Security Education

Oxford Students Hack University Network

An anonymous reader writes "Both The Guardian and BBC News are carrying the story that two students at the University of Oxford, Patrick Foster and Roger Waite, were able to easily hack into the university's internal network in minutes using only easily-available software. Once inside, they could find out anyone's email password, observe instant messenger conversations and control parts of the university's CCTV system. The students were investigating the university's network security for the student newspaper, The Oxford Student, which published a front page article and editorial on the matter. In the article, a university spokesperson is quoted as saying 'In some cases the wish to provide the widest possible computer access as cheaply as possible may mean deciding to go for a cheaper set-up, with potentially lower security.' The students now face disciplinary proceedings from the university and could receive rustication (suspension) and a 500 pound fine. The matter has also been passed on to the police."
  • Re:Oxford Loses Out (Score:5, Interesting)

    by sirsnork ( 530512 ) on Friday July 16, 2004 @12:42AM (#9713820)
    The multiple-PhD Admin certainly knows it, and has likely been voicing his concerns for some time. Unfortunately the way the world works is that if it ain't broke, don't fix it. I imagine said admin(s) will now get the money they require to resolve the problem properly, otherwise Oxford risk more students doing this in 12 months time and looking even more silly.
  • by samot84aol.com ( 554299 ) on Friday July 16, 2004 @12:42AM (#9713823)
    Why did they use names in the paper--they could have used an anonymous source.
  • by randyest ( 589159 ) on Friday July 16, 2004 @12:46AM (#9713835) Homepage
    An IT Officer at College A said: "Short of keeping the network as segmented as possible, there is very little we can do." In a warning to students, he added: "I am able to monitor my network, and student regulations mean that any member abusing it would find themselves before the Dean."

    Er, require strong passwords? Hm, yeah, that'd work, and I guess it is "little" to do :)

    The OxStu has agreed not to pass on the methods used to carry out such actions, which fall foul of both the law and OUCS guidelines. One computer expert told The OxStu that the actions were virtually untraceable.


    How clever of them -- security by obscurity. I'm sure those "methods" would be far too complex for us to understand anyway, right? ;)

    It can take less than a minute to obtain an individual student's email password. A student at College B whose password was compromised told The OxStu: "It's absolutely ridiculous that security could be so light. I'll certainly be changing my password regularly in the future."


    Oh! So that's it. Weak passwords (or maybe a little social engineering, or both.) Gosh -- better keep a lid on that secret.
  • by MrRTFM ( 740877 ) * on Friday July 16, 2004 @12:49AM (#9713851) Journal
    Absolutely. The Unis should try and foster an open environment, and not be so bloody harsh on students - who do occasionally 'bend the rules'.

    This is probably the only time in people's lives that they can experiment like this, and they shouldn't be heavily fined/expelled/sued. Maybe a formal 'slap on the wrist', but that's it.

    It's Uni - not a top secret government agency.
  • academic freedom (Score:5, Interesting)

    by havaloc ( 50551 ) * on Friday July 16, 2004 @12:49AM (#9713853) Homepage
    While this is an extreme hack and what not, you'd be surprised about how much resistance there is to security in a university setting. When my university installed email/virus scanning software, it was a HUGE deal and nearly wasn't installed because of concerns about academic freedom.
    When I suggested turning on the Windows Firewall on Faculty PCs, I was told that it was a no-no because it could interfere with Academic freedom. Freedom above everything else is the university motto.
  • ..Well (Score:5, Interesting)

    by SinaSa ( 709393 ) on Friday July 16, 2004 @12:53AM (#9713868) Homepage
    Speaking as someone who sysadmin'd at one of the top five universities in my country, I can say that most universities are like this.

    Security is lax, well, because the information that someone would want to steal is usually already available on the various faculty websites.

    The only things I can think of that are actually worth securing ARE secured. Who cares if these guys can change someone's email password. Most uni students don't even use their supplied email addresses, and they are usually only used as a redundant means of sending out marks. I wouldn't be worried about the CCTV monitoring either. It's not like the CCTV was viewing some "restricted" area of the university. Want to see what's going on? Walk down there and take a look. *gasp*.

    I'm probably being a troll (I can't even tell anymore) but honestly, most university security is so lax because there simply isn't that much data that requires securing.
  • Bullshit. (Score:5, Interesting)

    by Crasoum ( 618885 ) on Friday July 16, 2004 @12:54AM (#9713871) Journal
    White-hat my ass, they didn't ask for permission to crack the system first; they did it, THEN told them they did it, how easy it was and oh yea, it was for altruistic purposes.

    In this day and age of computers being ubiquitous with education, and many college kids, regardless of what school you end up going to, not knowing damn near the first thing about computer security, rooting a system is hardly an accomplishment. What it is though, is invasion of privacy, more than likely an infringement on the User Agreement which all colleges I've been to have to get on their network, and a really REALLY dumb way of propping yourself up to look cool.

    As for What they did, looking into MSN conversations isn't hard, it's plaintext across a network, set up a box to dump all the shit it gets and voila, hours of juicy reading material.

    E-mail passwords are also easy to get plaintext, unless the users of the network use some type of security layer, (SSL and the like) otherwise if you go to a normal webmail account, (http://webmail.schooname.com) you send your shit plaintext most of the time, Purdue, BSU, and a few other Indiana schools do that.

    The only thing I think that is dumb on the administration's part is having the Closed Circuit Televisions controlled via the internal network, that shit should be on a totally different network, that is the only real folly I see that is just nasty. Otherwise most of the shit is just because people are not security conscious.
  • root/root (Score:5, Interesting)

    by codeonezero ( 540302 ) on Friday July 16, 2004 @12:57AM (#9713884)
    Reminds me of my first year in college where I tried logging into the school server from my dorm computer on the school network with login root and password root....

    I was just curious at the time :-)

    A day later I get a rather straightforward e-mail from the system op, telling me to stop, or they will report me to the appropriate authorities, and about possible disciplinary options.

    Well at least I found out that they were smart enough to change the password, and keep an eye on what people were trying to do :-)
  • Re:Get permission! (Score:3, Interesting)

    by Artega VH ( 739847 ) on Friday July 16, 2004 @01:05AM (#9713915) Journal
    what university did you go to? my uni newspaper is hated by the administration.... so much so that there are now two.. the student one and the one put out by the administration :p
  • Re:Oxford Loses Out (Score:5, Interesting)

    by Smitty825 ( 114634 ) on Friday July 16, 2004 @01:23AM (#9713984) Homepage Journal
    Maybe my memory is foggy, plus, I realize that the incident occurred at Oxford University, which is in the UK, not the US, but.... (Is that enough of a disclaimer?)

    I recall that in the US, the Supreme Court has afforded protection to journalists who intentionally broke security laws to protect the public interest. For example, I seem to remember that in the pre-9/11 days, it was ok for a journalist to try and sneak a gun past the security checkpoints, as long as they didn't ever board a plane.

    If caught, the journalist would go to jail, but charges would be thrown out...I don't remember how everything worked, and I'm too lazy to type it into google :-)
  • Re:root/root (Score:4, Interesting)

    by TrevorB ( 57780 ) on Friday July 16, 2004 @01:34AM (#9714024) Homepage
    Are you sure that they didn't change the "root" user account to something else, and left the login id "root" as a honeypot to watch for hackers?

    The fact that they responded the next day indicates they were watching rather closely. Log watching is not something you expect from sysadmins who don't change their passwords.
  • The only difference (Score:3, Interesting)

    by DarkMantle ( 784415 ) on Friday July 16, 2004 @01:35AM (#9714027) Homepage
    I made a deal with the school... Don't expel me... I'll help you fix it. Also admitting through an anonymous hotmail account helped... especially since every time I logged in it was from the school IP address.
  • by perlchild ( 582235 ) on Friday July 16, 2004 @01:38AM (#9714041)
    It's only maladministration if the administration is warned of a potential exploit, and does nothing. However, the recent legal climate makes it MANDATORY that this warning be done in an anonymous manner. Quite simply, because it's a crime to find an exploit on someone else's network, but choosing NOT to fix a bug is not a punishable crime (that's defensible, in a way: some bugfixes have been known to be worse than what they cured before). The only problem is that if a) the network handles YOUR sensitive private confidential or financial information, and you know it's being mishandled, you have one choice, to leave the institution, since:

    1) You can't force them to use secure transmission of all data
    2) You can't force them to use secure transmission of YOUR data
    3) You can't force them to follow best practices in the handling of all data
    4) If you try to point out in a public forum that their handling of your data is faulty in any way, you can be sued

    But you can't sue them UNTIL your information is in the hand of someone who uses it illegally.

    Anyone notice how badly this deck is stacked yet?
  • Re:Yeah... and? (Score:5, Interesting)

    by gilrain ( 638808 ) <gilrain@@@lunarpolicy...net> on Friday July 16, 2004 @01:43AM (#9714057) Homepage
    The thing is, university campuses tend to almost have their own legal systems. At least, on the campuses I've been on, certain things are more legal than in the real world, and others are less legal. In general, unless it gets out of hand, problems on campus are handled by the university administration. For instance, plagiarism is given a grade of 0, or might even result in expulsion -- but how often do you see it reported to any kind of legal authority?

    That's why this surprised me. In the real world, sure they would be rightfully prosecuted. But with the entire event being isolated to a university campus...
  • by Anonymous Coward on Friday July 16, 2004 @01:47AM (#9714073)
    You know nothing.

    The press isn't above the law.

    These folks didn't just "alert the population," they broke the law first.

    Be careful what you wish for. If you let the press be above the law, they will break into your house and look for incriminating documents. They will stop you in the street and strip-search you: "action of the press!" :-P

    Always, always think before shooting your mouth off: "if I allow them to do this on others, what will stop them from doing it on me?"

    -hadohk
  • by nickol ( 208154 ) on Friday July 16, 2004 @01:47AM (#9714074)
    What's going on? When I was a student, our teachers offered highest marks in system programming to everyone who could hack the department network. A student had a choice: to study everything or just to prove himself capable. After each successful break-in, the hole was patched and the network became more protected.

    This is the proper way. But making an unprotected network and calling the police... it's a degradation.

  • Re:500 pound fine? (Score:2, Interesting)

    by PedanticSpellingTrol ( 746300 ) on Friday July 16, 2004 @02:05AM (#9714148)
    Honest to god, I've seen a physics textbook in the Clemson University library that wanted the answer to an acceleration problem given in Angstroms per (Carbon-13 Halflife)^2. I can't recall the author, but it was in the "Physics is Fun!" series.

    Nice work alluding to comments from an earlier story, BTW. I wonder who else noticed?

  • Re:little we can do? (Score:1, Interesting)

    by Anonymous Coward on Friday July 16, 2004 @02:25AM (#9714208)
    If that was the entire quote from a technical admin then this should have been modded insightful, not interesting.

    If on the other hand, the tech then added "with the available budget", or similar. Or if this was the non-technical IT manager, then it is probably unfair.
  • by alstor ( 587931 ) on Friday July 16, 2004 @02:28AM (#9714217) Homepage
    If they were really interested in the best interests of the school they should have avoided embarrassing the school's administration.

    Best interest of the school, or of the students?

    Have you ever happened to try reporting security issues to a school? I have--the grades database server at my old high school was insecure (no sa password on the SQL server). After I reported the issue to the superintendent, the entire IT department, several teachers, and an assistant principal, it took the IT guys 4 months just to set a password. A local malicious attacker was unlikely, but a worm or outside attack was surely possible. Sure, my high school isn't Oxford, but an increased time delay for such a simple fix at my school, in comparison to a more complicated one for a larger institution like Oxford, could be understandable. If I had perhaps reported it to the school newspaper, the issue would probably have been resolved more quickly because students' grades were in jeopardy, and a larger community knew it. Groups create more action than a single person creates, just look at how well lobbying works.

    Sure, the two students are probably in more trouble now than they would have been, but the issues are now probably being resolved more quickly.
  • by Triumph The Insult C ( 586706 ) on Friday July 16, 2004 @03:04AM (#9714287) Homepage Journal
    vlans are for performance. cisco has incorrectly convinced people they are for security
  • Nope, sorry (Score:3, Interesting)

    by Sycraft-fu ( 314770 ) on Friday July 16, 2004 @03:38AM (#9714361)
    You don't have a right to try and break in to places you do business at. Try it if you like, try and break in to your bank, but don't bitch when the cops haul you off to jail.

    If they suspect a problem, they need to talk to the school about it and get permission. Just running off and doing it isn't acceptable.

    You are free to test the security of things YOU OWN. You can break in to your house, you can hack your own computer. You can break the window of your own car. However you can't do any of those things to someone's property you just happen to use. Just because you have an account on a system I own doesn't give you permission to hack it. Just because I'm storing your bicycle for you doesn't give you permission to break in to my garage.

    Look, I'll even entertain an argument that the law should be changed to make it legal, though I disagree, but you can't claim this isn't what the law is. Hence, they didn't have a right since they were breaking the law.
  • by Dorktrix ( 148287 ) on Friday July 16, 2004 @03:39AM (#9714363) Homepage
    I accidentally hacked into the web site that my university created for alumni (I went to a very respectable west coast university)... It turns out that the temporary password they used when you "reset" your password was a keyword followed by the current date (i.e., "keyword20040716"). So to break into someone's account, you would just "reset" their password and then log into their account with the password "keyword20040716". No joke.

    This was the first email I got when I decided to go the route of notifying them directly rather than publishing my findings:
    Hi Bret,

    Thank you for your suggestion. This is the way the system was designed by our developers. If a temporary password is generated, an email is sent to the original user notifying him/her of the change. It is certainly a trade-off of convenience and security. Thanks for writing,

    Adam
    And this was my subsequent response:
    The problem is that my own personal email and personal information is at risk for your convenience. The level of security of the site is unacceptable, and I am sure that all of the other users of the site would agree with me. I don't want to make this blatant security hole known to the public, but I will if that is what it will take for you to fix it. Any system that allows access to personal email should not be designed so hastily. If you give me a time frame in which your organization will fix the security hole, I will not publish any information on how to exploit the hole until it is fixed.

    While it is true that the person receives an email when a temporary password is generated, the attacker can easily change the password before the "real" user has the opportunity to use the temporary password, effectively eliminating access to the account until a [snip] Alumni administrator comes in to fix the problem, which could take days.

    I am disappointed that, when notified of a major security breach, the [snip] Alumni organization responds with an apology rather than an intention to fix the problem. It greatly reduces my confidence in the [snip] Alumni web services.

    I look forward to a response,
    Bret Taylor
    btaylor@[snip]
    Which finally resulted in this (I guess it was escalated):
    Hello Bret,

    Thank you for sharing your concern regarding the issuing of the passwords. I have passed on this information to our developers who will address the issue.

    Please let me know if I can be of further assistance to you.

    Pauline
    I never heard back, but about three months later it was finally fixed. THREE MONTHS. Sometimes a little fire like an article is necessary to get bureaucracies moving.

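    The weakness in the post above is that the temporary password is a function of public information (the date) plus one shared secret, so every reset on the site yields the same guessable value on a given day. As an added illustration (not code from the post or from the alumni site), the following Python reconstructs that predictable scheme beside a reset-token store built the way a defender would want it: tokens come from a CSPRNG, only a hash of the token is kept server-side, a token is single-use, it expires, and issuing a new reset supersedes the old one. The keyword, usernames and TTL are constructed values.

```python
import hashlib
import hmac
import secrets
import time
from datetime import date


def predictable_temp_password(keyword: str, today: date) -> str:
    """The scheme described in the post: fixed keyword + today's date.
    Anyone who knows the keyword can compute every user's reset password."""
    return f"{keyword}{today:%Y%m%d}"


class ResetTokenStore:
    """Single-use, expiring password-reset tokens (constructed example).

    Only a SHA-256 digest of each token is stored, so a leaked copy of this
    table does not let anyone complete a reset; the plaintext token exists
    once, in the e-mail sent to the account owner.
    """

    def __init__(self, ttl_seconds: int = 900, clock=time.time):
        self._clock = clock            # injectable for testing expiry
        self._ttl = ttl_seconds
        self._pending: dict[str, tuple[str, float]] = {}  # user -> (digest, expiry)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str) -> str:
        """Generate a fresh token; any earlier token for this user is void."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[username] = (self._digest(token), self._clock() + self._ttl)
        return token

    def redeem(self, username: str, presented: str) -> bool:
        """Return True exactly once for the current, unexpired token."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[username]     # expired: discard, do not honour
            return False
        # Constant-time comparison avoids leaking the digest byte by byte.
        if not hmac.compare_digest(digest, self._digest(presented)):
            return False
        del self._pending[username]         # consumed: single use
        return True


if __name__ == "__main__":
    print(predictable_temp_password("keyword", date(2004, 7, 16)))  # same for everyone
    store = ResetTokenStore()
    t = store.issue("alumnus")
    print(store.redeem("alumnus", t), store.redeem("alumnus", t))   # True False
```

    The superseding behaviour matters for the race the poster describes: if an attacker triggers a reset and then the real user triggers another, the attacker's token is dead, and the account owner's e-mail is the only place the live token ever appears.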
  • Re:Yeah... and? (Score:5, Interesting)

    by ScouseMouse ( 690083 ) on Friday July 16, 2004 @03:49AM (#9714383) Homepage
    Yeah, Uni Sysadmins hate to look stupid, because in an environment with a couple of hundred graduating CS students they are very easy to replace at the drop of a hat.

    When I was at college, I remember a friend of mine came over, but needed to do some work. Now the work was a document on a server in Preston Polytechnic, so we tried to FTP it over to the local VAX. Eventually we just gave up because it wasn't working.

    Now we don't know exactly what happened, but next day I got an email from a very annoyed SYSadmin for this system because we had caused some form of system failure by our actions. I think he called it a "Network breakthrough event" or something. Apparently somehow we had cacked their system in some way (I don't think it was permanent, or particularly serious). They were threatening to sue me and the guy involved.

    I sent them an email saying we only wanted to get some work off the server and promising never to go near their crappy system again.

    From what I found out later, the reason he was threatening me was because the Poly had recently promised someone doing some research that their system was safe and secure, and apparently something died (probably the FTP daemon) when the guy was in the room. Very embarrassing. So of course it all got blamed on them nasty hackers. :-)

    I later found out exactly how flaky a default PrimeOs installation was in person, it always surprised me after that how anyone would ever dream of using it in a production system, but then again, being brought up on VMS and UNIX, I seem to have got the strange impression that more than 10 hours uptime in one stretch is my god-given right :-).

  • Re:Yeah... and? (Score:2, Interesting)

    by sotonboy ( 753502 ) on Friday July 16, 2004 @04:25AM (#9714454)
    "For instance, plagiarism is given a grade of 0, or might even result in expulsion -- but how often do you see it reported to any kind of legal authority?"

    -- Well since you asked, we have some cretin in the UK who is suing his university after they kicked him out for plagiarising his entire coursework. He says the university wasn't clear enough that plagiarism wasn't allowed. It just goes to show what happens when your education system lets idiots go to university. And when your legal system allows idiots to sue.
  • Re:Yeah... and? (Score:3, Interesting)

    by shadowmatter ( 734276 ) on Friday July 16, 2004 @04:39AM (#9714486)
    Oh yeah, in University in 1995 we sent fake email between professors...

    Heh, speaking of forging e-mails from professors and university justice... That reminds me of a funny story:

    A friend of mine was teased relentlessly by a student in one of her classes about the professor liking her. The professor wasn't exactly young or attractive, and he was obviously doing this just to spite her, although it wasn't always in good fun. Anyway, in a move-gone-too-far, he decided to set up his Outlook e-mail client so that his name and reply-to address were those of the professor. He then proceeded to type her an e-mail, saying how he had the hots for her and whatnot.

    The problem was, he didn't type in her e-mail address correctly. And so her SMTP server bounced the e-mail back... To the real professor.

    Anyway, the prof contacted the University IT department, and I don't think that relentlessly teasing student goes here anymore.

    - sm
  • Re:Yeah... and? (Score:5, Interesting)

    by fucksl4shd0t ( 630000 ) on Friday July 16, 2004 @04:59AM (#9714531) Homepage Journal

    My first school hack was a real hack. I was playing some BASIC game on the Commodore 64 in the library and I hit a bug that prevented me from winning the game. A real, live bug. So I listed the line, identified the bug, and started fixing it when the librarian walked up and asked what I was doing. She wound up calling my parents saying I was trying to rewrite the game so I could win, you know, cheating.

    My parents were cool about it. When I got home my dad asked me what had happened, and since I had previously saved the game to my own disk (we weren't allowed to do that...) and brought it home I fired it up and reproduced the bug for him. Then he watched me fix it, called the librarian and bitched at her, because it was a real bug.

    I got kicked off the computer in the library after that. No big loss, we had two of those machines at home and tons more stuff. ;) But I've had a severe prejudice against librarians ever since then...

  • Re:Yeah... and? (Score:5, Interesting)

    by andy landy ( 306369 ) <aplandells&hotmail,com> on Friday July 16, 2004 @05:22AM (#9714591) Homepage
    I'm a sysadmin for a UK university and it's certainly true that we have our own rules. For example, our AUP forbids the use of peer-to-peer software as it's easier that way. Anyone using it is in breach of the AUP, clean and simple. That way we avoid having to deal with legalities of copyright infringement etc.

    As for prosecuting students who hack the systems and networks, we take a different approach. Before I was a sysadmin, I was a student at the same University and certainly had a go at the systems (I found a way to get a setuid copy of bash). On telling the sysadmins, they fixed the security hole, but I got kudos and respect for finding the hole.

    The general policy is that our Computer Science students should be smart enough to root the systems, and if they manage it, so long as they don't abuse it and they report it quickly, then we are happy!
  • by Mr Smidge ( 668120 ) on Friday July 16, 2004 @05:51AM (#9714649) Homepage
    Disclaimer: I am an Oxford student.

    When I read this article for myself, my thoughts were "Ah, good. They are making it more apparent that every system can have flaws and weaknesses if not set up and maintained properly", but the article generally came over as making it rather sensationalist that such a thing would be possible on the Oxford network.

    I was composing a letter to write in to the editor about similar weaknesses I had found but not ever dared to tell people about (almost entirely cases of not changing the default password), in which I pointed out that it's most likely that tons of networks are insecure in the same way, but people just don't find out that often.

    However, I then saw a small article in Oxford's rival student newspaper (The Cherwell), saying that these two students who wrote the article were being investigated by the proctors. I quickly decided not to submit my letter, though on reflection, maybe an anonymous submission might have been worthwhile sending.

    I agree with Pat Foster, who said: "I regret the fact that the university's priority seems to be pursuing Roger and myself, rather than addressing the issues we raised."
  • Actually... (Score:3, Interesting)

    by PsiPsiStar ( 95676 ) on Friday July 16, 2004 @05:56AM (#9714663)
    Actually, if everyone does a particular thing, sometimes it becomes legal.

    If you don't have 'no trespassing' signs on your yard and kids walk through it every day for, say about 7 years (this is the usual) you can actually lose the right to stop them. The area becomes public domain for a particular purpose.

    It would be interesting to see this applied to a network.

    (IANAL, btw)
  • by Alnitak73 ( 739151 ) on Friday July 16, 2004 @06:00AM (#9714680) Homepage

    Firstly, please let me clarify a few points about the article and the way stuff is run at Oxford:

    1. the University provides the inter-building network infrastructure, but each College and Department is responsible for running its own internal network
    2. there is no indication in the article that any University-maintained network infrastructure was penetrated.

    My understanding of what has probably happened is that one or more colleges have skimped on network hardware and not installed the recommended switched network equipment with MAC address protection.

    Alternatively the students may have found a way to defeat the security on the switch they're connected to that allowed them to mirror other ports' traffic down their port.

    Although they did sniff passwords for a University provided e-mail service, it seems that everything they did was within a college network.

    To say that the University network was hacked, as both the /. article and the student rag suggest, is not accurate and vastly inflates the scale of what these students "achieved".

    Alnitak - Oxford graduate and ex-staffer.

  • by LondonLawyer ( 609870 ) on Friday July 16, 2004 @06:02AM (#9714686) Journal
    university campuses tend to almost have their own legal systems

    But with the entire event being isolated to a university campus...

    There is no single campus at Oxford, only a collection of Colleges, Libraries and Faculties.

    The policing of Oxford students is dealt with mainly by the Colleges and the Proctors. The Proctors can be quite fierce if they fail to see the funny side. They are also quite old fashioned - most students hope only to encounter them at ceremonial occasions when they'll be wearing gowns and funny hats. There are also the 'Bulldogs' who are basically the heavies for the Proctors and go round in bowler hats and used to chase the students out of pubs in the old days.

    In this instance, the fact that the story was splashed on the front page of a newspaper with circulation throughout Oxford (rather than just within a campus) probably caused a lot of embarrassment. Added to which, I wouldn't be surprised if the Proctors have very little understanding of exactly what has been done or how. They will assume the worst. They probably just want to be seen to be taking the matter seriously and don't know exactly how serious it really is or what reaction is appropriate. In any case, rustication isn't so bad - you can come back to study once you've served your time away. They could have been 'sent down', in which case it'd be game over.
  • Re:Yeah... and? (Score:5, Interesting)

    by olderchurch ( 242469 ) on Friday July 16, 2004 @06:20AM (#9714728) Homepage Journal
    This is the exact same reason why I love my provider. From their general conditions [xs4all.nl]:
    4.4 Without prejudice to article 4.3, customers are permitted to hack the
    XS4ALL system.

    The first customer who succeeds in attaining a position equivalent to that
    of the XS4ALL system administrator will be offered six months' free use of
    the system, provided that the said customer explains how he or she succeeded
    in hacking the system, has not damaged the system or other customers and has
    respected the privacy of other customers. Each customer hereby gives consent
    for other customers to attempt to hack the system under the aforementioned
    conditions.
  • by FooAtWFU ( 699187 ) on Friday July 16, 2004 @07:17AM (#9714850) Homepage
    On the other hand, there are some very simple measures that certain sysadmins could take. For example, it would be nice if I could get to my campus email through a secure POP link. But the server doesn't have one enabled. Well then, say hello to PINE, via ssh! (mmm, PINE)...

    And on another level, they can force people to use some amount of SSL. Make the mail server SSL-only, for instance. This is especially the case at my university: each student is issued a standard university ThinkPad [wfu.edu], and they can control the load on those things. Set up a secure POP connection, have the new laptops set up to use it, and within one replacement cycle (two years) you can have everyone checking their mail securely. Would this be excessively burdensome? It won't protect your web mail or Slashdot account from packet sniffing, but it keeps your email (which usually shares your Important University Password) nice and secure!

    (Incidentally, they've been loading Mozilla on them for mail and browsing. I can only see good coming of that, at least.)

  • Re:Oxford Loses Out (Score:4, Interesting)

    by EvilTwinSkippy ( 112490 ) <yoda AT etoyoc DOT com> on Friday July 16, 2004 @07:33AM (#9714873) Homepage Journal
    Actually, no. There is no such exemption. There never was such an exemption. A journalist reporting the event might try to claim the 5th amendment (right to not testify against oneself). If he got the gun past security, and was the sole witness to his crime, he would get off on a technicality. There was no crime since he would be the only person to testify for the prosecution (and anyone who read the account in the news would be inadmissible as hearsay.)

    If the airport screeners actually found the gun, he would be breaking rocks in a federal pen.

  • Re:Yeah... and? (Score:4, Interesting)

    by div_2n ( 525075 ) on Friday July 16, 2004 @08:12AM (#9715000)
    I did almost the same thing for my college except I didn't admit to actually performing the hacking. I published HOW to hack the entire network, where to go and what software to get. For example, every Lexmark printer on campus was not password protected. By downloading the readily available Markvision management software, you could oh say change the LED display screen language to Mandarin.

    Among the big security problems were:

    -All students getting unfirewalled public IPs (I shit you not)

    -All servers having unfirewalled public IPs

    -E-mail hosted on old (probably unpatched) HP-Unix with the most basic of unshadowed DES passwords

    -NT servers (see above) without the latest patches

    When I contacted the IT department with comments on all of this prior to publishing, they said something like, "the average student doesn't know how to take advantage of all of those issues." That comment frosted me and prompted me to publish.

    The result? A firewall was installed in a matter of days and public IPs went private. Yes, I could have run any kind of server I wanted unhindered (and did) but I was concerned for the welfare of the students who would have their computers molested by crackers.

    Of course I later applied for a network admin job at the school upon graduating and didn't get the job, so maybe that wasn't so smart. But I did get a better job instead. In fact, the job formerly held by the guy my alma mater chose instead of me. How's that for irony?

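    As an added example (not code from the thread or from div_2n's article), a small check for the "unshadowed DES passwords" finding above: it scans passwd-format text and flags accounts whose password field still carries a hash rather than the placeholder that says the hash lives in /etc/shadow. The sample entries and their hashes are constructed.

```python
"""Flag unshadowed password hashes in /etc/passwd-format text (added example,
not code from the thread). With shadow passwords, field 2 of /etc/passwd is a
placeholder ('x'/'*') and the hash lives in root-only /etc/shadow; a hash left
in the world-readable passwd file can be read and cracked offline by any user."""
import re

# Traditional DES crypt(3): 2-char salt + 11-char hash from [./0-9A-Za-z].
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format: $1$ (MD5), $5$/$6$ (SHA-2), $2y$ (bcrypt), ...
MCF_RE = re.compile(r"^\$[0-9a-zA-Z]+\$")

def classify_password_field(field):
    """Classify passwd field 2: shadowed, locked, empty, des, mcf or unknown."""
    if field == "x":
        return "shadowed"  # hash lives in /etc/shadow
    if field.startswith(("*", "!")):
        return "locked"  # no valid hash; login disabled
    if field == "":
        return "empty"  # passwordless account
    if DES_CRYPT_RE.match(field):
        return "des"  # weak, world-readable DES hash
    if MCF_RE.match(field):
        return "mcf"  # stronger hash, but still world-readable
    return "unknown"

def audit_passwd(text):
    """Return (user, finding) pairs for entries exposing a hash or lacking a password."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("line %d" % lineno, "malformed"))
            continue
        kind = classify_password_field(fields[1])
        if kind in ("des", "mcf", "empty"):
            findings.append((fields[0], kind))
    return findings

# Constructed sample; the hashes are made-up strings of the right shape.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin
alice:abJnggxhB/yWI:1001:1001:Alice:/home/alice:/bin/sh
bob:$1$saltsalt$yqY2.C1t1QBuIxN9U96Ig.:1002:1002:Bob:/home/bob:/bin/sh
guest::1003:1003:Guest:/home/guest:/bin/sh
"""
```

    Running audit_passwd over the real file of a system that still keeps hashes in /etc/passwd lists every account whose credential any local user can copy off for offline cracking.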
  • Re:Yeah... and? (Score:2, Interesting)

    by olderchurch ( 242469 ) on Friday July 16, 2004 @08:19AM (#9715029) Homepage Journal
    But wait, there is more:
    XS4ALL fights spam [slashdot.org]
    and stands by their customer [slashdot.org]
  • Re:Yeah... and? (Score:4, Interesting)

    by Lumpy ( 12016 ) on Friday July 16, 2004 @09:30AM (#9715373) Homepage
    Good example. When I did freelance work I ALWAYS required 50% payment up front, and my expenses were split as product and labor. The up-front pay was for labor only, and the final payment at delivery was for the product (software, hardware, whatever); it was clearly written that way on the invoices.

    Once I went to deliver a software app, they did not have my money, so I uninstalled it, grabbed my stuff and started to leave. He threatened to call the cops, at which point I said, "please do, I would like to file a fraud report against you for trying to steal my software without paying for it." After some arguing, I picked up my cellphone and said, "fine, I'll call the cops," at which point the customer magically was able to produce a check for me. (Checks over $1000.00 are fine to take; it's a nasty felony that will get you thrown in jail for writing a bad check over $1000.00.)

    I sat down and reinstalled, and gave them another invoice for 3 hours more labor to cover the BS they tried to pull.

    I later forced the jerk to pay me in small claims court for the final labor invoice.

    Never put in time-bombs. ALWAYS have them pay up front for labor and demand payment for the product at delivery. If the company will not do that, then don't work for them; there are plenty of companies out there that are not scumbags.

    BTW, after a few years of freelance, I learned that most companies in the area knew about the company that tried to screw me; they had a reputation of trying to steal from contractors.

  • by cayenne8 ( 626475 ) on Friday July 16, 2004 @09:37AM (#9715414) Homepage Journal
    One thing that stood out to me in this article...the high security they have on campus. CCTV cameras everywhere? Having to swipe access cards to get in any building, etc...

    Why all these intrusive and secure measures just for a college campus? It's not a military base or anything....

  • Re:Yeah... and? (Score:3, Interesting)

    by bfields ( 66644 ) on Friday July 16, 2004 @10:39AM (#9716037) Homepage
    -All students getting unfirewalled public IPs (I shit you not)

    A firewall makes a lame attempt to divide the network into an inside and an outside, under the assumption that attacks will come from the outside. But all it takes is for one machine on the inside to be compromised and that assumption is no longer true. Unfortunately, these days virtually all networks of any size have compromised machines: email and web browsing are sources of compromises, and firewalls don't block those; and lots of people use laptops on other networks as well, where they may have picked up something nasty.

    The advantages of firewalls are insufficient to outweigh the disadvantages of not having a real public IP.

    --Bruce Fields

  • Re:Yeah... and? (Score:3, Interesting)

    by andy landy ( 306369 ) <aplandells&hotmail,com> on Friday July 16, 2004 @10:43AM (#9716076) Homepage
    So your computers do not "talk" to each other to any other computer...

    Fine, be pedantic... To clarify things, our AUP has a blanket ban on "Peer to peer file transfer software, such as KaZaa, WinMX, eMule, BitTorrent etc...". Yes, perhaps you could claim that everything that runs on Ethernet is "Peer to peer", but that's just being difficult.

    If you look at the Janet AUP (UK academic network), you'll see that "Non-academic use is not permitted", so technically our students aren't even allowed to email their folks! Of course, we don't enforce things to this level, but you started the pedantry :D
  • Re:Yeah... and? (Score:2, Interesting)

    by NeonSpirit ( 530024 ) <mjhodge&gmail,com> on Friday July 16, 2004 @10:59AM (#9716226) Homepage
    When I was at University, some time ago now, we had two computing facilities, and therefore two policies.

    Computing services was used by the entire campus: maths, engineering, chemistry etc. The security policy here was quite tight: you could do what you wanted, but if you found a hole, report it. If you do any damage you will be expelled. We had a very good relationship with the sysadmin, to the extent that he let us use and explore new systems before they were given to the general population. In this way we could find holes and exploits before any reliance was placed on the new facilities.

    Computer science had a much more slack security policy; only computer science based students had access. Here you could again do what you like, but if you caused any damage the sysadmin would make it public and let your peers deal with you. This was incentive enough, believe me.
