By Jo Best, 19 July 2004 13:30
Two Oxford University students are facing suspension and a fine after they hacked into the University computer system to show just how easy it was to access supposedly secure personal details.
The pair used free software that they downloaded and managed to access a database of university pupils' email passwords and other personal details, as well as spy on MSN Messenger conversations and look at some of the CCTV network. Gaining access to the system took only minutes, they said.
The two 20-year-old students undertook the hacking to expose security flaws in the internal network for the university newspaper, The Oxford Student. After proving the network was easy to crack, the newspaper printed their experiences.
The faculty weren't overly impressed with the students' endeavours, however, and questioned them about their actions in front of the university proctors before deciding to refer the matter to Thames Valley police for investigation.
The Oxford staff will decide in September whether the students will be suspended for a year and fined £500 for their exploits. The university, however, hasn't said it will be updating its security procedures.


Comments
1. mike hingley
Wow - this has always been a difficult area. I myself have been in a similar (but not quite as headline grabbing) position during my employment with my previous employer - I had located a deficiency with the applications used to store call centre logs.
My approach was to inform my employers, and then fully document what I had discovered. In the end they ignored my documentation, and I left it there.
I believe that the only thing that these students did wrong was to blab the information regarding the security (or perceived security) of the network to the student population, rather than the appropriate authorities (Network Managers etc).
Therefore I believe that Oxford's correct approach should be to thank the students for identifying the security holes, plug the holes and set forth some form of policy to ensure that future security issues are handled correctly - because there doesn't seem to be one at the moment.
Therefore I believe that the only 'crime' that these students performed was to follow a non-existent policy, and that Oxford is more concerned about the bad publicity of this incident than the actual problems.
These are my thoughts - without prejudice.
2. Tyler Durden
It's hardly fair to punish these guys who made it clear to the school that the network was unsecure. They told of their exploits in true hacker fashion in hopes that the network admins would beef it up a bit. If it only took these guys minutes and they used free software, I would be very concerned about the confidentiality of my password.
If these guys made their exploits public, how many others have done the same and continue to do so without any publication. Those are the ones concerning me.
3. anonymous
Typical, say a word against the NHS and its handling of IT projects or possible flaws in their chosen methodology and get sacked, is there a pattern developing here?
Oxford university was ridiculed, they should be asking the "hackers" to show all the exploits instead of throwing them to the local police.
4. Harold Wilkinson
I bet these are security 'holes' found on any large university network. I bet the students merely downloaded some software and sniffed a few packets. I bet students are told at Oxford not to send plain text passwords over the network and I bet any script kiddie could snoop on MS Messenger files. I bet, finally, that it's somewhat more difficult for anyone outside the Oxford University network to sniff the same data that travels on the LAN. Just because the data is there, doesn't give anyone the right to seek it out in contravention of user agreements, let alone to use it as the basis for a sensationalist student newspaper article (published prior to the students even bothering to inform the authorities of their findings).
5. james Button
Prosecute the university for data protection failure.
Naa! Let's carry on doing over the whistle blowers.
They ain't part of Tony's establishment.
6. Adrian Lee
Not exactly surprising that it was so easy to hack. And surely Oxford should be more worried at that ease than the fact a couple of students proved the theory and publicised it. They could've just exploited it and not let on they knew how.
And considering a year's suspension and £500 fine? Slightly excessive, don't you think? If a kid in a comprehensive school beat another kid up or hit a teacher or something, the school would be chastised for giving as harsh a penalty as that. I can't see this is anything like as bad as that.
7. anonymous
The real criminals are those responsible for security.
Next time it could be some really bad guy to be interested to hack some database and use the exploits for less noble actions (let your fantasy flow).
Early hacking of structures maintained by a bunch of incompetent idiots is a good thing, just to prevent the worse they should give awards for people who actually can show up with exploits.
The behaviour shows that management is simply not able to think 2 steps in advance.
9. Paul Higgins
I agree with James. The University appears to have broken the law here re the Data Protection Act. The University has a duty to ensure that personal data is secure. It appears that wasn't the case. Of course the Computer Misuse Act was also broken here by the students but any 'damage' done by them?
10. Mark Savage
This looks like a case of overkill against the students and complete apathy toward the security of the university's data. I worked as a network administrator for a college for a while and if one of the students managed to 'hack' the network I then worked to block the hole and improve security. I only informed the college authorities if it was obvious that the 'hack' was carried out with malicious intent against another student.
11. Mark Oxenham
One thing everyone seems to be missing here is precisely what information these students gained access into. There's a lot of judgmental attitudes going on without knowing the full facts! If the students gained complete access to secure areas then fine, they should be thanked and the security holes plugged. But did they really gain full access to confidential information? If they just used some dodgy freeware and accessed a few files that weren't held in secure areas then there is a case that the University's security policy is actually more than adequate.
I know it is unlikely to be the latter but let's not all get on the 'damn the bourgeois institution' and 'free the oxford two' bandwagon without knowing all the true facts - we can leave tabloid journalism to do that.
12. anonymous
1. They can't have been great hackers if they were unable to cover up their actions.
2. If their only crime was to gain access to data that they should not have, then if they came forward with the information on how they did it they should be rewarded for helping find a security flaw in the university's system.