[ISN] Swipe Card Hack Prompts Complaint

From: InfoSec News (isnat_private)
Date: Thu Apr 17 2003 - 00:40:08 PDT


    http://www.thecrimson.com/article.aspx?ref=347623
    
    [JYA's Cryptome has the Court-Banned Interz0nes Blackboard Attack        
    Powerpoint presentation, CampusWide (Blackboard) Attack and the  
    CampusWide (Blackboard) FAQ at: http://www.cryptome.org/   - WK]
                          
    
    By KIMBERLY A. KICENUIK
    Crimson Staff Writer 
    April 16, 2003
    
    The company that provides the technology for Harvard's Crimson Cash 
    system filed a criminal complaint this week against two hackers who 
    allegedly threatened to expose security flaws they said they found in 
    the system.
    
    The complaint alleges that a student at the Georgia Institute of 
    Technology, which uses the same software as Harvard, broke into the 
    system, posted information about it on his website, and claimed that 
    he would publicly disclose his finding at an upcoming hacker 
    conference.
    
    According to Harvard University Dining Services spokesperson Alexandra 
    McNitt, the security of Harvard's Crimson Cash is not in question.
    
    "Our system is as secure as any other system. If anyone attempted to 
    hack into it, they would be prosecuted for felony to the fullest 
    extent of the law," McNitt said. 
    
    The University processes $5 million in vending, laundry and 
    photocopying transactions and five million meal counts annually with 
    the system, created by Blackboard Inc.
    
    The company, which supplies more than 400 colleges and corporations 
    across the country with its electronic purchasing system, filed the 
    complaint with the Superior Court of Dekalb County, Ga.
    
    The complaint alleges that Billy Hoffman, a student at the Georgia 
    Institute of Technology, broke into a switch box located in a campus 
    laundry room to examine the wiring of the system. 
    
    Hoffman then allegedly posted photographs and a description of the 
    system on his website, www.yak.net, as well as claims that he would 
    publicly disclose his findings at an upcoming hacker conference, the 
    complaint says.
    
    According to Blackboard spokesperson Michael Stanton, there is no 
    threat of security flaws in the system. 
    
    "This was not a cyberhack. It is a case of property damage, vandalism, 
    and defrauding a university," Stanton said. "At no point was any 
    financial information of our clients in danger. After Hoffman broke 
    into the switch box, he could monitor transaction information but had 
    no access to actual accounts." 
    
    In the complaint, Blackboard alleges that Hoffman's actions were a 
    violation of the consumer fraud and abuse act.
    
    Hoffman's website stated that the "signals to and from several 
    Blackboard readers have been captured, as well as how data is stored 
    on the cards," according to the complaint.
    
    Hoffman also claimed he would make replacement drop-in readers for the 
    system at Georgia Tech, which, in effect, would give students free 
    laundry service without compensating the university, Stanton said. 
    
    On his website, Hoffman wrote that he would make compatible systems 
    "and give them away" if Blackboard did not make the system more 
    secure, the complaint says. 
    
    Virgil Griffith, a student at the University of Alabama at New College 
    who has a link to Hoffman's page on his website, is also named as a 
    defendant in the complaint.
    
    Blackboard also filed a cease and desist order this week, calling for 
    Hoffman and Griffith to remove the Blackboard logo from their websites 
    and cease from disclosing any information about the system or the card 
    readers. 
    
    The order came after the two hackers announced their plans to disclose 
    their findings at the InterzOne II conference held in Georgia last 
    weekend. 
    
    Gregory Smith, an attorney representing Blackboard, said that Hoffman 
    and Griffith have complied with the cease and desist order and have 
    agreed to an extension of those restrictions for another 45 days.
    
    Hoffman and Griffith could not be reached for comment.
    
    Harvard installed Blackboard's system in 1994 when it created the 
    Crimson Cash program.
    
    
    - Staff writer Kimberly A. Kicenuik can be reached 
      kicenuikat_private
    
    
    
    


