Network Computing is part of the Informa Tech Division of Informa PLC


USC Hacker Case Pivotal To Future Web Security

Eric McCarty, a 25-year-old San Diego resident, was charged in April with hacking into the University of Southern California's computer system and accessing confidential information submitted by students applying to the school. The case, in which McCarty claims he was simply trying to warn USC of possible security flaws in its Web site, will likely be a watershed event for security research, particularly if McCarty is convicted and given the maximum sentence of 10 years in a federal prison.

McCarty's case lifts the hood on Web security, exposing a number of legal, ethical, and technical questions that to date have no easy answers. No one disagrees that McCarty broke the law. Whether McCarty was wrong or unethical is an altogether different question. And then there's the matter of the penalty for his indiscretion. A decade in a federal prison comes across as a bit extreme to many IT security pros, particularly considering McCarty's willingness to cooperate with the FBI once the bureau began its investigation.

The SQL database connected to USC's online applicant Web site contains Social Security numbers, birth dates, and other information for more than 275,000 applicants since 1997. After finding a vulnerability in the site's login system, McCarty staged an SQL injection attack to gain access to the database. SQL injection occurs when input entered into an improperly validated Web form field is passed to the application's database as part of a query, letting the attacker alter what that query does and so gain control of the application. USC's site was subsequently shut down for two weeks during June 2005 as the university addressed the issue. McCarty made his initial appearance in U.S. District Court in Los Angeles on April 28.
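To make the mechanism concrete, here is an added illustration (not code from the article or from USC's system) of a login check that builds its query by string concatenation, beside the same check using bound parameters; the applicant table, credentials, and the tautology string are constructed for the example and assume nothing about the real site.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for an applicant database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE applicants (username TEXT, password TEXT, ssn TEXT)")
    conn.execute("INSERT INTO applicants VALUES ('alice', 'correct horse', '000-00-0000')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates user input into the SQL text, so input can change the query."""
    query = ("SELECT username FROM applicants WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Binds user input as parameters; the driver never treats it as SQL."""
    query = "SELECT username FROM applicants WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    """Runs both checks with a valid password, a wrong one, and a tautology."""
    conn = make_db()
    tautology = "' OR '1'='1"  # constructed input: closes the quote, adds an always-true clause
    return {
        "vuln_good": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_bad": login_vulnerable(conn, "alice", "wrong"),
        # The concatenated WHERE clause becomes (... AND password = '') OR '1'='1',
        # so the row is returned without knowing the password.
        "vuln_inject": login_vulnerable(conn, "alice", tautology),
        "param_good": login_parameterized(conn, "alice", "correct horse"),
        # Bound as a literal string, the same input simply fails to match.
        "param_inject": login_parameterized(conn, "alice", tautology),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login accepted' if ok else 'login rejected'}")
```

The fix is structural: parameterized queries (together with least-privilege database accounts and input validation) leave no way for form data to alter the query the application runs.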

Many security pros agree that McCarty's intention of improving the security of USC's Web site was commendable, and that USC should acknowledge this. But these same security pros criticize McCarty's decision to hack the site without first getting the university's permission.

"McCarty was trying to prove a point," says Rick Fleming, VP of security and risk management consulting for Digital Defense Inc., which offers penetration testing services. "Part of me commends him for saying, 'Hello, wake up.' But he crossed an ethical boundary because he didn't have permission to test that system, and he broke the law."
