Slashdot Mirror
Oxford Students Hack University Network
An anonymous reader writes "Both The Guardian and BBC News are carrying the story that two students at the University of Oxford, Patrick Foster and Roger Waite, were able to easily hack into the university's internal network in minutes using only easily-available software. Once inside, they could find out anyone's email password, observe instant messenger conversations and control parts of the university's CCTV system. The students were investigating the university's network security for the student newspaper, The Oxford Student, which published a front page article and editorial on the matter. In the article, a university spokesperson is quoted as saying 'In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security.' The students now face disciplinary precedings from the university and could receive rustication (suspension) and a 500 pound fine. The matter has also been passed onto the police."
This should be a valuable lesson to everyone, always get permission before "investigating". Surprisingly often, you can get permission--especially if you represent something like a campus newspaper, where they can assume you'll be responsible.
They could have asked for permission to attempt and hack into the network before actually doing it. At my university, there was a group of students who asked to test the network security and they got permission to try in the summer between a summer session block when not too many people were using the network. It also meant that when they printed their findings, not too many people were around to read it because it was obviously summer session. They didn't find many security lapses, heck if I remember correctly it was printed up on page 6 of the student newspaper.
Relevantly, they managed to find and clamp down on compromised boxes (usually Win, or unpatched linux boxes) pretty quickly. They also had some very good techs (as well as some pretty nifty stuff, eg ADSM backup of private machines for all users).
Based on the info these guys say they got, it looks like at least partly what they were doing was just packet-sniffing. Not sure how the cctv stuff works, as I know the newest cctv gear has been installed since I left.
If it's just that, then there is at least one precedent at Oxford, as a number of passwords of POP users were captured by a compromised linux box (vanilla, unpatched RedHat 3 or 4, iirc) in about 98 or 99. OUCS detected the box, and then the sniffing, within one or two hours and froze all accounts, which I thought was pretty good going for such a huge place.
I'd have preferred if these guys had just told OUCS in private, instead of trumpeting about it in the papers. Wouldn't surprise me if they were charged ... I wonder if Thames Valley Police will run the investigation? :)
Heh.
I ran a sniffer on the BBC Microcomputer network in grade 6 or 7 iirc. I had little idea what I was doing but I wanted "staff" privs so I could play the games (Rocket Raid was an awesome game!). When I - showing off like a little prick - told a teacher his password, he gave me a look like he was going to punch me in the face. =) I'll never forget it.
At uni a friend of mine ran some dodgy novell-cracking program that gives the current account admin privileges. To avoid identification he ran it on the student guest account. We knew there was a big problem when students all over the labs started talking about heaps of new files that they hadn't seen before. Some dudes even thought that *they* had hacked the system by simply typing "dir".
Somehow someone accidently installed a virus on the network. It may have been a trojan built into the rootkit or an infection on one of the games our "privileged" group of friends had uploaded. We spent a good couple of hours tracking it down and stomping it. It's not a sport but boy were we sweating...
We wanted to have a bit of fun (well my mate did.. I wasn't particularly impressed by the whole exercise: I understood back then that _anyone_ can run a rootkit) but never meant to do any damage. So that's a bit of a cautionary tale for you young roister-doisters: if you hack a network you might find that you unintentionally damage it.
Ever since then I've been protecting networks. Hacking/cracking is brain-dead easy in most situations, especially if you're on a local LAN where policies are a lot more lax and many insecure/plain-text services are running (telnetd, anyone?). University LANs are known to be insecure: there's a certain amount of trust given to the students that they don't hack anything.
What were these two plonkers trying to prove? The bleedingly obvious?
Cheers
Stor
"Yeah well there's a lot of stuff that should be, but isn't"
Whitehats hack with permission. A security consultant you pay to check your network is a whitehat. Someone that hacks it on their own is a blackhat. There is NO right to obtain evidence through illegal means. You must ask permission first.
Let me turn it to the real world. Suppose I break in your house (something I'm sure I could easily do, 99.999% of houses have shitty physical security) look at your things to see what I could get at, then tell you about it later. Is that ok? I mean I didn't hurt anything, and I gave you a report, so it;s ok right? Wrong, it's not ok, I broke the law.
Same thing. You aren't allowed to hack systems without permission. I don't care why you are doing it, you still aren't allowed to. This isn't a matter up for debate, it's the law, and it directly relates to physical privacy and security laws.
Your stuff is your stuff, and the rest of the world is welcome to keep the fuck out.
