Slashdot Mirror
Oxford Students Hack University Network
An anonymous reader writes "Both The Guardian and BBC News are carrying the story that two students at the University of Oxford, Patrick Foster and Roger Waite, were able to easily hack into the university's internal network in minutes using only easily-available software. Once inside, they could find out anyone's email password, observe instant messenger conversations and control parts of the university's CCTV system. The students were investigating the university's network security for the student newspaper, The Oxford Student, which published a front page article and editorial on the matter. In the article, a university spokesperson is quoted as saying 'In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security.' The students now face disciplinary precedings from the university and could receive rustication (suspension) and a 500 pound fine. The matter has also been passed onto the police."
This should be a valuable lesson to everyone, always get permission before "investigating". Surprisingly often, you can get permission--especially if you represent something like a campus newspaper, where they can assume you'll be responsible.
They could have asked for permission to attempt and hack into the network before actually doing it. At my university, there was a group of students who asked to test the network security and they got permission to try in the summer between a summer session block when not too many people were using the network. It also meant that when they printed their findings, not too many people were around to read it because it was obviously summer session. They didn't find many security lapses, heck if I remember correctly it was printed up on page 6 of the student newspaper.
University IT network wide open to hackers
Email passwords and MSN Messenger Conversations easily accessible.
CCTV networks can be compromised.
University says colleges' drive to cut costs could compromise security.
Computer networks across the University lie wide open to hackers, due to serious failings in IT security provision.
An investigation by The Oxford Student has learnt that CCTV cameras, email passwords and MSN Messenger conversations can be compromised with ease by members of the University with only a modicum of technical knowledge, jeapardising the privacy and safety of students and dons alike.
It is understood that by using software that is freely and easily accessible over the internet, every student has the power to snoop on the MSN Messenger conversations of others or infiltrate their Webmail account. More advanced users can even tap into college CCTV networks, with the possibility of disrupting the entire system, forcing colleges into total security blackouts.
A University spokesperson told The OxStu: "In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security." Just how low the security across the University has now become clear.
Access to the video-streaming of CCTV footage of College A was easily available, pictured right, and cameras across the College could be taken down at the touch of a button. One student who appeared in security footage accessed said: "As well as understanding the security implications, it was personally shocking and especially worrying."
As such networks are put in place to safeguard the security of College members, the fact that they can be easily bypassed should send a serious message to staff responsible for their upkeep.
An IT Officer at College A said: "Short of keeping the network as segmented as possible, there is very little we can do." In a warning to students, he added: "I am able to monitor my network, and student regulations mean that any member abusing it would find themselves before the Dean."
The OxStu has agreed not to pass on the methods used to carry out such actions, which fall foul of both the law and OUCS guidelines. One computer expert told The OxStu that the actions were virtually untraceable.
It can take less than a minute to obtain an individual student's email password. A student at College B whose password was compromised told The OxStu: "It's absolutely ridiculous that security could be so light. I'll certainly be changing my password regularly in the future."
Likewise at College C a first year student's Webmail password was obtained. The student told The OxStu: "I'm outraged. I've personal as well as employment and academic related information in my account, which is private." College B's IT Officer said: "There is a rolling programme to upgrade [the network]...If students are abusing it, it is a concern."
Similarly, conversations held over instant messenging programmes can be easily intercepted. A Human Sciences student said it was "insane and quite disturbing...not something you want others to see." Her conversation was eavesdropped upon as she told another member of the same College about her essay crisis. One student at College D, who declined to be named, told The OxStu the problem was "shady", as we recounted her conversation to her. College D refused to comment, on the basis that it felt the law had been broken in relation to these activities.
A University spokesperson said: "Security measures are constantly reviewed in order to minimize the security risks. Of course, anyone found to have breached security with ill intent would be subject to punishment."
At the time of going to press, The OxStu was in the process of handing over all the data given to the investigation to both the police and the University.
Quite apart from University Regulations students should be aware of 1(1) of the Computer Misuse Act 199
Relevantly, they managed to find and clamp down on compromised boxes (usually Win, or unpatched linux boxes) pretty quickly. They also had some very good techs (as well as some pretty nifty stuff, eg ADSM backup of private machines for all users).
