Slashdot Mirror


Oxford Students Hack University Network

An anonymous reader writes "Both The Guardian and BBC News are carrying the story that two students at the University of Oxford, Patrick Foster and Roger Waite, were able to easily hack into the university's internal network in minutes using only easily-available software. Once inside, they could find out anyone's email password, observe instant messenger conversations and control parts of the university's CCTV system. The students were investigating the university's network security for the student newspaper, The Oxford Student, which published a front page article and editorial on the matter. In the article, a university spokesperson is quoted as saying 'In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security.' The students now face disciplinary proceedings from the university and could receive rustication (suspension) and a 500 pound fine. The matter has also been passed on to the police."

17 of 662 comments

  1. Re:Oxford Loses Out by sirsnork · Score: 4, Interesting

    The multiple-PhD admin certainly knows it, and has likely been voicing his concerns for some time. Unfortunately the way the world works is that if it ain't broke, don't fix it. I imagine said admin(s) will now get the money they require to resolve the problem properly, otherwise Oxford risk more students doing this in 12 months time and looking even more silly.

    --
    Normal people worry me!
  2. Aargh, again with the confusion. by randyest · Score: 4, Interesting

    An IT Officer at College A said: "Short of keeping the network as segmented as possible, there is very little we can do." In a warning to students, he added: "I am able to monitor my network, and student regulations mean that any member abusing it would find themselves before the Dean."

    Er, require strong passwords? Hm, yeah, that'd work, and I guess it is "little" to do :)

    The OxStu has agreed not to pass on the methods used to carry out such actions, which fall foul of both the law and OUCS guidelines. One computer expert told The OxStu that the actions were virtually untraceable.


    How clever of them -- security by obscurity. I'm sure those "methods" would be far too complex for us to understand anyway, right? ;)

    It can take less than a minute to obtain an individual student's email password. A student at College B whose password was compromised told The OxStu: "It's absolutely ridiculous that security could be so light. I'll certainly be changing my password regularly in the future."


    Oh! So that's it. Weak passwords (or maybe a little social engineering, or both.) Gosh -- better keep a lid on that secret.

    --
    everything in moderation
  3. Re:They shouldn't be punished.. by MrRTFM · Score: 5, Interesting

    Absolutely. The Unis should try and foster an open environment, and not be so bloody harsh on students, who do occasionally 'bend the rules'.

    This is probably the only time in people's lives that they can experiment like this, and they shouldn't be heavily fined/expelled/sued. Maybe a formal 'slap on the wrist', but that's it.

    It's Uni, not a top secret government agency.

    --
    You can't expect to wield supreme executive power, just because some watery tart threw a sword at you
  4. academic freedom by havaloc · Score: 4, Interesting

    While this is an extreme hack and what not, you'd be surprised about how much resistance there is to security in a university setting. When my university installed email/virus scanning software, it was a HUGE deal and nearly wasn't installed because of concerns of academic freedom.
    When I suggested turning on the Windows Firewall on faculty PCs, I was told that it was a no-no because it could interfere with academic freedom. Freedom above everything else is the university motto.

  5. ..Well by SinaSa · Score: 5, Interesting

    Speaking as someone who sysadmin'd at one of the top five universities in my country, I can say that most universities are like this.

    Security is lax, well, because the information that someone would want to steal is usually already available on the various faculty websites.

    The only things I can think of that are actually worth securing ARE secured. Who cares if these guys can change someone's email password. Most uni students don't even use their supplied email addresses, and they are usually only used as a redundant means of sending out marks. I wouldn't be worried about the CCTV monitoring either. It's not like the CCTV was viewing some "restricted" area of the university. Want to see what's going on? Walk down there and take a look. *gasp*.

    I'm probably being a troll (I can't even tell anymore) but honestly, most university security is so lax because there simply isn't that much data that requires securing.

    --
    The last digit of pi is four.
  6. Bullshit. by Crasoum · Score: 5, Interesting

    White-hat my ass, they didn't ask for permission to crack the system first; they did it, THEN told them they did it, how easy it was and oh yeah, it was for altruistic purposes.

    In this day and age of computers being ubiquitous with education, and many college kids, regardless of what school you end up going to, not knowing damn near the first thing about computer security, rooting a system is hardly an accomplishment. What it is though, is invasion of privacy, more than likely an infringement on the User Agreement which all colleges I've been to have to get on their network, and a really REALLY dumb way of propping yourself up to look cool.

    As for what they did, looking into MSN conversations isn't hard, it's plaintext across a network; set up a box to dump all the shit it gets and voila, hours of juicy reading material.

    E-mail passwords are also easy to get in plaintext unless the users of the network use some type of security layer (SSL and the like); otherwise, if you go to a normal webmail account (http://webmail.schooname.com) you send your shit in plaintext most of the time. Purdue, BSU, and a few other Indiana schools do that.

    The only thing I think that is dumb on the administration's part is having the Closed Circuit Televisions controlled via the internal network, that shit should be on a totally different network, that is the only real folly I see that is just nasty. Otherwise most of the shit is just because people are not security conscious.

  7. root/root by codeonezero · Score: 5, Interesting

    Reminds me of my first year in college where I tried logging into the school server from my dorm computer on the school network with login root and password root....

    I was just curious at the time :-)

    A day later I get a rather straightforward e-mail from the system op, telling me to stop, or they will report me to the appropriate authorities, and about possible disciplinary options.

    Well at least I found out that they were smart enough to change the password, and keep an eye on what people were trying to do :-)

    --
    ....
    int main (void) { ... }

  8. Re:Oxford Loses Out by Smitty825 · Score: 4, Interesting

    Maybe my memory is foggy, plus, I realize that the incident occurred at Oxford University, which is in the UK, not the US, but.... (Is that enough of a disclaimer?)

    I recall that in the US, the Supreme Court has afforded protection to journalists who intentionally broke security laws to protect the public interest. For example, I seem to remember that in the pre-9/11 days, it was ok for a journalist to try and sneak a gun past the security checkpoints, as long as they didn't ever board a plane.

    If caught, the journalist would go to jail, but charges would be thrown out...I don't remember how everything worked, and I'm too lazy to type it into google :-)

    --
    Doh!
  9. Re:Are there any adults in the house? by perlchild · Score: 5, Interesting

    It's only maladministration if the administration is warned of a potential exploit, and does nothing. However, the recent legal climate makes it MANDATORY that this warning be done in an anonymous manner. Quite simply, because it's a crime to find an exploit on someone else's network, but choosing NOT to fix a bug is not a punishable crime (that's defensible, in a way: some bugfixes have been known to be worse than what they cured before). The only problem is that if a) the network handles YOUR sensitive private confidential or financial information, and you know it's being mishandled, you have one choice, to leave the institution, since:

    1) You can't force them to use secure transmission of all data
    2) You can't force them to use secure transmission of YOUR data
    3) You can't force them to follow best practices in the handling of all data
    4) If you try to point out in a public forum that their handling of your data is faulty in any way, you can be sued

    But you can't sue them UNTIL your information is in the hand of someone who uses it illegally.

    Anyone notice how badly this deck is stacked yet?

  10. Re:Yeah... and? by gilrain · Score: 5, Interesting

    The thing is, university campuses tend to almost have their own legal systems. At least, on the campuses I've been on, certain things are more legal than in the real world, and others are less legal. In general, unless it gets out of hand, problems on campus are handled by the university administration. For instance, plagiarism is given a grade of 0, or might even result in expulsion -- but how often do you see it reported to any kind of legal authority?

    That's why this surprised me. In the real world, sure they would be rightfully prosecuted. But with the entire event being isolated to a university campus...

  11. Where this world moves? by nickol · Score: 5, Interesting

    What's going on? When I was a student, our teachers offered highest marks in system programming to everyone who could hack the department network. A student had a choice: to study everything or just to prove himself capable. After each successful break-in, the hole was patched and the network became more protected.

    This is the proper way. But making an unprotected network and calling the police... it's a degradation.

  12. Re:Yeah... and? by ScouseMouse · Score: 4, Interesting

    Yeah, Uni sysadmins hate to look stupid, because in an environment with a couple of hundred graduating CS students they are very easy to replace at the drop of a hat.

    When I was at college, I remember a friend of mine came over, but needed to do some work. Now the work was a document on a server in Preston Polytechnic, so we tried to FTP it over to the local VAX. Eventually we just gave up because it wasn't working.

    Now we don't know exactly what happened, but next day I got an email from a very annoyed sysadmin for this system because we had caused some form of system failure by our actions. I think he called it a "Network breakthrough event" or something. Apparently somehow we had cacked their system in some way (I don't think it was permanent, or particularly serious). They were threatening to sue me and the guy involved.

    I sent them an email saying we only wanted to get some work off the server and promising never to go near their crappy system again.

    From what I found out later, the reason he was threatening me was because the Poly had recently promised someone doing some research that their system was safe and secure, and apparently something died (probably the FTP daemon) when the guy was in the room. Very embarrassing. So of course it all got blamed on them nasty hackers. :-)

    I later found out exactly how flaky a default PRIMOS installation was in person; it always surprised me after that how anyone would ever dream of using it in a production system, but then again, being brought up on VMS and UNIX, I seem to have got the strange impression that more than 10 hours uptime in one stretch is my god-given right :-).

  13. Re:Yeah... and? by fucksl4shd0t · Score: 4, Interesting

    My first school hack was a real hack. I was playing some BASIC game on the Commodore 64 in the library and I hit a bug that prevented me from winning the game. A real, live bug. So I listed the line, identified the bug, and started fixing it when the librarian walked up and asked what I was doing. She wound up calling my parents saying I was trying to rewrite the game so I could win, you know, cheating.

    My parents were cool about it. When I got home my dad asked me what had happened, and since I had previously saved the game to my own disk (we weren't allowed to do that...) and brought it home I fired it up and reproduced the bug for him. Then he watched me fix it, called the librarian and bitched at her, because it was a real bug.

    I got kicked off the computer in the library after that. No big loss, we had two of those machines at home and tons more stuff. ;) But I've had a severe prejudice against librarians ever since then...

    --
    Like what I said? You might like my music
  14. Re:Yeah... and? by andy+landy · Score: 4, Interesting

    I'm a sysadmin for a UK university and it's certainly true that we have our own rules. For example, our AUP forbids the use of peer-to-peer software as it's easier that way. Anyone using it is in breach of the AUP, clean and simple. That way we avoid having to deal with legalities of copyright infringement etc.

    As for prosecuting students who hack the systems and networks, we take a different approach. Before I was a sysadmin, I was a student at the same University and certainly had a go at the systems (I found a way to get a setuid copy of bash); on telling the sysadmins, they fixed the security hole, and I got kudos and respect for finding the hole.

    The general policy is that our Computer Science students should be smart enough to root the systems, and if they manage it, so long as they don't abuse it and they report it quickly, then we are happy!

    --
    perl -e 'print "Just another Perl newbie\n";'
  15. Re:Yeah... and? by olderchurch · Score: 5, Interesting

    This is the exact same reason why I love my provider. From their general conditions:

    4.4 Without prejudice to article 4.3, customers are permitted to hack the XS4ALL system.

    The first customer who succeeds in attaining a position equivalent to that of the XS4ALL system administrator will be offered six months' free use of the system, provided that the said customer explains how he or she succeeded in hacking the system, has not damaged the system or other customers and has respected the privacy of other customers. Each customer hereby gives consent for other customers to attempt to hack the system under the aforementioned conditions.

    --
    Disclaimer: This opinion was created without the use of any facts
  16. On the other hand, enabling it... by FooAtWFU · Score: 4, Interesting

    On the other hand, there are some very simple measures that certain sysadmins could take. For example, it would be nice if I could get to my campus email through a secure POP link. But the server doesn't have one enabled. Well then, say hello to PINE, via ssh! (mmm, PINE)...

    And on another level, they can force people to use some amount of SSL. Make the mail server SSL-only, for instance. This is especially the case at my university: each student is issued a standard university ThinkPad, and they can control the load on those things. Set up a secure POP connection, have the new laptops set up to use it, and within one replacement cycle (two years) you can have everyone checking their mail securely. Would this be excessively burdensome? It won't protect your web mail or Slashdot account from packet sniffing, but it keeps your email (which usually shares your Important University Password) nice and secure!

    (Incidentally, they've been loading Mozilla on them for mail and browsing. I can only see good coming of that, at least.)

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
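The plaintext-mail exposure described in comment 6 and the "make the mail server SSL-only" fix argued for in comment 16 can be checked from the defender's side. This is an added example, not code from the thread or from any poster: it parses a POP3 CAPA reply (RFC 2449) taken before STLS and reports whether the server still advertises a password-in-the-clear login; the two sample replies are constructed, and the Dovecot-style "TLS-only" shape of the hardened reply is an assumption about a typical hardened configuration.

```python
"""Audit a POP3 server's pre-TLS CAPA reply for plaintext logins.
Added example, not from the thread: an "SSL-only" mail server should
offer STLS (or only POP3S on 995) and must not advertise USER or
SASL PLAIN/LOGIN before the connection is encrypted (RFC 2449/2595).
Sample CAPA replies below are constructed."""
from dataclasses import dataclass, field

# Mechanisms that send a reusable password in the clear if used pre-TLS.
PLAINTEXT_MECHS = {"USER", "SASL PLAIN", "SASL LOGIN"}


@dataclass
class CapaAudit:
    stls: bool = False
    plaintext_auth: set = field(default_factory=set)

    @property
    def safe(self) -> bool:
        """True only if no password-in-the-clear mechanism is offered."""
        return not self.plaintext_auth


def parse_capa(response: str) -> list:
    """Split a raw CAPA reply: '+OK' status, one capability per line, '.'"""
    lines = response.replace("\r\n", "\n").split("\n")
    if not lines or not lines[0].startswith("+OK"):
        raise ValueError("CAPA unsupported or server returned -ERR")
    caps = []
    for line in lines[1:]:
        if line == ".":
            break
        if line:
            caps.append(line.strip().upper())
    return caps


def audit_capa(response: str) -> CapaAudit:
    """Classify a pre-STLS CAPA reply as TLS-only or plaintext-exposed."""
    audit = CapaAudit()
    for cap in parse_capa(response):
        if cap == "STLS":
            audit.stls = True
        elif cap == "USER":
            audit.plaintext_auth.add("USER")
        elif cap.startswith("SASL"):
            for mech in cap.split()[1:]:
                if f"SASL {mech}" in PLAINTEXT_MECHS:
                    audit.plaintext_auth.add(f"SASL {mech}")
    return audit


# Constructed samples: a default install vs one hardened to TLS-only auth.
WEAK_CAPA = "+OK Capability list follows\r\nTOP\r\nUSER\r\nSASL PLAIN LOGIN\r\nUIDL\r\n.\r\n"
HARDENED_CAPA = "+OK\r\nCAPA\r\nTOP\r\nUIDL\r\nSTLS\r\n.\r\n"
```

Feed it the reply your own server gives to `CAPA` on port 110 before `STLS`; a non-empty `plaintext_auth` set means a client can still hand over the university password unencrypted, whatever the web mail does.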
  17. Re:Yeah... and? by Lumpy · Score: 4, Interesting

    Good example, when I did freelance work I ALWAYS required 50% payment up front, and my expenses were split as product and labor. The up-front pay was for labor only and the final payment at delivery was for the product (software, hardware, whatever); it was clearly written that way on the invoices.

    Once I went to deliver a software app, they did not have my money so I uninstalled it, grabbed my stuff and started to leave. He threatened to call the cops, at which point I said, "please do, I would like to file a fraud report against you for trying to steal my software without paying for it." After some arguing, I picked up my cellphone and said, "fine I'll call the cops." at which point the customer magically was able to produce a check for me (Checks over $1000.00 are fine to take; it's a nasty felony that will get you thrown in jail for writing a bad check over $1000.00.)

    I sat down and reinstalled, and gave them another invoice for 3 hours more labor to cover the BS they tried to pull.

    I later forced the jerk to pay me in small claims court for the final labor invoice.

    Never put in time-bombs. ALWAYS have them pay up front for labor and demand payment for the product at delivery. If the company will not do that, then don't work for them, there are plenty of companies out there that are not scumbags.

    BTW, after a few years of freelance, I learned that most companies in the area knew about the company that tried to screw me, they had a reputation of trying to steal from contractors.

    --
    Do not look at laser with remaining good eye.