Slashdot Mirror
Oxford Students Hack University Network
An anonymous reader writes "Both The Guardian and BBC News are carrying the story that two students at the University of Oxford, Patrick Foster and Roger Waite, were able to easily hack into the university's internal network in minutes using only easily-available software. Once inside, they could find out anyone's email password, observe instant messenger conversations and control parts of the university's CCTV system. The students were investigating the university's network security for the student newspaper, The Oxford Student, which published a front page article and editorial on the matter. In the article, a university spokesperson is quoted as saying 'In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security.' The students now face disciplinary precedings from the university and could receive rustication (suspension) and a 500 pound fine. The matter has also been passed onto the police."
What appropriately aged Slashdotter hasn't hacked into their university or college's network?
Cheers!
Erick
http://www.busyweather.com/
... a.k.a. A Beginner's Guide to tcpdump and ettercap
Now that is a heavy fine.
The school is feeling embarassed, and vengeful, so they make an example of the students; the students were only hacking the network to produce a news article on the lacklustre security at Oxford. They have a right to obtain evidence to support an article on the security systems, even by showing how the system can be broken into. Students likely have been complaining about it for some time.
From my perspective, the student body has a right to be certain if the use of the school network is going to compromise any of their personal information. Do you know how many students use school networks to check banking information?
These white hat hackers have given the school a present and they are slapped in the face for it. Any action against the journalists will only smear Oxford's reputation further. They should simply thank them and make the necessary changes to improve security.
Shit, if I know this, and some multiple-PHD administrator can't figure it out, what does that say about the level of comprehension at Oxford?
The dangers of knowledge trigger emotional distress in human beings.
.. has to be having the police handle a situation that they don't understand.
What do I have to do to get a sig around here?! www.bearscanfly.org
They should be damn well "rusticated" for their tast in music alone!
An IT Officer at College A said: "Short of keeping the network as segmented as possible, there is very little we can do." In a warning to students, he added: "I am able to monitor my network, and student regulations mean that any member abusing it would find themselves before the Dean."
:)
;)
Er, require strong passwords? Hm, yeah, that'd work, and I guess it is "little" to do
The OxStu has agreed not to pass on the methods used to carry out such actions, which fall foul of both the law and OUCS guidelines. One computer expert told The OxStu that the actions were virtually untraceable.
How clever of them -- security by obscurity. I'm sure those "methods" would be far too complex for us to understand anyway, right?
It can take less than a minute to obtain an individual student's email password. A student at College B whose password was compromised told The OxStu: "It's absolutely ridiculous that security could be so light. I'll certainly be changing my password regularly in the future."
Oh! So that's it. Weak passwords (or maybe a little social engineering, or both.) Gosh -- better keep a lid on that secret.
everything in moderation
This should be a valuable lesson to everyone, always get permission before "investigating". Surprisingly often, you can get permission--especially if you represent something like a campus newspaper, where they can assume you'll be responsible.
They could have asked for permission to attempt and hack into the network before actually doing it. At my university, there was a group of students who asked to test the network security and they got permission to try in the summer between a summer session block when not too many people were using the network. It also meant that when they printed their findings, not too many people were around to read it because it was obviously summer session. They didn't find many security lapses, heck if I remember correctly it was printed up on page 6 of the student newspaper.
Absolutely. The Uni's should try and foster an open environment, and not be so bloody harsh on students - who, do occasionally 'bend the rules'.
This is probably the only time in peoples lives that they can experiment like this, and they shouldn't be heavily fined/expelled/sued. Maybe a formal 'slap on the wrist', but that's it.
Its Uni - not a top secret government agency.
You can't expect to wield supreme executive power, just because some watery tart threw a sword at you
While this is an extreme hack and what not, you'd be surprised about how much resistance there is to security on a university setting. When my university installed email/virus scanning software, it was a HUGE deal and nearly wasn't installed because of concerns of academic freedom.
When I suggested turning on the Windows Firewall on Faculty PCs, I was told that it was a no no because it could interfere with Academic freedom. Freedom above everything else is the university motto.
Speaking as someone who sysadmin'd at one of the top five universities in my country, I can say that most universities are like this.
Security is lax, well, because the information that someone would want to steal is usually already available on the various faculty websites.
The only things I can think of that are actually worth securing ARE secured. Who cares if these guys can change someones email password. Most uni students don't even use their supplied email addresses, and they are usually only used as a redundant means of sending out marks. I wouldn't be worried about the CCTV monitoring either. It's not like the CCTV was viewing some "restricted" area of the university. Want to see what's going on? Walk down there and take a look. *gasp*.
