Slashdot Mirror

← Back to Stories (view on slashdot.org)

Student Attempting To Improve School Security Suspended

Posted by Zonk on from the no-good-deed-goes-unpunished dept.

TA_TA_BOX writes "The University of Portland has handed a one-year suspension to an engineering major after he designed a program to bypass the Cisco Clean Access (CCA). According to the University of Portland's Vice President of Information Systems, the purpose of the CCA is to evaluate whether the computers are compliant with current security policies (i.e., anti-virus software, Windows Updates and Patches, etc.). Essentially the student wrote a program that could fool the CCA to think that the computers operating system and anti-virus were fully patched and up to date. 'In the design of his computer program, Maass looked at the functions CCA provides and identified vulnerabilities where it could be bypassed. He wrote a program that emulated the same functions as CCA and eliminated some security issues. He says that the method he chose is "one of six that I came up with." Maass says his intent was not malicious. Rather, the sophomore says he was examining vulnerabilities so that they could be fixed. "I was planning on going to Cisco with the vulnerability this summer," Maass says. '"

7 of 282 comments (clear)

  1. Not impressed by Adam+Zweimiller · · Score: 5, Interesting

    When I started at as a freshman at the University of South Carolina 2 years ago, they were already using CCA. It's main intrusion was the fact that the University demanded that we use McAffee regardless of any other (superior) software we may have already purchased. Personally, I used Symantec Antivirus (Corporate) that I got through my internship. Regardless, it forced McAffee down my throat. I couldn't use the two side by side, as XP would freeze on startup with both installed. I noticed that the policy for CCA usage only applied to Windows computers, and that Linux and Mac users were exempt. So I booted my SuSe installation and launched Firefox to discover a web-gate type login, a form that I had to put my CCA user and pass into. Once entered, it said I was logged in for 7 days. I thought, well there's really only one way they're seperating out Windows, Mac's and Linux boxes: the user-agent. All it took to bypass was a custom Firefox deployment package pre-configured with User Agent Switcher. You didn't even need CCA installed. Every 7 days you got the web-gate login. All you had to do was switch to the pre-configured Linux user-agent and login, upon which you could change back to the default and continue on your merry way for 7 days. In about a week everyone in my dorm was using it, and it still works today. They just ban the user-agent when they catch on, and we come up with new ones. I'm not sure this guy's University may differ, but it really shouldn't take any kind of sexy software hackery to bypass it. PS. wtf is up with slashdot's server? It took me like 15 minutes to get this posted

    --
    mmm...muffins
    1. Re:Not impressed by bahwi · · Score: 3, Interesting

      Well, there's not really just one way to split up the OS'es, see nmap TCP/IP OS fingerprinting, but it's kind of disheartening that Cisco is using the UA for that, as it's the least secure thing you could possibly do. Kind of a name badge, "Hi My name is: CEO of Your Company" and security letting him pass without a card swipe or ID check because he says it so it must be true. Nmap OS Fingerprinting is really very cool if you haven't checked it out before. OpenBSD hides itself pretty well and FreeBSD does ok with certain switches turned on. But of course the detection just gets better each time too.

    2. Re:Not impressed by logan@bitsmart.com · · Score: 5, Interesting

      Heh... I reported this via Bugtraq on August 19, 2005, and CISCO responded to it 3 days later...

      http://www.securityfocus.com/archive/1/408603/30/0 /threaded

      As in, they've known about this for at least 20 months...

  2. Cisco Clean Access Agent... by TheGreatHegemon · · Score: 4, Interesting

    The article goes over it pretty well, but Cisco Clean Access Agent, in my experience at my college is more of a headache than it's worth. If someone has the slightest problem with Anti-virus updates, they get locked out every week, (I actually have to download the smart installer for them, and then patch it manually). Plus, a lot of good antiviruses aren't recognized by CCA agent as being acceptable. I currently run Windows 2003 server as a desktop, and CCA agent doesn't play nice with me either - I have to trick CCA agent by using a virtual machine for logins. Frankly, if there was a link to this program, I'd be using it right now...

