Comments on slight paranoia: FOIA Fun. Or. How Phishers hacked into IU
Blog author: Christopher Soghoian (http://www.blogger.com/profile/08950937382104783909)
Comment feed last updated 2024-01-24; 8 comments, newest first.


students credit card article (http://www.buildingcreditforstudents.com/), 2010-01-14 01:12 (-05:00):

That's why it is important that you don't just use your credit card without verifying the legibility of your transaction.


Anonymous, 2007-05-31 02:36 (-04:00):

There are places other than /etc/passwd on steel to find harvestable public directory information. LDAP servers contain a treasure trove of data. Go figure, they're directory servers. That's what they do.

Keep in mind... All this information is considered public directory information (in the eyes of Buckley/FERPA).

http://en.wikipedia.org/wiki/FERPA

If a student is concerned *any* information about them is contained in the University public directory (for any reason whatsoever), he/she can request a partial or total directory exclusion from the Registrar's office.

It's a great way to become "invisible" on campus, though beware it could come back to haunt after graduation (especially when background checks are performed by potential employers). I think the stock wording by the registrar's office (when asked if they can confirm enrollment and/or conferral of a degree) is "there is no record for that student we can provide to you" (or something to that effect which is intentionally ambiguous).

Be sure to lift the exclusion before you graduate!!
:^)


Anonymous, 2007-04-20 10:41 (-04:00):

This site has an SQL insertion vulnerability, which would make it pretty easy to steal the database of user info anyway...

http://www.informatics.indiana.edu/people/profiles.asp?u='--

500 Page Error
Category=Microsoft OLE DB Provider for ODBC Drivers
Number=(0x80040E14)
Description=[MySQL][ODBC 3.51 Driver][mysqld-4.1.20]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
Filename=/people/profiles.asp
Number=27


Anonymous, 2007-04-18 11:34 (-04:00):

For a case like this, I really don't see the advantage of disclosure of a breach like this. How many students would even have the knowledge you have of mail address propagation information that would enable them to trust mail to that address more than they would otherwise if they didn't know that all and sundry had it? What if the university had told each of these users, in and amongst all the other information they no doubt got about their accounts, "treat e-mail to this address as you would that to any other address that is public information?" Would that have reduced the number of people who responded to the phishing attack?

I think it's much easier for users simply to assume that any e-mail they receive, to any account, could be from a phisher than to try to make determinations based on probability of e-mail address propagation of whether or not that message is valid.

Potential propagation of an e-mail address is of rather low value for the amount of work you have to do, when determining whether an e-mail is valid: stick to the better methods that you ought to be using anyway.


Anonymous, 2007-04-17 17:24 (-04:00):

While I get your gist behind the legal disclosure requirements, one should wonder why it would take even this. IU could simply make an IT policy requiring disclosure of hacking attempts that resulted in inappropriate access of user information.

I would surmise that security personnel would recognize the benefits of informing people whose email addresses were obtained, and that they should be extra cautious with any email that was received. If this policy was properly publicized it would be a disincentive to hack any of IU's systems for this purpose.

Also, looking at this, if the Credit Union had been informed of the hack (not sure if they were or not before, or even if this would have been possible) they could've excised any hyperlinks in emails that they sent, and informed their members not to click on any links in emails. (Not that they shouldn't already be doing this.)

The bottom line of my comment is that while there should be a law requiring disclosure, just because there isn't one doesn't mean that the disclosure couldn't have or shouldn't have happened.


MCR (https://www.blogger.com/profile/04774419612540874278), 2007-04-17 08:18 (-04:00):

chris,

i think the more direct problem here, as you note, is the availability of the /etc/passwd file, and the automatic connection between unrequested user accounts and email addresses. yes, the law doesn't impose enough reporting requirements, but i'm more concerned about the technical issues.

i am really not sure what a better law would look like. if it required IU to announce to you when your email address was taken, it still wouldn't apply in these particular circumstances. if it required disclosure of a breach of information that could be used to determine an email address, that's the sort of rule that leads to a lot of confusion and messy litigation. now if it required IU to announce the breach of and access to any individualized information, or any individual account information, that might capture what you're searching for, but it seems like it might place a huge, huge cost on corporations and organizations. of course, they're the ones whose systems were breached, and they're already paying a high cost to patch the systems up - why not add to the disincentive, which would then create an even bigger incentive to secure the systems as much as possible in the first place?

email/facebook msg me if you want to respond; i never remember to check blog comments afterwards.


Anonymous, 2007-04-17 03:01 (-04:00):

Your email address is public knowledge and any assertion that there should be a law requiring the university notify you if it may have been "stolen" is nonsense because it can't be "stolen;" one cannot steal something you give away freely:

http://www.informatics.indiana.edu/people/profiles.asp?u=csoghoia

I find it just as upsetting as you that the university had to be compelled to report on the incident.


Kevin Makice (https://www.blogger.com/profile/10567480687265854009), 2007-04-17 02:58 (-04:00):

Very interesting post.

While it may be true that students would answer affirmatively to that last question, it is also probably true that the vast majority wouldn't know what to do with that information.

Those who would recognize the signs of a phishing effort might know to be extra vigilant about possible attacks or anticipate more spam showing up, but what else can one do? Those inclined to respond to such an attack likely wouldn't know what to do with the information either.

While I agree with the idea behind your concluding statements, I just don't see the practicality of it.
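Editor's added example (not code from the page, the blog author, or the IU site): the comment above that reports a MySQL syntax error from profiles.asp?u='-- describes the classic symptom of a query built by pasting the request parameter into SQL text. The block below models a hypothetical profile lookup over an in-memory SQLite table, once the vulnerable way and once with a bound parameter, and probes both with a lone quote (the error tell) and a textbook tautology (which turns a one-row lookup into a dump of the whole table, the "steal the database" outcome the commenter mentions). The table, rows and function names are constructed for the illustration. SQLite is used so it runs offline; because SQLite treats '--' as a comment even without a trailing space, unlike MySQL, the lone quote rather than the commenter's '-- is used as the error probe.

```python
import sqlite3

# Constructed sample data for the illustration (not real IU directory records).
SAMPLE_PROFILES = [
    ("alice", "Alice Example", "alice@example.edu"),
    ("bob", "Bob Example", "bob@example.edu"),
    ("carol", "Carol Example", "carol@example.edu"),
]


def make_db():
    """In-memory SQLite table standing in for the hypothetical profiles database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (username TEXT, fullname TEXT, email TEXT)")
    conn.executemany("INSERT INTO profiles VALUES (?, ?, ?)", SAMPLE_PROFILES)
    return conn


def lookup_vulnerable(conn, u):
    """The pattern the ASP error points to: the 'u' parameter is pasted into
    the SQL text, so quote characters in it change the statement itself."""
    sql = "SELECT username, fullname, email FROM profiles WHERE username = '" + u + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, u):
    """Hardened form: the value is bound separately from the SQL text, so a
    quote in 'u' is compared literally and can never alter the statement."""
    sql = "SELECT username, fullname, email FROM profiles WHERE username = ?"
    return conn.execute(sql, (u,)).fetchall()


def probe(conn, lookup, u):
    """Run one lookup and return either ("rows", rows) or ("error", message).
    A database syntax error echoed back to the client, as in the comment's
    500 page, is the tell-tale sign that input reached the SQL parser."""
    try:
        return ("rows", lookup(conn, u))
    except sqlite3.OperationalError as e:
        return ("error", str(e))


def demo():
    """Probe both implementations with a normal value, a lone quote and a
    tautology; returns a dict keyed by implementation then probe name."""
    conn = make_db()
    results = {}
    for name, lookup in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        results[name] = {
            "normal": probe(conn, lookup, "alice"),
            # A lone quote is the classic detection probe: unbalanced quoting
            # breaks the concatenated statement but is harmless when bound.
            "quote": probe(conn, lookup, "'"),
            # Textbook tautology: with concatenation the WHERE clause becomes
            # username = '' OR '1'='1', returning every row in the table.
            "dump": probe(conn, lookup, "' OR '1'='1"),
        }
    return results


if __name__ == "__main__":
    for impl, outcomes in demo().items():
        for kind, (status, value) in outcomes.items():
            print(f"{impl:10s} {kind:7s} {status}: {value}")
```

Running it shows the vulnerable lookup erroring on the quote and returning all three rows for the tautology, while the bound-parameter version returns the single matching row for "alice" and an empty result for both probes. The fix for a page like the one in the comment is the same in classic ASP/ADO: pass the value through a parameter object rather than building the SQL string.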