Ultimate job casualty: Online embarrassment

By Zach Church
21 Feb 2008 | SearchCIO-Midmarket.com



I'd like to tell you something about graduate cultural anthropology courses at Harvard University, but I can't.

That's because staff at the Harvard Graduate School of Arts and Sciences (GSAS) haven't seen fit to fire up its website server again, what with it being the target of a rather embarrassing hacking last weekend.

In a move that likely lacked true technical brilliance, someone waltzed right in and basically stole the GSAS website. Sometime Saturday a 125 MB file titled "harvard's hack.zip" made its way onto a Torrent site.

The compressed file apparently contains the entire directory structure from the website, as well as database files from the site, including a database of contacts and something labeled "some other minor thing" by whoever uploaded the torrent, according to a breakdown of the contents at Torrentfreak.com.

Oh, and there's another file labeled "password.txt." It's not as nefarious as it sounds. The file isn't going to help users unlock admissions and billing records or catch a preview of a work-in-progress thesis.

But it does contain this one tough-talk line: "Thomas gatton….stupid people, you don't use a secure password."

The .txt file also contains usernames and passwords for Gatton, a systems administrator, and another staffer. The complete compressed file also includes an .nfo file that reads in part: "Maybe you don't like it but this is to demonstrate that persons like tgatton(admin of the server) in they don't know how to secure a website."

Now imagine you're Thomas Gatton. And you get the call that the site you work on has been hacked and that the hacker is actually blaming you – by name – for making it so easy for him.

Humiliating.

Far be it from me to say if Gatton knows his security. Maybe he didn't have the resources. Maybe he thought it was secure enough. Not everyone needs to be wrapped up like the Department of Defense (wait, they get hacked, too). Maybe securing the GSAS site wasn't even Gatton's job. Maybe this isn't his fault.

There's not much justification for the spiteful manner of calling Gatton out by name. The whole "I'm just showing you how weak your security is" bit is hardly in league with the public service Slate.com writer Andy Bowers performed in 2005 when he made his own terrorist airplane boarding pass. Whoever saw fit to go after Harvard students here clearly hasn't gotten over not making National Honor Society in high school (I have, I think). I know this taunting on my own part somewhat misses the point. I can empathize with and understand the anger embedded in the attack, as well as the joy in mischievous and anonymous fame the hacker must be feeling.

And being the poster child for a snooty, privileged Ivy League education certainly makes Harvard a tasty target. Others might claim moral victories for messing with Wal-Mart, The New York Times or Philip Morris.

But calling someone out by name while rendering yourself anonymous?

The running theory from Harvard Client Technology Advisor Noah Selsby, via student paper The Harvard Crimson, is that the hacker took advantage of a "computer that had been hijacked, in order to attack our server from [his own] computer." That covered the hacker's identity and allows "no way to get a definitive IP address," Selsby told the Crimson. He also blamed weak passwords for the break-in. John Palfrey Jr., executive director of Harvard's Berkman Center for Internet and Society, told the Crimson that "harder password combinations are something that human beings as a race should pursue."

Gatton didn't return a call for comment here. I don't blame him. Selsby shuffled me off to Harvard public affairs, saying he speaks only with internal media, though I seriously doubt the Crimson staff considers itself in league with the university.

Then again, the daily paper does print that little two-digit graduation year after Selsby's name, which probably doesn't help with the whole image-of-entitlement thing that made stealing Harvard such a catch in the first place.

Zach Church is a news writer for SearchCIO-Midmarket.com. Contact him at zchurch@techtarget.com.


