Student grades vulnerabilities (continued)
- probably full transcript data for year's graduating EECS students
- data shouldn't have been accessible (Buckley Amendment)
- however, modifying that copy would not actually change grades
- another directory on the same server had various small text files
- one had employee's passwords to access master copy of grades
- three different passwords were involved in stages of access
- with passwords, intruder needn't directly attack hardened system
- solution: employee's supervisor did the three password changes
- often, multiple areas in which security practices are deficient
- files on vulnerable machines are useful for finding more problems
Note: it was not confirmed that knowing the three passwords would
be sufficient to change a grade, or to do so in a way that would
avoid later detection and reverting.
Copyright 2000, Massachusetts Institute of Technology.
All rights reserved.