WebApp Sec mailing list archives
RE: Web security breach changes the lives of 119 people
From: "Bill Nichols" <Bnichols () Cyveillance com>
Date: Fri, 11 Mar 2005 08:29:48 -0500
Actually, it appears that the exploit was on individual accounts that each required a separate login. Once (legally) logged into the application, users could then slightly modify the URL in the browser, and point to a page that only school officials were supposed to be able to access. In most cases, the result page was blank, since the schools had not yet posted their decision.

Incredibly shoddy application design, but it makes it unlikely that one person performed multiple attempts.

-----Original Message-----
From: Jason Coombs [mailto:jasonc () science org]
Sent: Wednesday, March 09, 2005 7:35 PM
To: Richard M. Smith
Cc: webappsec () securityfocus com
Subject: Re: Web security breach changes the lives of 119 people

Chances are that nobody at Harvard Business School or ApplyYourself Inc. bothered to contemplate the most obvious scenario: that somebody other than the 119 accused, or their friends and family, was responsible for the majority of (or all of) the attempts to access application records.

What information of a personal nature would have been required in order to access the pending application? Social Security Number?

Perhaps it was possible to browse any one of the pending applications once one had penetrated the ApplyYourself Inc. security perimeter.

Are 118 applicants being accused of hacking because of the actions of a single applicant? This is more likely than is the scenario as it has been depicted.

Unfortunately, even Harvard Business School now believes, in the current climate of mistrust and fraud in the U.S. Government and U.S. marketplace, that it is more likely that the 119 applicants just couldn't wait for their admission answers through proper channels.

Common sense is dead. Long live the Internet.

Regards,

Jason Coombs
jasonc () science org

Richard M. Smith wrote:
http://www.boston.com/business/articles/2005/03/08/harvard_rejects_119_accused_of_hacking_1110274403?mode=PF

Harvard rejects 119 accused of hacking
Applicants' behavior 'unethical at best'
By Robert Weisman, Globe Staff | March 8, 2005

Harvard Business School will reject the 119 applicants who hacked into the school's admissions site last week, the school's dean, Kim B. Clark, said yesterday.

"This behavior is unethical at best -- a serious breach of trust that can not be countered by rationalization," Clark said in a statement. "Any applicant found to have done so will not be admitted to this school."

A half dozen business schools were swamped by a wave of electronic intrusions Wednesday morning, after a computer hacker posted instructions on a BusinessWeek Online message board. Harvard is the second school to say definitively that it will deny the applications of proven hackers. The first was Carnegie Mellon's Tepper School of Business, where only one admission file was targeted.

...

In most cases, applicants from around the world saw only blank screens when they hacked into their files, but some Harvard applicants glimpsed preliminary decisions about whether they would be admitted. Other business schools said they had yet to post any information in their applicants' files.

Some business school administrators have said they were being cautious in their reaction because their software vendor, ApplyYourself Inc., can identify which admissions files were targeted but not who tried to access them. Theoretically, at least, a hacker might have been a spouse or parent who had access to the password and personal identification numbers given to a business school applicant.

Clark, who said Harvard was working with ApplyYourself to determine the hackers' identities, rejected that distinction. "We expect our applicants to be personally responsible for the access to the website, and for the identification and passwords they received," he said.
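
The design flaw described at the top of this message (a valid login being the only check on a page meant for school officials) is shown below beside a server-side authorization check; this is an added example, not part of the original messages and not ApplyYourself's code. It goes slightly beyond the thread by also recording which account made each request. All names, roles and records are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str
    role: str  # assumed roles: "applicant" or "official"


# Constructed sample records: application id -> owner and decision state.
APPLICATIONS = {
    "A100": {"owner": "alice", "decision": "admit", "released": False},
    "A200": {"owner": "bob", "decision": None, "released": False},
}
AUDIT_LOG = []  # (user_id, app_id, outcome) for every authenticated request


def decision_page_flawed(session, app_id):
    """The flaw as described: being logged in is the only check."""
    if session is None:
        return 401, ""
    app = APPLICATIONS.get(app_id)
    if app is None:
        return 404, ""
    return 200, app["decision"] or ""  # blank when nothing is posted yet


def decision_page_checked(session, app_id):
    """Authorize on the server for every request and record who asked."""
    if session is None:
        return 401, ""
    app = APPLICATIONS.get(app_id)
    allowed = app is not None and (
        session.role == "official"
        or (session.user_id == app["owner"] and app["released"])
    )
    AUDIT_LOG.append((session.user_id, app_id, "allow" if allowed else "deny"))
    if not allowed:
        return 403, ""  # same answer for unknown, foreign or unreleased files
    return 200, app["decision"] or ""


if __name__ == "__main__":
    alice = Session("alice", "applicant")
    print(decision_page_flawed(alice, "A100"))   # decision shown before release
    print(decision_page_checked(alice, "A100"))  # denied, and the attempt is logged
```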