
Ontario student suspended for alerting his University to online security vulnerability

Meh, this is always how it goes. Over 20 years ago my friend got suspended from a university in Florida for a year. The Sun stations had no restrictions so any user could put in commands for a list of users. He printed the list along with the passwords and handed them to the admin and told him to clean up security. A year later he came back and the system was still wide open. And of course he was banned from the labs for the rest of time, photo on a bulletin board for employees to recognize LOL. We were all friends though... the employees working the labs and my friend.

 

 


8 hours ago, leadeater said:

Oh for sure, the system I know of definitely doesn't store the password unencrypted.

 

Edit:

What makes it so useful is any staff member doesn't need to find someone from IT to do basic tasks such as telling the student what their password is. This is extremely common even when students do get to set their own password, in fact when it comes to student support it is the most common request for help so having 100 staff be able to help rather than just 1-3 is much more efficient.

 

Edit 2:

When it comes to Active Directory, btw, there is no way to login as a student or anyone for that matter without actually knowing their password; there is no way round it. Having the passwords generated and stored in a Student Management System is a bypass to this natural security, yes, but that system itself is more secure as it contains everything about the student, including medical information, and has role based security on it, meaning you can only see specific information that you are allowed and no more.

Well, that second edit is a pretty darn good reason, I'll give you that. I think you probably are right, but the middle ground would be that teachers could just send password reset links to their students or something like that. But eh, stuff like this is hard to do right for a lot of reasons. It's a balance between security and usability as always.


28 minutes ago, dtaflorida said:

Meh, this is always how it goes. Over 20 years ago my friend got suspended from a university in Florida for a year. The Sun stations had no restrictions so any user could put in commands for a list of users. He printed the list along with the passwords and handed them to the admin and told him to clean up security. A year later he came back and the system was still wide open. And of course he was banned from the labs for the rest of time, photo on a bulletin board for employees to recognize LOL. We were all friends though... the employees working the labs and my friend.

What he did wrong was that he actually printed the list and obtained the information. I get that he had good intent and I would agree that banning him forever and suspension for a year is too much, but he should get slapped on the wrist for downloading the actual passwords; that is a crime and it should be.


Because hacker = criminal automatically.

 

I'm sure it will go well in other paths from there though...


I did a similar thing in high school. I figured out a stupidly easy way to get past the school's internet filter on the library computers, just to see if I could. I then mentioned that the filter was easily beatable to the school IT guy in conversation. He then went back into some sort of log, went to my account, saw that I accessed the YouTube home page, alerted administration, and I was suspended. It's safe to say that the IT guy and I were no longer friendly.


 

2 hours ago, leadeater said:

in a way it actually is a cultural thing as it's very common to just pay your way and see nothing wrong with it.

I don't know if you mean Middle-East or West Africa region, but in Middle-East it isn't a cultural thing to pay your way out and it's frowned upon. Also, it's punishable and also the individuals that do it are really hated by the society.


17 hours ago, nerdslayer1 said:

$1,337 - $5,000

$31,337

$13,337

$3,133.7

Someone at google likes the number 1337 wayyyyyy too much :P 


17 hours ago, yathis said:

Its an illegal act

Like breaking into someones house, then going straight to donut shop to report your actions to the pigs.

No - it's like breaking into someone's house without breaking anything, taking nothing, and telling the owner what you did, how you did it and how to prevent it in the future. It's a bit creepy, but in the end it's a good thing for the owner. That said you'd probably still end up in jail if the owner pressed charges, because after all you did break into his house.


4 hours ago, Sauron said:

No - it's like breaking into someone's house without breaking anything, taking nothing, and telling the owner what you did, how you did it and how to prevent it in the future. It's a bit creepy, but in the end it's a good thing for the owner. That said you'd probably still end up in jail if the owner pressed charges, because after all you did break into his house.

Again, like I said before, it is in a way HIS HOUSE. He is a student, his information is vulnerable, and he has a very legitimate concern that the private information of all his friends as well as himself be protected.

 

If he was some random dude in Idaho then it would be a different story. 


5 hours ago, cesrai said:

I don't know if you mean Middle-East or West Africa region, but in Middle-East it isn't a cultural thing to pay your way out and it's frowned upon. Also, it's punishable and also the individuals that do it are really hated by the society.

