Patrick Foster and Roger Waite were able to retrieve email passwords, listen in on MSN Messenger conversations, and even view live CCTV camera footage.
After they contacted the University, the authorities, rather than thanking them for revealing potentially dangerous flaws in their IT setup, reacted in typically draconian fashion, summoning them to a Court of Summary Jurisdiction, where they could be fined up to £500 and suspended from the university (known as rustication). The case was also referred to Thames Valley Police. If they had not contacted the university authorities, it's unlikely that their activities would ever have been exposed.
If people who test networks responsibly are treated in this way, the University can never expect to improve its security - those with more malicious intentions are hardly likely to own up to their activities!
Students have the right (not least in the light of the Data Protection Act) to have private information kept secure - the University have failed them. Students should encrypt all information held on the "swiss cheese security" university computer system using a known safe copy of gpg - http://www.gnupg.org/ (pgp for M$ windoze users http://www.pgpi.org/products/pgp/versions/freeware/winxp/8.0/ )
Here are the links:
http://www.oxfordstudent.com/2004-05-27/news/1
http://www.oxfordstudent.com/2004-05-27/editorial/1
http://slashdot.org/article.pl?sid=04/07/16/021200&mode=thread&tid=126&tid=146&tid=172&tid=99
http://www.guardian.co.uk/online/news/0,12597,1261609,00.html
http://news.bbc.co.uk/1/hi/education/3897755.stm
Comments
MS weakness
16.07.2004 15:48
I presume nobody who views Indy-media would dream of using Windows or Explorer but we should all ensure our friends and families are not using them either.
Linux, Solaris, Unix, Prabal are all far more secure. The Pegasus e-mail package is also excellent and free !
Journo
pegasus
16.07.2004 16:27
> The Pegasus e-mail package is also excellent and free !
doesn't pegasus only run on windows ;-)
You do bring up a serious point though. Though Unices like Solaris are very able, the source code is still in the hands and under the control of a single corporation (and not a particularly nice one in Sun's case). I tend to prefer 'free' software like GNU/Linux.
Free software gives ppl the right to run, study, improve and share programs whereas proprietary software specifically tries to stop people from exercising these rights.
AFAIK the security breach was done by sniffing packets on an unswitched network, so it was more of a hardware than a software issue, although one could still argue that M$N should be done over TLS/SSL which would have meant the packets were encrypted.
Long Live the Penguin!
cat /dev/null > /bin/win32
Education
16.07.2004 19:56
SSL encrypted versions of all these methods of access to email accounts were supported, though obviously most people just use the defaults, and probably would no matter how many times you tell them. The original article was sensationalist, but if the university had any sense, rather than trying to punish them they should concentrate on educating everyone on (lack of) computer security.
sas
Responsible behavior
17.07.2004 12:49
IT support
cat /dev/null > /bin/win32
18.07.2004 15:06
cat /bin/win32 > /dev/null
(or maybe "cat /dev/null > /bin/win32" is a deep rooted philosophical statement, i.e. that windows is a bigger, deeper black hole than /dev/null, nothing escapes, not even the darkness of /dev/null escapes, no-one escapes, no-one hears your screams? . . . that's deep man, very deep. /bin/win32 it is).
and people, don't forget BSD (OpenBSD), it's also a free OS (and so is GNU/Hurd).
manic depressive
hack? bollocks
18.07.2004 17:21
what did any of this reveal? only the sensationalist way of writing by the original poster..
ben
re: cat /dev/null > /bin/win32
19.07.2004 11:24
>
> cat /bin/win32 > /dev/null
... not for my preferred behaviour - i.e. overwrite the contents of /bin/win32 with the contents of /dev/null e.g.:
$ echo test > a
$ cat a > /dev/null
$ cat a
test
$ cat /dev/null > a
$ cat a
$
> and people, don't forget BSD (OpenBSD), it's also a free OS (and so is GNU/Hurd).
yay! I have freeBSD on the laptop next to me, with an uptime of 89 days (it used to crash at least daily when it was installed with win95).
One caveat though, the BSD licence is different as it doesn't include derivative works, so you can nick their code, and then include it in a proprietary product.
For example the developers of winnt used code based on code from the BSD tcp/ip stack, which they *bought* from a Scottish company called Spider - see http://www.kuro5hin.org/?op=displaystory;sid=2001/6/19/05641/7357 , and
Proudly Serving My Corporate Masters (!!) by Adam Barr - http://www.proudlyserving.com/.
srm -f /bin/win32
re: re: cat /dev/null > /bin/win32
19.07.2004 16:51
i wish i could install BSD on my laptop :( i have to use Linux, and sometimes it sucks! Why, oh why do people *still* make distro specific makefiles (especially for hardware!! isn't it hard enough to make kernel objects without worrying about where to install them?) and why is kernel 2.6 not backwards compatible with 2.4? what's the deal with that!! why!!! why! why don't 2.4 kernel modules work with 2.6?! why!! why won't they work! why!!?!!!
. . .this would never happen under BSD-style communism ;(
manic depressive
Computers
19.07.2004 18:30
I like computers. They are great.
More to the point, I am great. I know so much that I can't even help myself from spewing jargon into unrelated conversation. It's almost as if I want people to know how good I am. It's almost as if I need their love.
I can't believe any of us came here to air our stupid views!