Based on the info these guys say they got, it looks like at least partly what they were doing was just packet-sniffing. Not sure how the cctv stuff works, as I know the newest cctv gear has been installed since I left.
If it's just that, then there is at least one precedent at Oxford, as a number of passwords of POP users were captured by a compromised linux box (vanilla, unpatched RedHat 3 or 4, iirc) in about 98 or 99. OUCS detected the box, and then the sniffing, within one or two hours and froze all accounts, which I thought was pretty good going for such a huge place.
I'd have preferred if these guys had just told OUCS in private, instead of trumpeting about it in the papers. Wouldn't surprise me if they were charged ... I wonder if Thames Valley Police will run the investigation? :)
Here are a few:
http://www.freep.com/news/nw/pat14_20040714.htm
http://www.wcpo.com/news/2004/local/07/15/patriot_ act.html
http://www.wkyt.com/Global/story.asp?S=2041760
http://www.iht.com/articles/529347.html
Heh.
I ran a sniffer on the BBC Microcomputer network in grade 6 or 7 iirc. I had little idea what I was doing but I wanted "staff" privs so I could play the games (Rocket Raid was an awesome game!). When I - showing off like a little prick - told a teacher his password, he gave me a look like he was going to punch me in the face. =) I'll never forget it.
At uni a friend of mine ran some dodgy novell-cracking program that gives the current account admin privileges. To avoid identification he ran it on the student guest account. We knew there was a big problem when students all over the labs started talking about heaps of new files that they hadn't seen before. Some dudes even thought that *they* had hacked the system by simply typing "dir".
Somehow someone accidently installed a virus on the network. It may have been a trojan built into the rootkit or an infection on one of the games our "privileged" group of friends had uploaded. We spent a good couple of hours tracking it down and stomping it. It's not a sport but boy were we sweating...
We wanted to have a bit of fun (well my mate did.. I wasn't particularly impressed by the whole exercise: I understood back then that _anyone_ can run a rootkit) but never meant to do any damage. So that's a bit of a cautionary tale for you young roister-doisters: if you hack a network you might find that you unintentionally damage it.
Ever since then I've been protecting networks. Hacking/cracking is brain-dead easy in most situations, especially if you're on a local LAN where policies are a lot more lax and many insecure/plain-text services are running (telnetd, anyone?). University LANs are known to be insecure: there's a certain amount of trust given to the students that they don't hack anything.
What were these two plonkers trying to prove? The bleedingly obvious?
Cheers
Stor
"Yeah well there's a lot of stuff that should be, but isn't"
Whitehats hack with permission. A security consultant you pay to check your network is a whitehat. Someone that hacks it on their own is a blackhat. There is NO right to obtain evidence through illegal means. You must ask permission first.
Let me turn it to the real world. Suppose I break in your house (something I'm sure I could easily do, 99.999% of houses have shitty physical security) look at your things to see what I could get at, then tell you about it later. Is that ok? I mean I didn't hurt anything, and I gave you a report, so it;s ok right? Wrong, it's not ok, I broke the law.
Same thing. You aren't allowed to hack systems without permission. I don't care why you are doing it, you still aren't allowed to. This isn't a matter up for debate, it's the law, and it directly relates to physical privacy and security laws.
Your stuff is your stuff, and the rest of the world is welcome to keep the fuck out.
From the Guardian article:
"The police referred the matter back to the university, saying it was best dealt with internally."
Emerald Astrology
I do IT part time for one of the colleges.
The story in the Oxford Student was partly right, in that since much of the network is on Hubs and not switches, the students found they could read unsecured traffic. The students happen to be at a college were very little of the traffic is switched. But in almost every other respect, the story is over-hyped rubbish. They cannot get "anyone's" email password, which is what they claim.
So stop-press: AOL and email over non-switched networks is not secure. Great work guys.