I'm probably being a troll (I can't even tell anymore) but honestly, most university security is so lax because there simply isn't that much data that requires securing.
--
The last digit of pi is four.
White-hat my ass, they didn't ask for permission to crack the system first; they did it, THEN told them they did it, how easy it was and oh yea, it was for altruistic purposes.
In this day and age of computers being ubiquitous with education, and many college kids, regardless of what school you end up going to, not knowing damn near the first thing about computer security, rooting a system is hardly an accomplishment. What it is though, is invasion of privacy, more then likely an infringement on the User Agreement which all colleges I've been to have to get on their network, and a really REALLY dumb way of propping yourself up to look cool.
As for What they did, looking into MSN conversations isn't hard, it's plaintext across a network, set up a box to dump all the shit it gets and voila, hours of juicy reading material.
E-mail passwords are also easy to get plaintext, unless the users of the network use some type of security layer, (SSL and the like) otherwise if you go to a normal webmail account, (http://webmail.schooname.com) you send your shit plaintext most of the time, Purdue, BSU, and a few other Indiana schools do that.
The only thing I think that is dumb on the administration's part is having the Closed Circuit Televisions controlled via the internal network, that shit should be on a totally different network, that is the only real folly I see that is just nasty. Otherwise most of the shit is just because people are not security conscious.
Do you even know what "rule of law" means? It means NO ONE is above the law. Not the president, not the police, not even investigative journalists.
What the two students did was clearly in violation of university policy and criminal law, and need to be punished accordingly.
Yes, the fact that their primary intention was journalism should be considered as a mitigating factor, but I see no reason why it should get them off the hook for having committed several crimes.
Forgot one:
SCO sues B
Reminds me of my first year in college where I tried logging into the school server from my dorm computer on the school network with login root and password root....
:-)
:-)
I was just curious at the time
A day later I get a rather straighforward e-mail from the system op, telling me to stop, or they will report me to the appropriate authorities, and about possible disciplinary options.
Well at least I found out that they were smart enough to change the password, and keep on eye on what people were trying to do
.... ... }
int main (void) {
Relevantly, they managed to find and clamp down on compromised boxes (usually Win, or unpatched linux boxes) pretty quickly. They also had some very good techs (as well as some pretty nifty stuff, eg ADSM backup of private machines for all users).
Based on the info these guys say they got, it looks like at least partly what they were doing was just packet-sniffing. Not sure how the cctv stuff works, as I know the newest cctv gear has been installed since I left.
If it's just that, then there is at least one precedent at Oxford, as a number of passwords of POP users were captured by a compromised linux box (vanilla, unpatched RedHat 3 or 4, iirc) in about 98 or 99. OUCS detected the box, and then the sniffing, within one or two hours and froze all accounts, which I thought was pretty good going for such a huge place.
I'd have preferred if these guys had just told OUCS in private, instead of trumpeting about it in the papers. Wouldn't surprise me if they were charged ... I wonder if Thames Valley Police will run the investigation? :)
Erick
http://www.busyweather.com/
Imagine never failing another subject.
Imagine being able to push your enemies down a grade.
Imagine making some extra cash selling exam information.
Imagine trashing the occasional file to irk a disliked professor.
Imagine that the organisation responsible for stopping you doing these things spends more time complaining about white hats than it does stopping black hats.
Imagine how much easier life would be not doing the right thing.
Just imagine...
Whether they did for self aggrandisement or not, whistle-blowers make it safe for the rest of us. I don't have the skill to test security like this. But its nice to know that there are self-serving show-offs who will do it for me. More power to them.
What country are you from btw? I only ask because in the USA, there's a whole host of information that have access controls set on them by the Federal Gov't. Especially medical information... with the new laws they've passed, god help you if you screw it up.
As someone who sysadmin'd at one of the top five universities in his country, I find it disturbing how easily you dismiss student's e-mail addresses. Did it ever occur to you that... someone might actually send mail while pretending to be someone else!!! Some college's and uni's send grades, schedules and who knows what else directly to students' email. Pretty handy for a stalker right?
maybe you're just getting a little excited, because I don't think you're trolling. Otherwise your statements would suggest extreme incompetence.
And why is this? Maybe we have different ideas about what constitutes "information worth stealing"[Fuck Beta]
o0t!
They also have to learn that it doesn't pay to go against the system... ;p
An IT Officer at College A said: "Short of keeping the network as segmented as possible, there is very little we can do."
Somebody fire this person.
Whitehats hack with permission. A security consultant you pay to check your network is a whitehat. Someone that hacks it on their own is a blackhat. There is NO right to obtain evidence through illegal means. You must ask permission first.