Sorry, I was meaning West Africa and India. Not that this doesn't happen to some extent in every country, but you can't judge everyone on the actions of the few.


9 hours ago, leadeater said:

Yep totally feel your pain, I've done CCNA.

I'm glad I'm not alone in that regard. What sucks is I've heard if you want to sell their equipment or buy advanced equipment (modules, memory cards, etc.) you have to become "Cisco licensed", I think it's called. I have an idea as to why they do it but I hate the idea. I don't plan to get licensed just to buy or sell their advanced modules and equipment. (To make matters worse it's all proprietary; their modules and other accessories will only work with their equipment.) The equipment is also VERY overpriced compared to the cost of manufacture. So what I've learned in these classes:

The fundamentals of networking: Help me in the future.

Anything specific to their equipment: Unlikely to help me in the future because I'm not recommending it to anyone. Too hard to get your hands on, too expensive...but their routers and switches are easy to set up once you memorize the commands and have ludicrous advanced features.


3 minutes ago, Windows7ge said:

I'm glad I'm not alone in that regard. What sucks is I've heard if you want to sell their equipment or buy advanced equipment (modules, memory cards, etc.) you have to become "Cisco licensed", I think it's called. I have an idea as to why they do it but I hate the idea. I don't plan to get licensed just to buy or sell their advanced modules and equipment. (To make matters worse it's all proprietary; their modules and other accessories will only work with their equipment.) The equipment is also VERY overpriced compared to the cost of manufacture. So what I've learned in these classes:

The fundamentals of networking: Help me in the future.

Anything specific to their equipment: Unlikely to help me in the future because I'm not recommending it to anyone. Too hard to get your hands on, too expensive...but their routers and switches are easy to set up once you memorize the commands and have ludicrous advanced features.

As far as selling it goes, that's not actually something you have to worry about; resellers take care of that and you use them to sell to clients if you're an IT support business. Being a licensed reseller is the norm and every brand requires it, not just Cisco. As far as list price goes, that's much higher than the actual price; Cisco is price competitive with the brands it competes with, but yes, in cases slightly more, though not a lot.

 

Cisco also has a small business line of products which are very well priced and offer exceptionally good features, with many solid 10Gb copper and SFP+ options. I got my Cisco SG300-10 for $120 USD which even offers basic layer 3 functionality.

 

I've actually gotten quite happy with Allied Telesis which CLI wise is a total rip off of Cisco lol. They have good products and are very well priced.


12 minutes ago, leadeater said:

As far as selling it goes, that's not actually something you have to worry about; resellers take care of that and you use them to sell to clients if you're an IT support business.

Ah, that's what the reseller license meant. My bad.

14 minutes ago, leadeater said:

Cisco also has a small business line of products which are very well priced and offer exceptionally good features, with many solid 10Gb copper and SFP+ options. I got my Cisco SG300-10 for $120 USD which even offers basic layer 3 functionality.

I wired up 2 SFP+ cards with SFP+ to LC fiber-optic transceivers, giving me a 10Gbit link to my server (cost me around $120, extremely worth it; transfer speeds increased up to 7x compared to 1Gbit), but it's just a direct point-to-point link on its own network because I have no switch that supports 10Gbit or SFP. An enthusiast grade switch from Cisco would be nice if it doesn't break the bank.

 

The college has us using the Cisco 1941 routers, and Cisco 2960 switches. The 1941 is $700 on Newegg and the switch is around $200~300...most small businesses wouldn't buy that. Small businesses are my target audience but you mentioned Allied Telesis. I'll look them up sometime.


10 minutes ago, Windows7ge said:

The college has us using the Cisco 1941 routers, and Cisco 2960 switches. The 1941 is $700 on Newegg and the switch is around $200~300...most small businesses wouldn't buy that. Small businesses are my target audience but you mentioned Allied Telesis. I'll look them up sometime.

Yea, the Cisco small business class of switches are in a completely different category to those. I'd use Cisco Small Business over Allied Telesis, but I got forced into using them and I'm actually happy with them. Nothing good is cheap so that is always going to be a problem; even Netgear isn't that cheap and I hate them. D-Link is only worth having around to use as a metric of how bad things could be, "At least it's not D-Link" lol.