  3. lets just suspend ALL students and save time by TheGratefulNet · · Score: 4, Interesting

    story after story, its "this student scared us - lets git 'em!".

    why is this country SO AFRAID of students and so into controlling them? I'm not sure I could survive in a modern high school or even college environment now. I'd be too angry all the time at how badly they are mismanaging our youth.

    I am quickly losing all my faith and trust in the so-called 'education system' we have in the US. its becoming not much more than babysitting and nannying.

    and I fear for the kind of young adults we are going to produce from this brainwashing factory we call 'school'.

    anyway, what good is there in suspending this kid? what does that accomplish? the fact that he found YOUR security flaw embarassed you? is that a reason to punish him?

    perhaps the school does not DESERVER your funding. yes, YOU fund the school - they work FOR YOU. its not the other way around. YOU are the consumer. if school-A is giving you crap, why not take your business elsewhere? yes, school IS a business - very much so.

    --

    --
    "It is now safe to switch off your computer."
  4. wow, excellent points by JohnnyComeLately · · Score: 4, Interesting
    Your reply hits many points, dead on (pardon the pun when combined with the guns reference). Technically, I "broke" Sprint PCS security policy by showing them a hole in 3G data services (around 98/99). The security guys were certain they were applying the layers of security but forgot about a fundamental shift in types of traffic (tunneling within a tunnel) used in 3G. I said, "OK, if it's secure, how is it I can ping the billing server from my "public" computer".....I could technically have been in the same boat as some others (not this kid...he was clever).

    Which brings up your main, and correct, point. It's sad when we penalize so harshly for students just being clever. Would they have suspended him for a year for putting a penny in the dorm elevator (in effect locking it on a single floor during early morning rush time)??? I often joke, and I'm sadly accurate: If I did half of what I did 20 years ago in highschool and later college....today...I'd be a multiple strike felon...and yet no one or any property was really ever hurt

    1. Re:wow, excellent points by ScrewMaster · · Score: 5, Interesting

      When I was in college thirty-odd years ago, my University only allocated 2,000 minutes per quarter per student of mainframe time. Not enough (obviously) and they refused to give me any more. So I wrote a simple fake-login program that would log the user's name and password, and cough up a realistic "system is down" message. Matter of fact, I exactly duplicated the normal logon procedure, including any nominal pauses and delays that occurred. Even fooled the system operators a couple of times. I ran the thing on forty or fifty terminals simultaneously, and I would watch in case someone called one of the admins over to ask why the system wasn't working. Whenever that happened, I'd hit a key on my terminal that would immediately log all the other systems off, so it would work normally at the next login attempt. It wasn't often: most people just shrugged, got up and left to go about their business. Occasionally some busybody would call an administrator over, so I had to keep an eye on things.

      In under a week I had captured the accounts of every active student user on the system, plus all the supervisory accounts. It was pretty unbelievable (as in, "holy SHIT Jesus Mary mother of God" unbelievable) and I couldn't understand why there were no precautions taken against that sort of thing. Needless to say I had no problems with account time after that. That was on the one mainframe: there was another guy, pretty sharp coder, that figured out what I was doing. At first I thought I was screwed, but he was delighted by the idea and duplicated it on the bigger system (this was years before the word "pwned" came in to the popular lexicon but it's no less applicable.) No surprise, a few days later and he had the run of that machine. So far as I'm aware, nobody ever figured out what we'd done. The big system was the one that had everything administrative on it from student grades to paper clips and we could have wreaked havoc if we'd wanted to. As it was, though, we just wanted more computer time to do our homework.

      A couple of years later my father testified in front of my State's legislature regarding a new "computer crime" bill they were shopping around. It was one of those ridiculous "zero tolerance" laws that make the lawmakers look "tough on crime" but end up shafting a lot of people that don't deserve it. Dad pointed out to these idiots that, if passed, their brain-child would immediately criminalize 90% of the best and brightest students in our engineering and computer science curricula. They backed off in a hurry and came back with a more reasonable bill, which never got passed anyway.

      That was then. Nowadays, I don't think our lawmakers would bat an eye if they put half our smartest engineering students in jail. They're just engineers, after all, and ... who the fuck needs those.

      --
      The higher the technology, the sharper that two-edged sword.