From the Guardian article:
"The police referred the matter back to the university, saying it was best dealt with internally."
Emerald Astrology
You're completely right. I was at Oxford when this incident occurred, and I'm appalled that the Guardian and BBC News have bought into this flagrant piece of self-promotion. From what I know of the story there was no attempt made to liaise with the University Computer Services to rectify this problem before they published the information in the paper. Unfortunately people involved in student journalism, particularly at Oxford in my experience, are only interested in bolstering their CV so that they can land a job at a British national newspaper. This means that they will do anything to promote themselves without any real thought for the consequences.
Good lord, I can't read this thread any longer.
.ox.ac.uk DNS, herald email, HFS backup, site-license software, training, etc. etc. etc. OUCS also run the University level (ox.ac.uk) firewall. They also advise the colleges on network security.
I'm here, I've been a student at Oxford (postgraduate and undergraduate) for 5 years, and I know the OUCS network well.
There are 3 important points that most people have failed to recognise. Many of the have to do with the fact that the colleges are more or less partly-autonomous entities.
1) There are college LANs, supervised by a college IT officer. These (usually) sit behind a college firewall.
1a) same goes for the departments and faculties.
2) there is the OUCS network, linking the colleges and departments to each other and JANET
3) oucs also provides services, e.g.
Now, of the various problems observed here, three are pulled out as particularly noteworthy.
1) email passwords stolen.
Herald, oucs's email system, has both plaintext and encrypted authentication modes. Although some use pop3 or imap, most users connect via webmail. This used to live at herald.ox.ac.uk, and users were recommended to login via https protocol. Of course, few users did. They just typed herald.ox.ac.uk in their browser bar. So oucs began to fix this by introducing webamil.ox.ac.uk which requires https. They kept herald on as a lecacy service for a month or two to allow people to trnsition. It was at this point the report was published, as the accounts were opened. The falw was being fixed, and a big education campaign was in place about the new secure service. In addition, herald has always required very strong passwords (one of the main complaints about the oucs systems among users, in fact, is the password requirements).
2) msn messenger conversations listened to
MSN is not an OUCS provided service, they don't control the protocol, or the software. Student personal machines connect to the network, and these nowadays come with msn. If users use software without understanding how secure it is, it's no the university's fault. This is made clear here. These same students ALREADY have pretty private/personal/embarrasing comversations shouted at 3am in the morning in Radcliffe Square!
3)CCTV. Only one college has this problem, and it was due to poor installation by a service engineer of the company. It was a black box solution, selected more by the governing body of the college than the IT office, and the only way to run the cables in a mediaeval college is to use existing networks. Really, the CCTV traffic should have been encrypted, but if the company who installs the solution fails to do this, then the college (i'm sure) will be dealing with the company.
Meanwhile, the important thing to remember is that all students who gain a network address and network access have to sign a contract and code of conduct not to do anything bad
So we have three problems. 1 was in the process of being addressed, and user inertia was the problem. The problem is now solved. 2 is nothing to do with the university. 3 was a localised failure of solution affecting a single college, and has now been addressed.
Move along please, nothing to see..
I work at the university, and the essential facts of this case have been reasonably well known here since it happened several weeks ago.
:-) but suspending them, essentially for having no common sense, is a bit harsh. It would have been straightforward for them to obtain most of the facts they needed for the story without breaking the law and violating people's privacy (restrict the packet sniffer to specific computers where the owners had agreed in advance), but they chose not to or failed to think about it or do some basic research first.
The structure of the university means that the many parts of the university (the 'colleges') have independently run networks, all connected to the same university backbone. Many college networks aren't switched, either because of lack of time or resources, or because there's not all that much point - if you know what you're doing you can MAC flood the switches anyway from any port that is set to learn new computers (pretty much essential in libraries).
What the 'reporters' did was simply to run a packet sniffer on various unswitched networks. I think they managed to watch some CCTV coverage, read someone random's MSN conversation, and possibly pick up a few passwords. They then went and told the people they'd sniffed what they'd done, and wrote a rather over-sensationalised article about the security flaws.
This kind of thing (someone noticing the network is insecure and making a really big deal of it) happens every few years in Oxford, and usually it doesn't generate quite this much publicity. The university has gradually been developing a tougher line on computer misuse, which may explain their desire to throw the book at the journalists.
