[ISN] Hacker Tips Off B-School Applicants

From: InfoSec News (isn@private)
Date: Wed Mar 02 2005 - 23:50:36 PST


http://www.thecrimson.com/today/article506140.html

By DANIEL J. T. SCHUKER
Crimson Staff Writer 
March 03, 2005

Tipped off by an online hacker, applicants to several of the nation's
top business schools, including Harvard Business School (HBS), could
access internal files on the schools' websites and ascertain their
admissions status a month early.

The admissions websites were vulnerable for over nine hours yesterday
before the hacker's instructions and the admissions letters were taken
down.

But during the narrow time window, according to a thread on Business
Week Online's technology forum, several applicants managed to follow
the hacker's directions and read the admissions office's response
letter.

HBS requires students to submit their applications and recommendations
electronically using ApplyYourself, an online application and decision
notification system.

An anonymous hacker known as "brookbond," who defined himself as a
male who specializes in information technology and software security,
posted the instructions on Business Week Online's technology forum at
12:15 a.m., early yesterday.

"I know everyone is getting more and more anxious to check [the]
status of their apps to HBS," he wrote. "So I looked around on their
site and found a way."

Steven R. Nelson, executive director of HBS's Master of Business
Administration (MBA) program, said the letters were taken off the site
early yesterday.

"These were just internal administrative devices," Nelson said.

Len Metheny, chief executive officer of ApplyYourself, told The Crimson
that his company notified the half-dozen schools that were affected
and put them on alert yesterday morning.

"The problem has been resolved since 9:45 this morning," he said. "We
made some changes to the system to prohibit access to that
information."

Metheny also noted that individuals could only access their own
personal admissions responses - not those of other applicants.

Business Week officials set out to expunge the hacker's comments from
the website yesterday morning, said Kimberly Quinn, Business Week's
director of communications.

"As soon as we were informed of the situation, we deleted the post
immediately," she said. "And any other directions that anybody else
posted...we deleted those right away, too."

Nelson said HBS and Business Week did not contact each other about
taking the posts down.

Before the online discussion on Business Week's forum was deleted,
other students reported that they had also accessed admissions
decisions from MIT's Sloan School of Management, the Stanford Graduate
School of Business, and Duke University's Fuqua School of Business.

Managing Director of MBA Admissions and Financial Aid at HBS Brit K.  
Dewey posted a statement on Business Week's online forum last night
directed to current applicants.

"HBS decision information housed within ApplyYourself is neither
complete nor final until our application notification dates," she
wrote.

Dewey also emphasized in her online post that students' applications
and recommendations have remained secure.

"Such behavior is unethical and inconsistent with the behavior we
expect from high-potential leaders we seek to admit to our program,"
she added.

Nelson said that HBS has not decided how to deal with applicants who
accessed the site yesterday, nor would he confirm whether HBS knew the
identities of these applicants.

"This is a matter we're taking very seriously," he said.

HBS offers students three application rounds, with deadlines in
October, January, and March. The admissions office sends out responses
in January, March, and May, respectively.

Applicants who could access the website using the hacker's technique
expected to hear a decision from HBS on March 30.

Quinn said that Business Week does not know the identity of
"brookbond," who told the online forum yesterday that he had used his
own techniques to find out his own admissions status at HBS.

Sanford Kresiberg, a business school admissions consultant who follows
developments at HBS closely, said that "this was probably not HBS's
fault, but the software vendor's."

Kresiberg added that the Wharton School at the University of
Pennsylvania, as well as Cornell College, had experienced problems
with online admissions programs in recent years.

"Things could be worse," he said.

- Staff writer Daniel J. T. Schuker can be reached at  
  dschuker @ fas.harvard.edu