You're completely right. I was at Oxford when this incident occurred, and I'm appalled that the Guardian and BBC News have bought into this flagrant piece of self-promotion. From what I know of the story there was no attempt made to liaise with the University Computer Services to rectify this problem before they published the information in the paper. Unfortunately people involved in student journalism, particularly at Oxford in my experience, are only interested in bolstering their CV so that they can land a job at a British national newspaper. This means that they will do anything to promote themselves without any real thought for the consequences.
A genuine chance for an informed post! Good lord.
I've worked in student journalism in the UK, and, in fact, for this newspaper; I'm also a student at Oxford. I'm posting anonymously because I don't want *too much* feedback.
This was not a case of "freedom of the press", nor was it a legitimate exposure of university behaviour, for two reasons: first, the story was run badly and irresponsibly; second, because the university was not really involved at all!
Oxford University is made up of independent colleges, lots of them. These colleges handle their own admissions, administration, accommodation, and, importantly in this case, IT networks. These networks are small, and are each handled by a separate IT officer and staff; there is a central IT network, but this wasn't involved in the story. All the students did, as far as anyone I know can gather, is use a sniffer on an ethernet network from inside the college, probably from a cable in someone's bedroom. The story is complaining about the weaknesses in college security setups, knowing full well a) how bloody easy it is to break them, b) how understaffed and short-handed the college IT staff are and, c) that there's not much the university can do to change this - colleges are, after all, independent.
Even with this in mind, the story was badly run. The Oxford Student doesn't have a year-round editor, students take it in turns to edit it for eight weeks at a time, and its staff are, by the slim standards of student journalism, very inexperienced. The story as it was published was a cheap scare story, boosted to the front page on a slow week. There was no consultation beforehand with those whose privacy was being violated, nor do they seem to care what they did while "looking around".
I've covered stories like this, and helped to get them ready for publication, and this was not the way to do it. Put bluntly, they wanted a cheap "splash" (front page lead), and heard from a couple of their mates that you could easily hack into the odd college network - boasting in a student bar, essentially - and decided to dress it up as an exposé.
There's no ethical justification for this. It wasn't seriously trying to hold anyone accountable. It wasn't even legitimately run: you DO NOT break the law by accessing other people's personal data and then say "but look, how easy it is!". To have done this properly would have taken more time, consultation with the proper authorities, demonstration in their presence of the possible exploits, suggestions for how security could be strengthened, and THEN challenging them to respond properly. A far stronger and well researched piece of writing would have been the result; strong enough to make a genuine case, and a genuine front page lead.
This was a bit of cheap, unethical, shitty reporting, not high-minded whistleblowing, and all they deserve is a kick in the bum.
Good lord, I can't read this thread any longer.
.ox.ac.uk DNS, herald email, HFS backup, site-license software, training, etc. etc. etc. OUCS also run the University level (ox.ac.uk) firewall. They also advise the colleges on network security.
I'm here, I've been a student at Oxford (postgraduate and undergraduate) for 5 years, and I know the OUCS network well.
There are 3 important points that most people have failed to recognise. Many of the have to do with the fact that the colleges are more or less partly-autonomous entities.
1) There are college LANs, supervised by a college IT officer. These (usually) sit behind a college firewall.
1a) same goes for the departments and faculties.
2) there is the OUCS network, linking the colleges and departments to each other and JANET
3) oucs also provides services, e.g.
Now, of the various problems observed here, three are pulled out as particularly noteworthy.
1) email passwords stolen.
Herald, oucs's email system, has both plaintext and encrypted authentication modes. Although some use pop3 or imap, most users connect via webmail. This used to live at herald.ox.ac.uk, and users were recommended to login via https protocol. Of course, few users did. They just typed herald.ox.ac.uk in their browser bar. So oucs began to fix this by introducing webamil.ox.ac.uk which requires https. They kept herald on as a lecacy service for a month or two to allow people to trnsition. It was at this point the report was published, as the accounts were opened. The falw was being fixed, and a big education campaign was in place about the new secure service. In addition, herald has always required very strong passwords (one of the main complaints about the oucs systems among users, in fact, is the password requirements).
