I believe hacking to unveil security flaws in a system is OK as long as you don't use the flaw maliciously. Inform the administrator of his errors and move on. If he choose to ignore the information so be it.

Posting the info you find on the internet is not a very nice thing to do. It affects thousands of innocent people in a very negative way. To the people posting this info - shame on you! You give hackers a bad name!

The common point between mafia and hackers of this sort is they both desperately try to justify their actions by a reference to superior aims. Sick brains.

According to the host of the file, the hack was executed to show that the server's admin does not know how to secure a Web site.

this statement is confusing, was it the website that was hacked, or the database server, because by distinction there usually seperate,

or does this mean, the website, was hacked, then the database (SQL, ORACLE) Ect. meaning the database server thought it was the website system asking for info, when in fact it was a user copying all the info,

reason i'm confused, most database files are not located on the same system as the website is running, not just for security, but for longterm maintinence and resource efficiency.

still i'm shocked either way, another case where Encryption is not being used effectively, don't tell me.... they used just the one password for all the data, no excuses for stupidity.

SQL Injection is most likely.

That's done via the website, possibly through the URL, or maybe through some imput box or other.

Most schools have niche projects which follow absolutely no rhyme or reason pertaining neither proper nor academic security procedures. These rogue setups are part of the 'underbelly' and 'never trust IT in academia' remarks stated earlier.

That said, they probably ran everything on the same machine! Get in via a vulnerable port (especially within the network) and you can copy the db files directly.

That's the most common issue yes. It happens to many firms and groups frequently. Unless you have a good DB admin that watches for such things in the logs its hard to catch at times.

Unfortunately IT employment is lacks worldwide. Indeed a very large majority of it is outsourced to contractors. Having an IT staff full time is part of what keeps companies safe from such things. Problem is most places don't see how to justify paying a person or persons to do so unless there is a problem. Thing is IMHO an IT staff is suppose to be on hand to prevent such things, not have to clean up the mess. Its very hard to explain that to executives sometimes though.

Im taking the Certified Ethical Hackers course. One of the first things I learned is if you want to cover your tracks is to proxy thru the soft underbelly of any given .edu. Colleges are notorious for lax IT security, and the bad people know it.

I know there is a flaw in my old Uni's payment system whereby I can retrieve bank details without the need to log in.

I just can't be bothered to let them know about it.

Never trust the skills of I.T. staff of an educational facility.

Well, you know what they say:

"Those who can't do, TEACH."