SecurityFocus, 2006-09-06
Security professional Eric McCarty pleaded guilty in United States District Court in Los Angeles on Tuesday, admitting that he intentionally exploited a flaw in the online student application Web site of the University of Southern California, federal prosecutors said.
The charge stems from McCarty's unauthorized investigation of the Web site's security in June 2005, during which he discovered that a simple database injection attack resulted in full access to the applicant database. He notified SecurityFocus, which published an article after first reporting the issue to the University of Southern California and allowing them time to plug the hole.
The case should send a message to vulnerability researchers that they must obey the law when looking for flaws in Web sites, said Michael C. Zweiback, Assistant U.S. Attorney for the Central District of California.
"There is a right way to do penetration testing, and there is a wrong way," Zweiback said. "And Mr. McCarty's way was the wrong way, and hopefully this plea sends that message."
McCarty discovered the vulnerability in the university's Web site in June 2005 and reported the issue to SecurityFocus days later. The flaw could have been used by an attacker to access the university's database of 275,000 student and applicant records. In court filings, the FBI claimed that McCarty appeared to have accessed seven of the records. The 24-year-old San Diego resident works as a network security analyst and has found and analyzed a number of vulnerabilities, according to his Web site.
The case comes to a close amidst continuing reports that data breaches against corporations and universities are on the rise. In April, the University of Texas at Austin stated that a data thief attacking from an Internet address in the Far East likely copied 197,000 personal records, many containing social security numbers. Regular leaks of data on servicemen and women have also plagued the U.S. government, with the U.S. Navy acknowledging in July that information on 100,000 sailors and aviators had leaked to the Web.
Many security professionals worry that prosecuting researchers who attempt to report vulnerabilities in Web sites will reduce the overall security of the Web. The trend becomes increasingly important as business functions and software applications move onto the Web and are hosted by third parties, said Marc Maiffret, chief technology and hacking officer for eEye Digital Security, a software and services firm.
"It's illegal and the laws are there for a reason, but in specific cases like this, the law is working against these people that honestly think they are just doing something to help out," Maiffret said in an interview with SecurityFocus. "It's another case of where nice guys finish last sometimes."
While researchers are allowed to purchase and install any software application and check its security, there are no analogous rights to test the security of a hosted Web application because the researcher would be trespassing on another company's server.
"You end up creating an environment where the 'bad guys' are still finding vulnerabilities, however the 'good guys' are not," Maiffret wrote in a December 2005 informal analysis of the software security landscape. "Unless of course they work for the company in question."
While McCarty has claimed in interviews that he intended only to bring attention to the flaw, prosecutors pointed to an e-mail found on his computer that indicated he focused on USC because the school denied him admission.
"All they had to do was admit me into their school.. but nooooooooooooo.... they had to make it all complicated...," he bragged in an e-mail to one friend after the original SecurityFocus article was published, according to an FBI affidavit filed with the court.
The potential felony plea should serve as a lesson to others that revenge is not a good reason for penetration testing, said Zweiback of the U.S. Attorney's Office.
"I think the importance of the plea is that large institutions should not be viewed as targets for bragging rights by individuals with skills like Mr. McCarty's," he said.
McCarty could not immediately be reached for comment.
The plea agreement stipulates that McCarty agrees to serve three years of probation with a condition of six months of home detention. McCarty will also be responsible for paying the university for almost $36,800 in damages, under the agreement. The federal judge in the case has to sign off on the agreement at the next court date, scheduled for December 4, before the plea becomes binding. The judge could also impose restrictions on computer usage, a common requirement of probation.
CORRECTION: The article did not include the e-mail evidence backing up statements that McCarty may have targeted USC because they refused to admit him to the school. The article was also updated on Thursday at 4 am PST with information on McCarty's qualifications as a security professional. The original article was posted at 5 pm PST on Wednesday.