2) msn messenger conversations listened to
MSN is not an OUCS provided service, they don't control the protocol, or the software. Student personal machines connect to the network, and these nowadays come with msn. If users use software without understanding how secure it is, it's no the university's fault. This is made clear here. These same students ALREADY have pretty private/personal/embarrasing comversations shouted at 3am in the morning in Radcliffe Square!
3)CCTV. Only one college has this problem, and it was due to poor installation by a service engineer of the company. It was a black box solution, selected more by the governing body of the college than the IT office, and the only way to run the cables in a mediaeval college is to use existing networks. Really, the CCTV traffic should have been encrypted, but if the company who installs the solution fails to do this, then the college (i'm sure) will be dealing with the company.
Meanwhile, the important thing to remember is that all students who gain a network address and network access have to sign a contract and code of conduct not to do anything bad
So we have three problems. 1 was in the process of being addressed, and user inertia was the problem. The problem is now solved. 2 is nothing to do with the university. 3 was a localised failure of solution affecting a single college, and has now been addressed.
Move along please, nothing to see..
I work at the university, and the essential facts of this case have been reasonably well known here since it happened several weeks ago.
:-) but suspending them, essentially for having no common sense, is a bit harsh. It would have been straightforward for them to obtain most of the facts they needed for the story without breaking the law and violating people's privacy (restrict the packet sniffer to specific computers where the owners had agreed in advance), but they chose not to or failed to think about it or do some basic research first.
The structure of the university means that the many parts of the university (the 'colleges') have independently run networks, all connected to the same university backbone. Many college networks aren't switched, either because of lack of time or resources, or because there's not all that much point - if you know what you're doing you can MAC flood the switches anyway from any port that is set to learn new computers (pretty much essential in libraries).
What the 'reporters' did was simply to run a packet sniffer on various unswitched networks. I think they managed to watch some CCTV coverage, read someone random's MSN conversation, and possibly pick up a few passwords. They then went and told the people they'd sniffed what they'd done, and wrote a rather over-sensationalised article about the security flaws.
This kind of thing (someone noticing the network is insecure and making a really big deal of it) happens every few years in Oxford, and usually it doesn't generate quite this much publicity. The university has gradually been developing a tougher line on computer misuse, which may explain their desire to throw the book at the journalists.
They are threatened with a 500 pound fine and being suspended for a year. Personally I think the fine is justified (the university could use it to buy some more switches
Disclaimer: These are my own views, and do not necessarily represent the views of either the college I work for, nor Oxford University. Right, that's out the way, then. I work for the college that one of these students attend. So far there's been very little said by the IT staff on this matter - it's all been done by the official channels of the university. But this seems to be a good place to set the record straight on a few things. These students didn't hack anything. All they did was sniff some tcp/ip traffic. That they could only do because it was the last hub left to upgrade in college. I'm fairly certain they wouldn't have had the intelligence to bypass a proper switch, but even then, it's hardly a massive security failure. None of the college's administration systems were compromised in any way. None of the student servers were compromised. The emails and passwords they compromised were not the official university ones, and if they were, it is because the email clients were not configured properly. The new webmail interface (unpopular for a reason that's beyond me) is through https: and therefore secure. They only got these passwords at all because email passwords under pop, as well as imap if you don't use ssl, are transmitted through clear-text, people. Just like msn messenger and the internet. Somehow we are being held accountable for how the internet works. Maybe it's because Tim Berners-lee attended here. There is no real problem here, except the issue of user awareness. And that was in no way raised by the article these two hacks wrote - rather people are more paranoid (not a bad thing in itself) yet further misled in their understanding of the university networks. It is not journalism to create a story. It is journalism to report a story in a fair and unbiased manner. Out of the article printed by these two in the Oxford Mail, the various editorials in both the above and the other Oxford Student paper, the Guardian and the BBC, the only unbiased report I've seen is from the BBC. And even then it's because you get the impression they're too lazy to get involved ;op
No, that's not journalism. That's scare-mongering.
