Friday, May 3
The Indiana Daily Student

Hacker says IU site still insecure

Student claims to have breached emergency Web site

A student claiming to have breached the security of the IU Emergency Web site early Monday morning said the security hole in the site has yet to be fully plugged.

Sophomore Ben Brodsky said when he logged on to the site, http://emergency.iub.edu, he found he could log into the server and change information at will using only his University username and password.

"I didn't forcibly gain access to the site," Brodsky said. "I merely logged in with the information the University had already given me."

Brodsky said the same security flaw which allowed him to log in Monday was still not fixed Wednesday. In a meeting with the IDS, Brodsky logged on to a different secure section of the emergency Web site again, using only his IU username and password.

Mark Bruhn, the chief of security for Information Technologies at IU, said the system was misconfigured so anyone with an IU network ID would gain access to the server. Bruhn also said he was told the problem had been fixed by Wednesday. Bruhn refused comment about Brodsky's story.

Brodsky, a business major, said he sent an e-mail to University Information Technology Services, alerting them to the security problem Monday morning. He said he then used the access which he gained to the Web site to change the emergency status to "IUB is Under an Emergency Alert" and recommended students "call up your congressman and suggest the educational process at Indiana University be suspended Monday, Jan. 26, 2004."

The next morning, Brodsky said, VP and Chief Administrative Officer of the Service Building, Loretta Hutchison, contacted him via e-mail about his unauthorized log-in.

Brodsky said when asked if he had been in the server and changed information, he replied by e-mail, "Yes, it was me. I was able to log on with my IU information and decided to inform the students there was a national weather advisory for our area. The security on that site was extremely lacking, if I had the motivation, I could have posted anything on the site ... I would suggest improving security on that site immediately."

Hutchinson did not return phone calls Wednesday.

Brodsky said he would have been fully willing to turn himself in, had UITS not contacted him first. He said he didn't change the Web site to anything malicious, such as cancelling classes, because he didn't want to cause problems for students.

IU spokeswoman Jane Jankowski said the University had disciplinary processes and that the student who gained unauthorized access to the emergency Web site would be subject to those processes.

She said the University was not reviewing any of its network security policies.

Jankowski declined comment on whether Brodsky was the perpetrator or whether his story was accurate.

Dean of Students Richard McKaig said the "hacker" would likely be given a hearing so he could defend himself. And though he was unsure as to the intended punishment of the student, McKaig said the hacker had broken Indiana state law and the case would have to be pursued in that regard.

Brodsky said a hearing would ultimately resolve the issue.

"I hope they do (punish me)," he said. "Because if they do, then it will become a bigger issue and all their lapses in security will become obvious."