7 hours ago, MoistyMcMoistface said:

Again, like I said before, it is in a way HIS HOUSE. He is a student, his information is vulnerable, and he has a very legitimate concern that the private information of all his friends as well as himself be protected.

 

If he was some random dude in Idaho then it would be a different story. 

Consider it his hotel then. He trusted the organization with his information and does not have a legal right to break into the safe to check if his information is secure. If he could expose the vulnerability without using it it would have been a better situation for him.

 

Obviously the university is just butthurt about their own negligence, but that doesn't mean there is no ground for sanctions against the student.


On 26/04/2017 at 1:35 PM, MoistyMcMoistface said:

- White hat hacker gains unsanctioned access to Laurentian University's online back end. Sudbury, Ontario, Canada.

- Accessing 2,000 personal records 'exceptionally easy', exposing private information, contact info and grades.

"Yeah, it was exceptionally easy. Trivial almost," "I did have access to pretty much the whole system. People's privacy was at risk, but that wasn't my intention." - says Laurentian student.

- White hat immediately contacts head of IT department upon this discovery.

- Laurentian University not happy: suspends student.

- "I don't think any organization anywhere on this planet would be able to say all our information is always secure." - Alex Freedman, Laurentian University Chief of Staff

 

http://www.cbc.ca/news/canada/sudbury/laurentian-university-internet-security-breach-1.4082506

Unfortunately, I recently went through a similar story. Fortunately, my ending was slightly better.

I discovered a long list of WordPress vulnerabilities that my school's site was vulnerable to. I emailed them and they said that they would update and fix it.

Then I discovered some open (and somewhat private) smb shares and an incredibly sloppily designed (no authentication whatsoever) intranet, but when I emailed them they banned me from the network and threatened me with a lawsuit.

I know where I could find other vulnerabilities (but I haven't checked/scanned, I'm not stupid) but my school isn't interested. I was told that since I'm not allowed to pentest the system, I'm obviously not able to inform them of something that I legally cannot know about.

Is that a better ending?


10 hours ago, leadeater said:

Yea, the Cisco small business class of switches are in a completely different category to those. I'd use Cisco Small Business over Allied Telesis, but I got forced into using them and I'm actually happy with them. Nothing good is cheap so that is always going to be a problem; even Netgear isn't that cheap and I hate them. D-Link is only worth having around to use as a metric of how bad things could be, "At least it's not D-Link" lol.

I don't think I've worked with anything D-Link. I had my parents buy a 24 port TP-Link 1Gbit switch for the house. Of which I then had to terminate all the cables. Great way to memorize the color code for T-568A and T-568B even though it doesn't matter so long as the order is the same on both ends. Provided all the equipment you're working on supports Auto-MDIX.


9 hours ago, bbdoron770 said:

Unfortunately, I recently went through a similar story. Fortunately, my ending was slightly better.

I discovered a long list of WordPress vulnerabilities that my school's site was vulnerable to. I emailed them and they said that they would update and fix it.

Then I discovered some open (and somewhat private) smb shares and an incredibly sloppily designed (no authentication whatsoever) intranet, but when I emailed them they banned me from the network and threatened me with a lawsuit.

I know where I could find other vulnerabilities (but I haven't checked/scanned, I'm not stupid) but my school isn't interested. I was told that since I'm not allowed to pentest the system, I'm obviously not able to inform them of something that I legally cannot know about.

Is that a better ending?

It really sucks that your school is dank like that. It is instances like this that make me feel universities should have government oversight. Many developed countries have private universities and public universities. Usually the latter are heavily or completely subsidized and many times actually run/owned partially or completely by the government. Government-run anything needs to maintain certain standards in policy and must have uniform discipline (at least on paper) so shit like that would not happen. Regardless, even the private unis in many countries have government oversight and dedicate whole sections of law to defining what is and what is not a university.


On 4/25/2017 at 8:52 PM, nerdslayer1 said:

a well made anonymous tip is hard to track.

The tip may be, but they might be able to track the hack after he informs them about the risk and what to look for.