I agree with those people who say this should not have gone to the police - but by that time it was being handled by people who didn't understand the technicalities of what these people did.
The only thing I think that is dumb on the administration's part is having the Closed Circuit Televisions controlled via the internal network, that shit should be on a totally different network
Yeah, exactly. That wasn't us, btw. But even so, I'd like to point out that being able to access a security camera in a public area is not exactly a breach of privacy. Just a bit dumb of whoever put it in. Probably someone going over the head of the IT admin , if I know oxford...
Somebody fire this person (re: the comments by IT officer A)
It's better to stay quiet and be suspected a fool than open one's mouth and remove all doubt.
These were members of the legitimate press, who in the course of their duties as members of a free press, alerted a population about a situation where the authorities who they trust to provide security have failed in carrying out their responsibilities
Uh.. I don't see it as the duties of the free press to break the law in order to create a story - or even to report one. As for the failing of responsibilities - it should be obvious by now that this hasn't happened.
Have you heard of Whistleblowing
Have you heard of Shit-stirring?
[I am an IT professional at University of Oxford, but I'm not associated with the College concerned - just passing on what I've heard locally].
One thing that doesn't come out very clearly in the Oxford Student article, or the subsequent press coverage, is the nature of the "hack".
As I understand it, the college that the students attend uses still uses some ethernet hubs, rather than switches (this is where the quote about the "cost" of security comes from), and the students just packet-sniffed the traffic that was going past on their local network segment. They found exactly what anyone who knows a bit about networks would expect to find.
The problem (as so often!) is more social than technological: the users of the network have expectations of privacy which the implementation doesn't provide.
The failing on the part of the University not so much in the area of technology and IT security, is more in the area of user education: people using the facilities need to be made aware that the ethernet that you share with a couple of hundred other students is in no way private, any more than a conversation held in the JCR (college bar) is ...
The University is on the whole, very security concious. The mail servers, shell machines, web servers, etc, provided by the central Computing Service all provide access via SSH or SSL encrypted connections (and frequently for anything that requires a username and password, only via such connections).
One thing that does puzzle/concern me is the allegation that a CCTV feed was accessed. So far as I know, all the CCTV systems operated by the University security service run over seperate fibre optics and are kept strictly segregated from the general purpose data network.
With the entire event being isolated to a university campus...
Campus? My dear sir, you clearly don't know what you're talking about. Oxford University doesn't have a campus. Most of the place was built before the word had even been invented, and if anything can be identified as "the campus", it is the centre of the city of Oxford itself. The university is a federation of various colleges, faculties, and libraries, dating from all periods of the last eight or nine hundred years, which are scattered across the ancient city.
Suppose in America the majority begins to infringe on the free speech or exercise of religion rights granted by the Constitution. Does that make it right?
At the heart, you're advocating a "might makes right" system. Do you really want to live under the "law of the jungle"?
Oxford University actually has its own magistrate's court which only tries students and fellows. And they have their own police. The Proctors, or something. I think they've got a few of their own laws, too. They're like some autonomous Burbclave in that Neal Stevenson book. They kick butt. In other words, don't mess with Oxford! I know this because a mate of mine was an undergraduate there and got fined for making prank calls.
Please note, I'm only saying what is. I'm making no comment, either way, on the way things should be. So don't complain to me if you think this sounds like some kind of evil conspiracy ore something.
evil math within Nature's Cubic Creation!
I believe that it is the law in England (and Wales) that if you know of a criminal act taking place then if you do not report it to the police then you are deemed to be an accessory after the fact and have hence committed a criminal act yourself.
Therefore, once the University was informed of the criminal acts (breach of the Computer Misuse Act) they had to inform the police. They had no choice in the matter.
Agrajag: "Oh no, not again!"
You obviously haven't.
Sending confidential information across any network unencrypted is idiotic, and if you choose to do it, that's your look out. That deals with the secure transmission of your data bit.
