
Gag Orders & Jail Time for Whistle Blowers

by Blake Wiedman on February 25th, 2003


After a couple from South Africa noticed 50,000 British pounds of withdrawals from their dining club card, they contacted Citibank. Upon telling the company that they were not actually making those charges, Citibank informed them that they must have, since it was impossible for the security encryption placed on the ATM PINs to be broken. Hence, Citibank was going to hold them liable for the withdrawals from their account.

In response to the charges, network security researchers were called to determine if such a vulnerability was possible. During their research they discovered an extremely alarming vulnerability in the encryption format used to protect the PIN numbers. For their successful research they were awarded with gag orders issued by the British courts to prevent them from releasing their findings.

Once again we have a major corporation feeling high and mighty about the level of security on their systems. Perhaps instead of immediately dismissing the impossible we should begin to realize today’s impossibility is tomorrow’s discovery. Once we fall into the complacency of believing the ridiculous notion that a system is unbreakable, we immediately open ourselves up to a criminal who believes nothing is secure. Perhaps, instead of issuing a gag order on the researchers, the British courts should issue criminal negligence charges on Citibank for not placing a higher priority on the financial information of their customers.

We run into the same sort of pompous “higher than thou” attitude in the U.S. with the recent arrest of a student who apparently broke into his school’s network. Now yes, at first glance it seems as if this student did break the law. But if we take a look at the rest of the story, a new angle comes to light.

The student informed his computer teacher of the possibility that a dire network vulnerability existed. Now the teacher took the right attitude and informed the network administrator. When the network administrator heard what the student said he merely laughed and said, “It’s impossible.” (There’s the ugly head of hubris poking out again!)

Well, the young student did what any pure-blooded American teenager would have done: he set out to prove them wrong! Boy, did he prove them wrong. According to the article at http://bayarea.com he downloaded an encrypted file that contained the entire database of teachers’ usernames and passwords. (This sounds like he downloaded the Windows SAM database.) He then decrypted the file at home.

The next day he brought in the information to prove his point. Lo and behold, what do they do? They arrest him and press criminal charges. Once again, was the teenager the criminal? Not at all; the administrator should lose his job. The administrator should have taken the student’s warning and investigated further. Plus, if the student did merely download the SAM database, the administrator must not have been worth a grain of salt. Every administrator knows of a multitude of ways to protect the SAM database from prying eyes. (I won’t go into detail now, but it will be a future article.)

So, instead of this student’s talent being noticed and perhaps polished, he will now be a criminal, forever scarred with a blemish on his permanent record. Once again the teachers and administrator failed this student. The student was the victim, not the school.

OK, now to bring this rant to a close. Perhaps we have placed the blame for the media’s “Hacker Outbreak” on the wrong party. Maybe we should ask the question, “How was this even possible?” If we look at the issue in that light, the guilty party becomes painfully obvious: “The pompous attitude of corporations and educators.”

by Blake Wiedman for Xatrix Security
GSecur Founder

Sources:
“Citibank gags crypto researchers” http://theregister.com/content/55/29446.html

“Student arrested for breaking into school network” http://www.bayarea.com