Let me turn it to the real world. Suppose I break in your house (something I'm sure I could easily do, 99.999% of houses have shitty physical security) look at your things to see what I could get at, then tell you about it later. Is that ok? I mean I didn't hurt anything, and I gave you a report, so it;s ok right? Wrong, it's not ok, I broke the law.
Same thing. You aren't allowed to hack systems without permission. I don't care why you are doing it, you still aren't allowed to. This isn't a matter up for debate, it's the law, and it directly relates to physical privacy and security laws.
Your stuff is your stuff, and the rest of the world is welcome to keep the fuck out.
Here's the deal, before you all start burning megabytes on the debate whether or not this people were whitehat or blackhat, or whether it creates a slippery slope that will usher in a horde of script kiddies, there's one thing that you all need to remember:
This was an action of the press.
Let me repeat myself, because it's important.
This was an action of the press.
It is the purpose of the press to keep whoever is in power accountable. In the United States of America, this role was so important that until the mid 1970s* the press was considered to be the fourth branch of government. Now things might be a little different over in the United Kingdom, but the last time I checked, their press sometimes tries to expose and keep in check authority there as well.
This isn't a bunch of kids who hax0r1zed the system, and then cranked out a Cult of the Dead Cow text file, and said, "You g0t p0wn3d - but w5 R da Pr3ss."
These were members of the legitimate press, who in the course of their duties as members of a free press, alerted a population about a situation where the authorities who they trust to provide security have failed in carrying out their responsibilities.
* Okay, maybe that 1970s remark was a little sarcastic, but with all the media consolidation by the same megacorporations who buy and sell the elite of the american government, can you really describe it as the fourth branch of government anymore?
HaXXXor.com - Naked Chicks Teach You How To Ha
I am appalled at the number of people justifying what Oxford Univeristy is attempting to do. Have you heard of Whistleblowing, which I consider a fundamental service to any functioning democracy?
Look Oxford has been entrusted with the personal information of their students. They are the ones that should be facing the heavy and lorn arm of the law and not the students that brought the problems to everyone's attention.
As long as they did not do any harm, and they didn't, these students ought to be rewarded, not punished. How the fuck are you supposed to find out if a university is doing what it's supposed to? Are we supposed to just take at their word?
I don't think so!
Pragmatism as an ideology is not particularly pragmatic in the long term. Keep it in mind when you dismiss Free Software
What's going on ? When I was a student, our teachers offered highest marks in system programming to everyone who could hack the department network. A student had a choice : to study everything or just to prove himself capable. After each sucessful break in, the hole was patched and the network became more protected.
This is the proper way. But making the unprotected network and call police... it's a degradation.
It was later recorded by the university database that not only did they promptly pay the find, they _overpaid_ by almost 2000 pounds. Of course, a refund was issued instantly.
Couldn't figure out why they were snickering though?
Obviously, now. Before hand, how could they have shown it?
White-hat my ass, they didn't ask for permission to crack the system first; they did it, THEN told them they did it, how easy it was and oh yea, it was for altruistic purposes.
I hate to disturb your dream here, but asking permission might have made life difficult. The point of the exercise was that anyone could do it, not anyone being watched closely. It's impossible for Oxford to closely watch everyone.
Sure, it was done altruistically. People with different motivation have been and continue to do the same things. They reported the problems they noticed so that other students would know what not to trust on campus.
We shall see what happens to them.
Friends don't help friends install M$ junk.
I work at the university, and the essential facts of this case have been reasonably well known here since it happened several weeks ago.
:-) but suspending them, essentially for having no common sense, is a bit harsh. It would have been straightforward for them to obtain most of the facts they needed for the story without breaking the law and violating people's privacy (restrict the packet sniffer to specific computers where the owners had agreed in advance), but they chose not to or failed to think about it or do some basic research first.
The structure of the university means that the many parts of the university (the 'colleges') have independently run networks, all connected to the same university backbone. Many college networks aren't switched, either because of lack of time or resources, or because there's not all that much point - if you know what you're doing you can MAC flood the switches anyway from any port that is set to learn new computers (pretty much essential in libraries).
What the 'reporters' did was simply to run a packet sniffer on various unswitched networks. I think they managed to watch some CCTV coverage, read someone random's MSN conversation, and possibly pick up a few passwords. They then went and told the people they'd sniffed what they'd done, and wrote a rather over-sensationalised article about the security flaws.
This kind of thing (someone noticing the network is insecure and making a really big deal of it) happens every few years in Oxford, and usually it doesn't generate quite this much publicity. The university has gradually been developing a tougher line on computer misuse, which may explain their desire to throw the book at the journalists.
