The Harvard University Graduate School of Arts and Science's website was vulnerable to data theft.

An anonymous cracker has downloaded copies of three databases from Harvard University containing information on around ten thousand applicants to the Graduate School of Arts and Sciences from 2007, and has made the files available to all via BitTorrent.

The databases – joomla.sql, contacts.sql, and hgs.sql – contain information including Social Security numbers, names, dates of birth, and addresses both real and electronic. The security breach occurred some time in February according to a press release by the department concerned, but it is only since the cracker made the data available on a peer-to-peer network that the university has realised the full extent of the damage.

The person responsible for the breach – or at least the uploading of the data to BitTorrent – included a note with the 125MB archive claiming the attack was carried out “to demonstrate that persons like tgatton [server administrator] [...] they don't know how to secure a website.”

Although the original reason for the attack may have been to prove a point, making the data available publicly changes things for the worse. Not every criminal who is capable of making use of the information included in the database is smart enough to be able to retrieve it from the improperly secured server, but the vast majority of them will be able to use a BitTorrent client.

Harvard University has written to all those affected apologising for the breach, and will provide credit monitoring and identity theft recovery services free of charge. The site affected has also been secured – at least against this particular exploit.

Do you think the cracker had a valid point to make about the security of the website, or did he cross the line when he uploaded the data unmunged to BitTorrent? Share your thoughts over in the forums.
Quote 1ad7 14th March 2008, 07:46
The point he is making is inherently flawed. If someone wants data, they can and will take data. Now, to do this for a bunch of idiots that take socials and ruin people's credit, well, that's just wrong. He proved a point alright; he for sure didn't apply to Harvard, I guess that narrows the list of suspects.
Quote Burnout21 14th March 2008, 08:30
The point he made is interesting. If he noticed that there was a weakness in the website security, surely an email to the admin would have been better, maybe attaching a list of file names so they don't think you're joking.

He definitely went about it the wrong way, that's all I can say! And you don't torrent people's personal information like that; 1000s of students are now living a paranoid life waiting for the credit cards to suddenly max out due to fraud.
Quote mmorgue 14th March 2008, 09:02
He could have done them a favour and illustrated to them the inherent security flaws in their system, thereby gaining credit for himself and helping out a bunch of people. He could have emailed the web admin with PoC code and examples showing how easy it was, etc. At worst, he could have 'added' a few fake but obvious records to let the security people know he had cracked it.

He didn't have to jeopardise the personal data of thousands of people to prove it. He's not smart -- he's just an idiot.
Quote sotu1 14th March 2008, 11:26
It's pretty clear that there seems to be an ulterior motive. The hack is one thing; to then release highly sensitive details of 10,000 people is malicious.
Quote EmJay 14th March 2008, 16:45
Quote:
the attack was carried out "to demonstrate that persons like tgatton [server administrator] [...] they don't know how to secure a website."

I spy a personal grudge. He's an idiot to drag thousands of other people into it, tbh - now everyone hates the hacker, instead of hating the admin. He'd have been better off sending all the info to the admin's boss, if he really wanted to cause trouble for him.
Quote DarkLord7854 14th March 2008, 19:50
Guy probably got booted out of Harvard lol
Quote Dorte 14th March 2008, 20:39
Not so good
Quote Cthippo 14th March 2008, 22:55
Depends on his motivations. He's going to generate negative publicity for Harvard and specifically the IT department with this. If his goal was to hurt the uni's reputation in the media, he has succeeded.

And a minor point: he's undoubtedly an ass, but I don't think he's an idiot.
Quote dyzophoria 15th March 2008, 01:25
I hate people like these. It's good that he found the flaw, but he should have just emailed the admins or contacted Harvard itself. But exposing all the data of innocent people?
Quote Bluephoenix 15th March 2008, 17:20
This guy's actions are downright shameful.

Being an LPT (licensed penetration tester) and a CISSP, I think the # of laws he's broken is somewhere in the neighborhood of 40-50 depending on his location. I'd estimate the jail sentence he's likely to get if caught and charged with the offenses would be somewhere in the neighborhood of 30 years minimum mandatory.
Quote zero0ne 15th March 2008, 23:04
Of course his follow-through was the wrong method. Did it ever occur to any of you that he DID contact the admin?

Who knows, maybe the admin gave him a royal "**** you, my servers are secure"
(there are server/network admins that are arrogant enough to think the stuff they do is 100% secure all the time).

Of course sharing all the info wasn't the right method, but why does Harvard have this type of data in a SQL database unencrypted?
AND WHY ARE THEY USING JOOMLA?
(WTF)
Quote HandMadeAndroid 16th March 2008, 16:25
Hey, thumbs up to bit-tech for sharing the file names with the world.
Quote B3CK 17th March 2008, 02:25
Quote:
Originally Posted by zero0ne
Of course his follow-through was the wrong method. Did it ever occur to any of you that he DID contact the admin?

Who knows, maybe the admin gave him a royal "**** you, my servers are secure"
(there are server/network admins that are arrogant enough to think the stuff they do is 100% secure all the time).

Albeit sounding a little harsh, I would think this is probably what happened. Contacting the council for the college would have been a more appropriate action. While trying to make a tough example of the Sys Admin is one thing, I would think this person is in for a rough ride if caught.