[ISN] USC admissions site cracked wide open

[InfoSec News]

http://www.theregister.co.uk/2005/07/06/usc_site_cracked/

By Robert Lemos
SecurityFocus
6th July 2005

A programming error in the University of Southern California's online
system for accepting applications from prospective students left the
personal information of users publicly accessible, school officials
confirmed this week.

The flaw put at risk "hundreds of thousands" of records containing
personal information, including names, birth dates, addresses and
social-security numbers, according to the person who discovered the
vulnerability. The Web programming error allowed the discoverer, who
asked only to be identified by the alias "Sap," to slip commands to
the site's database through the log-in interface.

"The authentication process can be bypassed, and you can find the
information for any student who has filled out an application online,"  
said the discoverer, who claimed to be a security-savvy student who
found the flaw during the process of applying to USC, stated in an
email to SecurityFocus. "From there, you can view or change profile
info, (and get) the person's user name and password combo. Entire
tables can be exposed, remote command execution, you name it.  
Basically, they are owned."

USC's Information Services Division confirmed the problem and
shuttered the site this week as a precaution, but did not confirm the
size of the potential data leak or whether the university plans to
tell applicants of the issue.

SecurityFocus notified the university of the issue two weeks ago after
being tipped off by the discoverer. The university initially removed
the log-in functionality from the site for several days, but allowed
applicants to log in for most of last week. USC completely blocked
access to the site this week.

"We are investigating the matter and will have more information
available soon," USC spokeswoman Usha Sutliff said on Tuesday.

The potential privacy issues come as other high-profile data leaks
among financial institutions has focused attention on organizations'
general failures in securing customer information. In the most recent
case, MasterCard International outed credit-card processor
CardServices Solutions for failing to secure transactions, leading to
tens of thousands of cases of fraud and potentially putting as many as
40 million credit-card accounts at risk.

"Companies and organizations still don't understand the value of what
they are protecting, and as a result they are not putting adequate
resources towards that protection," said Richard Purcell, CEO of
independent privacy consultancy Corporate Privacy Group.

For example, many colleges and universities used a student's social
security number as their primary student identifier, until recently,
he said. Some schools still have not stopped the practice.

"They are printing social-security numbers on ID cards, transcripts
and reports," Purcell said.

The University of Southern California is the latest college in the
United States to discover flaws in its online systems. The University
of Connecticut notified its students, staff and faculty last week that
a computer hacking tool had been found on a server containing 72,000
personal records, including social security numbers, dates of birth,
phone numbers, and addresses, according to published reports. In
March, Boston College acknowledged that 100,000 records from its
alumni database may have been copied, while a laptop owned by a
researcher at the University of California at Berkeley and containing
personal information on 1.4 million Californians was found to be
compromised last October.

Incidents at many other colleges - including the Georgia Institute of
Technology, University of Texas at Austin, George Mason University,
and the University of California at Los Angeles - have also put
personal information at risk.

The vulnerability in USC's online Web application system is a
relatively common and well-known software bug, known as database
injection or SQL injection. A lack of security checks on user input
allows a hostile user to submit a database command rather than a
log-in name. The command could cause the database to send its
information back to the attacker or aid the attacker in compromising
the computer system hosting the database.

"All this stuff gets back to the fact that we are still building this
thing called the internet and security varies all over the map," said
Richard Smith, an independent privacy and security consultant based in
Boston. "Some people understand it very well and others don't."

The person who discovered the flaw was able to access at least four
database records using the vulnerability. The exploit information and
the records were forwarded to USC officials two weeks ago by
SecurityFocus.

The issue is still being investigated, but under California's Security
Breach Information Act, also know as S.B. 1386, organizations that may
have disclosed sensitive personal information, including social
security numbers, must notify the people affected of the potential
breach. USC has not said when, or even if, the school intends to
notify applicants who used the system that their data may have been at
risk.

Copyright © 2004