They are threatened with a 500 pound fine and being suspended for a year. Personally I think the fine is justified (the university could use it to buy some more switches
Disclaimer: These are my own views, and do not necessarily represent the views of either the college I work for, nor Oxford University. Right, that's out the way, then. I work for the college that one of these students attend. So far there's been very little said by the IT staff on this matter - it's all been done by the official channels of the university. But this seems to be a good place to set the record straight on a few things. These students didn't hack anything. All they did was sniff some tcp/ip traffic. That they could only do because it was the last hub left to upgrade in college. I'm fairly certain they wouldn't have had the intelligence to bypass a proper switch, but even then, it's hardly a massive security failure. None of the college's administration systems were compromised in any way. None of the student servers were compromised. The emails and passwords they compromised were not the official university ones, and if they were, it is because the email clients were not configured properly. The new webmail interface (unpopular for a reason that's beyond me) is through https: and therefore secure. They only got these passwords at all because email passwords under pop, as well as imap if you don't use ssl, are transmitted through clear-text, people. Just like msn messenger and the internet. Somehow we are being held accountable for how the internet works. Maybe it's because Tim Berners-lee attended here. There is no real problem here, except the issue of user awareness. And that was in no way raised by the article these two hacks wrote - rather people are more paranoid (not a bad thing in itself) yet further misled in their understanding of the university networks. It is not journalism to create a story. It is journalism to report a story in a fair and unbiased manner. Out of the article printed by these two in the Oxford Mail, the various editorials in both the above and the other Oxford Student paper, the Guardian and the BBC, the only unbiased report I've seen is from the BBC. And even then it's because you get the impression they're too lazy to get involved ;op
No, that's not journalism. That's scare-mongering.
I agree with those people who say this should not have gone to the police - but by that time it was being handled by people who didn't understand the technicalities of what these people did.
The only thing I think that is dumb on the administration's part is having the Closed Circuit Televisions controlled via the internal network, that shit should be on a totally different network
Yeah, exactly. That wasn't us, btw. But even so, I'd like to point out that being able to access a security camera in a public area is not exactly a breach of privacy. Just a bit dumb of whoever put it in. Probably someone going over the head of the IT admin , if I know oxford...
Somebody fire this person (re: the comments by IT officer A)
It's better to stay quiet and be suspected a fool than open one's mouth and remove all doubt.
These were members of the legitimate press, who in the course of their duties as members of a free press, alerted a population about a situation where the authorities who they trust to provide security have failed in carrying out their responsibilities
Uh.. I don't see it as the duties of the free press to break the law in order to create a story - or even to report one. As for the failing of responsibilities - it should be obvious by now that this hasn't happened.
Have you heard of Whistleblowing
Have you heard of Shit-stirring?
[I am an IT professional at University of Oxford, but I'm not associated with the College concerned - just passing on what I've heard locally].
One thing that doesn't come out very clearly in the Oxford Student article, or the subsequent press coverage, is the nature of the "hack".
As I understand it, the college that the students attend uses still uses some ethernet hubs, rather than switches (this is where the quote about the "cost" of security comes from), and the students just packet-sniffed the traffic that was going past on their local network segment. They found exactly what anyone who knows a bit about networks would expect to find.
The problem (as so often!) is more social than technological: the users of the network have expectations of privacy which the implementation doesn't provide.
The failing on the part of the University not so much in the area of technology and IT security, is more in the area of user education: people using the facilities need to be made aware that the ethernet that you share with a couple of hundred other students is in no way private, any more than a conversation held in the JCR (college bar) is ...
The University is on the whole, very security concious. The mail servers, shell machines, web servers, etc, provided by the central Computing Service all provide access via SSH or SSL encrypted connections (and frequently for anything that requires a username and password, only via such connections).
One thing that does puzzle/concern me is the allegation that a CCTV feed was accessed. So far as I know, all the CCTV systems operated by the University security service run over seperate fibre optics and are kept strictly segregated from the general purpose data network.
And on another level, they can force people to use some amount of SSL. Make the mail server SSL-only, for instance. This is especially the case at my university: each student is issued a standard university ThinkPad, and they can control the load on those things. Set up a secure POP connection, have the new laptops set up to use it, and within one replacement cycle (two years) you can have everyone checking their mail securely. Would this be excessively burdensome? It won't protect your web mail or Slashdot account from packet sniffing, but it keeps your email (which usually shares your Important University Password) nice and secure!
(Incidentally, they've been loading Mozilla on them for mail and browsing. I can only see good coming of that, at least.)
The World Wide Web is dying. Soon, we shall have only the Internet.
When i was at collage...
And, um, which collage did you go to?
Evil is the money of root.