Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Should I Be Worried?
From: "CrYpTiC MauleR" <crypticmauler () linuxmail org>
Date: Wed, 26 Apr 2006 14:27:01 -0500

Forgot to say that the VP of Software Dev who is in charge of the site said he would do an emergency fix in 6 hours to 
fix the problem. As I expected the problem is still there. Either he is a moron and didn't understand me or they just 
tried to give the impression they were fixing it. So sad to say site is still vuln, reason thinking public spotlight 
will make them get off their ass and actually do something productive to protect student information. At this point I 
can not trust the IT staff because on 2 occasions the VPs of 2 departments lied to me about fixing the hole. I've 
contacted the Department Of Higher Education and will be filing a complaint against the school. Not only is their lack 
of concern about the problem disturbing, their IT administration seems to be unqualified to deal with it either.


----- Original Message -----
From: bkfsec <bkfsec () sdf lonestar org>
To: "CrYpTiC MauleR" <crypticmauler () linuxmail org>
Subject: Re: [Full-disclosure] Should I Be Worried?
Date: Wed, 26 Apr 2006 15:04:04 -0400


CrYpTiC MauleR wrote:

After reading http://www.securityfocus.com/news/11389 it made me 
think twice about actually going public with my school's security 
hole by having school notify students, parents and/or faculty at 
risk due to it.

I mean I didnt access any records, just knew that it was possible 
for someone to access my account or anyone elses. I did not even 
exploit the hole to steal, modify etc any records. Does this 
still put me in the same boat at the USC guy? If so I am really 
not wanting to butt heads with the school in case they try to 
turn around and bite the hand that tried to help them. Even if my 
intentions were good, they might even make something up saying I 
accessed entire database or something. I have nothing to prove me 
otherwise since they have access to the logs. Already it seems 
like the school is trying to sweep the incident under the rug, so 
very wary as to what they might do if they were pushed into a 
corner and forced to go public. Anyone has any idea what I can do 
or should I just let this slide? I am already putting my credit 
report and such on fraud alert just in case, and definelty do not 
plan on attending this school after my degree or school year is 
over. A transfer is better than having me risk my data.




I think you're probably jumping the gun a little bit here.

 From what I gather, you approached people about the issue, you got 
some resolution on it.  Switching schools is not necessarily going 
to help you because, believe me, every institution has problems 
with regard to information leakage.  If it's not technical, it's 
social leakage.  If you're concerned about possible problems to 
yourself, then maybe full disclosure may not be appropriate. Think 
about it for a second.  Holes in both software and procedures are 
fixed daily in any given institution. The *vast* majority of it is 
never reported.  And what would we really gain if it was?  School A 
fixes an XSS bug in their web app.  Woopty freaking doooo...  
School B patches their servers 2 months late, but are now up to 
date... School C fires a registrar for giving out SS numbers over 
the phone to unknown contacts, but not necessarily known to be 
malicious... etc

Without proof of a violation of security or privacy, it doesn't 
really mean much.  Just having a social security number these days 
is grounds for people to be concerned.  This is why it was 
originally against mandate for it to be used as a national ID 
system.

In fact, let's take that one step further and look at the whole 
financial infrastructure.  It's a shambles.  Not secure at all.  
Anyone with the right contract can pull your credit report and 
start adding accounts to your name. Be afraid, be very afraid.  
But, be afraid for the right reasons.  Really, the only reason you 
should be thinking full disclosure now is if they didn't fix the 
bug, which IIRC they did.  If you're really concerned about your 
privacy, that should be where it stops.  Full disclosure after 
fixes works with software components, not necessarily 
organizations.  Society as a whole is not necessarily going to 
learn anything from relatively generic examples of institutions 
having a security issue (which we don't even have proof of any 
exploit of those issues). So best thing to do is back off for a 
bit, lay low... you got a response, why keep putting yourself in 
the spotlight and drawing them to you?  Organizations threaten 
legal action, more often than not, to shut people up.  Just 
consider that if that's what you're concerned about.  Be subtle.

                -bkfsec




-- 
_______________________________________________
Check out the latest SMS services @ http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.

Powered by Outblaze

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]