Ontario student suspended for alerting his University to online security vulnerability

3 minutes ago, MoonSpot said:

Why? If the uni keeps him banned after the police confirm he was just white hatting, then fine. But at this point the only thing anyone has to run on is belief, and that's just stupid. If he's confident he did nothing and that they'll ultimately be "thankful", and he's willing to give them leeway in order for them to confirm as much for themselves... Why should we get spun up over this?

Someone on the internet advocating for a calm and collected reaction? That's a first :P

1 minute ago, leadeater said:

Realizing you just did something very wrong and got access to information you know you should never have seen then trying to spin it as a good gesture by disclosing it as trying to help is not the right thing to do, if that is how it played out.

 

I do give the person some seriously good credit for at least owning up to it even if it was purely ass covering. That alone would make me very lenient in any punishment.

 

If it was purely how the student says it was and was always good intent then getting the police involved is a bit much, however I do see it from the university's perspective as private information had been breached and it's not something you can quietly dismiss. Take note of the fact that counselling records had been breached, which is protected under strict laws and guidelines as anything medically related is.

How will this hold up in court though? If it comes to that, the student was probably looking for breaches in the school system (or not? But how does one find a breach by accident). Disclosing it should help, but the uni can still accuse them of the above.

We have a NEW and GLORIOUSER-ER-ER PSU Tier List Now. (dammit @LukeSavenije stop coming up with new ones)

You can check out the old one that gave joy to so many across the land here

 

Computer having a hard time powering on? Troubleshoot it with this guide. (Currently looking for suggestions to update it into the context of <current year> and make it its own thread)

Computer Specs:


Mathresolvermajig: Intel Xeon E3 1240 (Sandy Bridge i7 equivalent)

Chillinmachine: Noctua NH-C14S
Framepainting-inator: EVGA GTX 1080 Ti SC2 Hybrid

Attachcorethingy: Gigabyte H61M-S2V-B3

Infoholdstick: Corsair 2x4GB DDR3 1333

Computerarmor: Silverstone RL06 "Lookalike"

Rememberdoogle: 1TB HDD + 120GB TR150 + 240 SSD Plus + 1TB MX500

AdditionalPylons: Phanteks AMP! 550W (based on Seasonic GX-550)

Letterpad: Rosewill Apollo 9100 (Cherry MX Red)

Buttonrodent: Razer Viper Mini + Huion H430P drawing Tablet

Auralnterface: Sennheiser HD 6xx

Liquidrectangles: LG 27UK850-W 4K HDR

 


It's an illegal act

Like breaking into someone's house, then going straight to the donut shop to report your actions to the pigs.


10 hours ago, yathis said:

It's an illegal act

Like breaking into someone's house, then going straight to the donut shop to report your actions to the pigs.

 
 

not a good analogy, it would be more like finding someone's house with a broken lock, even if you tell the police they will question you about why you were checking the lock. 


Maybe the univ has info regarding he went further than the front stoop.

I bet the student stepped inside the house.


Just now, nerdslayer1 said:

not a good analogy, it would be more like finding someone with a broken lock, even if you tell the police they will question you about why you were checking the lock.

I think the argument to make here is whether you can find a vulnerability in a server without looking for it. Imagine this: your neighbour's house has a broken lock but it doesn't look broken, you found out by trying to open their door. Then you go to them and say "hey, I was trying to open your door and your lock was broken. Don't worry I didn't take anything". It doesn't sound particularly believable.

2 minutes ago, yathis said:

It's an illegal act

Like breaking into someone's house, then going straight to the donut shop to report your actions to the pigs.

I believe the more accurate analogy would be to go to your neighbour to tell them, not the cops.



At the college I attend I've discovered multiple vulnerabilities in their systems, including the ability to remotely shut down or restart every computer in a building simultaneously.

I haven't told them about any of them though for fear of this.


Just now, Windows7ge said:

At the college I attend I've discovered multiple vulnerabilities in their systems, including the ability to remotely shut down or restart every computer in a building simultaneously.

I haven't told them about any of them though for fear of this.

Honest question though, were you looking for them? And if you only stumbled into them, how?



16 minutes ago, leadeater said:

P.S. Disclaimer I work for a university IT department.

BIASED!! You're working for "The Man", man.. You're just another yuppie sellout trying to confuse the signal to butter their own wallet, man. /s (but a small /s)

 

I can understand a student not reporting a potential problem right away. They could have simply wanted to understand the problem well enough to intelligently comment on it. We are talking about a young person here. Expecting them to correctly interact with any kind of bureaucracy in a manner which that bureaucracy finds acceptable is a pretty severe breakdown in logic.


18 minutes ago, Energycore said:

How will this hold up in court though? If it comes to that, the student was probably looking for breaches in the school system (or not? But how does one find a breach by accident). Disclosing it should help, but the uni can still accuse them of the above.

Hopefully this doesn't go to court. Even though I know there are cyber security laws, I don't specifically see anything wrong with people poking around to see if there is anything. For me it's only a matter of how you do it, why you were doing it, and what you did immediately after finding something.

 

An example of one I would consider wrong always would be 'Seeing if the network is susceptible to denial of service'. Of course it is, every network is and by exploring the limits you cause mass disruption.

 

An example of one that is always fine would be 'Finding out there is a route to the IP range for network switch management and trying default username/passwords on the switches'. However, it turns not fine if you then start trying to brute force the password, as that causes huge CPU load on the switch.

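The distinction leadeater draws above (a handful of default-credential attempts versus sustained guessing that loads the switch CPU) is something the switch's own login logs make visible. The following is an added example written for this thread, not code from any poster: it reads syslog-style login lines from switch management interfaces and reports, per switch and source address, the peak number of failures inside a sliding window, so a burst stands out from a couple of stray failures. The log line format is a constructed assumption modelled loosely on Cisco-style SEC_LOGIN messages, and every host name, address and timestamp in the sample is made up; adjust LINE_RE to whatever your switches actually emit.

```python
"""Separate a few failed logins from a brute-force burst on switch management.

Added example for this thread, not code from any poster. The log format
is a constructed assumption; the sample data is made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%SEC_LOGIN-\d-(?P<result>LOGIN_FAILED|LOGIN_SUCCESS): .*?"
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)

# Syslog lines carry no year; the constructed sample is dated 2019.
LOG_YEAR = 2019


def parse_line(line, year=LOG_YEAR):
    """Return a dict for a login event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def classify_sources(lines, window=timedelta(seconds=60), burst_threshold=10):
    """Per (switch, source IP): total failures, peak failures in `window`, verdict."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "LOGIN_FAILED":
            failures[(ev["host"], ev["src"])].append(ev["ts"])

    findings = {}
    for key, stamps in failures.items():
        stamps.sort()
        peak, start = 0, 0
        for end, t in enumerate(stamps):        # two-pointer sliding window
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        findings[key] = {
            "total_failures": len(stamps),
            "peak_in_window": peak,
            "verdict": "brute_force" if peak >= burst_threshold else "low_volume",
        }
    return findings


def _failed_lines(host, src, first, count, step_s=2):
    """Build `count` constructed failure lines spaced `step_s` seconds apart."""
    return [
        f"{(first + timedelta(seconds=i * step_s)).strftime('%b %d %H:%M:%S')} {host} "
        f"%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: {src}] [localport: 22]"
        for i in range(count)
    ]


# Constructed sample: two failures from one address, a successful login,
# a 20-attempt burst from another address, and an unrelated syslog line.
SAMPLE_LINES = (
    _failed_lines("sw-core-01", "10.20.5.14", datetime(LOG_YEAR, 3, 10, 9, 0, 1), 2)
    + ["Mar 10 09:00:09 sw-core-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
       "[user: netops] [Source: 10.20.1.7] [localport: 22]"]
    + _failed_lines("sw-core-02", "10.20.5.99", datetime(LOG_YEAR, 3, 10, 9, 1, 0), 20)
    + ["Mar 10 09:02:00 sw-core-02 %SYS-5-CONFIG_I: Configured from console by netops"]
)

if __name__ == "__main__":
    for (host, src), info in classify_sources(SAMPLE_LINES).items():
        print(f"{host} <- {src}: {info}")
```

The window and threshold are deliberately parameters: what counts as a burst depends on how many management sessions your switches see normally, and a first pass over a week of real logs will tell you where to set them. The point of keying on (switch, source) rather than on the user name is that the post's "trying defaults" case typically hits one account a couple of times, while guessing shows up as volume from one address regardless of which account it targets.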

6 minutes ago, MoonSpot said:

BIASED!! You're working for "The Man", man.. You're just another yuppie sellout trying to confuse the signal to butter their own wallet, man. /s (but a small /s)

Hey if they pay well I'll shill till the cows come home ;).


49 minutes ago, MoistyMcMoistface said:

-white hat hacker, gains unsanctioned access to Laurentian University's online back end. Sudbury Ontario Canada.

 

-Accessing 2,000 personal records 'exceptionally easy', exposing private information, contact info and grades.

"Yeah, it was exceptionally easy. Trivial almost." "I did have access to pretty much the whole system. People's privacy was at risk, but that wasn't my intention." - says the Laurentian student.

 

- White hat immediately contacts head of IT department upon this discovery. 

 

- Laurentian University not happy: Suspends student 

All schools are like that. I nearly got in trouble for breaking our RFID ID card readers that unlock doors and stuff using common hand held methods. The only reason I didn't get canned was because when I approached them with the problem I had built a little test bench that basically simulated their system, and as a result I had plausible deniability as to whether or not I had actually done anything wrong. Oh and because when they told me they were going to expel me I told them that I was going to sue them and then had a lawyer send the president (not the school, the president of the school) a letter about it.

ENCRYPTION IS NOT A CRIME


Just now, Energycore said:

Honest question though, were you looking for them? And if you only stumbled into them, how?

White hat hacking, bored during class, play around in the command prompt. Write a few batch files. Beyond my initial discoveries I wanted to know how deep the hole went so I continued looking for vulnerabilities around the campus and more things showed up. Even found an unrestricted 1GBit port in a random hallway. You could do MANY things with that. Even hop subnets, which would make it hard to track who was launching an attack.

 

The analogies you made previously, though, are why I haven't told any staff or IT. Yes. Things I shouldn't be doing. With good intent though, but I KNOW they wouldn't look at it that way. So I'm just hanging out until I suddenly hear "Someone broke into the network and launched an attack and we can't figure out who, how, why". Well, you probably should have started by locking down this, this, and this.


11 minutes ago, Energycore said:

I think the argument to make here, is whether you can find a vulnerability in a server without looking for it. Imagine this: your neighbour's house has a broken lock but it doesn't look broken, you found out by trying to open their door. Then you go to them and say "hey, I was trying to open your door and your lock was broken. Don't worry I didn't take anything". It doesn't sound particularly believable.

I believe the more accurate analogy would be to go to your neighbour to tell them, not the cops.

 

But he is a student at that Uni; literally, if he lives on campus the University is literally his home. He and all his friends have a vested interest that the university holds the highest quality of standards.

 

In this case the best analogy is that he is a customer at a bank. He opens a deposit box to hold his most precious documentation (Squidward's embarrassing picture at the Christmas party). The bank promises him the highest security and will keep his document safe. The concerned customer returns to the bank after hours to make sure the bank is locked up nice and tight. Only to find that the customer front door was left unlocked. There is no alarm. The guard is sleeping with NCH on. He walks to the vault. The vault was only secured by one of them dollar store plastic pink Disney princess toy chest padlocks. He called the bank manager the next day to complain about the lack of security.


6 minutes ago, MoistyMcMoistface said:

Squidward's embarrassing picture at the Christmas party

yes



2 minutes ago, Windows7ge said:

White hat hacking, bored during class, play around in the command prompt. Write a few batch files. Beyond my initial discoveries I wanted to know how deep the hole went so I continued looking for vulnerabilities around the campus and more things showed up. Even found an unrestricted 1GBit port in a random hallway. You could do MANY things with that. Even hop subnets, which would make it hard to track who was launching an attack.

Been there before: bored, start looking at command switches to see what options are available, then accidentally send every computer in the network a message using Net Send. It didn't go down well lol.

 

I've also had to be on the other end of this type of thing; a company I used to work for did contract support for schools. A student found where GPO files were stored, figured out how to interpret them and got access to a network share that had some old financial data on it. Some of it was luck/timing as the share was more open than usual due to server migration work being done, but hats off to the student for digging in that far. The school only found out since the student went around bragging about it, which wasn't a very smart thing to do, but everyone does stupid things. He didn't get into very serious trouble, but it did help that I wasn't actively trying to throw him under the bus for my own mistake.


10 minutes ago, MoistyMcMoistface said:

In this case the best analogy is that he is a customer at a bank. He opens a deposit box to hold his most precious documentation (Squidward's embarrassing picture at the Christmas party). The bank promises him the highest security and will keep his document safe. The concerned customer returns to the bank after hours to make sure the bank is locked up nice and tight. Only to find that the customer front door was left unlocked. There is no alarm. The guard is sleeping with NCH on. He walks to the vault. The vault was only secured by one of them dollar store plastic pink Disney princess toy chest padlocks. He called the bank manager the next day to complain about the lack of security.

Except it was a bit more like the customer turns up to find the front door unlocked and the guard asleep then goes home. Then comes back another day to see if it's the same situation and it was, so then walks in to the vault and finds it's very insecure so breaks it and goes looking inside.

 

Two mistakes: not ringing the bank on the first day, and then using that gained knowledge to break in.


I thought Universities were supposed to teach people and make them more intelligent.....

 

I think they are just scared.  Just think about if they didn't find out and a lot of their data was leaked.

 

I guess it was also really embarrassing though, as well........


1 minute ago, leadeater said:

Been there before: bored, start looking at command switches to see what options are available, then accidentally send every computer in the network a message using Net Send. It didn't go down well lol.

My campus didn't enable Net Send (tried it). However with the remote shutdown in CMD you can add a "comment" which will display on your monitor. That worked.

I know why they enabled remote shutdown in Windows. They utilize a program called Deep Freeze to rewrite an image of a pre-created OS and applications onto the boot disk. This cleans the drive of any altered information at each boot up which students may have done from that day. The remote shutdown comes in by allowing a server somewhere to remotely restart the entire campus, which initiates Deep Freeze.

 

It could backfire though if a student hijacks a computer with some programs. They can launch their attack and reboot the computer re-imaging the disk which would make it hard to know how they got in and with what tools. (The network is on a domain though so they'd have to use an account other than theirs)

13 minutes ago, leadeater said:

I've also had to be on the other end of this type of thing, company I used to work for did contract support for schools. A student found where GPOs files were stored and figured out how to interpret them and go access to a network share that had some old financial data on it, some of it was luck/timing as the share was more open than usual due to server migration work being done but hats off to the student for digging in that far. School only found out since the student went around bragging about it which wasn't a very smart thing to do but everyone does stupid things, he didn't get in to very serious trouble but it did help I wasn't actively trying to throw him under the bus for my own mistake.

I haven't gone as far as trying to access servers that I'm not supposed to be in and I don't plan to. I have however used "Net View" and, thanks to network discovery being enabled, I can see a list of every active computer across campus, which makes it very easy to target systems if it's on the same network. Including the servers. They like to name their servers after Greek and Egyptian gods for some reason.

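Windows7ge's post above describes two things a campus IT team can actually monitor for: a restart or shutdown arriving from a machine other than the imaging server, and the free-text comment that the remote shutdown command displays on the victim's screen. Windows records both in the System log as Event ID 1074 (the User32 shutdown event), whose message names the initiating process, the host it ran on, the target computer, the user and the comment. The following is an added example written for this thread, not code from any poster or from Microsoft: it parses the body of such events, decides whether each one was initiated from another host, and flags the remote ones that did not come from an approved management host. The sample messages are constructed and only modelled on the 1074 wording; the exact layout, the reason codes, the host and user names, and the APPROVED_ORIGINS allow list are all assumptions to check against your own System log.

```python
"""Triage Windows Event ID 1074 shutdown/restart messages.

Added example for this thread, not code from any poster or from Microsoft.
Message wording is modelled on 1074 events but is an assumption here;
host names, users, reason codes and the allow list are placeholders.
"""
import re
from collections import Counter

# Placeholder: hosts allowed to push restarts (e.g. the reimaging server
# the thread describes). Replace with your own inventory.
APPROVED_ORIGINS = {"MGMT-DEPLOY-01"}

MSG_RE = re.compile(
    r"The process (?P<process>.+?) \((?P<origin>[^)]+)\) has initiated the "
    r"(?P<action>shutdown|restart|power off) of computer (?P<target>\S+) "
    r"on behalf of user (?P<user>.+?) for the following reason: (?P<reason>.*?)\s*"
    r"Reason Code: (?P<code>\S+)\s*Shutdown Type: (?P<type>\S+)\s*Comment: (?P<comment>.*)$",
    re.S,
)


def parse_1074(message):
    """Parse one 1074 message body; None if it does not look like one."""
    m = MSG_RE.search(message)
    if not m:
        return None
    ev = m.groupdict()
    ev["comment"] = ev["comment"].strip()
    # Initiated elsewhere if the host in parentheses is not the target.
    ev["remote"] = ev["origin"].upper() != ev["target"].upper()
    ev["flagged"] = ev["remote"] and ev["origin"].upper() not in APPROVED_ORIGINS
    return ev


def triage(messages):
    """Return only the events worth a human look: remote and not approved."""
    return [ev for ev in map(parse_1074, messages) if ev and ev["flagged"]]


def summarize(messages):
    """Count events by category, including bodies that failed to parse."""
    counts = Counter()
    for ev in map(parse_1074, messages):
        if ev is None:
            counts["unparsed"] += 1
        elif ev["flagged"]:
            counts["flagged_remote"] += 1
        elif ev["remote"]:
            counts["approved_remote"] += 1
        else:
            counts["local"] += 1
    return dict(counts)


# Constructed sample bodies (reason codes and names are made up).
SAMPLE_EVENTS = [
    # Local restart by the signed-in user.
    "The process C:\\Windows\\system32\\shutdown.exe (LAB-PC-07) has initiated the restart "
    "of computer LAB-PC-07 on behalf of user CAMPUS\\jdoe for the following reason: "
    "Other (Unplanned)\n Reason Code: 0x0\n Shutdown Type: restart\n Comment: ",
    # Remote restart pushed by the approved reimaging host.
    "The process C:\\Windows\\system32\\wbem\\wmiprvse.exe (MGMT-DEPLOY-01) has initiated the "
    "restart of computer LAB-PC-07 on behalf of user CAMPUS\\svc-deploy for the following "
    "reason: Other (Planned)\n Reason Code: 0x80000000\n Shutdown Type: restart\n Comment: nightly reimage",
    # Remote shutdown from another lab workstation: the one to look at.
    "The process C:\\Windows\\system32\\shutdown.exe (LAB-PC-12) has initiated the shutdown "
    "of computer LAB-PC-07 on behalf of user CAMPUS\\student42 for the following reason: "
    "No title for this reason could be found\n Reason Code: 0x800000ff\n Shutdown Type: shutdown\n "
    "Comment: lab closes in 5 minutes",
    # Not a 1074 body at all.
    "Service Control Manager: The Print Spooler service entered the running state.",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    for ev in triage(SAMPLE_EVENTS):
        print(f"{ev['origin']} -> {ev['target']} ({ev['action']}) by {ev['user']}: {ev['comment']!r}")
```

The forensic point the two posters go on to raise is why this has to run off the workstation: on a reboot-to-restore machine the local event log is gone after the very restart you want to investigate, so 1074 (and the rest of the System and Security logs) should be forwarded to a collector continuously, and the triage run there. The allow list is the other knob: a restart from the imaging server is expected, a restart from a neighbouring lab seat is not, and the comment field gives you the text the person typed, which is usually the quickest way to tell a prank from a deployment.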

1 minute ago, Windows7ge said:

I know why they enabled remote shutdown in Windows. They utilize a program called Deep Freeze to rewrite an image of a pre-created OS and applications onto the boot disk. This cleans the drive of any altered information at each boot up which students may have done from that day. The remote shutdown comes in by allowing a server somewhere to remotely restart the entire campus, which initiates Deep Freeze.

 

It could backfire though if a student hijacks a computer with some programs. They can launch their attack and reboot the computer re-imaging the disk which would make it hard to know how they got in and with what tools. (The network is on a domain though so they'd have to use an account other than theirs)

Personally I'm not a fan of Deep Freeze or Windows Steady State (now defunct I think). It makes the people responsible for desktop security too complacent "If anything goes wrong just reboot the computer", or how about you make it more secure and put better computer management tools in place....

 

Just releasing my hatred of Deep Freeze, caused me many problems in the past. 


1 hour ago, leadeater said:

Personally I'm not a fan of Deep Freeze or Windows Steady State (now defunct I think). It makes the people responsible for desktop security too complacent "If anything goes wrong just reboot the computer", or how about you make it more secure and put better computer management tools in place....

 

Just releasing my hatred of Deep Freeze, caused me many problems in the past. 

That makes me think that just because someone has a cozy job in the IT department at a college doesn't mean they should take the easy route and stop their education. If anything the way you describe Deep Freeze I'd go as far as to think people recommending companies use it are actually reverting. Sort of undoing what they learned to get there in the first place.


1 hour ago, Windows7ge said:

That makes me think that just because someone has a cozy job in the IT department at a college doesn't mean they should take the easy route and stop their education. If anything the way you describe Deep Freeze I'd go as far as to think people recommending companies use it are actually reverting. Sort of undoing what they learned to get there in the first place.

And if you work at one make use of what you have, as part of our employment agreement we are allowed to take any papers we like (subject to entry requirements) at no cost. There is a maximum limit of how many we can take each year but that's fine, also have a job to do right ;).


Private companies pay for this. *facepalm*


Quiet Whirl | CPU: AMD Ryzen 7 3700X Cooler: Noctua NH-D15 Mobo: MSI B450 TOMAHAWK MAX RAM: HyperX Fury RGB 32GB (2x16GB) DDR4 3200 MHz Graphics card: MSI GeForce RTX 2070 SUPER GAMING X TRIO PSU: Corsair RMx Series RM550x Case: Be quiet! Pure Base 600

 

Buffed HP | HP ProBook 430 G4 | CPU: Intel Core i3-7100U RAM: 4GB DDR4 2133 MHz GPU: Intel HD 620 SSD: Some 128GB M.2 SATA

 

Retired:

Melting plastic | Lenovo IdeaPad Z580 | CPU: Intel Core i7-3630QM RAM: 8GB DDR3 GPU: nVidia GeForce GTX 640M HDD: Western Digital 1TB

The Roaring Beast | CPU: Intel Core i5 4690 (BCLK @ 104MHz = 4,05GHz) Cooler: Akasa X3 Motherboard: Gigabyte GA-Z97-D3H RAM: Kingston 16GB DDR3 (2x8GB) Graphics card: Gigabyte GTX 970 4GB (Core: +130MHz, Mem: +230MHz) SSHD: Seagate 1TB SSD: Samsung 850 Evo 500GB HDD: WD Red 4TB PSU: Fractal Design Essence 500W Case: Zalman Z11 Plus

 


Quote: "including passwords"

So... are these hashed and salted passwords or is the University staff so idiotic they stored everything in plain text?


Gah, I remember the time I found that using a vuln in my school's FTP server for the education and textbook system, I could pull up a root shell. That's what happens when you set-and-forget, people. Still running Ubuntu 10.04 and an FTP package from early 2011. 

 

I didn't exploit it or touch it after the first login, as the IT manager would have killed me.

However, I did log in, so technically I am guilty. 

But then they discontinued the service and outsourced the entire shebang to a 3rd party company, and shut it down. Logins are through LDAP for the new service, and there are NO passwords/usernames onsite. Good system.

idk


FFS. In my country people can't be prosecuted for things like this; the school would probably get wrist slapped by the government for working against public interest with public money.
