Flaw in GSAS Site Security Exposed

By Byran Dai, Contributing Writer

It used to be that the only hacks Harvard students had to worry about were the less-than-humorous antics from their peers at the Harvard Lampoon, a semi-secret Sorrento Square social organization that used to occasionally publish a so-called humor magazine.

That idyllic thought was shaken this weekend when a hacker accessed the Web site of the Graduate School for Arts and Sciences (GSAS) and made its secure server available for download through the popular BitTorrent peer-to-peer file sharing site, “The Pirate Bay,” where users can easily obtain large files.

Among the contents exposed were a list of contacts, a backup of the public Web site, and additional files which went to support the site’s infrastructure.

The file also included a note from the hacker, self-identified as “kaboom73,” apparently deriding the vulnerability of the GSAS site’s server.

“We want demonstration the insecurity of harvard’s server,” the note proclaimed in broken English.

“This is to demonstrate that persons like [server administrator] in they don’t know how to secure a Web site,” the note added, singling out Thomas Gatton, one of the site’s administrators.

Client Technology Adviser Noah S. Selsby ’94 stressed that no personal information was contained on the server and that the only affected individuals were the site’s administrators.

The attack on the site was discovered Sunday at around 2 p.m., and the GSAS site was quickly deactivated to prevent further intrusion, Selsby said.

As of this printing, the GSAS Web site was not back up.

“We take this incident very seriously, which is why we brought the server down,” Selsby said, adding that the GSAS Information Technology department and Sametz, Harvard’s third-party web developer, were currently working to find a solution to the vulnerability.

The hacker was able to gain access to the server by exploiting a “computer that had been hijacked, in order to attack our server from [his own] computer,” Selsby explained. Doing so allowed the hacker to mask his identity, and there would be “no way to get a definitive IP address” that the hacker used.

Asked about the mention of Thomas Gatton in the hacker’s note, Selsby replied, “given that there are so many people involved in security, singling him out does not seem very fair.... It’s impossible to think of a system that’s absolutely perfect.”

Selsby also mentioned that weak passwords were responsible for the hacker’s ability to access the server, and implored users to go to Harvard’s Information Security and Privacy Web site for additional information.

John G. Palfrey, Jr. ’94, the executive director of the Berkman Center for Internet and Society, agreed with Selsby, saying that “digital security very often comes down to people...[and] the best thing in computer security is to educate users.”

He added, “harder password combinations are something that human beings as a race should pursue.”
