http://www.thecrimson.com/article.aspx?ref=347623 [JYA's Cryptome has the Court-Banned Interz0nes Blackboard Attack Powerpoint presentation, CampusWide (Blackboard) Attack and the CampusWide (Blackboard) FAQ at: http://www.cryptome.org/ - WK] By KIMBERLY A. KICENUIK Crimson Staff Writer April 16, 2003 The company that provides the technology for Harvard's Crimson Cash system filed a criminal complaint this week against two hackers who allegedly threatened to expose security flaws they said they found in the system. The complaint alleges that a student at the Georgia Institute of Technology, which uses the same software as Harvard, broke into the system, posted information about it on his website, and claimed that he would publicly disclose his finding at an upcoming hacker conference. According to Harvard University Dining Services spokesperson Alexandra McNitt, the security of Harvard's Crimson Cash is not in question. "Our system is as secure as any other system. If anyone attempted to hack into it, they would be prosecuted for felony to the fullest extent of the law," McNitt said. The University processes $5 million in vending, laundry and photocopying transactions and five million meal counts annually with the system, created by Blackboard Inc. The company, which supplies more than 400 colleges and corporations across the country with its electronic purchasing system, filed the complaint with the Superior Court of Dekalb County, Ga. The complaint alleges that Billy Hoffman, a student at the Georgia Institute of Technology, broke into a switch box located in a campus laundry room to examine the wiring of the system. Hoffman then allegedly posted photographs and description of the system on his website www.yak.net, as well as claims that he would publicly disclose his findings at an upcoming hacker conference, the complaint says. According to Blackboard spokesperson Michael Stanton, there is no threat of security flaws in the system. "This was not a cyberhack. It is a case of property damage, vandalism, and defrauding a university," Stanton said. "At no point was any financial information of our clients in danger. After Hoffman broke into the switch box, he could monitor transaction information but had no access to actual accounts." In the complaint, Blackboard alleges that Hoffman's actions were a violation of the consumer fraud and abuse act. Hoffman's website stated that the "signals to and from several Blackboard readers have been captured, as well as how data is stored on the cards," according to the complaint. Hoffman also claimed he would make replacement drop-in readers for the system at Georgia Tech, which, in effect, would give students free laundry service without compensating the university, Stanton said. On his website, Hoffman wrote that he would make compatible systems "and give them away" if Blackboard did not make the system more secure, the complaint says. Virgil Griffith, a student at the University of Alabama at New College who has a link to Hoffman's page on his website, is also named as a defendant in the complaint. Blackboard also filed a cease and desist order this week, calling for Hoffman and Griffith to remove the Blackboard logo from their websites and cease from disclosing any information about the system or the card readers. The order came after the two hackers announced their plans to disclose their findings at the InterzOne II conference held in Georgia last weekend. Gregory Smith, an attorney representing Blackboard, said that Hoffman and Griffith have complied with the cease and desist order and have agreed to an extension of those restrictions for another 45 days. Hoffman and Griffith could not be reached for comment. Harvard installed Blackboard's system in 1994 when it created the Crimson Cash program. - Staff writer Kimberly A. Kicenuik can be reached kicenuikat_private - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Apr 17 2003 - 04:18:51 PDT