WebApp Sec mailing list archives

Re: Web security breach changes the lives of 119 people


From: El C0chin0 <mr.nasty () ix netcom com>
Date: 14 Mar 2005 21:52:37 -0000

In-Reply-To: <63434C14F9A6F74CB36B85033E4C30CA0142C81C () hermes corp cyveillance com>

You all make very good points. All of which I'm sure (sarcasm) was taken into account by Harvard. Seriously, the issue 
here isn't what the candidates did to 'hack' into the system; it's what the Harvard IT department did not do to prevent it 
in the first place.

We're talking Harvard here, one of the most prestigious business schools. They graduate some of the most highly sought 
after graduates in the country.

Was there a serious thought to SDLC in the process of acquiring the contract with ApplyYourself.inc? If so then 
"Security" should have been one of the prerequisites in the contract. If so, then it should have been documented.

Although it does appear that these students were a bit overzealous in trying to figure out whether they'd been accepted 
(human nature), the 'hack' was still there.

Had the 'hack' not been publicly posted then Harvard would have never known?

My point here is that Harvard is duly responsible for the breach. If there was no consideration for SECURITY during the 
SDLC then I hold them responsible.  And as a Security Professional my opinion is that they failed.

Now, just who would want to go to a school that can't practice what they teach?

Personally, Harvard should lick their wounds, audit the process of contract acceptance, determine if SECURITY was part 
of the SDLC, fix the problem, and go on. Not admitting these students as a fix to their problem looks a lot like our 
current political environment has influenced our character.

From: "Bill Nichols" <Bnichols () Cyveillance com>
To: <webappsec () securityfocus com>

Actually, it appears that the exploit was on individual accounts that each required a separate login. Once (legally) 
logged into the application, users could then slightly modify the URL in the browser, and point to a page that only 
school officials were supposed to be able to access. In most cases, the result page was blank, since the schools had not 
yet posted their decision. Incredibly shoddy application design, but it makes it unlikely that one person performed 
multiple attempts.

-----Original Message-----
From: Jason Coombs [mailto:jasonc () science org]
Sent: Wednesday, March 09, 2005 7:35 PM
Subject: Re: Web security breach changes the lives of 119 people

Chances are that nobody at Harvard Business School or ApplyYourself Inc. bothered to contemplate the most obvious 
scenario: that somebody other than the 119 accused, or their friends and family, was responsible for the majority of (or 
all of) the attempts to access application records.

What information of a personal nature would have been required in order to access the pending application? Social 
Security Number? Perhaps it was possible to browse any one of the pending applications once one had penetrated the 
ApplyYourself Inc. security perimeter.

Are 118 applicants being accused of hacking because of the actions of a single applicant? This is more likely than is 
the scenario as it has been depicted.

Unfortunately, even Harvard Business School now believes, in the current climate of mistrust and fraud in the U.S. 
Government and U.S. marketplace, that it is more likely that the 119 applicants just couldn't wait for their admission 
answers through proper channels.

Common sense is dead. Long live the Internet.

Regards,

Jason Coombs
jasonc () science org

