interz0nes Blackboard Attack
Powerpoint presentation, CampusWide (Blackboard) Attack and the
CampusWide (Blackboard) FAQ at: http://www.cryptome.org/ - WK]


By KIMBERLY A. KICENUIK
Crimson Staff Writer 
April 16, 2003

The company that provides the technology for Harvard's Crimson Cash 
system filed a criminal complaint this week against two hackers who 
allegedly threatened to expose security flaws they said they found in 
the system.

The complaint alleges that a student at the Georgia Institute of 
Technology, which uses the same software as Harvard, broke into the 
system, posted information about it on his website, and claimed that 
he would publicly disclose his finding at an upcoming hacker 
conference.

According to Harvard University Dining Services spokesperson Alexandra 
McNitt, the security of Harvard's Crimson Cash is not in question.

"Our system is as secure as any other system. If anyone attempted to 
hack into it, they would be prosecuted for felony to the fullest 
extent of the law," McNitt said. 

The University processes $5 million in vending, laundry and 
photocopying transactions and five million meal counts annually with 
the system, created by Blackboard Inc.

The company, which supplies more than 400 colleges and corporations 
across the country with its electronic purchasing system, filed the 
complaint with the Superior Court of Dekalb County, Ga.

The complaint alleges that Billy Hoffman, a student at the Georgia 
Institute of Technology, broke into a switch box located in a campus 
laundry room to examine the wiring of the system. 

Hoffman then allegedly posted photographs and a description of the 
system on his website www.yak.net, as well as claims that he would 
publicly disclose his findings at an upcoming hacker conference, the 
complaint says.

According to Blackboard spokesperson Michael Stanton, there is no 
threat of security flaws in the system. 

"This was not a cyberhack. It is a case of property damage, vandalism, 
and defrauding a university," Stanton said. "At no point was any 
financial information of our clients in danger. After Hoffman broke 
into the switch box, he could monitor transaction information but had 
no access to actual accounts." 

In the complaint, Blackboard alleges that Hoffman's actions were a 
violation of the consumer fraud and abuse act.

Hoffman's website stated that the "signals to and from several 
Blackboard readers have been captured, as well as how data is stored 
on the cards," according to the complaint.

Hoffman also claimed he would make replacement drop-in readers for the 
system at Georgia Tech, which, in effect, would give students free 
laundry service without compensating the university, Stanton said. 

On his website, Hoffman wrote that he would make compatible systems 
"and give them away" if Blackboard did not make the system more 
secure, the complaint says. 

Virgil Griffith, a student at the University of Alabama at New College 
who has a link to Hoffman's page on his website, is also named as a 
defendant in the complaint.

Blackboard also filed a cease and desist order this week, calling for 
Hoffman and Griffith to remove the Blackboard logo from their websites 
and cease from disclosing any information about the system or the card 
readers. 

The order came after the two hackers announced their plans to disclose 
their findings at the InterzOne II conference held in Georgia last 
weekend. 

Gregory Smith, an attorney representing Blackboard, said that Hoffman 
and Griffith have complied with the cease and desist order and have 
agreed to an extension of those restrictions for another 45 days.

Hoffman and Griffith could not be reached for comment.

Harvard installed Blackboard's system in 1994 when it created the 
Crimson Cash program.


- Staff writer Kimberly A. Kicenuik can be reached at
  kicenuik () fas harvard edu.



-
ISN is currently hosted by Attrition.org
