Re: [Full-disclosure] Should I Be Worried?

[Sol Invictus <sol@xxxxxxxxxxxxxxxxxxxxx>]

CrYpTiC MauleR wrote:

> Forgot to say that the VP of Software Dev who is in charge of the site said he 
> would do an emergency fix in 6 hours to fix the problem. As I expected the 
> problem is still there. Either he is a moron and didn't understand me or they 
> just tried to give the impression they were fixing it. So sad to say site is 
> still vuln, reason thinking public spotlight will make them get off their ass 
> and actually do something productive to protect student information. At this 
> point I can not trust the IT staff because on 2 occasions the VPs of 2 
> departments lied to me about fixing the hole. I've contacted the Department Of 
> Higher Education and will be filing a complaint against the school. Not only is 
> their lack of concern about the problem disturbing, their IT administration 
> seems to be unqualified to deal with it either.
>
>
>  
>
> > ----- Original Message -----
> > From: bkfsec <bkfsec@xxxxxxxxxxxxxxxx>
> > To: "CrYpTiC MauleR" <crypticmauler@xxxxxxxxxxxxx>
> > Subject: Re: [Full-disclosure] Should I Be Worried?
> > Date: Wed, 26 Apr 2006 15:04:04 -0400
> >
> >
> > CrYpTiC MauleR wrote:
> >
> >    
> >
> > > After reading http://www.securityfocus.com/news/11389 it made me 
> > > think twice about actually going public with my school's security 
> > > hole by having school notify students, parents and/or faculty at 
> > > risk due to it.
> > > I mean I didnt access any records, just knew that it was possible 
> > > for someone to access my account or anyone elses. I did not even 
> > > exploit the hole to steal, modify etc any records. Does this 
> > > still put me in the same boat at the USC guy? If so I am really 
> > > not wanting to butt heads with the school in case they try to 
> > > turn around and bite the hand that tried to help them. Even if my 
> > > intentions were good, they might even make something up saying I 
> > > accessed entire database or something. I have nothing to prove me 
> > > otherwise since they have access to the logs. Already it seems 
> > > like the school is trying to sweep the incident under the rug, so 
> > > very wary as to what they might do if they were pushed into a 
> > > corner and forced to go public. Anyone has any idea what I can do 
> > > or should I just let this slide? I am already putting my credit 
> > > report and such on fraud alert just in case, and definelty do not 
> > > plan on attending this school after my degree or school year is 
> > > over. A transfer is better than having me risk my data.
> > >
> > >
> > >      
> > I think you're probably jumping the gun a little bit here.
> >
> > From what I gather, you approached people about the issue, you got 
> > some resolution on it.  Switching schools is not necessarily going 
> > to help you because, believe me, every institution has problems 
> > with regard to information leakage.  If it's not technical, it's 
> > social leakage.  If you're concerned about possible problems to 
> > yourself, then maybe full disclosure may not be appropriate. Think 
> > about it for a second.  Holes in both software and procedures are 
> > fixed daily in any given institution. The *vast* majority of it is 
> > never reported.  And what would we really gain if it was?  School A 
> > fixes an XSS bug in their web app.  Woopty freaking doooo...  
> > School B patches their servers 2 months late, but are now up to 
> > date... School C fires a registrar for giving out SS numbers over 
> > the phone to unknown contacts, but not necessarily known to be 
> > malicious... etc
> > Without proof of a violation of security or privacy, it doesn't 
> > really mean much.  Just having a social security number these days 
> > is grounds for people to be concerned.  This is why it was 
> > originally against mandate for it to be used as a national ID 
> > system.
> > In fact, let's take that one step further and look at the whole 
> > financial infrastructure.  It's a shambles.  Not secure at all.  
> > Anyone with the right contract can pull your credit report and 
> > start adding accounts to your name. Be afraid, be very afraid.  
> > But, be afraid for the right reasons.  Really, the only reason you 
> > should be thinking full disclosure now is if they didn't fix the 
> > bug, which IIRC they did.  If you're really concerned about your 
> > privacy, that should be where it stops.  Full disclosure after 
> > fixes works with software components, not necessarily 
> > organizations.  Society as a whole is not necessarily going to 
> > learn anything from relatively generic examples of institutions 
> > having a security issue (which we don't even have proof of any 
> > exploit of those issues). So best thing to do is back off for a 
> > bit, lay low... you got a response, why keep putting yourself in 
> > the spotlight and drawing them to you?  Organizations threaten 
> > legal action, more often than not, to shut people up.  Just 
> > consider that if that's what you're concerned about.  Be subtle.
> >                -bkfsec
> >    
Go FD Young Man!!!!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/