http://www.thecrimson.com/today/article506140.html

By DANIEL J. T. SCHUKER
Crimson Staff Writer
March 03, 2005

Tipped off by an online hacker, applicants to several of the nation's top business schools, including Harvard Business School (HBS), could access internal files on the schools' websites and ascertain their admissions status a month early.

The admissions websites were vulnerable for over nine hours yesterday before the hacker's instructions and the admissions letters were taken down. But during the narrow time window, according to a thread on Business Week Online's technology forum, several applicants managed to follow the hacker's directions and read the admissions office's response letter.

HBS requires students to submit their applications and recommendations electronically using ApplyYourself, an online application and decision notification system.

An anonymous hacker known as "brookbond," who defined himself as a male who specializes in information technology and software security, posted the instructions on Business Week Online's technology forum at 12:15 a.m., early yesterday.

"I know everyone is getting more and more anxious to check [the] status of their apps to HBS," he wrote. "So I looked around on their site and found a way."

Steven R. Nelson, executive director of HBS's Master of Business Administration (MBA) program, said the letters were taken off the site early yesterday.

"These were just internal administrative devices," Nelson said.

Len Metheny, chief executive officer of ApplyYourself, told The Crimson that his company notified the half-dozen schools that were affected and put them on alert yesterday morning.

"The problem has been resolved since 9:45 this morning," he said. "We made some changes to the system to prohibit access to that information."

Metheny also noted that individuals could only access their own personal admissions responses - not those of other applicants.

Business Week officials set out to expunge the hacker's comments from the website yesterday morning, said Kimberly Quinn, Business Week's director of communications.

"As soon as we were informed of the situation, we deleted the post immediately," she said. "And any other directions that anybody else posted...we deleted those right away, too."

Nelson said HBS and Business Week did not contact each other about taking the posts down.

Before the online discussion on Business Week's forum was deleted, other students reported that they had also accessed admissions decisions from MIT's Sloan School of Management, the Stanford Graduate School of Business, and Duke University's Fuqua School of Business.

Managing Director of MBA Admissions and Financial Aid at HBS Brit K. Dewey posted a statement on Business Week's online forum last night directed to current applicants.

"HBS decision information housed within ApplyYourself is neither complete nor final until our application notification dates," she wrote.

Dewey also emphasized in her online post that students' applications and recommendations have remained secure.

"Such behavior is unethical and inconsistent with the behavior we expect from high-potential leaders we seek to admit to our program," she added.

Nelson said that HBS has not decided how to deal with applicants who accessed the site yesterday, nor would he confirm whether HBS knew the identities of these applicants.

"This is a matter we're taking very seriously," he said.

HBS offers students three application rounds, with deadlines in October, January, and March. The admissions office sends out responses in January, March, and May, respectively. Applicants who could access the website using the hacker's technique expected to hear a decision from HBS on March 30.

Quinn said that Business Week does not know the identity of "brookbond," who told the online forum yesterday that he had used his own techniques to find out his own admissions status at HBS.

Sanford Kresiberg, a business school admissions consultant who follows developments at HBS closely, said that "this was probably not HBS's fault, but the software vendor's."

Kresiberg added that the Wharton School at the University of Pennsylvania, as well as Cornell College, had experienced problems with online admissions programs in recent years.

"Things could be worse," he said.

- Staff writer Daniel J. T. Schuker can be reached at dschuker @ fas.harvard.edu