As for any information about you that should remain confidential, anyone in the UK holding personally identifiable information must take reasonable steps to ensure it is stored and processed securely under the Data Protection Acts (unless they are exempt, and there's no reason university administrations would be AFAICS). If that's not happening, the Information Commissioner can make their life very unpleasant on your behalf. This does not require the information actually to be compromised, only the steps taken to protect it not to be sufficient.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
For example, it would be nice if I could get to my campus email through a secure POP link. But the server doesn't have one enabled. Well then, say hello to PINE, via ssh
If you have a full shell account on the remote end (i.e. pine doesn't start automatically upon login, and you don't exit when exiting pine), read this to learn how to automatically pull down your email with pop3 over ssh without entering passwords. Works great.
Intelligent Life on Earth
Why? because we need it. (ok I work for a different univ. and not much for CCTV but we have swipe cards here and there).
The thing is Universities are great targets for small time criminals. Lots of people going in and out, many faces, unattended equipment. At least with swipe card access, you can be somewhat sure that people in the area are suposed to be there. It helps.
It doesn't stop door jacking of course, which was one of my favorite techniques at a previous job (wouldn't give me card access to some areas before 9 am, even though I started at 8 and often had jobs to do in there, so I would just door jack my way in, and get my work done)
Youd be amazed at the things that can go on on a campus. Some amount of security is important, theres basically 3 types of areas they need to secure. 1) places where people live (dorms... Frats are generally completly open and the U doesn't give a fuck), 2) places with lots of expensive computer equipment 3) Dangerous labs.
Just ask some student friends of mine who rented a house off campus last year. They threw some great parties, and had 11 people living in the house. There was so much in and out foot traffic that they had problems with people walking in off the street and stealing things.
Its easy for places with alot of people traffic to get a high profile and become a target.
-Steve
"I opened my eyes, and everything went dark again"
Not true. A well designed firewall has multiple segments amongst which one should be where public servers and servers only are positioned. The access rules to them applies the same to the inside as well as the outside with the exception to network services which should be on their own segment and have only inside access with potentially its own firewall in case the public one is compromised.
Firewalling is not insufficient if done correctly.
You state that as if it were an easily proved result, rather than the subject of many of the most heated debates of modern philosophy.
Correct. I take a Kantian approach to ethics though.
The general concensus is that morality is at least partially subjective. It is certainly true that there are many different moral systems throughout the world and the question of who can say which are 'right' and which are 'wrong' with authority is at least a difficult one to answer convincingly.
An over-simplification of the argument would be that if you believe one absolute moral principle you're a moral absolutist. To be a relativist, everything has to be relative. Basically, yes, other cultures can be morally wrong. I don't remember the entire argument but I'll point to Peter Kreeft's "A Refutation of Moral Relativism".
You also assert that the laws against trespass are a fundamental moral principle, while many cultures do not in fact have such a principle. In fact, the closest there is to a fundamental moral principle is "don't kill your friends (unless they want you to)", and I believe that even that isn't universally applied.
It goes back to my support of Kant and his deontological moral theory. Again, to over-simplify, Kant asks, "Can you act in such a way that if everyone acted that way it'd still work?" For instance, take the ancient Inca-type cultures of South America. I think it's difficult to say that it was ok for them to commit human sacrifices.
That said, the law is absolute (at least in most respects). This means that it is an attempt to write regulations that enforce "moral" behaviour (for some particular value of "moral" that is quite hard to decide). Of course, it is imperfect, as all such attempts must be -- at the very least the people deciding what is "moral" will change, and with them the definition of morality that is being used as the guide. In any modern society there is a very wide range of different moral beliefs. The law cannot encompass all of them.
I just got done studying Levi's circularity of law idea. Laws can be based on either previous cases or fundamental principles. Those based on cases are circular and will break down over time while those based on principles are far more robust. And the law shouldn't be made to encompass everyone's moral beliefs because not everyone is morally right. I don't want the laws I live under to be accepting of the John Wayne Gaceys or Ted Bundys of the world.
One thing that stood out to me in this article...the high security they have on campus. CCTV cameras everywhere? Having to swipe access cards to get in any building, etc...
Cambridge, Oxford and Durham aren't campus universities.
The colleges and departments are spread throughout the city.