CrYpTiC MauleR wrote:
After reading http://www.securityfocus.com/news/11389 it made me think twice
about actually going public with my school's security hole by having school
notify students, parents and/or faculty at risk due to it.
I mean I didnt access any records, just knew that it was possible for someone
to access my account or anyone elses. I did not even exploit the hole to steal,
modify etc any records. Does this still put me in the same boat at the USC guy?
If so I am really not wanting to butt heads with the school in case they try to
turn around and bite the hand that tried to help them. Even if my intentions
were good, they might even make something up saying I accessed entire database
or something. I have nothing to prove me otherwise since they have access to
the logs. Already it seems like the school is trying to sweep the incident
under the rug, so very wary as to what they might do if they were pushed into a
corner and forced to go public. Anyone has any idea what I can do or should I
just let this slide? I am already putting my credit report and such on fraud
alert just in case, and definelty do not plan on attending this school after my
degree or school year is over. A transfer is better than having me risk my data.
I think you're probably jumping the gun a little bit here.
From what I gather, you approached people about the issue, you got some
resolution on it. Switching schools is not necessarily going to help
you because, believe me, every institution has problems with regard to
information leakage. If it's not technical, it's social leakage. If
you're concerned about possible problems to yourself, then maybe full
disclosure may not be appropriate.
Think about it for a second. Holes in both software and procedures are
fixed daily in any given institution. The *vast* majority of it is never
reported. And what would we really gain if it was? School A fixes an
XSS bug in their web app. Woopty freaking doooo... School B patches
their servers 2 months late, but are now up to date... School C fires a
registrar for giving out SS numbers over the phone to unknown contacts,
but not necessarily known to be malicious... etc
Without proof of a violation of security or privacy, it doesn't really
mean much. Just having a social security number these days is grounds
for people to be concerned. This is why it was originally against
mandate for it to be used as a national ID system.
In fact, let's take that one step further and look at the whole
financial infrastructure. It's a shambles. Not secure at all. Anyone
with the right contract can pull your credit report and start adding
accounts to your name.
Be afraid, be very afraid. But, be afraid for the right reasons.
Really, the only reason you should be thinking full disclosure now is if
they didn't fix the bug, which IIRC they did. If you're really
concerned about your privacy, that should be where it stops. Full
disclosure after fixes works with software components, not necessarily
organizations. Society as a whole is not necessarily going to learn
anything from relatively generic examples of institutions having a
security issue (which we don't even have proof of any exploit of those
issues).
So best thing to do is back off for a bit, lay low... you got a
response, why keep putting yourself in the spotlight and drawing them to
you? Organizations threaten legal action, more often than not, to shut
people up. Just consider that if that's what you're concerned about.
Be subtle.
-bkfsec
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