They are threatened with a 500 pound fine and being suspended for a year. Personally I think the fine is justified (the university could use it to buy some more switches
Disclaimer: These are my own views, and do not necessarily represent the views of either the college I work for, nor Oxford University. Right, that's out the way, then. I work for the college that one of these students attend. So far there's been very little said by the IT staff on this matter - it's all been done by the official channels of the university. But this seems to be a good place to set the record straight on a few things. These students didn't hack anything. All they did was sniff some tcp/ip traffic. That they could only do because it was the last hub left to upgrade in college. I'm fairly certain they wouldn't have had the intelligence to bypass a proper switch, but even then, it's hardly a massive security failure. None of the college's administration systems were compromised in any way. None of the student servers were compromised. The emails and passwords they compromised were not the official university ones, and if they were, it is because the email clients were not configured properly. The new webmail interface (unpopular for a reason that's beyond me) is through https: and therefore secure. They only got these passwords at all because email passwords under pop, as well as imap if you don't use ssl, are transmitted through clear-text, people. Just like msn messenger and the internet. Somehow we are being held accountable for how the internet works. Maybe it's because Tim Berners-lee attended here. There is no real problem here, except the issue of user awareness. And that was in no way raised by the article these two hacks wrote - rather people are more paranoid (not a bad thing in itself) yet further misled in their understanding of the university networks. It is not journalism to create a story. It is journalism to report a story in a fair and unbiased manner. Out of the article printed by these two in the Oxford Mail, the various editorials in both the above and the other Oxford Student paper, the Guardian and the BBC, the only unbiased report I've seen is from the BBC. And even then it's because you get the impression they're too lazy to get involved ;op
No, that's not journalism. That's scare-mongering.
I agree with those people who say this should not have gone to the police - but by that time it was being handled by people who didn't understand the technicalities of what these people did.
The only thing I think that is dumb on the administration's part is having the Closed Circuit Televisions controlled via the internal network, that shit should be on a totally different network
Yeah, exactly. That wasn't us, btw. But even so, I'd like to point out that being able to access a security camera in a public area is not exactly a breach of privacy. Just a bit dumb of whoever put it in. Probably someone going over the head of the IT admin , if I know oxford...
Somebody fire this person (re: the comments by IT officer A)
It's better to stay quiet and be suspected a fool than open one's mouth and remove all doubt.
These were members of the legitimate press, who in the course of their duties as members of a free press, alerted a population about a situation where the authorities who they trust to provide security have failed in carrying out their responsibilities
Uh.. I don't see it as the duties of the free press to break the law in order to create a story - or even to report one. As for the failing of responsibilities - it should be obvious by now that this hasn't happened.
Have you heard of Whistleblowing
Have you heard of Shit-stirring?
[I am an IT professional at University of Oxford, but I'm not associated with the College concerned - just passing on what I've heard locally].
One thing that doesn't come out very clearly in the Oxford Student article, or the subsequent press coverage, is the nature of the "hack".
As I understand it, the college that the students attend uses still uses some ethernet hubs, rather than switches (this is where the quote about the "cost" of security comes from), and the students just packet-sniffed the traffic that was going past on their local network segment. They found exactly what anyone who knows a bit about networks would expect to find.
The problem (as so often!) is more social than technological: the users of the network have expectations of privacy which the implementation doesn't provide.
The failing on the part of the University not so much in the area of technology and IT security, is more in the area of user education: people using the facilities need to be made aware that the ethernet that you share with a couple of hundred other students is in no way private, any more than a conversation held in the JCR (college bar) is ...
The University is on the whole, very security concious. The mail servers, shell machines, web servers, etc, provided by the central Computing Service all provide access via SSH or SSL encrypted connections (and frequently for anything that requires a username and password, only via such connections).
One thing that does puzzle/concern me is the allegation that a CCTV feed was accessed. So far as I know, all the CCTV systems operated by the University security service run over seperate fibre optics and are kept strictly segregated from the general purpose data network.
I believe that it is the law in England (and Wales) that if you know of a criminal act taking place then if you do not report it to the police then you are deemed to be an accessory after the fact and have hence committed a criminal act yourself.
Therefore, once the University was informed of the criminal acts (breach of the Computer Misuse Act) they had to inform the police. They had no choice in the matter.
Agrajag: "Oh no, not again!"
For example, it would be nice if I could get to my campus email through a secure POP link. But the server doesn't have one enabled. Well then, say hello to PINE, via ssh
If you have a full shell account on the remote end (i.e. pine doesn't start automatically upon login, and you don't exit when exiting pine), read this to learn how to automatically pull down your email with pop3 over ssh without entering passwords. Works great.
Intelligent Life on Earth