Student Attempting To Improve School Security Suspended
TA_TA_BOX writes "The University of Portland has handed a one-year suspension to an engineering major after he designed a program to bypass the Cisco Clean Access (CCA). According to the University of Portland's Vice President of Information Systems, the purpose of the CCA is to evaluate whether the computers are compliant with current security policies (i.e., anti-virus software, Windows Updates and Patches, etc.). Essentially the student wrote a program that could fool the CCA into thinking that the computer's operating system and anti-virus were fully patched and up to date. 'In the design of his computer program, Maass looked at the functions CCA provides and identified vulnerabilities where it could be bypassed. He wrote a program that emulated the same functions as CCA and eliminated some security issues. He says that the method he chose is "one of six that I came up with." Maass says his intent was not malicious. Rather, the sophomore says he was examining vulnerabilities so that they could be fixed. "I was planning on going to Cisco with the vulnerability this summer," Maass says. '"
It seems obvious that the suspension is a favor done by the university. A person of this caliber could do better in the workforce or a better university instead of TEACHING the university...
Anyone in the software biz should know: don't do security research (look for vulnerabilities) in commercial software or commercial websites if you want to be in the US. If you find a vulnerability, like a website that lets you launch missiles by putting &loggedIn=true in the URL, the best thing to do is to laugh to yourself about it, and forget it. Failing that, use some secure anonymous service and post the vulnerability somewhere. Doing the responsible thing, like informing the vendor, is absolutely thankless and likely to result in nothing but problems. Be smart, don't be a hero. Don't try to improve the security of others.
Guess I *won't* be doing that automated WiFi stumbler as a senior project...
Paleotechnologist and connoisseur of pretty shiny things.
TFA isn't really clear on what sort of "break-in" this was. It looks like it was, at most, a proof of concept break-in, and may have been as little as figuring out how to break the system without actually doing it.
In any case, he didn't go around giving out exploit code, and he even worked on the problem of patching the hole (as well as solving other problems with the CCA software), with the intent of full disclosure of the patch and upgrades. This isn't really a punishment for breaking things, it's a DMCA-style punishment for figuring out how someone might break things.
(IANAL)
When I started as a freshman at the University of South Carolina 2 years ago, they were already using CCA. Its main intrusion was the fact that the University demanded that we use McAfee regardless of any other (superior) software we may have already purchased. Personally, I used Symantec Antivirus (Corporate) that I got through my internship. Regardless, it forced McAfee down my throat. I couldn't use the two side by side, as XP would freeze on startup with both installed.

I noticed that the policy for CCA usage only applied to Windows computers, and that Linux and Mac users were exempt. So I booted my SuSE installation and launched Firefox to discover a web-gate type login, a form that I had to put my CCA user and pass into. Once entered, it said I was logged in for 7 days. I thought, well there's really only one way they're separating out Windows, Macs and Linux boxes: the user-agent. All it took to bypass was a custom Firefox deployment package pre-configured with User Agent Switcher. You didn't even need CCA installed. Every 7 days you got the web-gate login. All you had to do was switch to the pre-configured Linux user-agent and log in, upon which you could change back to the default and continue on your merry way for 7 days.

In about a week everyone in my dorm was using it, and it still works today. They just ban the user-agent when they catch on, and we come up with new ones. I'm not sure whether this guy's University differs, but it really shouldn't take any kind of sexy software hackery to bypass it.

PS. wtf is up with slashdot's server? It took me like 15 minutes to get this posted
mmm...muffins
I bet he's reconsidering helping them now.
The article goes over it pretty well, but Cisco Clean Access Agent, in my experience at my college is more of a headache than it's worth. If someone has the slightest problem with Anti-virus updates, they get locked out every week, (I actually have to download the smart installer for them, and then patch it manually). Plus, a lot of good antiviruses aren't recognized by CCA agent as being acceptable. I currently run Windows 2003 server as a desktop, and CCA agent doesn't play nice with me either - I have to trick CCA agent by using a virtual machine for logins. Frankly, if there was a link to this program, I'd be using it right now...
Maybe it's just me but isn't the statement that he was going to inform Cisco sometime this summer pretty vague? What was holding him back?
~S
Steve Jobs openly admits to phone phreaking and calling the Pope. Both he and Bill Gates eventually dropped out of school. It's clear that, to become a person of substance, you have to be willing to challenge authority once in a while. Are we trying to raise a generation of corporate drones who are so obedient they can never pose a competitive threat to the existing oligarchy? Are we so insane we let disturbed students stay in school and own guns, but suspend ones who are merely using the university's property, paid for by their tuition, more efficiently than average?
He should have talked to the campus IT guys about this "research" before conducting it on live campus systems. I worked in campus IT at Stanford and my experience is that they might be open to seeing what you're working on and allowing it.
/. conveniently left off the next paragraph:
The article summary posted here on
Maass' program was in use for approximately seven months before the University froze his UP account.
So he ran this thing for most of the school year and gave it away to his friends and put up a facebook page about it without telling Cisco? At some point it starts to look like the, "I was about to tell Cisco!" claim is just an excuse to get out of trouble. Once he had a working demonstration he should have approached Cisco, not distributed it while he put off talking to the vendor for half a year.
Still, it seems like the uni is going overboard on the punishment.
Lasers Controlled Games!
story after story, it's "this student scared us - let's git 'em!".
why is this country SO AFRAID of students and so into controlling them? I'm not sure I could survive in a modern high school or even college environment now. I'd be too angry all the time at how badly they are mismanaging our youth.
I am quickly losing all my faith and trust in the so-called 'education system' we have in the US. it's becoming not much more than babysitting and nannying.
and I fear for the kind of young adults we are going to produce from this brainwashing factory we call 'school'.
anyway, what good is there in suspending this kid? what does that accomplish? the fact that he found YOUR security flaw embarrassed you? is that a reason to punish him?
perhaps the school does not DESERVE your funding. yes, YOU fund the school - they work FOR YOU. it's not the other way around. YOU are the consumer. if school-A is giving you crap, why not take your business elsewhere? yes, school IS a business - very much so.
--
"It is now safe to switch off your computer."
TFA says he was running this program for seven months, and was planning on alerting cisco "this summer", and he also spread the program to his friends. Doesn't really sound like security research to me, more like bypassing the security for your own convenience. You really don't "research" a security flaw for seven months, and even spread it to other people.
Doolittle :
Bomb no.20 : To explode of course.
If you stop thinking of school (all school, from kindergarten through college) as "where you went when you wanted to learn about things, test things, build new things, and in general broaden your horizons and expand what you are capable of doing" and instead start thinking about it as a way to keep people busy and out of the work force for a while, then the whole thing starts to make a lot more sense.
Imagine what the job market and the economy would look like if everyone in our overpopulated civilization who could work, had one.
We are the fire that lights our world.. and we are the fire that consumes it.
Early on we ran into some policy issues at the university.
The solution...
Take the engineering department off of the campus network and maintain it ourselves.
It worked out fairly well when I was there, but resulted in some equipment deficiencies. We ended up getting the backend of the upgrade cycle, but that was fine as we were allowed to "blow them up."
This would not have worked without volunteer work and when I had returned I was already a competent admin. It probably wouldn't scale too well, but it's a good learning experience for some.
It does lead to issues though...
At one point, a professor proclaims the network seems to be having issues and at that point I poked my head up.
"Um, no it's not... I'm putting in dDNS... because it looked like fun."
Things were back up momentarily. (Hey I was young!)
The best was probably the day I rooted the servers and updated the motd.
"Under new management -- cylix"
This was of course the policy for gaining administration for maintaining systems. The final system I had to social engineer my way into... sorta... I basically made it into the server room with the prof maintaining things and he left to go get some papers. He knew I was after the final system and just wouldn't let me take it over without a fight. He had to know what I was going to do and probably just wanted to see how fast I could get my hands into the system. The moment he stepped out I tackled the keyboard like it was a drunken cheerleader.
The only catch was no denial of service. So, if you were going to bring something down... no one could notice.
Fun times!
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
U of P is a Catholic school with no particular engineering focus. I think he would have stood a better chance of a reasonable response had he been attending a "real" engineering school. There's nothing wrong with Catholic school, or in studying engineering at such a school, but I think this poor guy should have seen it coming... If you're going to do research like this, do it at home. If he wanted to inform Cisco of the problems, he should have just done so directly. I feel bad for the guy but it's not surprising.
If I did something like that and got caught I would say I was planning to come clean as well.
Which brings up your main, and correct, point. It's sad when we penalize so harshly for students just being clever. Would they have suspended him for a year for putting a penny in the dorm elevator (in effect locking it on a single floor during early morning rush time)??? I often joke, and I'm sadly accurate: If I did half of what I did 20 years ago in high school and later college... today... I'd be a multiple strike felon... and yet no one or any property was really ever hurt
Total? -9 points. Not good. The university had no choice. For reference, here is the scale:
Too bad the guy may lose his scholarship. He presented it wrong, especially giving it out and not telling Cisco immediately, along with running it himself. But it doesn't deserve a full suspension for a semester.
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
To those who are saying "CCA doesn't recognize perfectly good antivirus packages" (and other sorts of comments). Most, if not all, of that is configurable on the backend. If your school forces McAfee, they likely removed (or never added) other products to the CCA server. The college for which I work supports Symantec, McAfee (which we give away to students), AVG, and at least a few others.
If your CCA isn't accepting an antivirus scanner you like, why not go through the proper channels to find out *why* it's not supported and see about getting that fixed?
bork bork bork!
I don't get it. Is this a client that runs on your personal machine? Or something installed on University machines?
If the former, then yeah, the kid had it coming. You don't bypass security on computers that aren't yours. Punishment was too harsh, but it sounds like he did break policy, and the university is in the right to do something. If he didn't have permission to bypass security on their network for research, then he has no excuse.
Now if it was the latter, and he did this on his OWN machine on the university network, then unless they state somewhere specifically that you "MUST BE RUNNING CCA TO ACCESS OUR CRAPPY NETWORK!!" then the university doesn't really have a case.
IANAL, but I am in IT. We are slightly lax about what we allow our employees to do with their machines, since we have less than 200 employees. But if they bypassed security? Breach of usage policy, case closed.
The article is vague, how exactly did he "patch some holes" by bypassing CCA?
-- Having a Creationist Museum is like having an Atheist place of worship
I take back what I said before.
The idea that he was about to tell Cisco about it is a pretty weak cover story, given his behaviour.
File under 'M' for 'Manic ranting'
I just finished working with the CCIE who implemented the CCA at U of P today and he said the student wasn't suspended for circumventing the CCA but rather distributing it to other students, which in my book is malicious. And for the record I work for a University around 30 miles away from U of P.
Many of the arguments we use to - justly - defend security researchers seem like they may not apply in this case.
* He used the software to bypass the security check for seven months
* He distributed the software to several other students and a professor
* He did not disclose the vulnerability to the vendor before releasing his exploit
* He did not ask permission
Now, this is not to say that the University's use of CCA is wise or its reaction was reasonably proportionate to the damage done. (If the damage and the policy violation is as minimal as the article claims, a 1-year suspension is insane.) But Mr. Maass did not do a good job of covering his ass, either.
Let this be a lesson to the next guy.
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
Clearly you haven't learned from the movie "Catch Me If You Can".
These people can outsmart you every minute of the day if you give them reason to. Why not just employ them and get on their side?
Oh right, this isn't about security, this is another stupid power struggle.
Regardless of the student's ethics (or lack thereof), this illustrates a fallacy of trust in computing that often goes overlooked, especially in software security products: transitive (implicit) trust.
... If the administrator (of the University, some enterprise, or even a home network) cannot state anything about the trustworthiness of an unfamiliar computer, how can that same administrator trust the output of some software program designed to assert the trustworthiness of an otherwise untrusted computer?
Think about it logically for a second
Trusted input (e.g. Cisco Clean Access)
+ Untrusted computation (unknown host)
!= Trusted output (i.e. an assertion from the CCA that the computer is trustworthy)
The nature of this equation is that the untrusted computer is implicitly trusted to compute its own trustworthiness. What ramifications does that have on the real world analogies?
Banker: Can I trust that you'll repay this loan for $1 Billion?
Some joe off the street: [Hides "will work for food" cardboard sign behind his back.] Uh, sure.
And yet, how many NAC/NAP vendors actually try to challenge the unknown host (java applet, activeX control, native code, etc.)? Answer is: nearly all of them, unfortunately. Even if Cisco fixes this hole, what will happen next? This is not unlike Cisco trying to sell a perpetual motion machine-- this simply defies the "natural laws" of security.
--
NAC is not the answer. How about those good ol' 3270 connections?
Would you care to quote the policy you claim he broke?
No, it sounds like he embarrassed the University IT administration, so they closed ranks and used a kangaroo court to express their displeasure. Dean Wormer put him on double secret probation first, I'm sure.
"National Security is the chief cause of national insecurity." - Celine's First Law
I wasn't burglarizing this house, I was just checking the home security system for holes!
OK this story is sensationalist BS. Maybe the summary should have stated that he USED IT FOR SEVEN MONTHS and GAVE IT OUT TO FRIENDS!? Come on, only when he gets caught does he say he was going to share his results. Yeah, that's like embezzling and then saying you were going to give all the money back when you get caught.
My university imposed this crapola on all dorm residents during the summer to test it out. I wasn't there, but my girlfriend's computer suffered the consequences of it. They forced her to uninstall the AVG antivirus and Comodo firewall that I configured, and during the transition her computer was massively hijacked. I'll admit, the dorm networks there are atrocious and this type of software might have been a good idea. Worms/viruses were absolutely rampant; two or three times a day AVG would popup saying it found a threat in some random temporary folder, and the firewall would report numerous "intrusion attempts". However, they didn't even warn people that they would be COMPLETELY unprotected while they are installing the new protection software. If I was there I would have unplugged the network cable during all this. Opening the ports for even five minutes proved disastrous. Needless to say I ended up reformatting.
They never did implement CCA after the trial. Now, the dorm network is simply bandwidth-throttled and packet-shaped to oblivion. Dial-up is faster, I am sure. It's still a security risk, but so slow that no one gives a shit.
OTOH, if he were smart enough to break this thing and he were malicious, he would have instead sold it to some Russian hacking group to put into new viruses. He didn't. He didn't crack anybody else's machines with it. He didn't run it on university equipment. He didn't do any of the thousands of truly malicious things he could have done. Based on that, I see no reason to believe that the guy didn't intend to tell Cisco about it... but probably not until after he graduated so that he wouldn't have to deal with a bug-fixed version of the software that disabled his workaround....
Instead of using the software maliciously (which would have been relatively easy by comparison), the guy just ran it on his own personal machines and gave it to other people to willingly run on their own personal machines so that they could use the network without the interference of an overbearing piece of security software. All the guy did was write software that made it look like he was running the stupid tool that the uni required him to run in order to use the network without actually having to run it. That's hardly malicious behavior, and if the guy was running reasonable antivirus protection software and was keeping up-to-date with security patches without the "assistance" of the tool in question, it really didn't create any significant security risk, either.
No, this is a typical knee-jerk reaction by bureaucrats. I would expect nothing better from most universities, but it's still a shame every time someone's life is needlessly wrecked because of a bunch of pencil pushers.
Check out my sci-fi/humor trilogy at PatriotsBooks.
I was talking about colleges and universities; lower schools are a somewhat different matter. Second of all, the problem 95% of the time isn't schools (almost all, even "magnet", middle and high schools are rigid) or the nature of the student but parenting (or rather lack thereof). Now I'm not blaming the parents per se but simply saying that there are tons of options to get out of the hell hole of a system if you are determined enough.
Likewise children should be taught to do the damn work, contrary to what you may believe in real life you all too often need to do bitch work and you can't cry or throw a tantrum or get bored. I remember fondly how in 6th grade after realizing that every math assignment was from the book I simply took a few days and did all the assignments till the end of the year. Doing them all at once on my own was mildly interesting and gave me 2+ months of no math homework. A few friends even got into it and we had a sort of implied competition on who could finish the problems the fastest.
Who says you even need a plugin? Just go to about:config, right-click and enter a new string that is named "general.useragent.override" and for the value enter anything you like. Examples of user agent strings can be found here.
What a crock-o-blank,
;-)
Typical University IT people not knowing what the hell they are dealing with. Think this "breach" was a big deal? Think again.
Know how to use the Windows Registry? You'll love how simple this is...
Cisco Clean Access looks for several registry keys that determine which Windows patches are installed and which are not. It also looks for registry info to give the system a look at what anti-virus package they are running and which DAT file they have. Basically, all his program would need to do is create entries in the registry in the locations where Clean Access would look. It would defeat the security check and the remediation process very easily.
This is not a vulnerability, it is the means by which the system works.
1. User connects to the network. When a browser is launched, the user is redirected and prompted to install the Clean Access Agent from the Clean Access Server.
2. The user is presented with a login box where he/she would log into the system.
3. The Clean Access Agent checks for several registry flags to determine which Windows Updates are installed and what anti-virus/anti-spyware is installed. It will also check the registry for anti-virus/anti-spyware DAT/REG file date and versions.
4. If the system is not up to date, they are passed to a temporary role (remediation stage) where they are only permitted access to selected sites to download the updates they need.
5. Users are left in the temporary role until they fulfill the logon requirements. Once the requirements have been completed, they are passed to the main role allowing full access to the network.
Now...for the easy part...
Wanna get around the CCA check without installing patch KB918439? Create the following registry keys ending with Filelist.
[\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB918439\Filelist\]
How about getting around AV installation (McAfee VirusScan Enterprise as an example)? Create the following registry keys ending with VirusScan Enterprise.
[\HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\]
How about getting around a forced DAT update? Create the following registry keys ending with CurrentVersion. Also create a string value called szVirDefVer with a value greater than 5018.
[\HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion\]
Heh...that wasn't so bad...was it?
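The post above shows the attacker's side of a registry-only posture check, and an earlier comment made the more general point that a host cannot be trusted to compute its own trustworthiness. The following PowerShell is an added example written for this page (it is not Cisco's code, not the student's program, and not anything the posts above supply). It reads the same registry locations the post names and cross-checks each claim against something the installer or the OS populates independently: Win32_QuickFixEngineering via Get-HotFix for the hotfix, and Windows Security Center (root\SecurityCenter2, Vista and later only) plus the vendor's on-access scanner process for the anti-virus. The McAfee process name Mcshield, the treatment of a value-less key as a forgery indicator, and the DAT threshold 5018 are assumptions taken from the post or from general product knowledge, not from the original discussion. Run it in an elevated session on the Windows host being checked.

```powershell
# Added example: defender-side cross-check of a registry-only posture claim.
# Assumptions: elevated PowerShell 3.0+ on the host under test; registry paths
# are the ones the post above names; Mcshield is McAfee VSE's on-access scanner.

function Test-HotfixClaim {
    param(
        [Parameter(Mandatory)][string]$Kb,                       # e.g. 'KB918439'
        [string]$UpdatesRoot = 'HKLM:\SOFTWARE\Microsoft\Updates' # where the posture check looks
    )
    # 1. What a registry-based check sees: any subkey named <KB> under the Updates hive.
    $regKeys = @(Get-ChildItem -Path $UpdatesRoot -Recurse -ErrorAction SilentlyContinue |
                 Where-Object { $_.PSChildName -ieq $Kb })

    # 2. A genuine hotfix install writes values into its key (Description, InstalledBy,
    #    InstalledDate, ...). A key created by hand to satisfy the check usually has none.
    #    This is a heuristic (assumption), not proof.
    $bareKey = $false
    foreach ($k in $regKeys) { if ($k.ValueCount -eq 0) { $bareKey = $true } }

    # 3. What Windows' own servicing record says (Win32_QuickFixEngineering).
    $qfe = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue

    [pscustomobject]@{
        KB            = $Kb
        RegistryClaim = ($regKeys.Count -gt 0)
        BareKey       = $bareKey
        QfeRecord     = [bool]$qfe
        # Claimed in the registry but either unknown to QFE or a bare key: worth a look.
        Suspicious    = ($regKeys.Count -gt 0) -and ((-not $qfe) -or $bareKey)
    }
}

function Test-AvClaim {
    param(
        [string]$McAfeeKey = 'HKLM:\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion',
        [int]$MinDatVersion = 5018                               # threshold quoted in the post
    )
    # 1. What the posture check reads: the DAT version string in the vendor key.
    $claimed   = (Get-ItemProperty -Path $McAfeeKey -Name szVirDefVer -ErrorAction SilentlyContinue).szVirDefVer
    $claimedOk = ($claimed -as [int]) -gt $MinDatVersion       # non-numeric or missing -> $false

    # 2. Is any AV engine registered with Windows Security Center? (root\SecurityCenter2, Vista+)
    $registered = @(Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct -ErrorAction SilentlyContinue)

    # 3. Is the product's own scanner actually running? (assumed process name)
    $scanner = Get-Process -Name Mcshield -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ClaimedDatVersion = $claimed
        ClaimPassesCheck  = [bool]$claimedOk
        InSecurityCenter  = ($registered.Count -gt 0)
        ScannerRunning    = [bool]$scanner
        # Registry says "up to date" but nothing else on the box knows about an AV product.
        Suspicious        = [bool]$claimedOk -and -not (($registered.Count -gt 0) -or $scanner)
    }
}

# Usage: check the two claims the post above shows how to forge.
Test-HotfixClaim -Kb 'KB918439' | Format-List
Test-AvClaim | Format-List
```

The caveat a practitioner should keep in mind: every read above still executes on the same host whose posture is in question. It catches the lazy forgery the post describes (a bare key dropped where the agent looks) but does nothing about the transitive-trust problem raised earlier in the thread, since an attacker with admin rights can plant QFE records or spoof a process just as easily as a registry key. Nothing run on the untrusted endpoint can upgrade that endpoint's self-report into a trusted assertion; it can only raise the cost of the cheapest forgery.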