From: InfoSec News (isnc4i.org)
Date: Thu Apr 17 2003 - 02:40:08 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.thecrimson.com/article.aspx?ref=347623

[JYA's Cryptome has the Court-Banned Interz0nes Blackboard Attack
Powerpoint presentation, CampusWide (Blackboard) Attack and the
CampusWide (Blackboard) FAQ at: http://www.cryptome.org/ - WK]
                      

By KIMBERLY A. KICENUIK
Crimson Staff Writer
April 16, 2003

The company that provides the technology for Harvard's Crimson Cash
system filed a criminal complaint this week against two hackers who
allegedly threatened to expose security flaws they said they found in
the system.

The complaint alleges that a student at the Georgia Institute of
Technology, which uses the same software as Harvard, broke into the
system, posted information about it on his website, and claimed that
he would publicly disclose his finding at an upcoming hacker
conference.

According to Harvard University Dining Services spokesperson Alexandra
McNitt, the security of Harvard's Crimson Cash is not in question.

"Our system is as secure as any other system. If anyone attempted to
hack into it, they would be prosecuted for felony to the fullest
extent of the law," McNitt said.

The University processes $5 million in vending, laundry and
photocopying transactions and five million meal counts annually with
the system, created by Blackboard Inc.

The company, which supplies more than 400 colleges and corporations
across the country with its electronic purchasing system, filed the
complaint with the Superior Court of Dekalb County, Ga.

The complaint alleges that Billy Hoffman, a student at the Georgia
Institute of Technology, broke into a switch box located in a campus
laundry room to examine the wiring of the system.

Hoffman then allegedly posted photographs and description of the
system on his website www.yak.net, as well as claims that he would
publicly disclose his findings at an upcoming hacker conference, the
complaint says.

According to Blackboard spokesperson Michael Stanton, there is no
threat of security flaws in the system.

"This was not a cyberhack. It is a case of property damage, vandalism,
and defrauding a university," Stanton said. "At no point was any
financial information of our clients in danger. After Hoffman broke
into the switch box, he could monitor transaction information but had
no access to actual accounts."

In the complaint, Blackboard alleges that Hoffman's actions were a
violation of the consumer fraud and abuse act.

Hoffman's website stated that the "signals to and from several
Blackboard readers have been captured, as well as how data is stored
on the cards," according to the complaint.

Hoffman also claimed he would make replacement drop-in readers for the
system at Georgia Tech, which, in effect, would give students free
laundry service without compensating the university, Stanton said.

On his website, Hoffman wrote that he would make compatible systems
"and give them away" if Blackboard did not make the system more
secure, the complaint says.

Virgil Griffith, a student at the University of Alabama at New College
who has a link to Hoffman's page on his website, is also named as a
defendant in the complaint.

Blackboard also filed a cease and desist order this week, calling for
Hoffman and Griffith to remove the Blackboard logo from their websites
and cease from disclosing any information about the system or the card
readers.

The order came after the two hackers announced their plans to disclose
their findings at the InterzOne II conference held in Georgia last
weekend.

Gregory Smith, an attorney representing Blackboard, said that Hoffman
and Griffith have complied with the cease and desist order and have
agreed to an extension of those restrictions for another 45 days.

Hoffman and Griffith could not be reached for comment.

Harvard installed Blackboard's system in 1994 when it created the
Crimson Cash program.

- Staff writer Kimberly A. Kicenuik can be reached
  kicenuikfas.harvard.edu.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoattrition.org with 'unsubscribe isn'
in the BODY of the mail.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]